Tell HN: CrowdStrike Falcon users, check for excessive KernelModuleArchiveExt files
Hello!

This is a heads-up for folks who run CrowdStrike Falcon on Linux servers, and particularly on Linux servers that were provisioned some time ago. It's a problem that CrowdStrike does not plan on fixing, and so I wanted to let others know before it causes your machines to hang.

You should have CrowdStrike Falcon installed at path /opt/CrowdStrike/. In that directory, you probably have one file whose name begins with "KernelModuleArchive", and many files whose name begins with "KernelModuleArchiveExt". That's the problem.

CrowdStrike appends a version number to every executable & library file. It does a good job of cleaning up old versions of *almost all* of its files. Except for KernelModuleArchiveExt.

I first noticed this happening when a virtual machine (with a small /opt partition) filled up /opt, and the system stopped responding. Turns out, /opt/CrowdStrike had filled up with 18 different KernelModuleArchiveExt files.

What is the fix? Well, our CrowdStrike admins opened a ticket with CrowdStrike, and we were told:

* Yes, the KernelModuleArchiveExt files are not being cleaned up automatically. Other files are being cleaned up automatically, but not the KernelModuleArchiveExt files.

* Will CrowdStrike release an update that cleans up the KernelModuleArchiveExt files? No.

* Will you put it on your roadmap to implement in the future? No.

* So, what should we do? If you want to clean them up, do it yourself.

If your site uses CrowdStrike uninstall protection, you *cannot* clean them up yourself without first getting a "maintenance token" from your CrowdStrike admins. Otherwise, deleting all KernelModuleArchiveExt files and restarting the CrowdStrike Falcon sensor works (it goes out and downloads the KernelModuleArchiveExt that it needs). Personally, though, I don't think we should have to do this.

Since CrowdStrike refuses to fix this, I wanted to let folks know, so you can check your systems. If you discover that this problem also affects you, I encourage you to open your own support ticket with CrowdStrike.
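
A read-only check for the condition described in the post, as an added example that is not part of the original post and is not CrowdStrike code: it counts the KernelModuleArchiveExt* files in the install directory and totals their size so a cron job or monitoring agent can alert before /opt fills. The function names, the exit codes and the default threshold of 2 files are assumptions; nothing is deleted.

```shell
#!/usr/bin/env bash
# Added example: audit a Falcon install directory for accumulated
# KernelModuleArchiveExt* files. Read-only; it never removes anything.

# Print "<count> <total_bytes>" for KernelModuleArchiveExt* files in dir $1.
kmae_usage() {
    local dir="$1" count=0 bytes=0 f size
    for f in "$dir"/KernelModuleArchiveExt*; do
        [ -f "$f" ] || continue      # skips an unmatched glob and non-files
        size=$(wc -c < "$f")
        count=$((count + 1))
        bytes=$((bytes + size))
    done
    echo "$count $bytes"
}

# Monitoring-style check (exit codes are this example's own convention):
#   0 = at or below threshold, 1 = above threshold, 2 = directory missing.
# $1 = directory (default: the path named in the post)
# $2 = maximum acceptable file count (default 2 is an assumption)
kmae_check() {
    local dir="${1:-/opt/CrowdStrike}" max="${2:-2}" count bytes
    if [ ! -d "$dir" ]; then
        echo "UNKNOWN: $dir not found"
        return 2
    fi
    set -- $(kmae_usage "$dir")      # split "<count> <bytes>" into $1 $2
    count=$1
    bytes=$2
    if [ "$count" -gt "$max" ]; then
        echo "WARNING: $count KernelModuleArchiveExt files, $bytes bytes in $dir"
        return 1
    fi
    echo "OK: $count KernelModuleArchiveExt files, $bytes bytes in $dir"
    return 0
}

# Run the check only when arguments are given, e.g.:
#   ./kmae_check.sh /opt/CrowdStrike 2
if [ "$#" -gt 0 ]; then
    kmae_check "$@"
fi
```

Reading the directory may require root, depending on how the sensor's files are permissioned on your hosts.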