[ BUG ] `Import-FalconConfig` fails to modify and ignores default `SensorUpdatePolicy` #444
Related causes:
bk-cs added a commit that referenced this issue Jan 10, 2025
Updated `Compare-Setting` function to convert `scheduler` and `variants` properties under `SensorUpdatePolicy` to Json strings when capturing a modification result.

Added additional verbose messaging to indicate when...

* `ModifyDefault` or `ModifyExisting` policies have been selected for modification
* `build`, `sensor_version`, and `stage` properties have been modified under a `SensorUpdatePolicy` and under the `variants` for a `SensorUpdatePolicy`

Added check for an empty `variants` list for a `SensorUpdatePolicy` to remove `variants` from creation/modification submission.

Added check for null/empty `timezone` values under the `scheduler` property of a `SensorUpdatePolicy` to add a default value of `Etc/Universal` when no `timezone` is found in the imported policy.

Changed `SensorUpdatePolicy` modification code to better handle the `HomeCid` variable. Now instead of skipping over policies that weren't exported from the same CID they're being imported into, `HomeCid` is only used if the CID is the same. Additionally, the ID used for policy modification is assumed to be the matching ID found in the CID for policies that already exist if `new_id` isn't present (from the `Update-Id` function when the policy is created earlier in the import).

Added a check to determine if multiple default policies already exist in the CID and can't be correlated against `HomeCid`. Now the policies will be ignored and an `Ignored` result will be added to final output, since it's impossible to tell which `platform_default` policy (i.e. inherited or not-inherited) is the right one if you're importing from a source CID that doesn't match the current CID.

Added additional result for `platform_default` policies when no changes have been made because they are identical.

Modified `FirewallPolicy` import to ensure that a proper result was captured when `rule_group_ids` were added instead of a `Cannot bind argument to parameter 'ReferenceObject' because it is null` error due to there being no original `rule_group_ids` to compare against.
Several changes have been made to fix these issues for the next PSFalcon release. If you'd like to resolve it for your local module before release, you can replace

```powershell
Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/292faa7ece10860a46a3c88429b6ca148cac7c1a/public/psf-config.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-config.ps1)
```

Please ensure that you close and re-open PowerShell and re-import the PSFalcon module before testing.

EDIT 2025-01-13: Updated to account for some additional fixes.
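A more defensive form of the replacement steps in the comment above, as an added example that is not from the PSFalcon project or the commenter: it downloads the same pinned-commit file to a temporary path, parses it without executing it, and keeps a backup of the original before overwriting. The variable names, the `.bak` backup name and the check for an `Import-FalconConfig` function definition in the file are assumptions of this example.

```powershell
# Added example, not PSFalcon project code. Names below are illustrative.
Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
$Target = Join-Path (Join-Path $ModulePath public) psf-config.ps1
$Backup = "$Target.bak"
$Temp = Join-Path ([System.IO.Path]::GetTempPath()) 'psf-config.download.ps1'

# The URL pins a full commit hash, so the content cannot change under the same address
$Uri = 'https://raw.githubusercontent.com/CrowdStrike/psfalcon/292faa7ece10860a46a3c88429b6ca148cac7c1a/public/psf-config.ps1'

# -OutFile writes the response bytes unchanged; -ErrorAction Stop aborts on HTTP/TLS failure
Invoke-WebRequest -Uri $Uri -UseBasicParsing -OutFile $Temp -ErrorAction Stop

# Parse the download without running it; reject truncated or non-script responses
$Tokens = $null
$ParseErrors = $null
[void][System.Management.Automation.Language.Parser]::ParseFile($Temp, [ref]$Tokens, [ref]$ParseErrors)
if ($ParseErrors.Count -gt 0) {
  Remove-Item -Path $Temp
  throw "Download has $($ParseErrors.Count) parse error(s); module left unchanged."
}

# Assumption: the replacement file defines Import-FalconConfig
if ((Get-Content -Path $Temp -Raw) -notmatch 'function\s+Import-FalconConfig') {
  Remove-Item -Path $Temp
  throw 'Download does not define Import-FalconConfig; module left unchanged.'
}

# Keep the shipped file so the change can be reverted, then replace it
Copy-Item -Path $Target -Destination $Backup -Force
Copy-Item -Path $Temp -Destination $Target -Force
Remove-Item -Path $Temp

# Record both hashes for change tracking
Get-FileHash -Path $Target, $Backup -Algorithm SHA256 | Format-Table -Property Path, Hash
```

To revert, copy the `.bak` file back over `psf-config.ps1` and re-import the module in a new PowerShell session.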
Describe the bug

`Import-FalconConfig` does not modify default `SensorUpdatePolicy`. Errors may also occur related to `variants` sensor values (like missing `build`, or `sensor_version`) or `scheduler` values (missing `timezone`).

Additional items may fail to import or fail to be modified (especially "default" policies). Users have reported that prevention policy settings were not being modified after creation.

To Reproduce

Attempt to use `Import-FalconConfig` to modify default `SensorUpdatePolicy`
Environment (please complete the following information):