CrowdStrike Image Sync

A standalone CrowdStrike sensor image synchronization system for AWS ECR.

Overview

This system monitors CrowdStrike's registry for new sensor versions and synchronizes them to AWS ECR repositories across multiple regions. It supports all CrowdStrike sensor types and provides a complete CLI interface for image management operations.

Features

  • Multi-sensor support: falcon-sensor, falcon-container, falcon-kac
  • Multi-region deployment: us-1, us-2, us-gov-1
  • OAuth2 authentication with CrowdStrike API
  • Auto-region discovery for optimal API performance
  • Docker credential management with retry logic
  • Dry-run mode for safe testing
  • Comprehensive logging and error handling
  • ECR lifecycle management
  • 🔐 Advanced Security: Automatic credential scrubbing prevents sensitive data from appearing in logs
  • 🛡️ AWS Secrets Manager: Secure credential storage with rotation support

Quick Start

1. Credential Setup (Required)

The easiest way to get started is with the interactive setup script:

./setup-credentials.sh

This will:

  • Guide you through CrowdStrike and AWS configuration
  • Store your CrowdStrike API credentials securely in AWS Secrets Manager
  • Test the credentials and connectivity
  • Generate a complete configuration file at ~/.cs-image-sync.yaml

For detailed instructions, see CREDENTIAL-SETUP.md.

2. Verify Setup

# Test configuration
cs-image-sync config validate

# Test system connectivity
cs-image-sync validate

# List available sensor versions
cs-image-sync list-versions

3. Sync Images

# Dry run (recommended first)
cs-image-sync sync-images --dry-run

# Live sync
cs-image-sync sync-images

Manual Configuration (Advanced)

If you need custom configuration beyond what the setup script provides:

  1. Start with setup script: ./setup-credentials.sh (sets up credentials securely)
  2. Customize configuration: Edit ~/.cs-image-sync.yaml or create a custom config
  3. Use custom config: cs-image-sync -c /path/to/custom-config.yaml

See config-sample.yaml and examples in docs/examples/ for configuration options.

Installation

pip install -e .

Security

The system includes comprehensive security features:

  • 🔐 Automatic Log Scrubbing: Prevents credentials from appearing in logs
  • 🛡️ Secrets Manager Integration: Secure credential storage in AWS
  • 🔒 Multi-layer Protection: Security at logging, display, and storage levels
  • 🧪 Validated Security: Comprehensive test suite ensures protection

For detailed security information, see SECURITY.md.
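
The following added example is not this project's implementation; it shows one way to scrub credentials at the logging layer, using a logging.Formatter that redacts the fully rendered line in the log format from this README. The regex rules, the logger name and the sample values are constructed for illustration.

```python
import io
import logging
import re

REDACTED = "***REDACTED***"
LOG_FORMAT = "%(asctime)s - %(name)s - %(levelname)s - %(message)s"  # from the README

# Constructed rules (assumption): the project's own patterns may differ.
_RULES = [
    # key=value, key: value and "key": "value" where the key name mentions a secret
    (re.compile(r"""(?i)\b([\w-]*(?:secret|password|token)[\w-]*)"""
                r"""(["']?\s*[:=]\s*["']?)[^\s"',&]+"""), r"\1\2" + REDACTED),
    # OAuth2 bearer tokens in dumped request headers
    (re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]+"), r"\1 " + REDACTED),
]

def scrub(text: str) -> str:
    """Apply every redaction rule to an already rendered log line."""
    for pattern, replacement in _RULES:
        text = pattern.sub(replacement, text)
    return text

class ScrubbingFormatter(logging.Formatter):
    """Scrub the final output so %-style args and tracebacks are covered too."""

    def format(self, record: logging.LogRecord) -> str:
        return scrub(super().format(record))

def demo() -> str:
    """Log constructed sample events and return what the handler wrote."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(ScrubbingFormatter(LOG_FORMAT))
    log = logging.getLogger("cs_image_sync.demo")  # hypothetical logger name
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.DEBUG)
    # Constructed values, not real credentials.
    log.debug("token request: client_id=abc123&client_secret=%s", "s3cr3t-value")
    log.info('env CS_CLIENT_SECRET="s3cr3t-value" loaded')
    log.debug("headers: {'Authorization': 'Bearer eyJhbGciOi.payload.sig'}")
    try:
        raise RuntimeError("registry login failed, password=hunter2-example")
    except RuntimeError:
        log.exception("docker login error")
    return stream.getvalue()

if __name__ == "__main__":
    print(demo())
```

Redacting in the formatter of each handler covers every record that reaches that handler; a logging.Filter attached to a single logger is not applied to records propagated from its child loggers.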

Security Quick Test

The security system is automatically tested as part of the main test suite:

# Run the test suite (includes security tests)
pytest tests/

Configuration

Recommended: Use the setup script to create your configuration:

./setup-credentials.sh

This creates a configuration file at ~/.cs-image-sync.yaml:

crowdstrike:
  # Secure credential storage (recommended)
  use_secrets_manager: true
  secret_name: "crowdstrike-api-credentials-us-1"
  cloud: "us-1"  # us-1, us-2, us-gov-1

  # Alternative: Direct credentials (NOT recommended for production)
  # client_id: "your_client_id"
  # client_secret: "your_client_secret"

aws:
  region: "ca-central-1"  # Update to your preferred region
  profile: "solar-lab"    # Optional: AWS profile to use

sync:
  sensor_types:
    - falcon-sensor
    - falcon-container
    - falcon-kac

  retention_days: 30
  max_images_per_type: 2  # Keep only 2 most recent versions per sensor type

logging:
  level: INFO
  format: "%(asctime)s - %(name)s - %(levelname)s - %(message)s"

Usage

CLI Commands

# List available sensor versions
cs-image-sync list-versions

# Sync all images (dry-run)
cs-image-sync sync-images --dry-run

# Sync specific sensor type
cs-image-sync sync-images --sensor-type falcon-sensor

# Cleanup old images
cs-image-sync cleanup --retention-days 30

# Show configuration
cs-image-sync config show

Authentication

Set up AWS credentials via:

  • AWS CLI (aws configure)
  • Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  • IAM roles (for EC2/ECS deployment)

CrowdStrike credentials can be provided via:

  • AWS Secrets Manager (recommended) - Set up with ./setup-credentials.sh
  • Configuration file (not recommended for production)
  • Environment variables (CS_CLIENT_ID, CS_CLIENT_SECRET)

Development

# Install development dependencies
pip install -e ".[dev]"

# Run tests
pytest

# Format code
black cs_image_sync/

# Type checking
mypy cs_image_sync/

Docker Deployment

The application can be containerized for deployment in orchestrated environments:

# Build the Docker image
docker build -t cs-image-sync .

# Run with local config
docker run -v ~/.aws:/home/csync/.aws \
           -v "$(pwd)/config-sample.yaml:/app/config.yaml" \
           cs-image-sync \
           cs-image-sync -c config.yaml sync-images --dry-run

# Deploy as Kubernetes CronJob
kubectl apply -f k8s-cronjob.yaml

Perfect for:

  • Kubernetes CronJobs - Scheduled synchronization
  • AWS ECS Tasks - Serverless execution
  • CI/CD Pipelines - Automated deployments

License

MIT License