Cyber Monitoring tools on ProxMox host?

voidindigo

Hello all,

My company is requiring installation of cybersecurity monitoring tools on our Linux systems, and there's been some question about the ProxMox servers I'm running. Currently I'm running two hosts in a cluster; I believe we're still at v5, but they are down at the moment. I don't have a problem upgrading them to v8 (probably a "backup / rebuild cluster / restore" kind of thing) as needed.

My question is, has anyone got experience running something like Carbon Black or CrowdStrike Falcon Server on the ProxMox host OS itself? Is that even possible?

Thanks
Scott
 
I would not install any security tools on V5 PVE, which was based on Debian 9/Stretch. PVE5 was EoL 07/2020 and the underlying OS since 6/30/2022.
If you can even get a package for Deb9 from one of the modern providers, you risk being walked out of the building along with the servers :)

Jokes aside, after you reinstall or upgrade to PVE8, you should have no issues installing the appropriate Debian client. There may be many "false positives", depending on the vendor. Just keep in mind to treat PVE as an appliance rather than a standard multi-user Linux install.


Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox
 
Thanks for the reply, I had a pretty strong feeling it would require at least the upgrade before installing... I know it's a modified kernel, just wanted to know if there were any gotchas to be aware of.
 
It's a Debian base with an Ubuntu-derived kernel: https://pve.proxmox.com/wiki/Proxmox_VE_Kernel#Proxmox_VE_8.x
You can find additions and patches here: https://github.com/proxmox/pve-kernel

There will be extra open ports, there will be a root account that can't be disabled; I wouldn't call these "gotchas". Normal appliance artifacts.
Throw PVE in a VM of your corporate hypervisor and run the scan there if you want to preview the results.


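For the "extra open ports" point in the post above, the following is an added example, not code from any poster in this thread: it triages listening sockets from `ss -H -tuln` against an expected Proxmox VE baseline so that scan findings can be separated into appliance artifacts and ports that need review. The baseline ports are an assumption taken from Proxmox VE's documented port list (the thread does not list them), and the `ss` output is constructed.

```python
# Assumed baseline (from Proxmox VE's documented port list, not from this
# thread): (protocol, low port, high port, service).
PVE_BASELINE = [
    ("tcp", 22, 22, "sshd"),
    ("tcp", 8006, 8006, "pveproxy web UI/API"),
    ("tcp", 3128, 3128, "spiceproxy"),
    ("tcp", 5900, 5999, "VNC web console"),
    ("tcp", 60000, 60050, "live migration"),
    ("tcp", 111, 111, "rpcbind"),
    ("udp", 111, 111, "rpcbind"),
    ("udp", 5405, 5412, "corosync"),
]

# Constructed sample of `ss -H -tuln` output; not captured from a real host.
SAMPLE_SS = """\
tcp LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 4096 *:8006 *:*
tcp LISTEN 0 4096 *:3128 *:*
tcp LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 5 0.0.0.0:4444 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:*
udp UNCONN 0 0 10.0.0.11:5405 0.0.0.0:*
"""


def classify(ss_output):
    """Return (proto, addr, port, verdict, note) for each listening socket."""
    results = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or truncated line
        proto = fields[0]
        addr, _, port_text = fields[4].rpartition(":")
        if not port_text.isdigit():
            continue  # header row or unparsable local address
        port = int(port_text)
        if addr.startswith("127.") or addr == "[::1]":
            results.append((proto, addr, port, "loopback", "not reachable off-host"))
            continue
        note = next((svc for p, lo, hi, svc in PVE_BASELINE
                     if p == proto and lo <= port <= hi), None)
        verdict = "expected" if note else "review"
        results.append((proto, addr, port, verdict, note or "not in PVE baseline"))
    return results


if __name__ == "__main__":
    for proto, addr, port, verdict, note in classify(SAMPLE_SS):
        print(f"{verdict:9} {proto}/{port:<6} {addr:12} {note}")
```

On a real host, feed it the live output of `ss -H -tuln` and adjust the baseline to the services the node actually runs before using it to justify scanner exceptions.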
Just FYI (anyone else that finds this) I did manage to backup the 5.X cluster and rebuild / restore an 8.0.3 cluster, then install both Carbon Black and CrowdStrike Falcon Server on the ProxMox hosts... and it's all running great.
 
Hi, thanks for your post. It's been almost a year since you deployed CrowdStrike on your PVE hosts. How's it going? We are interested in doing the same thing.
 
Hi, we're still running ProxMox 8.0.3 and having no problems at all. I haven't noticed any undue overhead or load caused by the CrowdStrike falcon-sensor service.