Update 20/7/21 Originally installing Crowdstrike was included in this project, but I had a good chat with cybersec and was advised it's best not to install CS on the device with my supplied package, since it will become registered to our network. This project will still aim to achieve a secure Pi as best as possible! However due to other projects, I am benching this one for now.
Installing Crowdstrike Falcon on a Raspberry Pi is no different from installing it on Linux. Simply find the type of distro that is supported by Crowdstrike here and go about installing it onto the Pi. There is no official documentation for installing CS on a Raspberry Pi, but why would someone want to do this in the first place?
Crowdstrike is a corporate product by nature and not for the average consumer. If the business somehow requires a Raspberry Pi as part of its operations or for a project, and it needs to connect to the internet in order to function, it becomes an additional point of vulnerability on the corporate network. This brings complications as the Pi is no stranger to being compromised. One of the highest profile cases being the 2018 security breach at NASA’s Jet Propulsion Lab. Adding CS is an additional measure to make the device more secure on the network, and while we’re at it, let’s explore further avenues to make it more secure, from start to finish, and hopefully get the green light from the security team to join the corporate network.
- Project Device: Raspberry Pi 2 Model B
- Alternatively, can be done in a VM like Hyper-V. Just make sure your desktop internet is shared via the network adapter and configured in the VM.
Aim
Deploy a securely configured Raspberry Pi on a corporate network and allow it to view secure webpages
Distro: CentOS 7 Minimal
For this project, I go with CentOS, as it is one of the most secure Linux distros available, alongside RHEL. Furthermore, the Pi’s use case is in an enterprise environment which makes sense to lean towards a more stable distro with plenty of official documentation to fall back on as opposed to digging through the mountains of Stack Overflow.
Why the minimal version? The less additional services and processes installed, the less opportunity and potential avenues and entryways for malicious attacks on the system. For this reason, I’d opt for a version that only provides the bare essential kernels and server programs and only add on what is required for the project. Furthermore, let’s draft a quick comparison for the resources side of things. Take a look at the requirements for installing the Ubuntu 20.04 LTS Desktop vs Server. There is a significant increase in resources required to run a GUI, which is far more than what the Pi 2 can handle. See below comparison of specs.
| Raspberry Pi 2 Model B | [GUI] Ubuntu Desktop Requirements |
| 900 MHz quad-core ARM Cortex-A7 | 2GHz dual core processor |
| 1gb RAM | 4gb RAM |
| 32gb (microSD card*) | 25gb storage space |
For this reason, the more lightweight distro you use, the more secure the Pi can afford to be, and CentOS is truly minimal in its offering of only Linux core functionality.
Securing CentOS
- Update the system to install updated features and patches.
yum update -y Alternatively, yum update --security to only install security-related updates
- Enable the firewall
sudo systemctl enable firewalld
sudo systemctl start firewalld- Open Port 443. An open port allows a pathway for attackers listening in on the port. Whilst this is a security risk, 443 allows the Pi to access HTTPS websites. We won’t bother with Port 80.
sudo firewall-cmd --add-port=443/tcp --permanentSave and double-check the firewall rules have been applied with:
sudo firewall-cmd --reload
sudo firewall-cmd --list-allLet’s install another firewall on top of the standard package offered by CentOS, and an enterprise one to boot!
Optional: PfSense
Deviating to PfSense because I don’t have the proper yum package for CrowdStrike. I need to coax someone from infrastructure to download the right package for me. PfSense also offers a firewall solution, but is based on FreeBSD open source. TBA on the CrowdStrike front!
Current progress:
Ended up virtualising pfSense in Hyper-V, check my progress here.
Future work:
Isolate the Pi on a private VLAN on the live network
If the firewall or the Pi security fails, we can at least hope to prevent the attacker to gain access to other devices on the network. Nothing is ever completely safe, so I’ll look into ways to prevent Double Tagging and Spoofing.
Another project to do in the future, which I’ll write about here.