Table Bug: kolide_falconctl_options not supported on NixOS
What is the issue?
It appears that on NixOS devices the kolide_falconctl_options table used to gather sensor information about a CrowdStrike Falcon sensor does not return any data.
My first hypothesis was that the paths might be different on NixOS, but I have verified firsthand that the standard /opt/Crowdstrike/falconctl path is the same and that the binary is present on that OS.
I have tried running the query with different options called to see if it was simply that the table was choking on an unsupported option; however, that also did not affect the outcome.
Do you have a machine, or is this all LQ? Because I wonder if the command even produces output.
@FritzX6 Were you trying to run the falconctl binary directly from the store path? Because that works, but /opt/CrowdStrike/falconctl does not work unless nix-ld is enabled in the configuration.
I stumbled upon a similar issue on my work device a couple days ago. CrowdStrike was running but Kolide seemed to report the opposite. I requested my device details from Kolide and I suspect it didn't populate the kolide_falconctl_options table because my version, agent_id etc. fields were empty:
$ cat CrowdStrike\ -\ Require\ CrowdStrike\ Agent\ to\ Be\ Installed\ and\ Running.json
[
  {
    "failure": "not installed",
    "version": "",
    "agent_id": "",
    "client_id": "",
    "rfm_state": "",
    "sensor_operational": "Yes",
    "KOLIDE_CHECK_STATUS": "FAIL",
    "ran_at": "2025-06-24 09:57:30 UTC"
  }
]
I could see it running from the system though. I realized Kolide has an interactive shell and gave it a try:
$ sudo /nix/store/fsc44cfbl978g70916s2rs05shr30v8k-kolide-launcher-1.20.2/bin/launcher interactive
{"time":"2025-06-24T10:47:34.704350414Z","level":"INFO","msg":"launcher starting up","version":"1.20.2","revision":"f083550382e6552d2136f438eec2d3311bbe2514"}
{"time":"2025-06-24T10:47:34.70441912Z","level":"ERROR","msg":"could not check out latest launcher","err":"checking out latest launcher: could not get autoupdate config: could not read config file because it does not exist at /etc/kolide-k2/launcher.flags: stat /etc/kolide-k2/launcher.flags: no such file or directory"}
Using a virtual database. Need help, type '.help'
osquery> select * from kolide_falconctl_options;
{"time":"2025-06-24T10:47:40.504549419Z","level":"INFO","msg":"exec failed","table":"kolide_falconctl_options","err":"exec '/opt/CrowdStrike/falconctl -g --aid --apd --aph --app --cid --feature --metadata-query --rfm-reason --rfm-state --rfm-history --tags --version': exit status 127","span_id":"0000000000000000","trace_id":"00000000000000000000000000000000","trace_sampled":false}
time=2025-06-24T10:47:40.504Z level=INFO source=/__w/launcher/launcher/ee/tables/crowdstrike/falconctl/table.go:103 msg="exec failed" table=kolide_falconctl_options err="exec '/opt/CrowdStrike/falconctl -g --aid --apd --aph --app --cid --feature --metadata-query --rfm-reason --rfm-state --rfm-history --tags --version': exit status 127" span_id=0000000000000000 trace_id=00000000000000000000000000000000 trace_sampled=false
{"time":"2025-06-24T10:47:40.504606661Z","level":"INFO","msg":"failure flattening output","table":"kolide_falconctl_options","err":"flattening at path []: unknown type on map[_error:falconctl parse failure: exec '/opt/CrowdStrike/falconctl -g --aid --apd --aph --app --cid --feature --metadata-query --rfm-reason --rfm-state --rfm-history --tags --version': exit status 127]","span_id":"0000000000000000","trace_id":"00000000000000000000000000000000","trace_sampled":false}
time=2025-06-24T10:47:40.504Z level=INFO source=/__w/launcher/launcher/ee/tables/crowdstrike/falconctl/table.go:113 msg="failure flattening output" table=kolide_falconctl_options err="flattening at path []: unknown type on map[_error:falconctl parse failure: exec '/opt/CrowdStrike/falconctl -g --aid --apd --aph --app --cid --feature --metadata-query --rfm-reason --rfm-state --rfm-history --tags --version': exit status 127]" span_id=0000000000000000 trace_id=00000000000000000000000000000000 trace_sampled=false
osquery>
I also tried to run CrowdStrike manually (directly by the store path) and it worked. With the info I had from the interactive shell, I realized Kolide was using the /opt/CrowdStrike path instead. Tried it and failed as expected because it's a dynamically linked binary and I didn't have nix-ld enabled in my configuration. Once I enabled it with programs.nix-ld.enable = true; Kolide populated the tables correctly.
Here's my config if you need it: https://github.com/canozokur/nixos-config/blame/main/boxes/nexusbox/falcon-sensor.nix#L9
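Added example (not part of the thread and not launcher code): a small triage script that reads launcher log output in both the JSON and key=value forms shown in the session above, deduplicates the "exec failed" records, and reports the binary and exit status, so an empty kolide_falconctl_options result can be told apart from a sensor that is really absent. The function names are hypothetical and the sample lines are constructed from the session with the argument list shortened.

```python
import json
import re
import shlex

# Shell convention: 126 = found but not executable, 127 = command not found.
# Either usually means the tool never ran, so empty columns say nothing about the sensor.
EXEC_ENV_STATUSES = {126: "found but not executable", 127: "command not found"}
ERR_RE = re.compile(r"exec '(?P<cmd>[^']+)': exit status (?P<status>\d+)")

# Constructed sample: log lines modelled on the session above, argument list shortened.
SAMPLE_LOG = """\
osquery> select * from kolide_falconctl_options;
{"time":"2025-06-24T10:47:40.504549419Z","level":"INFO","msg":"exec failed","table":"kolide_falconctl_options","err":"exec '/opt/CrowdStrike/falconctl -g --aid --version': exit status 127"}
time=2025-06-24T10:47:40.504Z level=INFO msg="exec failed" table=kolide_falconctl_options err="exec '/opt/CrowdStrike/falconctl -g --aid --version': exit status 127"
{"time":"2025-06-24T10:47:40.504606661Z","level":"INFO","msg":"failure flattening output","table":"kolide_falconctl_options","err":"flattening at path []: unknown type on map[_error:falconctl parse failure: exec '/opt/CrowdStrike/falconctl -g --aid --version': exit status 127]"}
"""

def parse_line(line):
    """Return one log record as a dict (JSON or logfmt form), or None for other text."""
    line = line.strip()
    try:
        if line.startswith("{"):
            rec = json.loads(line)
            return rec if isinstance(rec, dict) else None
        # logfmt: space-separated key=value pairs, values optionally double-quoted
        pairs = [tok.split("=", 1) for tok in shlex.split(line) if "=" in tok]
    except ValueError:  # malformed JSON or unbalanced quotes
        return None
    return dict(pairs) or None

def exec_failures(log_text):
    """Unique (table, binary, exit_status, meaning) tuples from 'exec failed' records."""
    found = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("msg") != "exec failed":
            continue
        m = ERR_RE.search(str(rec.get("err", "")))
        if m:
            status = int(m.group("status"))
            meaning = EXEC_ENV_STATUSES.get(status, "tool ran and reported an error")
            found.add((rec.get("table", "?"), m.group("cmd").split()[0], status, meaning))
    return sorted(found)

if __name__ == "__main__":
    for finding in exec_failures(SAMPLE_LOG):
        print(finding)
```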