Use Crowdstrike ZTA scores to restrict device access

Device posture attributes and conditions are currently in private alpha, so this topic is currently hidden.

Crowdstrike Falcon Zero Trust Assessment (ZTA) calculates a numeric trust score (from 0 to 100) for each device that runs a Falcon agent. Using that score in Tailscale access rules lets an organization grant access to sensitive resources only to devices with a high enough trust score.

This is currently achieved with the posturesync tool together with two Tailscale device posture features:

  • The Device posture attributes API, which allows customers to associate arbitrary key/value pairs with their devices.
  • Posture conditions in access rules, which allow additional access restrictions based on device attributes.

This document provides instructions on how to:

  • Configure and run posturesync to manage a new Tailscale device posture attribute that contains the Crowdstrike Falcon trust score of a given node.
  • Update your Tailscale access rules to only allow certain access from trusted nodes.

What is posturesync?

The posturesync utility continuously runs as a daemon and copies Falcon trust scores to a Tailscale device posture attribute. We provide a Docker image that can be used to run posturesync in any environment that supports Docker containers. A single instance of posturesync can manage Falcon attributes for one Tailscale network (known as a tailnet).

When running, posturesync will regularly:

  • Fetch a list of hosts recorded in your Falcon account, and their ZTA scores.
  • Match Falcon hosts with corresponding devices in your tailnet, based on the Tailscale IP address associated with a device. This is available for Windows and macOS devices only.
  • Copy the ZTA score of each device into a Tailscale device posture attribute. To do this, posturesync uses the Device posture attributes API and needs the name of a custom attribute that will contain the score. As an example, we will use an attribute called custom:falconScore.

Prerequisites

Create a Crowdstrike Falcon API client

Generate a Crowdstrike Falcon API client that will be used to fetch a list of hosts from Falcon along with their ZTA scores.

  1. In Falcon, open Support and resources and then API clients and keys.

  2. Add a description. For the Hosts scope add Read, and for the Zero Trust scope add Read.

    (Screenshot: Add Falcon client and scopes)

  3. Click Create, then make sure to copy the displayed Client ID and Client Secret. These are displayed only once.

Also copy the Falcon Cloud ID, which is the third-level label of the host name in the displayed base URL. For example, the base URL https://api.us-2.crowdstrike.com means that your Cloud ID is us-2.

Run posturesync

The posturesync utility is available as a tailscale/posturesync image on Docker Hub. It needs to run continuously as a daemon.

To test posturesync, you can run it manually on any machine that has Docker installed:

docker run tailscale/posturesync:unstable

Configure parameters

You can provide the following configuration parameters to posturesync as environment variables:

  • SCORE_ATTRIBUTE (required, string): Name of the device posture attribute that will contain ZTA scores. This needs to be an alphanumeric string prefixed with the namespace custom:, for example custom:falconScore.
  • INTERVAL (optional, string duration, defaults to 10m, that is, 10 minutes): Update frequency.
  • LISTEN (optional, string, defaults to :8080, that is, port 8080 on all IP addresses): IP address and port used for the status web server.
  • DRY_RUN (optional, boolean, defaults to false): When set, posturesync logs the changes it would make instead of actually making them.

Configure the API clients

You will need to provide Tailscale and Falcon API connection parameters using environment variables or command line flags:

  • TAILSCALE_CLIENT_ID: Tailscale OAuth client ID
  • TAILSCALE_CLIENT_SECRET: Tailscale OAuth client secret
  • FALCON_CLIENT_ID: Falcon client ID
  • FALCON_CLIENT_SECRET: Falcon client secret
  • FALCON_CLOUD: Falcon cloud ID

Full example:

docker run -p 8080:8080 \
    -e SCORE_ATTRIBUTE=custom:falconScore \
    -e TAILSCALE_CLIENT_ID=kxxxxxxxxx \
    -e TAILSCALE_CLIENT_SECRET=tskey-client-kxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxx \
    -e FALCON_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxx \
    -e FALCON_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxx \
    -e FALCON_CLOUD=us-2 \
    tailscale/posturesync:unstable

View the web status page

You can examine a list of devices that posturesync tracks on a status page available at http://localhost:8080/ on the device on which posturesync is running.

(Screenshot: The web status page for posturesync)

Check node attributes

After you get posturesync running, you can confirm that the trust score attribute is being written for your Tailscale nodes by calling the Tailscale device posture attributes API, which is part of the Tailscale API.

To make this API call, you need the ID of an individual node, which you can get from the admin console or from the devices API call used in the listing script further below. You also need an API access token for authentication.

$ NODE_ID=nxxxxxxCNTRL
$ API_KEY=tskey-api-xxxxxxx-xxxxxxxxxxxxxxxxxxx
$ curl -Ssu "$API_KEY:" "https://api.tailscale.com/api/v2/device/$NODE_ID/attributes" |jq

In the output, you should see the value of the custom attribute set by posturesync, as well as default attributes provided by Tailscale:

{
  "attributes": {
    "custom:falconScore": "75",
    "node:os": "windows",
    "node:osVersion": "10.0.19045.3086",
    "node:tsReleaseTrack": "stable",
    "node:tsVersion": "1.44.0"
  }
}

You can also print all device posture attributes for all devices of your tailnet using the following script:

$ API_KEY=tskey-api-xxxxxxx-xxxxxxxxxxxxxxxxxxx
$ curl -Ssu "$API_KEY:" "https://api.tailscale.com/api/v2/tailnet/-/devices" \
  | jq -c '.devices[] | {nodeId, hostname}' \
  | while read -r device; do
    # $device is one JSON object per line; merge it with the attributes response
    curl -Ssu "$API_KEY:" "https://api.tailscale.com/api/v2/device/$(echo "$device" | jq -r .nodeId)/attributes" \
    | jq --argjson device "$device" '$device + .'
  done

Adjust Tailscale access rules

Once you have posturesync running and your devices have a custom attribute that reflects their Falcon trust score, you can use that device posture attribute in a posture definition.

For example, to only allow access to tag:production from devices that have a Crowdstrike ZTA score of 70 or higher, you can create a new posture and use it in a corresponding access rule:

"postures": {
  "posture:trusted": ["custom:falconScore >= 70"],
},
"acls": [
  {
    "action":     "accept",
    "src":        ["autogroup:member"],
    "srcPosture": ["posture:trusted"],
    "dst":        ["tag:production:*"],
  },
]
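As an added example (not part of this document or of the posturesync tool), the following Python script reads the one-object-per-line output of the listing script under "Check node attributes" and reports, for the posture above, which devices currently satisfy it, which have a score below the threshold, and which have no score at all (for instance the Ubuntu devices noted under Limitations), so that a sync gap is not mistaken for a low score. The device names, node IDs and scores in the sample are constructed, and the comparison mirrors the policy condition locally; it is not Tailscale's own evaluator.

```python
import json
import re

# Constructed sample in the shape produced by the listing script (one JSON
# object per line: the device record merged with its attributes response).
# The Ubuntu device has no custom:falconScore, as described under Limitations.
SAMPLE_JSONL = """\
{"nodeId":"nAAAA1CNTRL","hostname":"win-laptop","attributes":{"custom:falconScore":"75","node:os":"windows"}}
{"nodeId":"nBBBB2CNTRL","hostname":"mac-desk","attributes":{"custom:falconScore":"62","node:os":"macos"}}
{"nodeId":"nCCCC3CNTRL","hostname":"ubuntu-box","attributes":{"node:os":"linux"}}
"""

# A single posture condition as written in the policy file,
# for example "custom:falconScore >= 70".
CONDITION_RE = re.compile(r"^(\S+)\s*(>=|<=|==|!=|>|<)\s*(\S+)$")
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b,
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def load_jsonl(text):
    """Parse the one-object-per-line output of the listing script."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def check_condition(attributes, condition):
    """True/False for a numeric condition; None when the attribute is absent
    (posturesync has not written a score for this device)."""
    m = CONDITION_RE.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition}")
    key, op, wanted = m.groups()
    if key not in attributes:
        return None
    # posturesync stores the ZTA score as a string ("75"); compare numerically.
    return OPS[op](float(attributes[key]), float(wanted))

def classify_devices(devices, conditions):
    """Group devices by whether they satisfy every condition of a posture.
    'missing' devices lack the attribute and so cannot match the posture."""
    result = {"trusted": [], "untrusted": [], "missing": []}
    for d in devices:
        outcomes = [check_condition(d.get("attributes", {}), c) for c in conditions]
        bucket = ("missing" if None in outcomes
                  else "trusted" if all(outcomes) else "untrusted")
        result[bucket].append(d["hostname"])
    return result

if __name__ == "__main__":
    report = classify_devices(load_jsonl(SAMPLE_JSONL), ["custom:falconScore >= 70"])
    print(json.dumps(report, indent=2))
```

To audit a real tailnet, pipe the listing script's output into a file and pass its contents to load_jsonl in place of SAMPLE_JSONL.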

Limitations

The posturesync utility is not currently able to identify Falcon hosts that correspond to Tailscale devices using Ubuntu, since Falcon may not collect network interface details for Ubuntu.
