Use Crowdstrike ZTA scores to restrict device access
Crowdstrike Falcon Zero Trust Assessment calculates a numeric trust score (from 0 to 100) for each device that runs a Falcon agent. Using that score as part of access rules in Tailscale can allow organizations to grant access to sensitive resources only to devices that have a high enough level of trust.
This can currently be achieved using the posturesync tool together with Tailscale's device posture features:
- Device posture attributes API, which allows customers to associate arbitrary key/value pairs with their devices.
- Posture conditions in access rules, which allows configuring additional access restrictions based on device attributes.
This document provides instructions on how to:
- Configure and run posturesync to manage a new Tailscale device posture attribute that contains Crowdstrike Falcon trust score of a given node.
- Update your Tailscale access rules to only allow certain access from trusted nodes.
What is posturesync?
The posturesync utility continuously runs as a daemon and copies Falcon trust scores to a Tailscale device posture attribute. We provide a Docker image that can be used to run posturesync in any environment that supports Docker containers. A single instance of posturesync can manage Falcon attributes for one Tailscale network (known as a tailnet).
When running, posturesync will regularly:
- Fetch a list of hosts recorded in your Falcon account, and their ZTA scores.
- Match Falcon hosts with corresponding devices in your tailnet, based on the Tailscale IP address associated with a device. This is available for Windows and macOS devices only.
- Copy the ZTA score of each device into a Tailscale device posture attribute. To do this, posturesync uses the Device posture attributes API and needs the name of a custom attribute that will contain the score. As an example, we will use an attribute called custom:falconScore.
Prerequisites
- A Tailscale OAuth client with the scopes ACL set to Read and Write, and Devices set to Read. See Setting up an OAuth client for more information.
- A Crowdstrike Falcon API client
Create a Crowdstrike Falcon API client
Generate a Crowdstrike Falcon API client that will be used to fetch a list of hosts from Falcon along with their ZTA scores.
- In Falcon, open Support and resources and then API clients and keys.
- Add a description. For the Hosts scope add Read, and for the Zero Trust scope add Read.
- Click Create, then make sure to copy the displayed Client ID and Client Secret. These will only be displayed once.
Also copy the Falcon Cloud ID, which is the third-level part of the domain name of the base URL displayed. For example, the base URL https://api.us-2.crowdstrike.com means that your Cloud ID is us-2.
Run posturesync
The posturesync utility is available as a tailscale/posturesync image on Docker Hub. It needs to run continuously as a daemon.
To test posturesync, you can run it manually on any machine that has Docker installed:
docker run tailscale/posturesync:unstable
Configure parameters
You can provide the following configuration parameters to posturesync as environment variables:
Parameter | Environment variable | Requirements
---|---|---
Name of the device posture attribute that will contain ZTA scores. This needs to be an alphanumeric string prefixed with the namespace custom: . For example, custom:falconScore . | SCORE_ATTRIBUTE | Required, string
Update frequency. | INTERVAL | Optional, string duration, defaults to 10m (10 minutes)
IP address and port used for the status web server. | LISTEN | Optional, string, defaults to :8080 (port 8080 on all IP addresses)
When set, posturesync logs the changes it would make instead of actually making them. | DRY_RUN | Optional, boolean, defaults to false
Configure the API clients
You will need to provide the Tailscale and Falcon API connection parameters. The environment variables are:
Parameter | Environment variable
---|---
Tailscale OAuth client ID | TAILSCALE_CLIENT_ID |
Tailscale OAuth client secret | TAILSCALE_CLIENT_SECRET |
Falcon client ID | FALCON_CLIENT_ID |
Falcon client secret | FALCON_CLIENT_SECRET |
Falcon cloud ID | FALCON_CLOUD |
Full example:
docker run -p 8080:8080 \
-e SCORE_ATTRIBUTE=custom:falconScore \
-e TAILSCALE_CLIENT_ID=kxxxxxxxxx \
-e TAILSCALE_CLIENT_SECRET=tskey-client-kxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxx \
-e FALCON_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxx \
-e FALCON_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxx \
-e FALCON_CLOUD=us-2 \
tailscale/posturesync:unstable
View the web status page
You can examine the list of devices that posturesync tracks on a status page available at http://localhost:8080/ on the machine on which posturesync is running.

Check node attributes
After you get posturesync running, you can confirm that the trust score attribute is being written for your Tailscale nodes by calling the Tailscale device posture attributes API, which is part of the Tailscale API.
To make this API call, you need the node ID of an individual device, which you can get from the admin console or from the tailnet devices endpoint used in the script later in this section. You also need an API access token for authentication.
$ NODE_ID=nxxxxxxCNTRL
$ API_KEY=tskey-api-xxxxxxx-xxxxxxxxxxxxxxxxxxx
$ curl -Ssu "$API_KEY:" "https://api.tailscale.com/api/v2/device/$NODE_ID/attributes" |jq
In the output, you should see the value of the custom attribute set by posturesync, as well as default attributes provided by Tailscale:
{
"attributes": {
"custom:falconScore": "75",
"node:os": "windows",
"node:osVersion": "10.0.19045.3086",
"node:tsReleaseTrack": "stable",
"node:tsVersion": "1.44.0"
}
}
You can also print all device posture attributes for all devices of your tailnet using the following script, which lists the devices once and then fetches the attributes of each node ID:
$ API_KEY=tskey-api-xxxxxxx-xxxxxxxxxxxxxxxxxxx
$ curl -Ssu "$API_KEY:" "https://api.tailscale.com/api/v2/tailnet/-/devices" \
    | jq -c '.devices[] | {nodeId, hostname}' \
    | while read -r device; do
        curl -Ssu "$API_KEY:" "https://api.tailscale.com/api/v2/device/$(echo "$device" | jq -r .nodeId)/attributes" \
          | jq --argjson device "$device" '$device + .'
      done
Adjust Tailscale access rules
Once you have posturesync running and your devices have a custom attribute that reflects their Falcon trust score, you can use that device posture attribute as part of your posture rules.
For example, to only allow access to tag:production from devices that have a Crowdstrike ZTA score of 70 or higher, you can create a new posture and use it as part of a corresponding access rule:
"postures": {
  "posture:trusted": ["custom:falconScore >= 70"],
},
"acls": [
  {
    "action": "accept",
    "src": ["autogroup:member"],
    "srcPosture": ["posture:trusted"],
    "dst": ["tag:production:*"],
  },
]
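Before turning a posture like posture:trusted into a deny-by-default rule, it helps to know which devices would actually pass it and which would be locked out because they have no score at all (for example Linux nodes that posturesync cannot match, or nodes with no Falcon agent). The following script is an added example and is not part of posturesync or Tailscale's tooling; it reads the same two API responses the curl commands above use (the tailnet devices list and each device's attributes), applies the threshold from the posture above, and groups devices into trusted, untrusted and unscored. The sample responses embedded in it are constructed, and the optional live mode assumes an API access token in a hypothetical TAILSCALE_API_KEY environment variable.

```python
"""Audit which tailnet devices would satisfy a Falcon-score posture.

Added example, not part of posturesync or the Tailscale API client.
Offline it runs against constructed sample responses; with the
hypothetical TAILSCALE_API_KEY variable set it queries the live API.
"""
import base64
import json
import os
import urllib.request

API = "https://api.tailscale.com/api/v2"
SCORE_ATTRIBUTE = "custom:falconScore"  # same name given to posturesync via SCORE_ATTRIBUTE
THRESHOLD = 70                           # mirrors the posture "custom:falconScore >= 70"


def api_get(path, api_key):
    """GET a Tailscale API path, authenticating like `curl -u "$API_KEY:"` (basic auth, empty password)."""
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    req = urllib.request.Request(API + path, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_score(value):
    """Return the score as an int, or None when the attribute is absent or not numeric.
    The attribute may come back as a JSON number or as a numeric string; both are accepted here."""
    if value is None or isinstance(value, bool):
        return None
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def classify(devices, attributes_by_node, threshold=THRESHOLD, attr=SCORE_ATTRIBUTE):
    """Group devices into trusted / untrusted / unscored.

    Unscored devices carry no score attribute at all. A posture that requires the
    attribute will not match them, so they end up denied just like low-score devices;
    listing them separately makes that coverage gap visible before the rule goes live."""
    result = {"trusted": [], "untrusted": [], "unscored": []}
    for dev in devices:
        attrs = attributes_by_node.get(dev["nodeId"], {}).get("attributes", {})
        score = parse_score(attrs.get(attr))
        entry = (dev["hostname"], dev["nodeId"], score)
        if score is None:
            result["unscored"].append(entry)
        elif score >= threshold:
            result["trusted"].append(entry)
        else:
            result["untrusted"].append(entry)
    return result


# Constructed sample responses, shaped like the real API output shown earlier on this page.
SAMPLE_DEVICES = {"devices": [
    {"nodeId": "nAAAAAACNTRL", "hostname": "win-laptop"},
    {"nodeId": "nBBBBBBCNTRL", "hostname": "mac-laptop"},
    {"nodeId": "nCCCCCCCNTRL", "hostname": "ubuntu-dev"},
]}
SAMPLE_ATTRIBUTES = {
    "nAAAAAACNTRL": {"attributes": {"custom:falconScore": "75", "node:os": "windows"}},
    "nBBBBBBCNTRL": {"attributes": {"custom:falconScore": 42, "node:os": "macos"}},
    "nCCCCCCCNTRL": {"attributes": {"node:os": "linux"}},  # never matched by posturesync, so no score
}


def audit_sample():
    """Run the classification over the constructed sample data."""
    return classify(SAMPLE_DEVICES["devices"], SAMPLE_ATTRIBUTES)


def audit_live(api_key):
    """Run the classification over the live tailnet (one attributes call per device)."""
    devices = api_get("/tailnet/-/devices", api_key)["devices"]
    attrs = {d["nodeId"]: api_get(f"/device/{d['nodeId']}/attributes", api_key) for d in devices}
    return classify(devices, attrs)


if __name__ == "__main__":
    key = os.environ.get("TAILSCALE_API_KEY")  # hypothetical variable name, not used by posturesync
    report = audit_live(key) if key else audit_sample()
    for bucket, entries in report.items():
        print(bucket)
        for hostname, node_id, score in entries:
            print(f"  {hostname} ({node_id}): {score}")
```

Run it once with DRY_RUN=true on posturesync and once after the first real sync: any device that stays in the unscored bucket will be denied by the srcPosture rule regardless of its real Falcon score, so it either needs a separate access rule or a matching fix before the rule is enforced.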
Limitations
The posturesync utility is not currently able to identify Falcon hosts that correspond to Tailscale devices running Ubuntu, since Falcon may not collect network interface details for Ubuntu. Such devices do not receive the score attribute, so they will not satisfy a posture that requires it, even if Falcon assigns them a high ZTA score.