#!/usr/bin/env bash
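# Falcon API credentials and enrollment parameters.
#
# Replace the placeholders below, or — preferably — export FALCON_CLIENT_ID,
# FALCON_CLIENT_SECRET, FALCON_CID, FALCON_INSTALL_TOKEN and FALCON_API_HOST in the
# environment so that no secret has to live in this file (which ends up in
# shell history, MDM logs and gists). The placeholders remain the defaults,
# so existing usage (editing the file) keeps working.
CLIENT_ID="${FALCON_CLIENT_ID:-_FALCON_API_CLIENT_ID_}"
CLIENT_SECRET="${FALCON_CLIENT_SECRET:-FALCON_API_CLIENT_SECRET_}"
CID="${FALCON_CID:-_FALCON_CID_}"
TOKEN="${FALCON_INSTALL_TOKEN:-_FALCON_INSTALL_TOKEN}"
# Regional API endpoint; must match the region the CID lives in.
API_HOST="${FALCON_API_HOST:-api.eu-1.crowdstrike.com}"
# Nothing below may silently rebind these.
readonly CLIENT_ID CLIENT_SECRET CID TOKEN API_HOST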
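#######################################
# Orchestrates the macOS Falcon sensor install: writes the configuration
# profile, asks the user to approve it, then fetches and installs the latest
# mac sensor package via the Falcon API and verifies the sensor is operational.
# Globals:   reads CID/TOKEN/CLIENT_* indirectly via the helper functions
# Arguments: none
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   exits 1 on any failed step, 0 on success
#######################################
function main() {
  local falconctl=/Applications/Falcon.app/Contents/Resources/falconctl
  if [[ ${EUID} -ne 0 ]]; then
    echo "ERROR: this script must be run as root" >&2
    exit 1
  fi
  if isSensorHealthy; then
    echo "Unloading previously installed sensor"
    if ! sudo "${falconctl}" unload; then
      echo "ERROR: could not unload the existing sensor" >&2
      exit 1
    fi
  fi
  echo "Installing profile..."
  local profilePath
  profilePath="$(getProfile)" || profilePath=""
  if [[ -z "${profilePath}" ]]; then
    echo "ERROR: could not write the configuration profile" >&2
    exit 1
  fi
  openInstallProfile "${profilePath}" || exit 1
  # The original script had an unconditional 'exit 0' at this point, which made
  # every step below unreachable: the profile was opened but the sensor was
  # never downloaded or installed.
  waitForInstall
  quitSystemPrefs
  rm -f -- "${profilePath}"
  echo "Retrieving sensor boostrap..."
  local sensorAccessToken latestSensorHash
  # Split declaration from assignment so a failing helper is not masked.
  sensorAccessToken="$(getFalconAccessToken)" || sensorAccessToken=""
  if [[ -z "${sensorAccessToken}" ]]; then
    echo "ERROR: could not obtain a Falcon API access token (check CLIENT_ID/CLIENT_SECRET/API_HOST)" >&2
    exit 1
  fi
  latestSensorHash="$(getSensorhash "${sensorAccessToken}")" || latestSensorHash=""
  if [[ -z "${latestSensorHash}" ]]; then
    echo "ERROR: could not determine the latest mac sensor installer" >&2
    exit 1
  fi
  echo "Installing sensor..."
  installSensor "${sensorAccessToken}" "${latestSensorHash}"
  echo "Loading sensor..."
  if ! loadSensor; then
    echo "ERROR: falconctl load failed" >&2
    exit 1
  fi
  echo "Testing sensor..."
  if ! isSensorHealthy; then
    echo "ERROR: sensor still not healthy, please contact support" >&2
    exit 1
  fi
  echo "Falcon sensor successfully installed!"
}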
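#######################################
# Exchanges the API client credentials for an OAuth2 bearer token.
# Globals:   CLIENT_ID, CLIENT_SECRET, API_HOST (read)
# Arguments: none
# Outputs:   the access token on stdout
# Returns:   non-zero if the HTTP request fails or the response has no
#            'access_token' field (python3 exits non-zero on the KeyError)
#######################################
function getFalconAccessToken() {
  local response
  # The secret is fed to curl on stdin ('-d @-') instead of argv, so it does not
  # show up in 'ps' output or in any 'set -x' trace. '--fail' turns HTTP errors
  # into a non-zero exit instead of handing an error document to the parser.
  response="$(printf 'client_id=%s&client_secret=%s' "${CLIENT_ID}" "${CLIENT_SECRET}" \
    | curl -sS --fail -X POST -d @- "https://${API_HOST}/oauth2/token")" || return 1
  # python3 is used because macOS ships no jq; on recent macOS python3 requires
  # the Xcode Command Line Tools to be installed.
  printf '%s' "${response}" \
    | python3 -c 'import sys, json; print(json.load(sys.stdin)["access_token"])'
}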
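#######################################
# Looks up the sha256 of the first mac sensor installer the API returns.
# Globals:   API_HOST (read)
# Arguments: $1 - bearer token from getFalconAccessToken
# Outputs:   the installer sha256 on stdout (this value doubles as the
#            download id used by installSensor)
# Returns:   non-zero on a missing token, a failed request, or an empty
#            'resources' list
#######################################
function getSensorhash() {
  local bearer="$1"
  local response
  if [[ -z "${bearer}" ]]; then
    echo "ERROR: getSensorhash called without a token" >&2
    return 1
  fi
  # Header is passed via stdin ('-H @-', curl >= 7.55) to keep the bearer token
  # out of argv/'ps'. '--fail' stops an HTTP error body reaching the parser.
  response="$(curl -sS --fail -H @- \
    "https://${API_HOST}/sensors/combined/installers/v1?filter=platform%3A%22mac%22" \
    <<<"Authorization: Bearer ${bearer}")" || return 1
  # NOTE(review): this takes resources[0] as "latest", relying on the API's
  # default ordering — confirm, or add an explicit version sort to the query.
  printf '%s' "${response}" | python3 -c '
import sys, json
resources = json.load(sys.stdin).get("resources") or []
if not resources:
    sys.exit("no mac sensor installer returned by the API")
print(resources[0]["sha256"])'
}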
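#######################################
# Reports whether the installed sensor says it is operational.
# Arguments: none
# Returns:   0 if 'falconctl stats' prints 'Sensor operational: true',
#            1 if falconctl is absent or reports anything else
#######################################
function isSensorHealthy() {
  local falconctl=/Applications/Falcon.app/Contents/Resources/falconctl
  # Before the sensor is installed falconctl does not exist; answer "not
  # healthy" quietly instead of printing a "No such file" error.
  [[ -x "${falconctl}" ]] || return 1
  "${falconctl}" stats | grep -q 'Sensor operational: true'
}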
#######################################
# Loads (starts) the installed Falcon sensor.
# Arguments: none
# Returns:   the exit status of 'falconctl load'
#######################################
function loadSensor() {
  local -r falconctl=/Applications/Falcon.app/Contents/Resources/falconctl
  sudo "${falconctl}" load
}
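#######################################
# Downloads the sensor package identified by $2, verifies it and installs it,
# then applies the CID / install token.
# Globals:   API_HOST, CID, TOKEN (read)
# Arguments: $1 - bearer token
#            $2 - installer id, which is the package's sha256 (see getSensorhash)
# Outputs:   installer progress on stdout, errors on stderr
# Returns:   exits 1 on missing arguments, failed download, failed integrity or
#            signature check, installer failure, or missing falconctl afterwards
#######################################
function installSensor() {
  local apiToken="$1"
  local hash="$2"
  local falconctl=/Applications/Falcon.app/Contents/Resources/falconctl
  # Team ID the configuration profile already trusts for the Falcon extensions.
  local teamId="X9E956P446"
  if [[ -z "${apiToken}" || -z "${hash}" ]]; then
    echo "token and/or hash not detected, exiting" >&2
    exit 1
  fi
  # A private directory from mktemp -d: the original appended '.pkg' to a mktemp
  # name, which produced an unreserved, guessable path and leaked the empty
  # mktemp file.
  local workDir sensorPath
  workDir="$(mktemp -d)" || exit 1
  sensorPath="${workDir}/falcon-sensor.pkg"
  # Bearer token goes to curl via stdin ('-H @-', curl >= 7.55), not argv.
  if ! curl -sS --fail -o "${sensorPath}" -H @- \
      "https://${API_HOST}/sensors/entities/download-installer/v1?id=${hash}" \
      <<<"Authorization: Bearer ${apiToken}"; then
    echo "ERROR: sensor download failed" >&2
    rm -rf -- "${workDir:?}"
    exit 1
  fi
  # Integrity: the download id *is* the package sha256, so check the bytes we
  # actually received before handing them to installer(8).
  if ! printf '%s  %s\n' "${hash}" "${sensorPath}" | shasum -a 256 -c --status; then
    echo "ERROR: downloaded package does not match sha256 ${hash}" >&2
    rm -rf -- "${workDir:?}"
    exit 1
  fi
  # Authenticity: require an Apple-issued package signature from the same
  # Team ID the profile allows system extensions for. Fail closed otherwise.
  if ! pkgutil --check-signature "${sensorPath}" | grep -q "${teamId}"; then
    echo "ERROR: package is not signed by Team ID ${teamId}; refusing to install" >&2
    rm -rf -- "${workDir:?}"
    exit 1
  fi
  if ! sudo installer -verboseR -pkg "${sensorPath}" -target /; then
    echo "ERROR: installer failed" >&2
    rm -rf -- "${workDir:?}"
    exit 1
  fi
  rm -rf -- "${workDir:?}"
  if [[ ! -f "${falconctl}" ]]; then
    echo "ERROR: falconctl not installed, exiting" >&2
    exit 1
  fi
  # Best-effort, as in the original: licensing failure is tolerated here and
  # surfaced by the health check in main instead.
  sudo "${falconctl}" license "${CID}" "${TOKEN}" || true
}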
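#######################################
# Opens the Profiles preference pane on the given .mobileconfig so the user
# can approve it.
# Arguments: $1 - path to the profile written by getProfile
# Returns:   1 if the path is empty or missing, else the exit status of 'open'
#######################################
function openInstallProfile() {
  local profilePath="$1"
  if [[ -z "${profilePath}" || ! -f "${profilePath}" ]]; then
    echo "ERROR: profile not found: '${profilePath}'" >&2
    return 1
  fi
  # The original enabled 'set -x' and 'set -e' here. Both are shell-wide, not
  # function-local, so they stayed on for the rest of the run: the trace would
  # print every later command — including the curl invocations carrying
  # CLIENT_SECRET and the bearer token — to stderr. Neither is needed.
  open /System/Library/PreferencePanes/Profiles.prefPane "${profilePath}"
}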
#######################################
# Blocks until the user dismisses a dialog confirming the profile was approved.
# Arguments: none
# Returns:   the exit status of osascript
#######################################
function waitForInstall() {
  local -r prompt='display dialog "Did you install the profile in System Preferences>Profiles?\nIf so, we can start installing the sensor for you." buttons {"Yes"}'
  osascript -e "${prompt}"
}
#######################################
# Asks System Preferences to quit via AppleScript.
# Arguments: none
# Returns:   the exit status of osascript
#######################################
function quitSystemPrefs() {
  local -r script='quit app "System Preferences"'
  osascript -e "${script}"
}
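#######################################
# Writes the Falcon configuration profile (web content filter, system
# extension policy, kernel extension policy and PPPC/TCC grants for Team ID
# X9E956P446) to a private temporary directory.
# Arguments: none
# Outputs:   the profile path on stdout
# Returns:   non-zero if the temp directory or file cannot be created
#
# Security notes on the original: it used the fixed path /tmp/falcon.mobileconfig
# and chmod 666'd it. Writing a fixed name in world-writable /tmp as root follows
# a pre-planted symlink to any file, and a world-writable profile lets any local
# user rewrite it between this write and the user's approval in System
# Preferences. The profile is now created in a fresh mktemp -d directory and is
# world-readable but root-writable only.
#
# NOTE(review): the system-extension payload sets AllowUserOverrides=true,
# which lets users approve extensions outside the allow-list; tighten to false
# if that is not intended for this fleet.
#######################################
function getProfile() {
  local profileDir profilePath
  profileDir="$(mktemp -d)" || return 1
  profilePath="${profileDir}/falcon.mobileconfig"
  # The Profiles pane runs in the console user's GUI session, so the directory
  # and file must be readable by that user (hence 755/644, not 700/600).
  chmod 755 "${profileDir}" || return 1
  : > "${profilePath}" || return 1
  chmod 644 "${profilePath}" || return 1
  # Quoted delimiter: the plist contains no shell expansions and must never get any.
  cat <<'EOF' > "${profilePath}"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>863BE372-D1FA-4082-85B2-3B8FE63797C5</string>
<key>PayloadIdentifier</key>
<string>863BE372-D1FA-4082-85B2-3B8FE63797C5</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>IRON Security</string>
<key>PayloadDisplayName</key>
<string>IRON Sensor Permissions</string>
<key>PayloadDescription</key>
<string>Kernel Extensions, System Extensions, and Privacy Preferences for the IRON sensor.</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>FilterBrowsers</key>
<false/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
<key>FilterPacketProviderBundleIdentifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>FilterPacketProviderDesignatedRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
<key>FilterGrade</key>
<string>inspector</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>Organization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>Web Content Filter</string>
<key>PayloadIdentifier</key>
<string>2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadUUID</key>
<string>2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PluginBundleID</key>
<string>com.crowdstrike.falcon.App</string>
<key>UserDefinedName</key>
<string>Falcon</string>
</dict>
<dict>
<key>PayloadUUID</key>
<string>20258B06-5866-4424-8893-A3AF1AFAAEDC</string>
<key>PayloadIdentifier</key>
<string>20258B06-5866-4424-8893-A3AF1AFAAEDC</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>System Extensions</string>
<key>PayloadDescription</key>
<string>Configures System Extensions Policy settings</string>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>X9E956P446</key>
<array>
<string>com.crowdstrike.falcon.Agent</string>
</array>
</dict>
<key>AllowedSystemExtensionTypes</key>
<dict>
<key>X9E956P446</key>
<array>
<string>EndpointSecurityExtension</string>
<string>NetworkExtension</string>
</array>
</dict>
</dict>
<dict>
<key>PayloadUUID</key>
<string>E45B5986-74A6-4B6A-A4CA-E179516A7F52</string>
<key>PayloadIdentifier</key>
<string>E45B5986-74A6-4B6A-A4CA-E179516A7F52</string>
<key>PayloadType</key>
<string>com.apple.system-extensions.admin</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>App System Extension Control</string>
<key>PayloadDescription</key>
<string>Controls the system extension loading/unloading</string>
<key>AllowedTeamIdentifiers</key>
<array>
<string>X9E956P446</string>
</array>
</dict>
<dict>
<key>PayloadUUID</key>
<string>5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE</string>
<key>PayloadIdentifier</key>
<string>5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE</string>
<key>PayloadType</key>
<string>com.apple.syspolicy.kernel-extension-policy</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>Kernel Extensions</string>
<key>PayloadDescription</key>
<string>Configures Kernel Extension Policy settings</string>
<key>AllowedTeamIdentifiers</key>
<array>
<string>X9E956P446</string>
</array>
</dict>
<dict>
<key>PayloadUUID</key>
<string>9A10BE5D-5E46-4C22-89C9-20597A04B616</string>
<key>PayloadIdentifier</key>
<string>9A10BE5D-5E46-4C22-89C9-20597A04B616</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>Privacy Preferences</string>
<key>PayloadDescription</key>
<string>Configures Privacy Preferences Policy Control settings</string>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.crowdstrike.falcon.App</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
</array>
</dict>
</dict>
</array>
</dict>
</plist>
EOF
  echo "${profilePath}"
}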
main