From 1eccf322402435a2534fedb3edaa2ec03d4dc618 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Fri, 16 Aug 2024 16:20:06 -0400 Subject: [PATCH] feat(bash install): add ability to prepare the sensor for gold images (#358) * feat(bash install): add ability to prepare the sensor for gold images Fixes #355 This PR introduces the ability to now prepare the Falcon sensor to be created as a gold image/template. It also fixes some minor output issues. * fix(bash uninstall): fixes issue with silent error Since we use set -e, if you weren't setting FALCON_REMOVE_HOST then it would stop at the end of the cs_sensor_installed(). * docs(bash install): updated readme to reflect new gold image option Also refactored the README to be more readable imo. TOC helps someone see the layout and choose their own path. --- bash/install/README.md | 88 ++++++++++++++++++++++---- bash/install/falcon-linux-install.sh | 46 +++++++++++++- bash/install/falcon-linux-uninstall.sh | 6 +- 3 files changed, 121 insertions(+), 19 deletions(-) diff --git a/bash/install/README.md b/bash/install/README.md index d0a432a..f0148db 100644 --- a/bash/install/README.md +++ b/bash/install/README.md @@ -3,7 +3,7 @@ Bash script to install Falcon Sensor through the Falcon APIs on a Linux endpoint. By default, this script will install, register the sensor, and start the service. If you would like to simply install the sensor without any additional configurations, configure the `FALCON_INSTALL_ONLY` -environment variable. +environment variable. Consult the Environment Variables for each script for more information. ## Security Recommendations 
@@ -13,6 +13,20 @@ We have identified a security concern related to cURL versions prior to 7.55, wh To check your version of cURL, run the following command: `curl --version` +## Table of Contents + +- [Falcon API Permissions](#falcon-api-permissions) +- [Configuration](#configuration) + - [Setting up Authentication](#setting-up-authentication) +- [Install Script](#install-script) + - [Usage](#usage) + - [Examples](#examples) +- [Uninstall Script](#uninstall-script) + - [Usage](#usage-1) + - [Examples](#examples-1) +- [Troubleshooting](#troubleshooting) + + ## Falcon API Permissions API clients are granted one or more API scopes. Scopes allow access to specific CrowdStrike APIs and describe the actions that an API client can perform. @@ -71,7 +85,7 @@ export FALCON_CLOUD="us-1" The installer is AWS SSM aware, if `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET` are not provided AND the script is running on an AWS instance, the script will try to get API credentials from the SSM store of the region. -### Install +## Install Script ```terminal Installs and configures the CrowdStrike Falcon Sensor for Linux. 
@@ -153,35 +167,66 @@ Other Options Prints an access token and exits. Requires FALCON_CLIENT_ID and FALCON_CLIENT_SECRET. Accepted values are ['true', 'false']. + + - PREP_GOLDEN_IMAGE (default: false) + To prepare the sensor to be used in a golden image. + Accepted values are ['true', 'false']. ``` -***Examples***: +### Usage -To download and run the script: +To download and run the script directly: ```bash +export FALCON_CLIENT_ID="XXXXXXX" +export FALCON_CLIENT_SECRET="YYYYYYYYY" curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-install.sh | bash ``` -Alternatively, you can run the script by cloning the repo: +Alternatively, download the script and run it locally: + +```bash +export FALCON_CLIENT_ID="XXXXXXX" +export FALCON_CLIENT_SECRET="YYYYYYYYY" +curl -O https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-install.sh +bash falcon-linux-install.sh +``` + +Or pass the environment variables directly to the script: ```bash -git clone https://github.com/crowdstrike/falcon-scripts +FALCON_CLIENT_ID="XXXXXXX" FALCON_CLIENT_SECRET="YYYYYYYYY" bash falcon-linux-install.sh ``` -Then, run the following command: +### Examples + +#### Install the latest Falcon Sensor with the default settings ```bash -./falcon-linux-install.sh +export FALCON_CLIENT_ID="XXXXXXX" +export FALCON_CLIENT_SECRET="YYYYYYYYY" +curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-install.sh | bash ``` -or +#### Install the Falcon Sensor with the previous version (n-1) ```bash -bash falcon-linux-install.sh +export FALCON_CLIENT_ID="XXXXXXX" +export FALCON_CLIENT_SECRET="YYYYYYYYY" +export FALCON_SENSOR_VERSION_DECREMENT=1 +curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-install.sh | bash +``` + +#### Create a Golden Image + +```bash +export FALCON_CLIENT_ID="XXXXXXX" +export 
FALCON_CLIENT_SECRET="YYYYYYYYY" +export PREP_GOLDEN_IMAGE="true" +curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-install.sh | bash ``` -### Uninstall +## Uninstall Script ```terminal Uninstalls the CrowdStrike Falcon Sensor from Linux operating systems. @@ -223,15 +268,30 @@ Other Options: The proxy port for the sensor to use when communicating with CrowdStrike. ``` -***Examples***: +### Usage + +#### To download and run the script directly + +```bash +curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-uninstall.sh | bash +``` + +#### Alternatively, download the script and run it locally + +```bash +curl -O https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-uninstall.sh +bash falcon-linux-uninstall.sh +``` + +### Examples -To download and run the script: +#### Uninstall the Falcon Sensor ```bash curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-uninstall.sh | bash ``` -Uninstall and remove the host from the Falcon console: +#### Uninstall and remove the host from the Falcon console ```bash export FALCON_CLIENT_ID="XXXXXXX" diff --git a/bash/install/falcon-linux-install.sh b/bash/install/falcon-linux-install.sh index 3d10368..25695e1 100755 --- a/bash/install/falcon-linux-install.sh +++ b/bash/install/falcon-linux-install.sh @@ -77,11 +77,15 @@ Other Options - ALLOW_LEGACY_CURL (default: false) To use the legacy version of curl; version < 7.55.0. - - GET_ACCESS_TOKEN (default: unset) + - GET_ACCESS_TOKEN (default: false) Prints an access token and exits. Requires FALCON_CLIENT_ID and FALCON_CLIENT_SECRET. Accepted values are ['true', 'false']. + - PREP_GOLDEN_IMAGE (default: false) + To prepare the sensor to be used in a golden image. + Accepted values are ['true', 'false']. + EOF } 
@@ -121,7 +125,14 @@ main() {
 cs_sensor_restart
 echo '[ Ok ]'
 fi
- echo 'Falcon Sensor installed successfully.'
+ if [ "${PREP_GOLDEN_IMAGE}" = "true" ]; then
+ echo -n 'Prepping Golden Image ... '
+ cs_golden_image_prep
+ echo '[ Ok ]'
+ echo 'Falcon Sensor is ready for golden image creation.'
+ else
+ echo 'Falcon Sensor installed successfully.'
+ fi
 }
 
 cs_sensor_register() {
@@ -171,7 +182,7 @@ cs_sensor_register() {
 fi
 # run the configuration command
 # shellcheck disable=SC2086
- /opt/CrowdStrike/falconctl -s -f ${cs_falcon_args}
+ /opt/CrowdStrike/falconctl -s -f ${cs_falcon_args} >/dev/null
 }
 
 cs_sensor_is_running() {
@@ -191,6 +202,35 @@ cs_sensor_restart() {
 fi
 }
 
+cs_golden_image_prep() {
+ local wait_time=60
+ local sleep_interval=5
+ local aid
+
+ get_aid() {
+ /opt/CrowdStrike/falconctl -g --aid | awk -F '"' '{print $2}'
+ }
+
+ aid=$(get_aid)
+ while [ -z "$aid" ]; do
+ if [ "$wait_time" -le 0 ]; then
+ echo '[ Failed ]'
+ die "Failed to retrieve existing AID. Please check the sensor status."
+ fi
+ sleep "$sleep_interval"
+ wait_time=$((wait_time - sleep_interval))
+ aid=$(get_aid)
+ done
+
+ # Remove the aid
+ /opt/CrowdStrike/falconctl -d -f --aid >/dev/null
+
+ # Check if a provisioning token was used, if so add it back
+ if [ -n "$cs_falcon_token" ]; then
+ /opt/CrowdStrike/falconctl -s -f --provisioning-token="$cs_falcon_token" >/dev/null
+ fi
+}
+
 cs_sensor_install() {
 local tempdir package_name
 tempdir=$(mktemp -d)
diff --git a/bash/install/falcon-linux-uninstall.sh b/bash/install/falcon-linux-uninstall.sh
index 0ac334a..90dbb12 100755
--- a/bash/install/falcon-linux-uninstall.sh
+++ b/bash/install/falcon-linux-uninstall.sh
@@ -66,7 +66,7 @@ main() {
 echo -n 'Removing host from console ... '
 get_oauth_token
 cs_remove_host_from_console
- echo '[ Ok ] '
+ echo '[ Ok ]'
 fi
 echo 'Falcon Sensor removed successfully.'
 }
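Review bot: In the cs_golden_image_prep hunk, the nested `get_aid()` definition is not scoped to the function: neither bash nor POSIX sh has function-local functions, so it is redefined globally every time the prep runs and would silently replace any other `get_aid` defined in the script. Either inline the pipeline at both call sites, `aid=$(/opt/CrowdStrike/falconctl -g --aid | awk -F '"' '{print $2}')`, or define `get_aid` once at top level beside the other `cs_*` helpers. The final check reads `$cs_falcon_token`, which is assigned outside this hunk; if the script runs under `set -u`, an unset token would abort the prep, and `[ -n "${cs_falcon_token:-}" ]` keeps the check safe either way. A header comment would also help operators, e.g. `# Blocks for up to wait_time seconds until falconctl reports an AID, deletes it so the image does not clone a registered identity, then re-applies the provisioning token if one was used.`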
@@ -119,7 +119,9 @@ cs_sensor_installed() {
 echo "Falcon sensor is already uninstalled." && exit 0
 fi
 # Get AID if FALCON_REMOVE_HOST is set to true and sensor is installed
- [ "${FALCON_REMOVE_HOST}" = "true" ] && get_aid
+ if [ "${FALCON_REMOVE_HOST}" = "true" ]; then
+ get_aid
+ fi
 }
 
 old_curl=$(