Skip to content

Commit

Permalink
Update powershell and bash scripts to provide and accept access token…
Browse files Browse the repository at this point in the history 
…s. Added functionality to remove hosts in bash unsintall script
  • Loading branch information
Gax Theodorio committed Apr 3, 2024
1 parent 7006303 commit 7240fe0
Show file tree
Hide file tree
Showing 6 changed files with 418 additions and 115 deletions.
13 changes: 13 additions & 0 deletions bash/install/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,17 @@ Ensure the following API scopes are enabled:
export FALCON_CLIENT_ID="XXXXXXX"
export FALCON_CLIENT_SECRET="YYYYYYYYY"
```
**You can also specify a falcon access token if doing a batch install across multiple machines to prevent the need to call the token endpoint multiple times. If using the an access token to authenticate, you MUST also provide `FALCON_CLOUD`:**
```bash
export FALCON_ACCESS_TOKEN="XXXXXXXX"
export FALCON_CLOUD="us-1"
```
**To retrieve your falcon access token, set the GET_ACCESS_TOKEN. The Falcon sensor will NOT be installed while this variable is set**
```bash
export FALCON_CLIENT_ID="XXXXXXX"
export FALCON_CLIENT_SECRET="YYYYYYYYY"
export GET_ACCESS_TOKEN="true"
```

The installer is AWS SSM aware, if `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET` are not provided AND the script is running on an AWS instance, the script will try to get API credentials from the SSM store of the region.

Expand All @@ -51,6 +62,8 @@ FALCON_BILLING (default: default) possible values: [default|m
FALCON_BACKEND (default: auto) possible values: [auto|bpf|kernel]
FALCON_TRACE (default: none) possible values: [none|err|warn|info|debug]
ALLOW_LEGACY_CURL (default: false)
GET_ACCESS_TOKEN (default: false) possible values: [true|false]
FALCON_REMOVE_HOST (default: true)
```

**Run the script**:
Expand Down
83 changes: 53 additions & 30 deletions bash/install/falcon-linux-install.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,12 @@ CrowdStrike API credentials are needed to download Falcon sensor. The script rec
- FALCON_CLIENT_ID
- FALCON_CLIENT_SECRET
or
- FALCON_ACCESS_TOKEN (default: unset)
- FALCON_CLOUD (default: auto)
Optional:
- FALCON_CID (default: auto)
- FALCON_CLOUD (default: auto)
- FALCON_SENSOR_VERSION_DECREMENT (default: 0 [latest])
- FALCON_PROVISIONING_TOKEN (default: unset)
- FALCON_SENSOR_UPDATE_POLICY_NAME (default: unset)
Expand All @@ -25,6 +27,7 @@ Optional:
- FALCON_UNINSTALL (default: false)
- FALCON_INSTALL_ONLY (default: false)
- ALLOW_LEGACY_CURL (default: false)
- GET_ACCESS_TOKEN (default: false) possible values: [true|false]
EOF
}

Expand All @@ -33,6 +36,12 @@ main() {
print_usage
exit 1
fi

if [ "$GET_ACCESS_TOKEN" = "true" ]; then
echo "$cs_falcon_oauth_token"
exit 1
fi

echo -n 'Check if Falcon Sensor is running ... '
cs_sensor_is_running
echo '[ Not present ]'
Expand Down Expand Up @@ -621,25 +630,32 @@ aws_instance=$(
fi
)

cs_falcon_client_id=$(
if [ -n "$FALCON_CLIENT_ID" ]; then
echo "$FALCON_CLIENT_ID"
elif [ -n "$aws_instance" ]; then
aws_ssm_parameter "FALCON_CLIENT_ID" | json_value Value 1
else
die "Missing FALCON_CLIENT_ID environment variable. Please provide your OAuth2 API Client ID for authentication with CrowdStrike Falcon platform. Establishing and retrieving OAuth2 API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys."
fi
)
if [ -z "$FALCON_ACCESS_TOKEN" ]; then
cs_falcon_client_id=$(
if [ -n "$FALCON_CLIENT_ID" ]; then
echo "$FALCON_CLIENT_ID"
elif [ -n "$aws_instance" ]; then
aws_ssm_parameter "FALCON_CLIENT_ID" | json_value Value 1
else
die "Missing FALCON_CLIENT_ID environment variable. Please provide your OAuth2 API Client ID for authentication with CrowdStrike Falcon platform. Establishing and retrieving OAuth2 API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys."
fi
)

cs_falcon_client_secret=$(
if [ -n "$FALCON_CLIENT_SECRET" ]; then
echo "$FALCON_CLIENT_SECRET"
elif [ -n "$aws_instance" ]; then
aws_ssm_parameter "FALCON_CLIENT_SECRET" | json_value Value 1
else
die "Missing FALCON_CLIENT_SECRET environment variable. Please provide your OAuth2 API Client Secret for authentication with CrowdStrike Falcon platform. Establishing and retrieving OAuth2 API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys."
cs_falcon_client_secret=$(
if [ -n "$FALCON_CLIENT_SECRET" ]; then
echo "$FALCON_CLIENT_SECRET"
elif [ -n "$aws_instance" ]; then
aws_ssm_parameter "FALCON_CLIENT_SECRET" | json_value Value 1
else
die "Missing FALCON_CLIENT_SECRET environment variable. Please provide your OAuth2 API Client Secret for authentication with CrowdStrike Falcon platform. Establishing and retrieving OAuth2 API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys."
fi
)
else
if [ -z "$FALCON_CLOUD" ]; then
die "If setting the FALCON_ACCESS_TOKEN manually, you must also specify the FALCON_CLOUD"
fi
)
fi


cs_falcon_token=$(
if [ -n "$FALCON_PROVISIONING_TOKEN" ]; then
Expand Down Expand Up @@ -701,18 +717,22 @@ proxy=$(
)

cs_falcon_oauth_token=$(
token_result=$(echo "client_id=$cs_falcon_client_id&client_secret=$cs_falcon_client_secret" |
curl -X POST -s -x "$proxy" -L "https://$(cs_cloud)/oauth2/token" \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
-H 'User-Agent: crowdstrike-falcon-scripts/1.3.3' \
--dump-header "${response_headers}" \
--data @-)
if [ -n "$FALCON_ACCESS_TOKEN" ]; then
token=$FALCON_ACCESS_TOKEN
else
token_result=$(echo "client_id=$cs_falcon_client_id&client_secret=$cs_falcon_client_secret" |
curl -X POST -s -x "$proxy" -L "https://$(cs_cloud)/oauth2/token" \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
-H 'User-Agent: crowdstrike-falcon-scripts/1.3.3' \
--dump-header "${response_headers}" \
--data @-)
handle_curl_error $?
handle_curl_error $?
token=$(echo "$token_result" | json_value "access_token" | sed 's/ *$//g' | sed 's/^ *//g')
if [ -z "$token" ]; then
die "Unable to obtain CrowdStrike Falcon OAuth Token. Response was $token_result"
token=$(echo "$token_result" | json_value "access_token" | sed 's/ *$//g' | sed 's/^ *//g')
if [ -z "$token" ]; then
die "Unable to obtain CrowdStrike Falcon OAuth Token. Response was $token_result"
fi
fi
echo "$token"
)
Expand All @@ -726,7 +746,9 @@ if [ -z "${FALCON_CLOUD}" ]; then
fi
cs_falcon_cloud="${region_hint}"
else
if [ "x${FALCON_CLOUD}" != "x${region_hint}" ]; then
if [ -n "$FALCON_ACCESS_TOKEN" ]; then
:
elif [ "x${FALCON_CLOUD}" != "x${region_hint}" ]; then
echo "WARNING: FALCON_CLOUD='${FALCON_CLOUD}' environment variable specified while credentials only exists in '${region_hint}'" >&2
fi
fi
Expand Down Expand Up @@ -822,4 +844,5 @@ if [ -n "$FALCON_TRACE" ]; then
)
fi

main "$@"

main "$@"
214 changes: 212 additions & 2 deletions bash/install/falcon-linux-uninstall.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,21 @@ print_usage() {
cat <<EOF
This script removes the CrowdStrike Falcon Sensor for Linux from the operating system.
Crowdstrike API credentials are needed to remove host from the Falcon console
- FALCON_CLIENT_ID
- FALCON_CLIENT_SECRET
or
- FALCON_ACCESS_TOKEN (default: unset)
- FALCON_CLOUD (default: auto)
Optional:
- GET_ACCESS_TOKEN (default: false) possible values: [true|false
- FALCON_APH (default: unset)
- FALCON_APP (default: unset)
- FALCON_REMOVE_HOST (default: true)
EOF
}

Expand All @@ -12,10 +27,20 @@ main() {
print_usage
exit 1
fi

if [ "$GET_ACCESS_TOKEN" = "true" ]; then
echo "$cs_falcon_oauth_token"
exit 1
fi
echo -n 'Removing Falcon Sensor ... '
cs_sensor_remove
echo '[ Ok ]'
echo 'Falcon Sensor removed successfully.'
if [ -z "$FALCON_REMOVE_HOST" ] || [ "${FALCON_INSTALL_ONLY}" = "true" ]; then
echo -n 'Removing host from console ... '
cs_remove_host_from_console
echo '[ Ok ] '
fi
echo 'Falcon Sensor removed successfully. '
}

cs_sensor_remove() {
Expand All @@ -38,4 +63,189 @@ cs_sensor_remove() {
remove_package "falcon-sensor"
}

main "$@"
cs_remove_host_from_console(){
if [ "$aid" = "" ]; then
echo 'unable to find aid'
else
curl_command -X "POST" "https://$(cs_cloud)/devices/entities/devices-actions/v2?action_name=hide_host" -d "{ \"ids\": [ \"$aid\" ]}" -H 'Content-Type: application/json'
handle_curl_error $?
fi
}

cs_cloud() {
case "${cs_falcon_cloud}" in
us-1) echo "api.crowdstrike.com" ;;
us-2) echo "api.us-2.crowdstrike.com" ;;
eu-1) echo "api.eu-1.crowdstrike.com" ;;
us-gov-1) echo "api.laggar.gcw.crowdstrike.com" ;;
*) die "Unrecognized Falcon Cloud: ${cs_falcon_cloud}" ;;
esac
}

old_curl=$(
if ! command -v curl >/dev/null 2>&1; then
die "The 'curl' command is missing. Please install it before continuing. Aborting..."
fi
version=$(curl --version | head -n 1 | awk '{ print $2 }')
minimum="7.55"
# Check if the version is less than the minimum
if printf "%s\n" "$version" "$minimum" | sort -V -C; then
echo 0
else
echo 1
fi
)

curl_command() {
# Dash does not support arrays, so we have to pass the args as separate arguments
set -- "$@"

if [ "$old_curl" -eq 0 ]; then
curl -s -x "$proxy" -L -H "Authorization: Bearer ${cs_falcon_oauth_token}" "$@"
else
echo "Authorization: Bearer ${cs_falcon_oauth_token}" | curl -s -x "$proxy" -L -H @- "$@"
fi
}

handle_curl_error() {
if [ "$1" = "28" ]; then
err_msg="Operation timed out (exit code 28)."
if [ -n "$proxy" ]; then
err_msg="$err_msg A proxy was used to communicate ($proxy). Please check your proxy settings."
fi
die "$err_msg"
fi

if [ "$1" = "5" ]; then
err_msg="Couldn't resolve proxy (exit code 5). The address ($proxy) of the given proxy host could not be resolved. Please check your proxy settings."
die "$err_msg"
fi

if [ "$1" = "7" ]; then
err_msg="Failed to connect to host (exit code 7). Host found, but unable to open connection with host."
if [ -n "$proxy" ]; then
err_msg="$err_msg A proxy was used to communicate ($proxy). Please check your proxy settings."
fi
die "$err_msg"
fi
}

json_value() {
KEY=$1
num=$2
awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'"$KEY"'\042/){print $(i+1)}}}' | tr -d '"' | sed -n "${num}p"
}

die() {
echo "Fatal error: $*" >&2
exit 1
}


cs_falcon_cloud=$(
if [ -n "$FALCON_CLOUD" ]; then
echo "$FALCON_CLOUD"
else
# Auto-discovery is using us-1 initially
echo "us-1"
fi
)

response_headers=$(mktemp)
proxy=$(
proxy=""
if [ -n "$FALCON_APH" ]; then
proxy="$(echo "$FALCON_APH" | sed "s|http.*://||")"
if [ -n "$FALCON_APP" ]; then
proxy="$proxy:$FALCON_APP"
fi
fi
if [ -n "$proxy" ]; then
# Remove redundant quotes
proxy="$(echo "$proxy" | sed "s/[\'\"]//g")"
proxy="http://$proxy"
fi
echo "$proxy"
)


if [ -z "$FALCON_ACCESS_TOKEN" ]; then
cs_falcon_client_id=$(
if [ -n "$FALCON_CLIENT_ID" ]; then
echo "$FALCON_CLIENT_ID"
elif [ -n "$aws_instance" ]; then
aws_ssm_parameter "FALCON_CLIENT_ID" | json_value Value 1
else
die "Missing FALCON_CLIENT_ID environment variable. Please provide your OAuth2 API Client ID for authentication with CrowdStrike Falcon platform. Establishing and retrieving OAuth2 API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys."
fi
)

cs_falcon_client_secret=$(
if [ -n "$FALCON_CLIENT_SECRET" ]; then
echo "$FALCON_CLIENT_SECRET"
elif [ -n "$aws_instance" ]; then
aws_ssm_parameter "FALCON_CLIENT_SECRET" | json_value Value 1
else
die "Missing FALCON_CLIENT_SECRET environment variable. Please provide your OAuth2 API Client Secret for authentication with CrowdStrike Falcon platform. Establishing and retrieving OAuth2 API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys."
fi
)
else
if [ -z "$FALCON_CLOUD" ]; then
die "If setting the FALCON_ACCESS_TOKEN manually, you must also specify the FALCON_CLOUD"
fi
fi


cs_falcon_token=$(
if [ -n "$FALCON_PROVISIONING_TOKEN" ]; then
echo "$FALCON_PROVISIONING_TOKEN"
fi
)


cs_falcon_oauth_token=$(
if [ -n "$FALCON_ACCESS_TOKEN" ]; then
token=$FALCON_ACCESS_TOKEN
else
token_result=$(echo "client_id=$cs_falcon_client_id&client_secret=$cs_falcon_client_secret" |
curl -X POST -s -x "$proxy" -L "https://$(cs_cloud)/oauth2/token" \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
-H 'User-Agent: crowdstrike-falcon-scripts/1.3.3' \
--dump-header "${response_headers}" \
--data @-)
handle_curl_error $?
token=$(echo "$token_result" | json_value "access_token" | sed 's/ *$//g' | sed 's/^ *//g')
if [ -z "$token" ]; then
die "Unable to obtain CrowdStrike Falcon OAuth Token. Response was $token_result"
fi
fi
echo "$token"
)

region_hint=$(grep -i ^x-cs-region: "$response_headers" | head -n 1 | tr '[:upper:]' '[:lower:]' | tr -d '\r' | sed 's/^x-cs-region: //g')
rm "${response_headers}"

if [ -z "${FALCON_CLOUD}" ]; then
if [ -z "${region_hint}" ]; then
die "Unable to obtain region hint from CrowdStrike Falcon OAuth API, Please provide FALCON_CLOUD environment variable as an override."
fi
cs_falcon_cloud="${region_hint}"
else
if [ -n "$FALCON_ACCESS_TOKEN" ]; then
:
elif [ "x${FALCON_CLOUD}" != "x${region_hint}" ]; then
echo "WARNING: FALCON_CLOUD='${FALCON_CLOUD}' environment variable specified while credentials only exists in '${region_hint}'" >&2
fi
fi

aid=$(
echo $(/opt/CrowdStrike/falconctl 2>/dev/null -g --aid | cut -c 6- | rev | cut -c 3- | rev)
)

main "$@"
Loading

0 comments on commit 7240fe0

Please sign in to comment.