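#!/usr/bin/env bash
# Installs the CrowdStrike Falcon sensor on a macOS host: writes and opens the
# permissions profile, fetches the installer through the Falcon API, installs
# and licenses it, then checks that the sensor reports operational.
#
# Credentials: the placeholders below can be overridden from the environment
# (FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, FALCON_CID, FALCON_INSTALL_TOKEN,
# FALCON_API_HOST) so a real client secret never has to be written into this
# file or committed alongside it. Unset variables fall back to the placeholder.
readonly CLIENT_ID="${FALCON_CLIENT_ID:-_FALCON_API_CLIENT_ID_}"
readonly CLIENT_SECRET="${FALCON_CLIENT_SECRET:-FALCON_API_CLIENT_SECRET_}"
readonly CID="${FALCON_CID:-_FALCON_CID_}"
readonly TOKEN="${FALCON_INSTALL_TOKEN:-_FALCON_INSTALL_TOKEN}"
readonly API_HOST="${FALCON_API_HOST:-api.eu-1.crowdstrike.com}"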
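function main() {
  # Entry point: profile first (the sensor's extensions need it approved),
  # then API token -> installer hash -> download/install -> load -> health
  # check. Every step that can fail aborts the script with a message on
  # stderr; diagnostics are kept off stdout so the helpers' stdout values
  # stay clean.
  if [[ $EUID -ne 0 ]]; then
    echo "ERROR: this script must be run as root" >&2
    exit 1
  fi

  if isSensorHealthy; then
    echo "Unloading previously installed sensor"
    sudo /Applications/Falcon.app/Contents/Resources/falconctl unload
  fi

  echo "Installing profile..."
  local profilePath
  profilePath=$(getProfile) || { echo "ERROR: could not write the profile" >&2; exit 1; }
  openInstallProfile "${profilePath}"
  # NOTE: an unconditional `exit 0` used to sit here, which made everything
  # below unreachable (the sensor was never installed). It has been removed.
  waitForInstall
  quitSystemPrefs
  rm -f -- "${profilePath}"

  echo "Retrieving sensor boostrap..."
  local sensorAccessToken latestSensorHash
  sensorAccessToken=$(getFalconAccessToken) \
    || { echo "ERROR: could not obtain an API access token" >&2; exit 1; }
  latestSensorHash=$(getSensorhash "${sensorAccessToken}") \
    || { echo "ERROR: could not determine the sensor installer hash" >&2; exit 1; }

  echo "Installing sensor..."
  installSensor "${sensorAccessToken}" "${latestSensorHash}"

  echo "Loading sensor..."
  loadSensor

  echo "Testing sensor..."
  if ! isSensorHealthy; then
    echo "ERROR: sensor still not healthy, please contact support" >&2
    exit 1
  fi
  echo "Falcon sensor successfully installed!"
}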
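function getFalconAccessToken() {
  # Exchanges the API client credentials for an OAuth2 bearer token and
  # prints it on stdout.
  # The form body is handed to curl on stdin (-d @-) instead of as an
  # argument, so the client secret does not appear in `ps` output or in a
  # `set -x` trace. Returns non-zero when the HTTP request fails (--fail) or
  # the response carries no access_token (python3 raises).
  local response
  response=$(printf 'client_id=%s&client_secret=%s' "${CLIENT_ID}" "${CLIENT_SECRET}" \
    | curl -sS --fail -X POST -d @- "https://${API_HOST}/oauth2/token") || return 1
  python3 -c "import sys, json; print(json.load(sys.stdin)['access_token'])" <<<"${response}"
}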
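function getSensorhash() {
  # Lists the macOS sensor installers and prints the sha256 of the first one
  # returned; that digest doubles as the id for the download endpoint.
  #   $1 - API bearer token
  # The Authorization header is read by curl from stdin (-H @-, curl 7.55+)
  # so the token stays out of argv. Returns non-zero when the request fails
  # or the listing is empty (python3 raises on resources[0]).
  # NOTE(review): [0] is assumed to be the newest installer — confirm the
  # endpoint's ordering before relying on it.
  local apiToken="$1"
  local response
  response=$(printf 'Authorization: Bearer %s\n' "${apiToken}" \
    | curl -sS --fail -H @- \
        "https://${API_HOST}/sensors/combined/installers/v1?filter=platform%3A%22mac%22") || return 1
  python3 -c "import sys, json; print(json.load(sys.stdin)['resources'][0]['sha256'])" <<<"${response}"
}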
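function isSensorHealthy() {
  # Returns 0 only when falconctl exists and its stats output says the
  # sensor is operational. The existence check keeps the pre-install call in
  # main from spewing "No such file or directory" when Falcon is absent.
  local falconctl=/Applications/Falcon.app/Contents/Resources/falconctl
  [[ -x "${falconctl}" ]] || return 1
  "${falconctl}" stats | grep -q 'Sensor operational: true'
}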
function loadSensor() {
  # Starts the installed sensor via falconctl (needs privileges, hence sudo).
  local -r falconctl=/Applications/Falcon.app/Contents/Resources/falconctl
  sudo "${falconctl}" load
}
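function installSensor() {
  # Downloads the installer package, verifies its digest, runs it as root and
  # applies the license.
  #   $1 - API bearer token
  #   $2 - sha256 of the installer (also the download id)
  # Exits the script on any hard failure; the final license call stays
  # best-effort (|| true) as before.
  local apiToken="$1"
  local hash="$2"
  if [[ -z "$apiToken" || -z "$hash" ]]; then
    echo "token and/or hash not detected, exiting" >&2
    exit 1
  fi

  # A private directory instead of "$(mktemp).pkg": the ".pkg" name was never
  # reserved by mktemp, so another local user could have placed a file there.
  local workDir
  workDir=$(mktemp -d) || { echo "ERROR: mktemp failed" >&2; exit 1; }
  local sensorPath="${workDir}/falcon.pkg"

  # Token goes in via stdin (-H @-, curl 7.55+) to keep it out of argv;
  # --fail makes an HTTP error a failure instead of an "installer" full of JSON.
  if ! printf 'Authorization: Bearer %s\n' "${apiToken}" \
      | curl -o "${sensorPath}" -sS --fail -H @- \
          "https://${API_HOST}/sensors/entities/download-installer/v1?id=${hash}"; then
    echo "ERROR: installer download failed" >&2
    rm -rf -- "${workDir}"
    exit 1
  fi

  # The id we downloaded by is the package's sha256, so the file can be
  # checked against it before anything is executed as root.
  local expectedHash actualHash
  expectedHash=$(printf '%s' "${hash}" | tr 'A-Z' 'a-z')
  actualHash=$(shasum -a 256 "${sensorPath}" | awk '{print $1}')
  if [[ "${actualHash}" != "${expectedHash}" ]]; then
    echo "ERROR: installer checksum mismatch, refusing to install" >&2
    rm -rf -- "${workDir}"
    exit 1
  fi

  if ! sudo installer -verboseR -pkg "${sensorPath}" -target /; then
    echo "ERROR: installer failed" >&2
    rm -rf -- "${workDir}"
    exit 1
  fi
  rm -rf -- "${workDir}"

  if [[ ! -f /Applications/Falcon.app/Contents/Resources/falconctl ]]; then
    echo "ERROR: falconctl not installed, exiting" >&2
    exit 1
  fi
  # Licensing is allowed to fail (e.g. already licensed); main's health
  # check is the real gate.
  sudo /Applications/Falcon.app/Contents/Resources/falconctl license "${CID}" "${TOKEN}" || true
}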
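function openInstallProfile() {
  # Opens the profile in System Preferences > Profiles so the user can
  # approve it.
  #   $1 - path to the .mobileconfig file
  # The previous version switched on `set -e` and `set -x` here; both are
  # shell-global and would have stayed on after the function returned,
  # tracing every later command (including the credential-bearing curl
  # invocations) to stderr. They have been removed.
  local profilePath="$1"
  open /System/Library/PreferencePanes/Profiles.prefPane "${profilePath}"
}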
function waitForInstall() {
  # Blocks until the user dismisses the "did you install the profile?" dialog.
  local -r prompt='display dialog "Did you install the profile in System Preferences>Profiles?\nIf so, we can start installing the sensor for you." buttons {"Yes"}'
  osascript -e "${prompt}"
}
function quitSystemPrefs() {
  # Closes System Preferences once the profile has been dealt with.
  local -r script='quit app "System Preferences"'
  osascript -e "${script}"
}
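function getProfile() {
  # Writes the Falcon permissions profile (.mobileconfig) into a fresh
  # temporary directory and prints its path on stdout. Returns non-zero if
  # the directory cannot be created.
  # The directory is 755 and the file 644: world-readable so the GUI session
  # can open the profile, but writable by root only. The old fixed
  # /tmp/falcon.mobileconfig with chmod 666 let any local user rewrite the
  # policy between this function and the user approving it (and the chmod
  # ran before the file existed). The caller removes the file; the empty
  # directory is left to normal tmp cleanup.
  local profileDir
  profileDir=$(mktemp -d) || return 1
  chmod 755 "${profileDir}"
  local tmpFile="${profileDir}/falcon.mobileconfig"
  # Quoted delimiter: the profile is literal text, nothing in it is expanded.
  cat <<'EOF' > "${tmpFile}"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>863BE372-D1FA-4082-85B2-3B8FE63797C5</string>
<key>PayloadIdentifier</key>
<string>863BE372-D1FA-4082-85B2-3B8FE63797C5</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>IRON Security</string>
<key>PayloadDisplayName</key>
<string>IRON Sensor Permissions</string>
<key>PayloadDescription</key>
<string>Kernel Extensions, System Extensions, and Privacy Preferences for the IRON sensor.</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>FilterBrowsers</key>
<false/>
<key>FilterDataProviderBundleIdentifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>FilterDataProviderDesignatedRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
<key>FilterPacketProviderBundleIdentifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>FilterPacketProviderDesignatedRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
<key>FilterGrade</key>
<string>inspector</string>
<key>FilterPackets</key>
<false/>
<key>FilterSockets</key>
<true/>
<key>FilterType</key>
<string>Plugin</string>
<key>Organization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>Web Content Filter</string>
<key>PayloadIdentifier</key>
<string>2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8</string>
<key>PayloadType</key>
<string>com.apple.webcontent-filter</string>
<key>PayloadUUID</key>
<string>2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PluginBundleID</key>
<string>com.crowdstrike.falcon.App</string>
<key>UserDefinedName</key>
<string>Falcon</string>
</dict>
<dict>
<key>PayloadUUID</key>
<string>20258B06-5866-4424-8893-A3AF1AFAAEDC</string>
<key>PayloadIdentifier</key>
<string>20258B06-5866-4424-8893-A3AF1AFAAEDC</string>
<key>PayloadType</key>
<string>com.apple.system-extension-policy</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>System Extensions</string>
<key>PayloadDescription</key>
<string>Configures System Extensions Policy settings</string>
<key>AllowUserOverrides</key>
<true/>
<key>AllowedSystemExtensions</key>
<dict>
<key>X9E956P446</key>
<array>
<string>com.crowdstrike.falcon.Agent</string>
</array>
</dict>
<key>AllowedSystemExtensionTypes</key>
<dict>
<key>X9E956P446</key>
<array>
<string>EndpointSecurityExtension</string>
<string>NetworkExtension</string>
</array>
</dict>
</dict>
<dict>
<key>PayloadUUID</key>
<string>E45B5986-74A6-4B6A-A4CA-E179516A7F52</string>
<key>PayloadIdentifier</key>
<string>E45B5986-74A6-4B6A-A4CA-E179516A7F52</string>
<key>PayloadType</key>
<string>com.apple.system-extensions.admin</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>App System Extension Control</string>
<key>PayloadDescription</key>
<string>Controls the system extension loading/unloading</string>
<key>AllowedTeamIdentifiers</key>
<array>
<string>X9E956P446</string>
</array>
</dict>
<dict>
<key>PayloadUUID</key>
<string>5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE</string>
<key>PayloadIdentifier</key>
<string>5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE</string>
<key>PayloadType</key>
<string>com.apple.syspolicy.kernel-extension-policy</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>Kernel Extensions</string>
<key>PayloadDescription</key>
<string>Configures Kernel Extension Policy settings</string>
<key>AllowedTeamIdentifiers</key>
<array>
<string>X9E956P446</string>
</array>
</dict>
<dict>
<key>PayloadUUID</key>
<string>9A10BE5D-5E46-4C22-89C9-20597A04B616</string>
<key>PayloadIdentifier</key>
<string>9A10BE5D-5E46-4C22-89C9-20597A04B616</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadOrganization</key>
<string>CrowdStrike Inc.</string>
<key>PayloadDisplayName</key>
<string>Privacy Preferences</string>
<key>PayloadDescription</key>
<string>Configures Privacy Preferences Policy Control settings</string>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.crowdstrike.falcon.Agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.crowdstrike.falcon.App</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<false/>
</dict>
</array>
</dict>
</dict>
</array>
</dict>
</plist>
EOF
  chmod 644 "${tmpFile}"
  echo "${tmpFile}"
}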
# Run the installer; main takes no arguments today, but forwarding "$@" keeps
# the entry point conventional.
main "$@"