
@hazcod
Last active October 22, 2023 12:58

Revisions

  1. hazcod revised this gist Oct 18, 2021. 1 changed file with 8 additions and 5 deletions.
    13 changes: 8 additions & 5 deletions falcon-autoinstall.sh
    @@ -6,6 +6,7 @@ CID="_FALCON_CID_"
    TOKEN="_FALCON_INSTALL_TOKEN"
    API_HOST="api.eu-1.crowdstrike.com"


    function main() {
    if [[ $EUID -ne 0 ]]; then
    echo "ERROR: this script must be run as root"
    @@ -20,6 +21,7 @@ function main() {
    echo "Installing profile..."
    profilePath=$(getProfile)
    openInstallProfile "${profilePath}"
    exit 0
    waitForInstall
    quitSystemPrefs
    rm "${profilePath}"
    @@ -87,7 +89,8 @@ function installSensor() {

    function openInstallProfile() {
    local profilePath="$1"

    set -e
    set -x
    open /System/Library/PreferencePanes/Profiles.prefPane "${profilePath}"
    }

    @@ -100,9 +103,8 @@ function quitSystemPrefs() {
    }

    function getProfile() {
    tmpFile=$(mktemp)
    mv "${tmpFile}" "${tmpFile}.mobileconfig"
    tmpFile="${tmpFile}.mobileconfig"
    tmpFile="/tmp/falcon.mobileconfig"
    chmod 666 "${tmpFile}"

    cat <<EOF > "${tmpFile}"
    <?xml version="1.0" encoding="UTF-8"?>
    @@ -286,7 +288,8 @@ function getProfile() {
    </dict>
    </plist>
    EOF

    echo "${tmpFile}"
    }

    main
    main
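Review bot: `getProfile` now writes the profile to the fixed path `/tmp/falcon.mobileconfig` and makes it world-writable with `chmod 666`, while the script runs as root and then hands that file to the Profiles pane for installation; any local user can pre-create or overwrite that path between the write and the install, so the profile that gets installed system-wide is no longer under the script's control. If the change is there so the logged-in user's session can read the file (the earlier `mktemp` file would presumably have been root-only), `chmod 644 "${tmpFile}"` is sufficient, since nothing else needs write access, and keeping `mktemp` for the name avoids the predictable path as well. Two lines that look like leftover debugging also landed: `exit 0` right after `openInstallProfile` in `main` ends the run before `waitForInstall` and everything after it, and `set -x` inside `openInstallProfile` is not scoped to the function, so once that `exit 0` is removed every later command, including the `curl` call carrying `client_secret=...` and the Bearer tokens, will be traced to stderr. Both `main` and `getProfile` continue outside their hunks.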
  2. hazcod revised this gist Oct 18, 2021. 1 changed file with 5 additions and 5 deletions.
    10 changes: 5 additions & 5 deletions falcon-autoinstall.sh
    @@ -4,7 +4,7 @@ CLIENT_ID="_FALCON_API_CLIENT_ID_"
    CLIENT_SECRET="FALCON_API_CLIENT_SECRET_"
    CID="_FALCON_CID_"
    TOKEN="_FALCON_INSTALL_TOKEN"
    CLOUD="_FALCON_CLOUD_"
    API_HOST="api.eu-1.crowdstrike.com"

    function main() {
    if [[ $EUID -ne 0 ]]; then
    @@ -44,12 +44,12 @@ function main() {
    }

    function getFalconAccessToken() {
    curl -s -X POST -d "client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}" https://api.${CLOUD}.crowdstrike.com/oauth2/token | \
    curl -s -X POST -d "client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}" https://${API_HOST}/oauth2/token | \
    python3 -c "import sys, json; print(json.load(sys.stdin)['access_token'])"
    }

    function getSensorhash() {
    curl -s -H "Authorization: Bearer ${1}" https://api.${CLOUD}.crowdstrike.com/sensors/combined/installers/v1?filter=platform%3A%22mac%22 | \
    curl -s -H "Authorization: Bearer ${1}" "https://${API_HOST}/sensors/combined/installers/v1?filter=platform%3A%22mac%22" | \
    python3 -c "import sys, json; print(json.load(sys.stdin)['resources'][0]['sha256'])"
    }

    @@ -71,7 +71,7 @@ function installSensor() {
    fi

    sensorPath="$(mktemp).pkg"
    curl -o "${sensorPath}" -s -H "Authorization: Bearer ${apiToken}" "https://api.${CLOUD}.crowdstrike.com/sensors/entities/download-installer/v1?id=${hash}"
    curl -o "${sensorPath}" -s -H "Authorization: Bearer ${apiToken}" "https://${API_HOST}/sensors/entities/download-installer/v1?id=${hash}"

    sudo installer -verboseR -pkg "${sensorPath}" -target /

    @@ -289,4 +289,4 @@ EOF
    echo "${tmpFile}"
    }

    main
    main
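Review bot: The token request in `getFalconAccessToken` still passes `client_secret=${CLIENT_SECRET}` as a command-line argument to `curl`, so the API secret is visible to every local user in the process list for the duration of the call; feeding the body through stdin, `printf 'client_id=%s&client_secret=%s' "${CLIENT_ID}" "${CLIENT_SECRET}" | curl -s -X POST -d @- "https://${API_HOST}/oauth2/token"`, keeps it off argv. That same line is also the only one of the three rewritten URLs left unquoted, while the `getSensorhash` and download URLs received quotes in this revision. On the download line in `installSensor`, the value sent as `id=${hash}` is the sha256 that `getSensorhash` returned, yet the saved package is never compared against it; a `shasum -a 256 "${sensorPath}"` check before `installer` runs, plus `--fail` on that `curl` so an HTTP error body is not written out as a `.pkg`, would make the install depend on a verified artifact. `installSensor` continues outside the hunk.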
  3. hazcod revised this gist Oct 18, 2021. 1 changed file with 15 additions and 14 deletions.
    29 changes: 15 additions & 14 deletions falcon-autoinstall.sh
    @@ -1,11 +1,10 @@
    #!/usr/bin/env bash

    set -e

    CLIENT_ID="_FALCON_CLIENT_ID_"
    CLIENT_SECRET="_FALCON_CLIENT_SECRET"
    CLIENT_ID="_FALCON_API_CLIENT_ID_"
    CLIENT_SECRET="FALCON_API_CLIENT_SECRET_"
    CID="_FALCON_CID_"
    CLOUD="eu-1"
    TOKEN="_FALCON_INSTALL_TOKEN"
    CLOUD="_FALCON_CLOUD_"

    function main() {
    if [[ $EUID -ne 0 ]]; then
    @@ -14,8 +13,8 @@ function main() {
    fi

    if isSensorHealthy; then
    echo "No sensor installation necessary"
    exit 0
    echo "Unloading previously installed sensor"
    sudo /Applications/Falcon.app/Contents/Resources/falconctl unload
    fi

    echo "Installing profile..."
    @@ -40,6 +39,8 @@ function main() {
    echo "ERROR: sensor still not healthy, please contact support"
    exit 1
    fi

    echo "Falcon sensor successfully installed!"
    }

    function getFalconAccessToken() {
    @@ -64,38 +65,38 @@ function installSensor() {
    local apiToken="$1"
    local hash="$2"

    if [ -z "$token" ] || [ -z "$hash" ]; then
    if [ -z "$apiToken" ] || [ -z "$hash" ]; then
    echo "token and/or hash not detected, exiting"
    exit 1
    fi

    sensorPath=$(mktemp)
    sensorPath="$(mktemp).pkg"
    curl -o "${sensorPath}" -s -H "Authorization: Bearer ${apiToken}" "https://api.${CLOUD}.crowdstrike.com/sensors/entities/download-installer/v1?id=${hash}"

    sudo installer -verboseR -pkg "${sensorPath}" -target /

    rm "${sensorPath}"

    if [ ! -f /Applications/Falcon.app/Contents/Resources/falconctl ]; then
    echo "falconctl not installed, exiting"
    echo "ERROR: falconctl not installed, exiting"
    exit 1
    fi

    sudo /Applications/Falcon.app/Contents/Resources/falconctl license "${CID}" || true
    sudo /Applications/Falcon.app/Contents/Resources/falconctl license "${CID}" "${TOKEN}" || true
    }

    function openInstallProfile() {
    local token="$1"
    local profilePath="$1"

    open /System/Library/PreferencePanes/Profiles.prefPane "${token}"
    open /System/Library/PreferencePanes/Profiles.prefPane "${profilePath}"
    }

    function waitForInstall() {
    osascript -e 'display dialog "Did you install the profile in System Preferences>Profiles?\nIf so, we can start installing the sensor for you." buttons {"Yes"}'
    }

    function quitSystemPrefs() {
    osascript -e 'tell application "System Preferences" Quit end tell'
    osascript -e 'quit app "System Preferences"'
    }

    function getProfile() {
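Review bot: `CLIENT_SECRET="FALCON_API_CLIENT_SECRET_"` is missing the leading underscore that every other placeholder on these lines carries (`_FALCON_API_CLIENT_ID_`, `_FALCON_CID_`, `_FALCON_CLOUD_`), and `TOKEN="_FALCON_INSTALL_TOKEN"` is missing the trailing one; if a deployment step substitutes markers matching the `_FALCON_..._` pattern, those two values are left as literal strings and the literal secret placeholder is what gets sent to the token endpoint. In `installSensor`, `sensorPath="$(mktemp).pkg"` creates one empty temp file via `mktemp` and then downloads to a differently named sibling, so the later `rm "${sensorPath}"` removes only the `.pkg` and the empty file is left behind on every run; `sensorDir=$(mktemp -d); sensorPath="${sensorDir}/falcon.pkg"` with `rm -rf -- "${sensorDir:?}"` afterwards keeps a single path under `mktemp`'s control. The `|| true` added to the `falconctl license` call discards the only direct signal that licensing failed, presumably because re-licensing an already licensed sensor returns an error; that reason belongs in a comment on the line, e.g. `# ignore failure: license exits non-zero if the sensor is already licensed`.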
  4. hazcod revised this gist Oct 18, 2021. 1 changed file with 5 additions and 19 deletions.
    24 changes: 5 additions & 19 deletions falcon-autoinstall.sh
    @@ -1,15 +1,10 @@
    #!/usr/bin/env bash

    # token to be replaced with sensor-download permissions
    set -e

    CLIENT_ID="_FALCON_CLIENT_ID_"
    CLIENT_SECRET="_FALCON_CLIENT_SECRET"

    # the sensor CID
    CID="_FALCON_CID_"
    # the sensor bootstrap token
    TOKEN="_FALCON_TOKEN_"

    # the cloud instance
    CLOUD="eu-1"

    function main() {
    @@ -35,7 +30,7 @@ function main() {
    latestSensorHash=$(getSensorhash "${sensorAccessToken}")

    echo "Installing sensor..."
    installSensor ${sensorData}
    installSensor "${sensorAccessToken}" "${latestSensorHash}"

    echo "Loading sensor..."
    loadSensor
    @@ -58,7 +53,7 @@ function getSensorhash() {
    }

    function isSensorHealthy() {
    [ -z "$(/Applications/Falcon.app/Contents/Resources/falconctl stats | grep 'Sensor operational: true')" ]
    /Applications/Falcon.app/Contents/Resources/falconctl stats | grep -q 'Sensor operational: true'
    }

    function loadSensor() {
    @@ -86,16 +81,7 @@ function installSensor() {
    exit 1
    fi

    sudo /Applications/Falcon.app/Contents/Resources/falconctl license "${CID}" "${TOKEN}" || true
    }

    function getSensorBootstrapInfo() {
    jsonResponse=$(curl -q -H "x-auth-token: ${TOKEN}" "${API_URL}/data")

    CID=$(echo "${jsonResponse}" | jq .cid)
    INSTALL_TOKEN=$(echo "${jsonResponse}" | jq .install_token)

    echo "${CID}" "${INSTALL_TOKEN}"
    sudo /Applications/Falcon.app/Contents/Resources/falconctl license "${CID}" || true
    }

    function openInstallProfile() {
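Review bot: `set -e` is now enabled at the top of the file but without `set -o pipefail`, so in the `curl ... | python3 -c ...` pipelines of `getFalconAccessToken` and `getSensorhash` a failed `curl` only surfaces indirectly, as a Python traceback from `json.load` on an empty or error body; `set -eo pipefail` together with `curl -sf` makes the HTTP failure itself the reported error. Those two functions lie outside this hunk. In the last hunk, `falconctl license "${CID}" || true` masks a licensing failure until the final health check in `main`; if the status is deliberately ignored, a one-line comment saying why would help the next reader. `installSensor` and `main` both start outside their hunks.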
  5. hazcod revised this gist Oct 18, 2021. 1 changed file with 52 additions and 13 deletions.
    65 changes: 52 additions & 13 deletions falcon-autoinstall.sh
    @@ -1,9 +1,28 @@
    #!/usr/bin/env bash

    TOKEN="_TOKEN_"
    API_URL="https://api.foo/sensor/bootstrap"
    # token to be replaced with sensor-download permissions
    CLIENT_ID="_FALCON_CLIENT_ID_"
    CLIENT_SECRET="_FALCON_CLIENT_SECRET"

    # the sensor CID
    CID="_FALCON_CID_"
    # the sensor bootstrap token
    TOKEN="_FALCON_TOKEN_"

    # the cloud instance
    CLOUD="eu-1"

    function main() {
    if [[ $EUID -ne 0 ]]; then
    echo "ERROR: this script must be run as root"
    exit 1
    fi

    if isSensorHealthy; then
    echo "No sensor installation necessary"
    exit 0
    fi

    echo "Installing profile..."
    profilePath=$(getProfile)
    openInstallProfile "${profilePath}"
    @@ -12,42 +31,62 @@ function main() {
    rm "${profilePath}"

    echo "Retrieving sensor boostrap..."
    sensorData=$(getSensorBootstrapInfo)
    sensorAccessToken=$(getFalconAccessToken)
    latestSensorHash=$(getSensorhash "${sensorAccessToken}")

    echo "Installing sensor..."
    installSensor ${sensorData}

    echo "Loading sensor..."
    loadSensor

    echo "Testing sensor..."
    if ! isSensorHealthy; then
    echo "ERROR: sensor still not healthy, please contact support"
    exit 1
    fi
    }

    function getFalconAccessToken() {
    curl -s -X POST -d "client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}" https://api.${CLOUD}.crowdstrike.com/oauth2/token | \
    python3 -c "import sys, json; print(json.load(sys.stdin)['access_token'])"
    }

    function getSensorhash() {
    curl -s -H "Authorization: Bearer ${1}" https://api.${CLOUD}.crowdstrike.com/sensors/combined/installers/v1?filter=platform%3A%22mac%22 | \
    python3 -c "import sys, json; print(json.load(sys.stdin)['resources'][0]['sha256'])"
    }

    function isSensorHealthy() {
    [ -z "$(/Applications/Falcon.app/Contents/Resources/falconctl stats | grep 'Sensor operational: true')" ]
    }

    function loadSensor() {
    sudo /Applications/Falcon.app/Contents/Resources/falconctl load
    }

    function installSensor() {
    local cid="$1"
    local token="$2"
    local apiToken="$1"
    local hash="$2"

    if [ -z "$cid" ] || [ -z "$token" ]; then
    echo "cid/token not detected, exiting"
    if [ -z "$token" ] || [ -z "$hash" ]; then
    echo "token and/or hash not detected, exiting"
    exit 1
    fi

    sensorPath=$(mktemp)
    curl -q -O "${sensorPath}" -H "x-auth-token: ${TOKEN}" "${API_URL}/installer"
    curl -o "${sensorPath}" -s -H "Authorization: Bearer ${apiToken}" "https://api.${CLOUD}.crowdstrike.com/sensors/entities/download-installer/v1?id=${hash}"

    sudo installer -verboseR -pkg "${sensorPath}" -target /

    rm "${sensorPath}"

    if [ ! -f /Applications/Falcon.app/Contents/Resources/falconctl ]; then
    echo "falconctl not detected, exiting"
    echo "falconctl not installed, exiting"
    exit 1
    fi

    rm "${sensorPath}"

    sudo /Applications/Falcon.app/Contents/Resources/falconctl provisioning-token "${token}"
    sudo /Applications/Falcon.app/Contents/Resources/falconctl license "${cid}"
    sudo /Applications/Falcon.app/Contents/Resources/falconctl license "${CID}" "${TOKEN}" || true
    }

    function getSensorBootstrapInfo() {
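Review bot: `installSensor` downloads the package with `curl -o "${sensorPath}" -s ...` and runs `installer` on whatever came back; with `-s` and no `--fail`, an authentication or API error body is saved as the `.pkg` and handed to `installer`, and the sha256 that `getSensorhash` obtained (it is the value carried by `id=${hash}`) is never compared against the file. Adding `-f` to that `curl` call and a check such as `[[ "$(shasum -a 256 "${sensorPath}" | cut -d' ' -f1)" == "${hash}" ]] || { echo "ERROR: sensor checksum mismatch"; exit 1; }` before `installer` would make the install depend on a verified artifact. `getSensorhash` also takes `['resources'][0]` as the latest installer with no sort or version filter in the query, so which build is installed depends on the API's default ordering; that is worth confirming or pinning in the filter. The `$EUID` root check at the top of `main` is a good addition; `installSensor` continues outside its hunk.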
  6. hazcod revised this gist Oct 18, 2021. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions falcon-autoinstall.sh
    @@ -9,6 +9,7 @@ function main() {
    openInstallProfile "${profilePath}"
    waitForInstall
    quitSystemPrefs
    rm "${profilePath}"

    echo "Retrieving sensor boostrap..."
    sensorData=$(getSensorBootstrapInfo)
    @@ -43,6 +44,8 @@ function installSensor() {
    exit 1
    fi

    rm "${sensorPath}"

    sudo /Applications/Falcon.app/Contents/Resources/falconctl provisioning-token "${token}"
    sudo /Applications/Falcon.app/Contents/Resources/falconctl license "${cid}"
    }
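Review bot: The two `rm` calls added here sit on the success path only; the `exit 1` branch visible at the top of the second hunk, and any failure between `getProfile` and the new `rm "${profilePath}"` in `main`, leave the downloaded package or the generated profile behind in the temp directory. Since `profilePath` and `sensorPath` are both assigned without `local` and so are globals, a `trap 'rm -f -- "${profilePath}" "${sensorPath}"' EXIT` near the start of `main` would cover every exit path; confirm the variables are set before any path that can exit. Both enclosing functions start outside their hunks.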
  7. hazcod created this gist Oct 18, 2021.
    263 changes: 263 additions & 0 deletions falcon-autoinstall.sh
    @@ -0,0 +1,263 @@
    #!/usr/bin/env bash

    TOKEN="_TOKEN_"
    API_URL="https://api.foo/sensor/bootstrap"

    function main() {
    echo "Installing profile..."
    profilePath=$(getProfile)
    openInstallProfile "${profilePath}"
    waitForInstall
    quitSystemPrefs

    echo "Retrieving sensor boostrap..."
    sensorData=$(getSensorBootstrapInfo)

    echo "Installing sensor..."
    installSensor ${sensorData}

    echo "Loading sensor..."
    loadSensor
    }

    function loadSensor() {
    sudo /Applications/Falcon.app/Contents/Resources/falconctl load
    }

    function installSensor() {
    local cid="$1"
    local token="$2"

    if [ -z "$cid" ] || [ -z "$token" ]; then
    echo "cid/token not detected, exiting"
    exit 1
    fi

    sensorPath=$(mktemp)
    curl -q -O "${sensorPath}" -H "x-auth-token: ${TOKEN}" "${API_URL}/installer"

    sudo installer -verboseR -pkg "${sensorPath}" -target /

    if [ ! -f /Applications/Falcon.app/Contents/Resources/falconctl ]; then
    echo "falconctl not detected, exiting"
    exit 1
    fi

    sudo /Applications/Falcon.app/Contents/Resources/falconctl provisioning-token "${token}"
    sudo /Applications/Falcon.app/Contents/Resources/falconctl license "${cid}"
    }

    function getSensorBootstrapInfo() {
    jsonResponse=$(curl -q -H "x-auth-token: ${TOKEN}" "${API_URL}/data")

    CID=$(echo "${jsonResponse}" | jq .cid)
    INSTALL_TOKEN=$(echo "${jsonResponse}" | jq .install_token)

    echo "${CID}" "${INSTALL_TOKEN}"
    }

    function openInstallProfile() {
    local token="$1"

    open /System/Library/PreferencePanes/Profiles.prefPane "${token}"
    }

    function waitForInstall() {
    osascript -e 'display dialog "Did you install the profile in System Preferences>Profiles?\nIf so, we can start installing the sensor for you." buttons {"Yes"}'
    }

    function quitSystemPrefs() {
    osascript -e 'tell application "System Preferences" Quit end tell'
    }

    function getProfile() {
    tmpFile=$(mktemp)
    mv "${tmpFile}" "${tmpFile}.mobileconfig"
    tmpFile="${tmpFile}.mobileconfig"

    cat <<EOF > "${tmpFile}"
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1">
    <dict>
    <key>PayloadUUID</key>
    <string>863BE372-D1FA-4082-85B2-3B8FE63797C5</string>
    <key>PayloadIdentifier</key>
    <string>863BE372-D1FA-4082-85B2-3B8FE63797C5</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>IRON Security</string>
    <key>PayloadDisplayName</key>
    <string>IRON Sensor Permissions</string>
    <key>PayloadDescription</key>
    <string>Kernel Extensions, System Extensions, and Privacy Preferences for the IRON sensor.</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
    <dict>
    <key>FilterBrowsers</key>
    <false/>
    <key>FilterDataProviderBundleIdentifier</key>
    <string>com.crowdstrike.falcon.Agent</string>
    <key>FilterDataProviderDesignatedRequirement</key>
    <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
    <key>FilterPacketProviderBundleIdentifier</key>
    <string>com.crowdstrike.falcon.Agent</string>
    <key>FilterPacketProviderDesignatedRequirement</key>
    <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "X9E956P446"</string>
    <key>FilterGrade</key>
    <string>inspector</string>
    <key>FilterPackets</key>
    <false/>
    <key>FilterSockets</key>
    <true/>
    <key>FilterType</key>
    <string>Plugin</string>
    <key>Organization</key>
    <string>CrowdStrike Inc.</string>
    <key>PayloadDisplayName</key>
    <string>Web Content Filter</string>
    <key>PayloadIdentifier</key>
    <string>2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8</string>
    <key>PayloadType</key>
    <string>com.apple.webcontent-filter</string>
    <key>PayloadUUID</key>
    <string>2C5CBFD0-7CFE-41CB-95BC-A681F4D293B8</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PluginBundleID</key>
    <string>com.crowdstrike.falcon.App</string>
    <key>UserDefinedName</key>
    <string>Falcon</string>
    </dict>
    <dict>
    <key>PayloadUUID</key>
    <string>20258B06-5866-4424-8893-A3AF1AFAAEDC</string>
    <key>PayloadIdentifier</key>
    <string>20258B06-5866-4424-8893-A3AF1AFAAEDC</string>
    <key>PayloadType</key>
    <string>com.apple.system-extension-policy</string>
    <key>PayloadOrganization</key>
    <string>CrowdStrike Inc.</string>
    <key>PayloadDisplayName</key>
    <string>System Extensions</string>
    <key>PayloadDescription</key>
    <string>Configures System Extensions Policy settings</string>
    <key>AllowUserOverrides</key>
    <true/>
    <key>AllowedSystemExtensions</key>
    <dict>
    <key>X9E956P446</key>
    <array>
    <string>com.crowdstrike.falcon.Agent</string>
    </array>
    </dict>
    <key>AllowedSystemExtensionTypes</key>
    <dict>
    <key>X9E956P446</key>
    <array>
    <string>EndpointSecurityExtension</string>
    <string>NetworkExtension</string>
    </array>
    </dict>
    </dict>
    <dict>
    <key>PayloadUUID</key>
    <string>E45B5986-74A6-4B6A-A4CA-E179516A7F52</string>
    <key>PayloadIdentifier</key>
    <string>E45B5986-74A6-4B6A-A4CA-E179516A7F52</string>
    <key>PayloadType</key>
    <string>com.apple.system-extensions.admin</string>
    <key>PayloadOrganization</key>
    <string>CrowdStrike Inc.</string>
    <key>PayloadDisplayName</key>
    <string>App System Extension Control</string>
    <key>PayloadDescription</key>
    <string>Controls the system extension loading/unloading</string>
    <key>AllowedTeamIdentifiers</key>
    <array>
    <string>X9E956P446</string>
    </array>
    </dict>
    <dict>
    <key>PayloadUUID</key>
    <string>5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE</string>
    <key>PayloadIdentifier</key>
    <string>5671B4FB-3B3A-4D93-B12A-E8487BD9B5EE</string>
    <key>PayloadType</key>
    <string>com.apple.syspolicy.kernel-extension-policy</string>
    <key>PayloadOrganization</key>
    <string>CrowdStrike Inc.</string>
    <key>PayloadDisplayName</key>
    <string>Kernel Extensions</string>
    <key>PayloadDescription</key>
    <string>Configures Kernel Extension Policy settings</string>
    <key>AllowedTeamIdentifiers</key>
    <array>
    <string>X9E956P446</string>
    </array>
    </dict>
    <dict>
    <key>PayloadUUID</key>
    <string>9A10BE5D-5E46-4C22-89C9-20597A04B616</string>
    <key>PayloadIdentifier</key>
    <string>9A10BE5D-5E46-4C22-89C9-20597A04B616</string>
    <key>PayloadType</key>
    <string>com.apple.TCC.configuration-profile-policy</string>
    <key>PayloadOrganization</key>
    <string>CrowdStrike Inc.</string>
    <key>PayloadDisplayName</key>
    <string>Privacy Preferences</string>
    <key>PayloadDescription</key>
    <string>Configures Privacy Preferences Policy Control settings</string>
    <key>Services</key>
    <dict>
    <key>SystemPolicyAllFiles</key>
    <array>
    <dict>
    <key>Allowed</key>
    <true/>
    <key>CodeRequirement</key>
    <string>identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
    <key>Comment</key>
    <string></string>
    <key>Identifier</key>
    <string>com.crowdstrike.falcon.Agent</string>
    <key>IdentifierType</key>
    <string>bundleID</string>
    <key>StaticCode</key>
    <false/>
    </dict>
    <dict>
    <key>Allowed</key>
    <true/>
    <key>CodeRequirement</key>
    <string>identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446</string>
    <key>Comment</key>
    <string></string>
    <key>Identifier</key>
    <string>com.crowdstrike.falcon.App</string>
    <key>IdentifierType</key>
    <string>bundleID</string>
    <key>StaticCode</key>
    <false/>
    </dict>
    </array>
    </dict>
    </dict>
    </array>
    </dict>
    </plist>
    EOF
    echo "${tmpFile}"
    }

    main
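Review bot: `curl -q -O "${sensorPath}" -H ... "${API_URL}/installer"` in `installSensor` does not do what the surrounding code expects: `-O` takes no argument (it means "save under the remote file name"), so `"${sensorPath}"` is treated as an additional URL rather than an output path, the real download is not written to `${sensorPath}`, and `installer -pkg "${sensorPath}"` runs against the empty file `mktemp` created; `-q` likewise suppresses `.curlrc` rather than output. The intended form is `curl -s -o "${sensorPath}" -H "x-auth-token: ${TOKEN}" "${API_URL}/installer"`. In `getSensorBootstrapInfo`, `jq .cid` and `jq .install_token` without `-r` emit JSON-quoted strings, so the values reaching `falconctl license` and `provisioning-token` through the unquoted `installSensor ${sensorData}` expansion carry literal double quotes; `jq -r` is needed on both lines. `main` also issues `sudo` commands with no check that the caller is root, and neither `mktemp` file is ever removed. Later revisions of this gist switch to `-o`/`-s` and add a root check.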