CrowdStrike Relevance that works across all OSs

I am trying to create a property to report on to show our endpoint protection posture, we have the following relevance that is working, I just need to combine them into a single property. Is this possible?

Windows
if (exists running service "CsFalconService") then "Running" else "Stopped"
Linux
if (exists process "falcon-sensor") then "Running" else "Stopped"

Thanks!
Tony

Yes, there are a couple of ways to do it. The first is to assume the same process name on any non-Windows system (including Mac, AIX, etc.); the second should return an "N/A" for systems that are neither Windows nor Linux.

if (windows of operating system) then (if (exists running service "CsFalconService") then "Running" else "Stopped") else (if (exists process "falcon-sensor") then "Running" else "Stopped")

Alternatively

if (Windows of operating system) then (if (exists running service "CsFalconService") then "Running" else "Stopped") else (if name of operating system as lowercase contains "linux" then (if (exists process "falcon-sensor") then "Running" else "Stopped") else "N/A")

Edit 2022-07-17: in the second query I was comparing name of operating system as lowercase contains "Linux", but comparing a lowercase value to a mixed-case "Linux" will always be false.

Thank you! The only other issue I have now, and am working with HCL on, is why the Linux hosts all report back as Stopped even though when we run it in the qna app they report Running, but this should be good to go once we have that resolved. I will also be saving this for future reference on how to cross multiple OSs… Thank you so much!

Is “falcon-sensor” the exact process name? Including upper/lowercase?

I posted the relevance over on Reddit, but I'll post it here as well. I have some other properties I pull (CID license keys; we have two environments, so it helps to keep track of which endpoints are connected to which system). If you want them, let me know.

On Linux systems you need to run a Task to export the Version information. I haven’t found it in any files other than where I export it to …

IF (Windows of Operating System) THEN
    (IF (Exists Folder "C:\Program Files\CrowdStrike")
        THEN (Version of File "CSFalconService.exe" of Folder "C:\Program Files\CrowdStrike") as String
        ELSE (NOTHING))
ELSE (IF (Mac of Operating System) THEN
    (IF (Exists Folder "/Library/CS/kexts")
        THEN ((string "CFBundleShortVersionString" of dictionary of file "/Library/CS/kexts/Agent.kext/Contents/Info.plist") AS String)
        ELSE (IF (Exists Folder "/Applications/Falcon.app/Contents")
            THEN ((string "CFBundleShortVersionString" of dictionary of file "/Applications/Falcon.app/Contents/Info.plist") AS String)
            ELSE (NOTHING)))
ELSE (IF (Exists Folder "/opt/CrowdStrike" whose (exists File "version.txt" of it))
    THEN (((first ((length of (substring after "= " of Line 1 of file "version.txt" of folder "/opt/CrowdStrike"))) of (substring after "= " of Line 1 of file "version.txt" of folder "/opt/CrowdStrike")) as String))
    ELSE (IF ((exists RPM) AND (Exists (packages whose (it as string contains "falcon") of rpm)))
        THEN (substring after ("falcon-sensor-") of ((packages whose (it as string contains "falcon") of rpm) as string))
        ELSE (NOTHING))))

The task I run to create the version.txt file on Linux systems is …

createfile until ##END##
#!/bin/sh
cd /opt/CrowdStrike
./falconctl -g --version > /opt/CrowdStrike/version.txt
##END##

delete FalconVersion.sh
move __createfile FalconVersion.sh

wait chmod +x FalconVersion.sh
wait ./FalconVersion.sh

Hi Tim, thanks for this, it helps a lot! Sure, we will probably be able to use anything CrowdStrike related; we just switched from McAfee, so much of this has yet to be created…

Hi Jason, we checked one of the servers and ran it exactly like this in the qna app and it returns Running, but when I create a property for it all the Linux hosts return Stopped… I wonder if it either has something to do with the hyphen in the process name or the client not having adequate rights, but it is in the root group, so I am at a loss… I also am no expert in Linux…

Linux machines also have a command-line version of the Debugger, at /opt/BESClient/bin/qna. You can try running that to debug relevance on Linux systems, or use the Query app in WebUI to do it remotely.

I’d try the following query to get a list of process names and verify that the process name appears as you expect it…

names of processes

Try the following in your linux qna tool (/opt/BESClient/bin/qna)

names whose (it as string as lowercase contains "falcon") of processes

For the State or Status of the Falcon Sensor, I use …

IF (Windows of Operating System) THEN
    (IF (Exists Service whose (it as string as lowercase contains "csfalconservice"))
        THEN (State of Service whose (it as string as lowercase contains "csfalconservice"))
        ELSE (NOTHING))
ELSE (IF (Mac of Operating System) THEN
    (IF ((exists file "/Library/CS/falconctl") OR (Exists Folder "/Applications/Falcon.app/Contents"))
        THEN (IF (Exists processes whose (name of it as string as lowercase contains "falcond")) THEN ("Running") ELSE ("Stopped"))
        ELSE (NOTHING))
ELSE (IF (UNIX of Operating System) THEN
    (IF (exists file "/opt/CrowdStrike/version.txt")
        THEN (IF (exists processes whose (name of it as string as lowercase contains "falcon-sensor")) THEN "Running" ELSE "Stopped")
        ELSE (NOTHING))
ELSE (NOTHING)))

To retrieve the CID used for the installation …

IF (Exists Folder "/opt/CrowdStrike" whose (exists File "cid.txt" of it))
    THEN (((first ((length of (substring after "=" of Line 1 of file "cid.txt" of folder "/opt/CrowdStrike")) - 1) of (substring after "=" of Line 1 of file "cid.txt" of folder "/opt/CrowdStrike")) as String))
    ELSE (NOTHING)

As with the Linux Version, I have to run a Task to export the CID value.

createfile until ##END##
#!/bin/sh
cd /opt/CrowdStrike
./falconctl -g --cid > /opt/CrowdStrike/cid.txt
##END##

delete FalconCID.sh
move __createfile FalconCID.sh

wait chmod +x FalconCID.sh
wait ./FalconCID.sh
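The two export tasks above (version and CID) leave the raw falconctl text in the file, and the property then has to cut the value out with substring arithmetic. The following shell script is an added example, not code from this thread, that normalizes the values at export time so each file holds only the bare value, and it also carries the case-insensitive process-name check that the qna debugging earlier in the thread suggests. The falconctl output formats shown in the comments are assumptions to verify on your own hosts, and the process lists fed to falcon_state are constructed sample input.

```shell
#!/bin/sh
# Added example for the BigFix Linux export task; not code from the thread.
# Writes /opt/CrowdStrike/version.txt and cid.txt with the bare value only,
# so the property can use "line 1 of file ..." with no substring math.
# Assumed falconctl output formats (verify on your hosts):
#   falconctl -g --version  ->  version = 6.38.13501
#   falconctl -g --cid      ->  cid="0123456789ABCDEF0123456789ABCDEF".

FALCON_DIR=/opt/CrowdStrike

# falcon_value LINE: strip the "key = " prefix, surrounding double quotes
# and a trailing period from one falconctl -g line; print the bare value.
falcon_value() {
    printf '%s\n' "$1" \
        | sed -e 's/^[^=]*=[[:space:]]*//' \
              -e 's/^"//' \
              -e 's/"\{0,1\}\.\{0,1\}[[:space:]]*$//'
}

# falcon_state NAMES: NAMES is a newline-separated list of process names
# (what `ps -eo comm=` or the relevance `names of processes` returns).
# Prints Running if a process name starts with falcon-sensor, else Stopped.
# The match is case-insensitive and a prefix match, so a suffixed variant
# of the daemon name would still count.
falcon_state() {
    if printf '%s\n' "$1" | grep -qi '^falcon-sensor'; then
        echo Running
    else
        echo Stopped
    fi
}

# export_falcon_facts: the part the BigFix task runs. Returns 1 (without
# touching any file) when falconctl is not installed on this host.
export_falcon_facts() {
    [ -x "$FALCON_DIR/falconctl" ] || return 1
    falcon_value "$("$FALCON_DIR/falconctl" -g --version)" > "$FALCON_DIR/version.txt"
    falcon_value "$("$FALCON_DIR/falconctl" -g --cid)"     > "$FALCON_DIR/cid.txt"
}

# Only export when invoked as "sh FalconFacts.sh export", so the functions
# can be sourced or tested without running falconctl.
if [ "${1:-}" = "export" ]; then
    export_falcon_facts
fi
```

With the files holding bare values, the Linux branch of the version property shrinks to `line 1 of file "/opt/CrowdStrike/version.txt"` and the CID property to `line 1 of file "/opt/CrowdStrike/cid.txt"`; the task's last line becomes `wait ./FalconFacts.sh export`. Run `ps -eo comm=` on a host that reports Stopped and pipe it into falcon_state to confirm whether the daemon's name is what the property expects.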

Apologies for raking up an old post but there’s a far easier way to get the CrowdStrike versions on Linux (I’ve included Windows too just to make it easier)

There might be a nicer way to write this but it does what I need it to do :smiley:

if unix of operating system and exists folder "/opt/CrowdStrike" then versions of packages "falcon-sensor" of rpm as string else if windows of operating system and exists folder "C:\Program Files\CrowdStrike" then version of file "CSFalconService.exe" of Folder "C:\Program Files\CrowdStrike" as string else "not installed"
