Deploy Falcon Sensor to Linux server

I need to create a Fixlet that deploys the Falcon sensor to Linux servers from the command line.
These are the steps I need to take:

  1. Cache install .rpm to target host
  2. Provide CID Key to BF agent for the install
  3. sudo yum install <installer_filename.rpm>
  4. sudo /opt/CrowdStrike/falconctl -s --cid= --backend=kernel
  5. sudo systemctl start falcon-sensor
  6. Reboot

Can someone create an action script for this? Much appreciated. Would it be better to create a separate script file and just run that from BigFix?

Just use the Software Distribution Wizard or the Software Distribution Dashboard to upload the RPM into BigFix, and then you can use ActionScript (wait) to install it.

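// Minimal install sequence: install the RPM from the action's __Download folder, bind the
// sensor to the tenant, start the service, and flag the endpoint for a restart.
// NOTE(review): no step has its exit code checked, so the action can report success even
// when the install or the falconctl call failed.
wait rpm -ivh __Download/package_name.rpm
// SERIAL is a placeholder for the customer ID (CID). falconctl options take a leading "--";
// the original "backend=kernel" had lost it.
wait /opt/CrowdStrike/falconctl -s --cid=SERIAL --backend=kernel
// NOTE(review): "start" only starts the unit now; confirm it is also enabled at boot,
// since the next line schedules a restart.
wait systemctl start falcon-sensor
// Marks the computer as Pending Restart; the restart itself is chosen in the Post-Action settings.
action requires restart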

This will mark the computer as Pending Restart.
In the Post-Action settings, you can select when to restart the machine.

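Here is what we use on RHEL 9. I believe we had to use the rpm command due to issues with the digest and filedigest when using yum. This might be resolved, but I haven't checked in a while. Note that the rpm flags used for this skip rpm's own digest checks on the package, so the hash on the prefetch line is the integrity check that remains.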


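// *** ******************************************************************************** ***
// *** Documentation ::                                                                 ***
// ***    https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor-for-linux  ***
// *** ******************************************************************************** ***
//
// Installs the CrowdStrike Falcon sensor RPM on RHEL 9, registers it with the tenant CID,
// then enables and starts the service. After every step the exit code is read back and the
// action stops with that code if it is not 0.
//
// Commands are run with plain "wait" instead of "sudo su - root -c": the BigFix client
// normally runs as root already, sudo can be missing or refuse to run without a terminal,
// and the extra "-c" string let a shell interpret whatever the operator typed as the CID.
// Without "su -" the working directory stays the action's own folder, so the RPM is
// installed straight from __Download and is never staged in world-writable /tmp.

// Ask the operator for the CID when the action is taken. The default is only a placeholder.
// NOTE(review): the value is inserted into a command line unchanged; check it before use.
action parameter query "_inputCID" with description "Please input the CrowdStrike CID." with default "xxxxxxxxxxxxx"
parameter "package" = "falcon-sensor-7.17.0-17005.el9.x86_64.rpm"

// Prefetch the CrowdStrike sensor from the designated URL. The client rejects a download
// whose SHA-1 or size differs from this line.
// NOTE(review): SHA-1 alone is a weak pin; add the package's SHA-256 to this line as well,
// i.e. append "sha256:<SHA256_OF_RPM>" (placeholder, compute it from the vendor package).
prefetch falcon-sensor-7.17.0-17005.el9.x86_64.rpm sha1:4737f914aac988c975b9642a48e129545f9ab334 size:61518440 https://local_repo/falcon-sensor-7.17.0-17005.el9.x86_64.rpm

// Execute RPM install command for CrowdStrike sensor.
// SECURITY: --nodigest and --nofiledigest turn off rpm's own digest verification of the
// package and its files, so the hash on the prefetch line is the only integrity check left.
// They are kept because digest problems were reported for this package; retest without
// them and drop them as soon as the install succeeds.
// 998 is reported when the client has no exit code for the step.
wait rpm --nofiledigest --nodigest --install __Download/{parameter "package"}
parameter "__ExitCode02" = "{if exist exit code of action then exit code of action as string else "998"}"
if {parameter "__ExitCode02" != "0"}
	exit {parameter "__ExitCode02"}
endif

// Set CID config for sensor as per documentation.
// NOTE(review): the provisioning token is a placeholder. A real token written into the
// Fixlet is readable by everyone who can view the action, and the full command line may
// also be recorded in the client log — TODO confirm before putting a live token here.
// 997 is reported when the client has no exit code for the step.
wait /opt/CrowdStrike/falconctl -s --cid={parameter "_inputCID"} --provisioning-token=xxxxxxxx
parameter "__ExitCode03" = "{if exist exit code of action then exit code of action as string else "997"}"
if {parameter "__ExitCode03" != "0"}
	exit {parameter "__ExitCode03"}
endif

// Start the CrowdStrike sensor as per documentation; "enable --now" also enables it at boot.
// 996 is reported when the client has no exit code for the step.
wait systemctl enable falcon-sensor --now
parameter "__ExitCode04" = "{if exist exit code of action then exit code of action as string else "996"}"
if {parameter "__ExitCode04" != "0"}
	exit {parameter "__ExitCode04"}
endif

// Nothing was copied outside the action's __Download folder, so /tmp needs no cleanup.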

@RichCampbell I have tried this ActionScript, but I am facing issues with “wait sudo” and the exit-code logic. Do you have a working ActionScript?

I do. It's the one I posted in this thread in August of '24.

Recently, I built a deployment package for CrowdStrike Falcon Sensor v7.32 and did not encounter any issues. Sharing the Action Script used for RHEL systems below in case it helps others facing similar problems.

// Deploys CrowdStrike Falcon sensor 7.32.0-18504 on RHEL 7, 8 and 9: picks the RPM that
// matches the reported OS name, installs it with yum, sets the CID and a grouping tag,
// restarts the service, and exits 10 if no falcon-sensor process is found afterwards.
// NOTE(review): no "wait" step has its exit code checked. The process check at the end is
// the only failure signal, and it also passes when a sensor from an earlier install is
// already running.
//
// Optional proxy prompts (disabled):
//action parameter query "APP_PROXYNAME" with description "Please enter the proxy name (without http://) for example: proxy.company.com"
//action parameter query "APP_PROXYPORT" with description "Please enter the proxy port for example: 8080"

// Install the package that matches the OS name.
// NOTE(review): there is no "else" branch, so on an OS name that matches none of the three
// prefixes nothing is installed and the script still goes on to falconctl.
// Each "extract" names its archive by a 40-hex-digit value — presumably the SHA-1 under
// which prefetch statements not shown here downloaded it; confirm those statements pin
// hash and size.
// NOTE(review): "chmod +x" should not be needed for yum to read an RPM — confirm and drop.
if {(name of it as string starts with "Linux Red Hat Enterprise 9") of operating system}
extract 6f2734901ac7b7d880004218761e70b0303f856d
wait chmod +x __Download/falcon-sensor-7.32.0-18504.el9.x86_64.rpm
wait yum -y install __Download/falcon-sensor-7.32.0-18504.el9.x86_64.rpm

elseif {(name of it as string starts with "Linux Red Hat Enterprise 8") of operating system}
extract e9ec8ec6908793c8f366a0f6e3335c7e0e7f4156
wait chmod +x __Download/falcon-sensor-7.32.0-18504.el8.x86_64.rpm
wait yum -y install __Download/falcon-sensor-7.32.0-18504.el8.x86_64.rpm

elseif {(name of it as string starts with "Linux Red Hat Enterprise Server 7") of operating system}
extract 3f81e81cd76c2f0c269a28e6e1db19e8f8f0685c
wait chmod +x __Download/falcon-sensor-7.32.0-18504.el7.x86_64.rpm
wait yum -y install __Download/falcon-sensor-7.32.0-18504.el7.x86_64.rpm
endif

// Set the CID and the grouping tag. <CID_VALUE> is a placeholder that must be replaced with
// the tenant's CID before the Fixlet is used.
wait /opt/CrowdStrike/falconctl -s --cid=<CID_VALUE>
wait /opt/CrowdStrike/falconctl -s --tags="Linux_Devices"

// Set proxy - optional (disabled). If enabled, the operator-supplied host and port go into
// the command line unchanged, so check them first.
//if {parameter "APP_PROXYNAME" != "" AND parameter "APP_PROXYPORT" != ""}
//wait /opt/CrowdStrike/falconctl -s --aph={parameter "APP_PROXYNAME"}
//wait /opt/CrowdStrike/falconctl -s --app={parameter "APP_PROXYPORT"}
//endif

// Restart the service so it runs with the settings written above.
wait systemctl restart falcon-sensor

// Validate: fail the action with exit code 10 when no process whose name contains
// "falcon-sensor" is running.
if {not exists process whose (name of it as lowercase contains "falcon-sensor")}
exit 10
endif


Thanks @vk.khurava, this helps. By any chance, do you have Windows code available?

Sure, here we go!

// For Windows. Runs the Falcon sensor installer silently and exits 10 if the
// CSFalconService service is missing or not running afterwards. The proxy variant is kept
// below as commented-out placeholders; use it if a proxy is required.
// "prefetch ..." and "extract ..." are abbreviated here: the real statements must name the
// installer and should pin its hash and size.
prefetch ...
extract ...

//action parameter query "APP_PROXYNAME" with description "Please enter the proxy FQDN or IP"
//action parameter query "APP_PROXYPORT" with description "Please enter the proxy port for example: 8080"

action uses wow64 redirection false
// Install without proxy settings. CID_Token is a placeholder for the tenant's CID.
// NOTE(review): ProvWaitTime is presumably in milliseconds (1800000 = 30 minutes) — confirm
// against the vendor documentation.
// NOTE(review): the installer's exit code is not checked; only the service check at the end
// reports a failure.
//if {parameter "APP_PROXYNAME" = "" AND Parameter "APP_PROXYPORT" = ""}
waithidden __Download\FalconSensor_Windows.exe CID=CID_Token ProvWaitTime=1800000 GROUPING_TAGS="Win_Devices" /install /quiet NoFA=1 /norestart

// Proxy variant (disabled). Its "CID=" is empty and must be filled in before it is enabled.
//else
//waithidden __Download\FalconSensor_Windows.exe CID= APP_PROXYNAME={parameter "APP_PROXYNAME"} APP_PROXYPORT={parameter "APP_PROXYPORT"} ProvWaitTime=1800000 GROUPING_TAGS="Win_Devices" /install /quiet NoFA=1 /norestart
//endif

// Validate: fail the action with exit code 10 unless the service exists and is running.
if {not exists service "CSFalconService" OR state of service "CSFalconService" != "Running"}
exit 10
endif

//For Linux Amazon 2/2023:
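You can use the same RHEL deployment script. Its if/elseif checks match only Red Hat operating-system names, so add a branch (with the matching package) for Amazon Linux; otherwise nothing is installed.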

// For Ubuntu. Installs the Falcon sensor .deb with dpkg, sets the CID and a grouping tag,
// restarts the service, and exits 10 if no falcon-sensor process is found afterwards.
// NOTE(review): no "wait" step has its exit code checked. The process check at the end is
// the only failure signal, and it also passes when a sensor from an earlier install is
// already running.

// "prefetch ..." and "extract ...." are abbreviated here: the real statements must name the
// package and should pin its hash and size.
prefetch ...
extract ....

//action parameter query "APP_PROXYNAME" with description "Please enter the proxyname (without http://) for example: ABC.company.com"
//action parameter query "APP_PROXYPORT" with description "Please enter the proxy port for example: 8080"

// Install the package.
// NOTE(review): "dpkg -i" does not fetch missing dependencies — confirm they are already
// present on the targets. "chmod +x" should not be needed for dpkg to read the file.
wait chmod +x __Download/falcon-sensor_7.32.0-18504_amd64.deb
wait dpkg -i __Download/falcon-sensor_7.32.0-18504_amd64.deb

// Set the CID and the grouping tag. <CID_Token> is a placeholder that must be replaced with
// the tenant's CID before the Fixlet is used.
wait /opt/CrowdStrike/falconctl -s --cid=<CID_Token>
wait /opt/CrowdStrike/falconctl -s --tags="Ubuntu_Devices"

// Set proxy - optional (disabled). If enabled, the operator-supplied host and port go into
// the command line unchanged, so check them first.
//if {parameter "APP_PROXYNAME" != "" AND Parameter "APP_PROXYPORT" != ""}
//wait /opt/CrowdStrike/falconctl -s --aph={parameter "APP_PROXYNAME"}
//wait /opt/CrowdStrike/falconctl -s --app={parameter "APP_PROXYPORT"}
//endif

// Restart the service so it runs with the settings written above.
wait systemctl restart falcon-sensor

// Validate: fail the action with exit code 10 when no process whose name contains
// "falcon-sensor" is running.
if {not exists process whose (name of it as lowercase contains "falcon-sensor")}
exit 10
endif


Thanks @vk.khurava this will help.