I need to create a Fixlet to deploy the Falcon sensor to Linux servers using the CLI.
These are the steps I need to take:
- Cache install .rpm to target host
- Provide CID Key to BF agent for the install
- sudo yum install <installer_filename.rpm>
- sudo /opt/CrowdStrike/falconctl -s --cid= --backend=kernel
- sudo systemctl start falcon-sensor
- Reboot
Can someone create me an action script for this? Much appreciated. Would it be better to create a separate script file and just run that on BigFix?
Just use the Software Distribution Wizard or the Software Distribution Dashboard to upload the RPM into BigFix, and then you can use ActionScript (wait) to install it.
```
wait rpm -ivh __Download/package_name.rpm
wait /opt/CrowdStrike/falconctl -s --cid=SERIAL --backend=kernel
wait systemctl start falcon-sensor
action requires restart
```
This will mark the computer as Pending Restart.
On the Post-Action, you can select when to restart the machine.
Here is what we use on RHEL 9. I believe we had to use the rpm command due to issues with the digest and filedigest when using yum. This might be resolved, but I haven't checked in a while.
```
// *** ******************************************************************************** ***
// *** Documentation :: ***
// *** CrowdStrike Tech Hub: In-Depth Demos, Videos, and Trainings ***
// *** ******************************************************************************** ***
// Query operator for action parameters of fixlet
action parameter query "_inputCID" with description "Please input the CrowdStrike CID." with default "xxxxxxxxxxxxx"
parameter "package" = "falcon-sensor-7.17.0-17005.el9.x86_64.rpm"
// Prefetch the CrowdStrike sensor from the designated URL
prefetch falcon-sensor-7.17.0-17005.el9.x86_64.rpm sha1:4737f914aac988c975b9642a48e129545f9ab334 size:61518440 https://local_repo/falcon-sensor-7.17.0-17005.el9.x86_64.rpm
// Good housekeeping
delete "/tmp/{parameter "package"}"
// Move the downloaded RPM to TMP directory
move "__Download/{parameter "package"}" "/tmp/{parameter "package"}"
// Update RPM permissions
wait sudo su - root -c "chmod 744 /tmp/{parameter "package"}"
parameter "__ExitCode01" = "{if exist exit code of action then exit code of action as string else "999"}"
if {parameter "__ExitCode01" != "0"}
exit {parameter "__ExitCode01"}
endif
// Execute RPM install command for CrowdStrike sensor
wait sudo su - root -c "rpm --nofiledigest --nodigest --install /tmp/{parameter "package"}"
parameter "__ExitCode02" = "{if exist exit code of action then exit code of action as string else "998"}"
if {parameter "__ExitCode02" != "0"}
exit {parameter "__ExitCode02"}
endif
// Set CID config for sensor as per documentation
wait sudo su - root -c "/opt/CrowdStrike/falconctl -s --cid={parameter "_inputCID"} --provisioning-token=xxxxxxxx"
parameter "__ExitCode03" = "{if exist exit code of action then exit code of action as string else "997"}"
if {parameter "__ExitCode03" != "0"}
exit {parameter "__ExitCode03"}
endif
// Start the CrowdStrike sensor as per documentation
wait sudo su - root -c "systemctl enable falcon-sensor --now"
parameter "__ExitCode04" = "{if exist exit code of action then exit code of action as string else "996"}"
if {parameter "__ExitCode04" != "0"}
exit {parameter "__ExitCode04"}
endif
// Good housekeeping
delete "/tmp/{parameter "package"}"
```
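On the question of using a separate script file: the following is an added example, not code from any post in this thread or from CrowdStrike or BigFix, of a wrapper script that checks the operator-supplied CID before it is placed on a root command line and verifies a pinned SHA-256 of the RPM, since the install above runs with `--nofiledigest --nodigest`. The function names, exit codes, script name, and the CID pattern (32 hex characters, a hyphen, 2 hex characters) are assumptions.

```shell
#!/bin/sh
# Added example: pre-install checks for a Falcon sensor RPM, meant to run as root.
# Function names, exit codes and the CID pattern are assumptions, not vendor code.

# Accept only 32 hex characters, a hyphen, then 2 hex characters (assumed format).
valid_cid() {
    cid=$1
    [ "${#cid}" -eq 35 ] || return 1
    body=${cid%-*}   # text before the last hyphen
    sum=${cid##*-}   # text after the last hyphen
    [ "${#body}" -eq 32 ] && [ "${#sum}" -eq 2 ] || return 1
    case "$body$sum" in
        *[!0-9A-Fa-f]*) return 1 ;;   # rejects spaces, quotes, ';', newlines, ...
    esac
    return 0
}

# Compare the file's SHA-256 with a pinned value (case-insensitive hex).
verify_rpm_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    actual=$(sha256sum "$file") || return 2
    actual=${actual%% *}   # keep only the hash column
    [ "$actual" = "$expected" ]
}

# Validate first, then run the same three commands the thread uses.
install_falcon() {
    rpm_path=$1; pinned_sha256=$2; cid=$3
    valid_cid "$cid" || { echo "CID format rejected" >&2; return 10; }
    verify_rpm_sha256 "$rpm_path" "$pinned_sha256" ||
        { echo "RPM hash check failed" >&2; return 11; }
    rpm --nofiledigest --nodigest --install "$rpm_path" || return 12
    /opt/CrowdStrike/falconctl -s --cid="$cid" || return 13
    systemctl enable falcon-sensor --now || return 14
}

# Usage (hypothetical script name): falcon_install.sh <rpm_path> <sha256> <cid>
if [ "$#" -eq 3 ]; then
    install_falcon "$@"
fi
```

Distinct exit codes per step let the action report which stage failed, in the same spirit as the `__ExitCode` parameters in the script above.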