feat(bash install): add ability to prepare the sensor for gold images (…

…#358) * feat(bash install): add ability to prepare the sensor for gold images Fixes #355 This PR introduces the ability to now prepare the Falcon sensor to be created as a gold image/template. It also fixes some minor output issues. * fix(bash uninstall): fixes issue with silent error Since we use set -e, if you weren't setting FALCON_REMOVE_HOST then it would stop at the end of the cs_sensor_installed(). * docs(bash install): updated readme to reflect new gold image option Also refactored the README to be more readable imo. TOC helps someone see the layout and choose their own path.
CrowdStrike · Aug 16, 2024 · 1eccf32 · 1eccf32
1 parent 26e4fd2
commit 1eccf32
Show file tree

Hide file tree

Showing 3 changed files with 121 additions and 19 deletions.
diff --git a/bash/install/README.md b/bash/install/README.md
@@ -3,7 +3,7 @@
 Bash script to install Falcon Sensor through the Falcon APIs on a Linux endpoint. By default,
 this script will install, register the sensor, and start the service. If you would like to simply
 install the sensor without any additional configurations, configure the `FALCON_INSTALL_ONLY`
-environment variable.
+environment variable. Consult the Environment Variables for each script for more information.
 
 ## Security Recommendations
 
@@ -13,6 +13,20 @@ We have identified a security concern related to cURL versions prior to 7.55, wh
 
 To check your version of cURL, run the following command: `curl --version`
 
+## Table of Contents
+
+- [Falcon API Permissions](#falcon-api-permissions)
+- [Configuration](#configuration)
+  - [Setting up Authentication](#setting-up-authentication)
+- [Install Script](#install-script)
+  - [Usage](#usage)
+  - [Examples](#examples)
+- [Uninstall Script](#uninstall-script)
+  - [Usage](#usage-1)
+  - [Examples](#examples-1)
+- [Troubleshooting](#troubleshooting)
+
+
 ## Falcon API Permissions
 
 API clients are granted one or more API scopes. Scopes allow access to specific CrowdStrike APIs and describe the actions that an API client can perform.
@@ -71,7 +85,7 @@ export FALCON_CLOUD="us-1"
 
 The installer is AWS SSM aware, if `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET` are not provided AND the script is running on an AWS instance, the script will try to get API credentials from the SSM store of the region.
 
-### Install
+## Install Script
 
 ```terminal
 Installs and configures the CrowdStrike Falcon Sensor for Linux.
@@ -153,35 +167,66 @@ Other Options
         Prints an access token and exits.
         Requires FALCON_CLIENT_ID and FALCON_CLIENT_SECRET.
         Accepted values are ['true', 'false'].
+
+    - PREP_GOLDEN_IMAGE                 (default: false)
+        To prepare the sensor to be used in a golden image.
+        Accepted values are ['true', 'false'].
 ```
 
-***Examples***:
+### Usage
 
-To download and run the script:
+To download and run the script directly:
 
 ```bash
+export FALCON_CLIENT_ID="XXXXXXX"
+export FALCON_CLIENT_SECRET="YYYYYYYYY"
 curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-install.sh | bash
 ```
 
-Alternatively, you can run the script by cloning the repo:
+Alternatively, download the script and run it locally:
+
+```bash
+export FALCON_CLIENT_ID="XXXXXXX"
+export FALCON_CLIENT_SECRET="YYYYYYYYY"
+curl -O https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-install.sh
+bash falcon-linux-install.sh
+```
+
+Or pass the environment variables directly to the script:
 
 ```bash
-git clone https://github.com/crowdstrike/falcon-scripts
+FALCON_CLIENT_ID="XXXXXXX" FALCON_CLIENT_SECRET="YYYYYYYYY" bash falcon-linux-install.sh
 ```
 
-Then, run the following command:
+### Examples
+
+#### Install the latest Falcon Sensor with the default settings
 
 ```bash
-./falcon-linux-install.sh
+export FALCON_CLIENT_ID="XXXXXXX"
+export FALCON_CLIENT_SECRET="YYYYYYYYY"
+curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-install.sh | bash
 ```
 
-or
+#### Install the Falcon Sensor with the previous version (n-1)
 
 ```bash
-bash falcon-linux-install.sh
+export FALCON_CLIENT_ID="XXXXXXX"
+export FALCON_CLIENT_SECRET="YYYYYYYYY"
+export FALCON_SENSOR_VERSION_DECREMENT=1
+curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-install.sh | bash
+```
+
+#### Create a Golden Image
+
+```bash
+export FALCON_CLIENT_ID="XXXXXXX"
+export FALCON_CLIENT_SECRET="YYYYYYYYY"
+export PREP_GOLDEN_IMAGE="true"
+curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-install.sh | bash
 ```
 
-### Uninstall
+## Uninstall Script
 
 ```terminal
 Uninstalls the CrowdStrike Falcon Sensor from Linux operating systems.
@@ -223,15 +268,30 @@ Other Options:
         The proxy port for the sensor to use when communicating with CrowdStrike.
 ```
 
-***Examples***:
+### Usage
+
+#### To download and run the script directly
+
+```bash
+curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-uninstall.sh | bash
+```
+
+#### Alternatively, download the script and run it locally
+
+```bash
+curl -O https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-uninstall.sh
+bash falcon-linux-uninstall.sh
+```
+
+### Examples
 
-To download and run the script:
+#### Uninstall the Falcon Sensor
 
 ```bash
 curl -L https://raw.githubusercontent.com/crowdstrike/falcon-scripts/v1.5.4/bash/install/falcon-linux-uninstall.sh | bash
 ```
 
-Uninstall and remove the host from the Falcon console:
+#### Uninstall and remove the host from the Falcon console
 
 ```bash
 export FALCON_CLIENT_ID="XXXXXXX"

diff --git a/bash/install/falcon-linux-install.sh b/bash/install/falcon-linux-install.sh
@@ -77,11 +77,15 @@ Other Options
     - ALLOW_LEGACY_CURL                 (default: false)
         To use the legacy version of curl; version < 7.55.0.
 
-    - GET_ACCESS_TOKEN                  (default: unset)
+    - GET_ACCESS_TOKEN                  (default: false)
         Prints an access token and exits.
         Requires FALCON_CLIENT_ID and FALCON_CLIENT_SECRET.
         Accepted values are ['true', 'false'].
 
+    - PREP_GOLDEN_IMAGE                 (default: false)
+        To prepare the sensor to be used in a golden image.
+        Accepted values are ['true', 'false'].
+
 EOF
 }
 
@@ -121,7 +125,14 @@ main() {
         cs_sensor_restart
         echo '[ Ok ]'
     fi
-    echo 'Falcon Sensor installed successfully.'
+    if [ "${PREP_GOLDEN_IMAGE}" = "true" ]; then
+        echo -n 'Prepping Golden Image  ... '
+        cs_golden_image_prep
+        echo '[ Ok ]'
+        echo 'Falcon Sensor is ready for golden image creation.'
+    else
+        echo 'Falcon Sensor installed successfully.'
+    fi
 }
 
 cs_sensor_register() {
@@ -171,7 +182,7 @@ cs_sensor_register() {
     fi
     # run the configuration command
     # shellcheck disable=SC2086
-    /opt/CrowdStrike/falconctl -s -f ${cs_falcon_args}
+    /opt/CrowdStrike/falconctl -s -f ${cs_falcon_args} >/dev/null
 }
 
 cs_sensor_is_running() {
@@ -191,6 +202,35 @@ cs_sensor_restart() {
     fi
 }
 
+cs_golden_image_prep() {
+    local wait_time=60
+    local sleep_interval=5
+    local aid
+
+    get_aid() {
+        /opt/CrowdStrike/falconctl -g --aid | awk -F '"' '{print $2}'
+    }
+
+    aid=$(get_aid)
+    while [ -z "$aid" ]; do
+        if [ "$wait_time" -le 0 ]; then
+            echo '[ Failed ]'
+            die "Failed to retrieve existing AID. Please check the sensor status."
+        fi
+        sleep "$sleep_interval"
+        wait_time=$((wait_time - sleep_interval))
+        aid=$(get_aid)
+    done
+
+    # Remove the aid
+    /opt/CrowdStrike/falconctl -d -f --aid >/dev/null
+
+    # Check if a provisioning token was used, if so add it back
+    if [ -n "$cs_falcon_token" ]; then
+        /opt/CrowdStrike/falconctl -s -f --provisioning-token="$cs_falcon_token" >/dev/null
+    fi
+}
+
 cs_sensor_install() {
     local tempdir package_name
     tempdir=$(mktemp -d)

diff --git a/bash/install/falcon-linux-uninstall.sh b/bash/install/falcon-linux-uninstall.sh
@@ -66,7 +66,7 @@ main() {
         echo -n 'Removing host from console ... '
         get_oauth_token
         cs_remove_host_from_console
-        echo '[ Ok ] '
+        echo '[ Ok ]'
     fi
     echo 'Falcon Sensor removed successfully.'
 }
@@ -119,7 +119,9 @@ cs_sensor_installed() {
         echo "Falcon sensor is already uninstalled." && exit 0
     fi
     # Get AID if FALCON_REMOVE_HOST is set to true and sensor is installed
-    [ "${FALCON_REMOVE_HOST}" = "true" ] && get_aid
+    if [ "${FALCON_REMOVE_HOST}" = "true" ]; then
+        get_aid
+    fi
 }
 
 old_curl=$(