-
Notifications
You must be signed in to change notification settings - Fork 91
/
Copy pathfalcon-linux-uninstall.sh
executable file
·398 lines (335 loc) · 13.6 KB
/
falcon-linux-uninstall.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
#!/bin/bash
print_usage() {
cat <<EOF
Usage: $0 [-h|--help]
Uninstalls the CrowdStrike Falcon Sensor from Linux operating systems.
Version: $VERSION
This script recognizes the following environmental variables:
Authentication:
- FALCON_CLIENT_ID (default: unset)
Your CrowdStrike Falcon API client ID.
- FALCON_CLIENT_SECRET (default: unset)
Your CrowdStrike Falcon API client secret.
- FALCON_ACCESS_TOKEN (default: unset)
Your CrowdStrike Falcon API access token.
If used, FALCON_CLOUD must also be set.
- FALCON_CLOUD (default: unset)
The cloud region where your CrowdStrike Falcon instance is hosted.
Required if using FALCON_ACCESS_TOKEN.
Accepted values are ['us-1', 'us-2', 'eu-1', 'us-gov-1'].
Other Options:
- FALCON_REMOVE_HOST (default: unset)
Determines whether the host should be removed from the Falcon console after uninstalling the sensor.
Requires API Authentication.
NOTE: It is recommended to use Host Retention Policies in the Falcon console instead.
Accepted values are ['true', 'false'].
- GET_ACCESS_TOKEN (default: unset)
Prints an access token and exits.
Requires FALCON_CLIENT_ID and FALCON_CLIENT_SECRET.
Accepted values are ['true', 'false'].
- FALCON_APH (default: unset)
The proxy host for the sensor to use when communicating with CrowdStrike.
- FALCON_APP (default: unset)
The proxy port for the sensor to use when communicating with CrowdStrike.
This script recognizes the following argument:
-h, --help
Print this help message and exit.
EOF
}
VERSION="1.7.2"
# If -h or --help is passed, print the usage and exit
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
print_usage
exit 0
fi
main() {
if [ "$GET_ACCESS_TOKEN" = "true" ]; then
get_oauth_token
echo "$cs_falcon_oauth_token"
exit 0
fi
# Check if Falcon sensor is installed
cs_sensor_installed
echo -n 'Removing Falcon Sensor ... '
cs_sensor_remove
echo '[ Ok ]'
if [ "${FALCON_REMOVE_HOST}" = "true" ]; then
echo -n 'Removing host from console ... '
get_oauth_token
cs_remove_host_from_console
echo '[ Ok ]'
fi
echo 'Falcon Sensor removed successfully.'
}
cs_sensor_remove() {
remove_package() {
pkg="$1"
if type dnf >/dev/null 2>&1; then
dnf remove -q -y "$pkg" || rpm -e --nodeps "$pkg"
elif type yum >/dev/null 2>&1; then
yum remove -q -y "$pkg" || rpm -e --nodeps "$pkg"
elif type zypper >/dev/null 2>&1; then
zypper --quiet remove -y "$pkg" || rpm -e --nodeps "$pkg"
elif type apt >/dev/null 2>&1; then
DEBIAN_FRONTEND=noninteractive apt purge -y "$pkg" >/dev/null 2>&1
else
rpm -e --nodeps "$pkg"
fi
}
remove_package "falcon-sensor"
}
cs_remove_host_from_console() {
if [ -z "$aid" ]; then
echo 'Unable to find AID. Skipping host removal from console.'
else
payload="{\"ids\": [\"$aid\"]}"
url="https://$(cs_cloud)/devices/entities/devices-actions/v2?action_name=hide_host"
curl_command -X "POST" -H "Content-Type: application/json" -d "$payload" "$url" >/dev/null
handle_curl_error $?
fi
}
cs_cloud() {
case "${cs_falcon_cloud}" in
us-1) echo "api.crowdstrike.com" ;;
us-2) echo "api.us-2.crowdstrike.com" ;;
eu-1) echo "api.eu-1.crowdstrike.com" ;;
us-gov-1) echo "api.laggar.gcw.crowdstrike.com" ;;
*) die "Unrecognized Falcon Cloud: ${cs_falcon_cloud}" ;;
esac
}
cs_sensor_installed() {
if ! test -f /opt/CrowdStrike/falconctl; then
echo "Falcon sensor is already uninstalled." && exit 0
fi
# Get AID if FALCON_REMOVE_HOST is set to true and sensor is installed
if [ "${FALCON_REMOVE_HOST}" = "true" ]; then
get_aid
fi
}
old_curl=$(
if ! command -v curl >/dev/null 2>&1; then
die "The 'curl' command is missing. Please install it before continuing. Aborting..."
fi
version=$(curl --version | head -n 1 | awk '{ print $2 }')
minimum="7.55"
# Check if the version is less than the minimum
if printf "%s\n" "$version" "$minimum" | sort -V -C; then
echo 0
else
echo 1
fi
)
curl_command() {
# Dash does not support arrays, so we have to pass the args as separate arguments
set -- "$@"
if [ "$old_curl" -eq 0 ]; then
curl -s -x "$proxy" -L -H "Authorization: Bearer ${cs_falcon_oauth_token}" "$@"
else
echo "Authorization: Bearer ${cs_falcon_oauth_token}" | curl -s -x "$proxy" -L -H @- "$@"
fi
}
handle_curl_error() {
if [ "$1" = "28" ]; then
err_msg="Operation timed out (exit code 28)."
if [ -n "$proxy" ]; then
err_msg="$err_msg A proxy was used to communicate ($proxy). Please check your proxy settings."
fi
die "$err_msg"
fi
if [ "$1" = "5" ]; then
err_msg="Couldn't resolve proxy (exit code 5). The address ($proxy) of the given proxy host could not be resolved. Please check your proxy settings."
die "$err_msg"
fi
if [ "$1" = "7" ]; then
err_msg="Failed to connect to host (exit code 7). Host found, but unable to open connection with host."
if [ -n "$proxy" ]; then
err_msg="$err_msg A proxy was used to communicate ($proxy). Please check your proxy settings."
fi
die "$err_msg"
fi
}
json_value() {
KEY=$1
num=$2
awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'"$KEY"'\042/){print $(i+1)}}}' | tr -d '"' | sed -n "${num}p"
}
die() {
echo "Fatal error: $*" >&2
exit 1
}
aws_ssm_parameter() {
local param_name="$1"
hmac_sha256() {
key="$1"
data="$2"
echo -n "$data" | openssl dgst -sha256 -mac HMAC -macopt "$key" | sed 's/^.* //'
}
token=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
api_endpoint="AmazonSSM.GetParameters"
iam_role="$(curl -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/meta-data/iam/security-credentials/)"
aws_my_region="$(curl -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/meta-data/placement/availability-zone | sed s/.$//)"
_security_credentials="$(curl -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/meta-data/iam/security-credentials/"$iam_role")"
access_key_id="$(echo "$_security_credentials" | grep AccessKeyId | sed -e 's/ "AccessKeyId" : "//' -e 's/",$//')"
access_key_secret="$(echo "$_security_credentials" | grep SecretAccessKey | sed -e 's/ "SecretAccessKey" : "//' -e 's/",$//')"
security_token="$(echo "$_security_credentials" | grep Token | sed -e 's/ "Token" : "//' -e 's/",$//')"
datetime=$(date -u +"%Y%m%dT%H%M%SZ")
date=$(date -u +"%Y%m%d")
request_data='{"Names":["'"${param_name}"'"],"WithDecryption":"true"}'
request_data_dgst=$(echo -n "$request_data" | openssl dgst -sha256 | awk -F' ' '{print $2}')
request_dgst=$(
cat <<EOF | head -c -1 | openssl dgst -sha256 | awk -F' ' '{print $2}'
POST
/
content-type:application/x-amz-json-1.1
host:ssm.$aws_my_region.amazonaws.com
x-amz-date:$datetime
x-amz-security-token:$security_token
x-amz-target:$api_endpoint
content-type;host;x-amz-date;x-amz-security-token;x-amz-target
$request_data_dgst
EOF
)
dateKey=$(hmac_sha256 key:"AWS4$access_key_secret" "$date")
dateRegionKey=$(hmac_sha256 "hexkey:$dateKey" "$aws_my_region")
dateRegionServiceKey=$(hmac_sha256 "hexkey:$dateRegionKey" ssm)
hex_key=$(hmac_sha256 "hexkey:$dateRegionServiceKey" "aws4_request")
signature=$(
cat <<EOF | head -c -1 | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$hex_key" | awk -F' ' '{print $2}'
AWS4-HMAC-SHA256
$datetime
$date/$aws_my_region/ssm/aws4_request
$request_dgst
EOF
)
response=$(
curl -s "https://ssm.$aws_my_region.amazonaws.com/" \
-x "$proxy" \
-H "Authorization: AWS4-HMAC-SHA256 \
Credential=$access_key_id/$date/$aws_my_region/ssm/aws4_request, \
SignedHeaders=content-type;host;x-amz-date;x-amz-security-token;x-amz-target, \
Signature=$signature" \
-H "x-amz-security-token: $security_token" \
-H "x-amz-target: $api_endpoint" \
-H "content-type: application/x-amz-json-1.1" \
-d "$request_data" \
-H "x-amz-date: $datetime"
)
handle_curl_error $?
if ! echo "$response" | grep -q '^.*"InvalidParameters":\[\].*$'; then
die "Unexpected response from AWS SSM Parameter Store: $response"
elif ! echo "$response" | grep -q '^.*'"${param_name}"'.*$'; then
die "Unexpected response from AWS SSM Parameter Store: $response"
fi
echo "$response"
}
check_aws_instance() {
local aws_instance
# Check if running on EC2 hypervisor
if [ -f /sys/hypervisor/uuid ] && grep -qi ec2 /sys/hypervisor/uuid; then
aws_instance=true
# Check if DMI board asset tag matches EC2 instance pattern
elif [ -f /sys/devices/virtual/dmi/id/board_asset_tag ] && grep -q '^i-[a-z0-9]*$' /sys/devices/virtual/dmi/id/board_asset_tag; then
aws_instance=true
# Check if EC2 instance identity document is accessible
else
curl_output="$(curl -s --connect-timeout 5 http://169.254.169.254/latest/dynamic/instance-identity/)"
if [ -n "$curl_output" ] && ! echo "$curl_output" | grep --silent -i 'not.*found'; then
aws_instance=true
fi
fi
echo "$aws_instance"
}
get_falcon_credentials() {
if [ -z "$FALCON_ACCESS_TOKEN" ]; then
aws_instance=$(check_aws_instance)
cs_falcon_client_id=$(
if [ -n "$FALCON_CLIENT_ID" ]; then
echo "$FALCON_CLIENT_ID"
elif [ -n "$aws_instance" ]; then
aws_ssm_parameter "FALCON_CLIENT_ID" | json_value Value 1
else
die "Missing FALCON_CLIENT_ID environment variable. Please provide your OAuth2 API Client ID for authentication with CrowdStrike Falcon platform. Establishing and retrieving OAuth2 API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys."
fi
)
cs_falcon_client_secret=$(
if [ -n "$FALCON_CLIENT_SECRET" ]; then
echo "$FALCON_CLIENT_SECRET"
elif [ -n "$aws_instance" ]; then
aws_ssm_parameter "FALCON_CLIENT_SECRET" | json_value Value 1
else
die "Missing FALCON_CLIENT_SECRET environment variable. Please provide your OAuth2 API Client Secret for authentication with CrowdStrike Falcon platform. Establishing and retrieving OAuth2 API credentials can be performed at https://falcon.crowdstrike.com/support/api-clients-and-keys."
fi
)
else
if [ -z "$FALCON_CLOUD" ]; then
die "If setting the FALCON_ACCESS_TOKEN manually, you must also specify the FALCON_CLOUD"
fi
fi
}
get_oauth_token() {
# Get credentials first
get_falcon_credentials
cs_falcon_oauth_token=$(
if [ -n "$FALCON_ACCESS_TOKEN" ]; then
token=$FALCON_ACCESS_TOKEN
else
token_result=$(echo "client_id=$cs_falcon_client_id&client_secret=$cs_falcon_client_secret" |
curl -X POST -s -x "$proxy" -L "https://$(cs_cloud)/oauth2/token" \
-H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
-H "User-Agent: crowdstrike-falcon-scripts/$VERSION" \
--dump-header "${response_headers}" \
--data @-)
handle_curl_error $?
token=$(echo "$token_result" | json_value "access_token" | sed 's/ *$//g' | sed 's/^ *//g')
if [ -z "$token" ]; then
die "Unable to obtain CrowdStrike Falcon OAuth Token. Double check your credentials and/or ensure you set the correct cloud region."
fi
fi
echo "$token"
)
if [ -z "$FALCON_ACCESS_TOKEN" ]; then
region_hint=$(grep -i ^x-cs-region: "$response_headers" | head -n 1 | tr '[:upper:]' '[:lower:]' | tr -d '\r' | sed 's/^x-cs-region: //g')
if [ -z "${FALCON_CLOUD}" ]; then
if [ -z "${region_hint}" ]; then
die "Unable to obtain region hint from CrowdStrike Falcon OAuth API, Please provide FALCON_CLOUD environment variable as an override."
fi
cs_falcon_cloud="${region_hint}"
else
if [ "x${FALCON_CLOUD}" != "x${region_hint}" ]; then
echo "WARNING: FALCON_CLOUD='${FALCON_CLOUD}' environment variable specified while credentials only exists in '${region_hint}'" >&2
fi
fi
fi
rm "${response_headers}"
}
get_aid() {
aid="$(/opt/CrowdStrike/falconctl -g --aid | awk -F '"' '{print $2}')"
}
#------Start of the script------#
set -e
cs_falcon_cloud=$(
if [ -n "$FALCON_CLOUD" ]; then
echo "$FALCON_CLOUD"
else
# Auto-discovery is using us-1 initially
echo "us-1"
fi
)
response_headers=$(mktemp)
# shellcheck disable=SC2001
proxy=$(
proxy=""
if [ -n "$FALCON_APH" ]; then
proxy="$(echo "$FALCON_APH" | sed "s|http.*://||")"
if [ -n "$FALCON_APP" ]; then
proxy="$proxy:$FALCON_APP"
fi
fi
if [ -n "$proxy" ]; then
# Remove redundant quotes
proxy="$(echo "$proxy" | sed "s/[\'\"]//g")"
proxy="http://$proxy"
fi
echo "$proxy"
)
main "$@"