#!/usr/bin/env bash
########################################################################################################################################
# A script to collect the state of CrowdStrike Falcon (thanks, ZT!) #
# - If CrowdStrike Falcon is not installed, "Not Installed" will be returned. #
# - If CrowdStrike Falcon HAS connected within the number of days specified as `lastConnectedVariance`, "Running" will be returned. #
# - If CrowdStrike Falcon has NOT connected within the number of days specified as `lastConnectedVariance`, #
# the last connected date will be returned. #
########################################################################################################################################
# Pin the search path so this root-run extension attribute never resolves
# tools through a writable directory inherited from the caller's PATH.
PATH="/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin/"
export PATH
# Script version; informational only, not referenced elsewhere in this script.
scriptVersion="0.0.5"
# Default extension-attribute value, reported when Falcon.app is absent.
RESULT="Failed: Not Installed"
# Days the sensor may go without reaching the CrowdStrike Cloud before the
# last connection date is reported instead of "Running".
lastConnectedVariance="7"
###
# Functions
###
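check_last_connection() {
  #######################################
  # Append a "Last Connected" note to the global returnResult when the supplied
  # timestamp is older than the allowed number of days.
  # Globals:   returnResult (appended to)
  # Arguments: $1 = (str) date string as printed by `falconctl stats Communications`,
  #                 e.g. "Jan 5, 2024 at 3:04:05 PM" (constructed example)
  #            $2 = (int) number of days the sensor may go without connecting
  # Returns:   0 always. A timestamp that cannot be parsed is reported as stale
  #            (the previous version silently compared it as epoch 0, with the
  #            same outcome) instead of being ignored.
  #######################################
  local lastConnected="${1}"
  local varianceDays="${2}"
  local cleaned lastEpoch cutoffEpoch
  # Drop the comma and the " at" so only the date/time tokens remain.
  # A here-string avoids echo misreading a value that starts with "-".
  cleaned=$( /usr/bin/sed 's/,//g; s/ at//g' <<< "${lastConnected}" )
  # Parse the 12-hour clock together with its AM/PM marker first: stripping
  # " PM" and parsing with %H (the previous approach) placed afternoon times
  # 12 hours early. Fall back to a 24-hour parse for output without a meridian.
  # NOTE(review): assumes an ASCII space precedes AM/PM — confirm on current macOS output.
  if ! lastEpoch=$( /bin/date -j -f "%b %d %Y %I:%M:%S %p" "${cleaned}" +"%s" 2>/dev/null ); then
    if ! lastEpoch=$( /bin/date -j -f "%b %d %Y %H:%M:%S" "$( /usr/bin/sed 's/ [AP]M//g' <<< "${cleaned}" )" +"%s" 2>/dev/null ); then
      returnResult+=" Last Connected: ${lastConnected};"
      return 0
    fi
  fi
  cutoffEpoch=$( /bin/date -j -v-"${varianceDays}"d +"%s" )
  if (( lastEpoch < cutoffEpoch )); then
    returnResult+=" Last Connected: ${lastConnected};"
  fi
  return 0
}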
report_result() {
  #######################################
  # Print the extension-attribute value wrapped in <result> tags and stop.
  # Arguments: $1 = (str) message to return
  # Outputs:   "<result>MESSAGE</result>" on stdout
  # Returns:   never returns; exits the script with status 0
  #######################################
  local -r message="${1}"
  printf '<result>%s</result>\n' "${message}"
  exit 0
}
###
# Pre-flight: Check the Locale; this will affect the output of falconctl stats
###
# The locale affects the output of `falconctl stats`, and the date parsing
# below expects en_US formatting, so both the system-wide and the root user's
# AppleLocale are forced to en_US before falconctl is queried.
# NOTE(review): this is a persistent change to the host's locale that the
# script never restores — confirm that is acceptable for managed devices.
for globalPrefsPlist in "/Library/Preferences/.GlobalPreferences.plist" "/var/root/Library/Preferences/.GlobalPreferences.plist"; do
  currentLocale=$( /usr/bin/defaults read "${globalPrefsPlist}" AppleLocale )
  if [[ "${currentLocale}" != "en_US" ]]; then
    /usr/bin/defaults write "${globalPrefsPlist}" AppleLocale "en_US"
  fi
done
###
# Program
###
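# Convert one falconctl "Established At:" timestamp to epoch seconds on stdout.
# Arguments: $1 = (str) timestamp as printed by `falconctl stats Communications`,
#                 e.g. "Jan 5, 2024 at 3:04:05 PM" (constructed example)
# Returns:   0 and prints the epoch; non-zero with no output when unparseable
falcon_date_to_epoch() {
  local cleaned
  # Drop the comma and the " at" so only the date/time tokens remain.
  cleaned=$( /usr/bin/sed 's/,//g; s/ at//g' <<< "${1}" )
  # Parse the 12-hour clock together with its AM/PM marker first: stripping
  # " PM" and parsing with %H (the previous approach) placed afternoon times
  # 12 hours early. Fall back to a 24-hour parse for output without a meridian.
  # NOTE(review): assumes an ASCII space precedes AM/PM — confirm on current macOS output.
  /bin/date -j -f "%b %d %Y %I:%M:%S %p" "${cleaned}" +"%s" 2>/dev/null \
    || /bin/date -j -f "%b %d %Y %H:%M:%S" "$( /usr/bin/sed 's/ [AP]M//g' <<< "${cleaned}" )" +"%s" 2>/dev/null
}

if [[ -d "/Applications/Falcon.app" ]]; then
  falconBinary="/Applications/Falcon.app/Contents/Resources/falconctl"
  # stderr is merged so an error printed by falconctl reaches the "Error: Error"
  # check below regardless of which stream it was written to.
  falconAgentStats=$( "${falconBinary}" stats agent_info Communications 2>&1 )
  if [[ "${falconAgentStats}" == *"Error: Error"* ]]; then
    case "${falconAgentStats}" in
      *"status.bin"* ) RESULT="'status.bin' NOT found" ;;
      * ) RESULT="${falconAgentStats}" ;;
    esac
    echo "<result>${RESULT}</result>"
    exit 1
  else
    connectionState=$( /usr/bin/awk '/State:/{print $2}' <<< "${falconAgentStats}" )
    # xargs with no command collapses each awk result to one whitespace-trimmed line.
    established=$( /usr/bin/awk -F "[^Last] Established At:" '{print $2}' <<< "${falconAgentStats}" | /usr/bin/xargs )
    lastEstablished=$( /usr/bin/awk -F "Last Established At:" '{print $2}' <<< "${falconAgentStats}" | /usr/bin/xargs )
    if [[ "${connectionState}" == "connected" ]]; then
      if [[ -n "${established}" && -n "${lastEstablished}" ]]; then
        # Both dates present: keep the more recent one. An unparseable value
        # counts as epoch 0 so the other date wins.
        establishedEpoch=$( falcon_date_to_epoch "${established}" )
        lastEstablishedEpoch=$( falcon_date_to_epoch "${lastEstablished}" )
        if (( ${establishedEpoch:-0} >= ${lastEstablishedEpoch:-0} )); then
          testConnectionDate="${established}"
        else
          testConnectionDate="${lastEstablished}"
        fi
        # Report the more recent date if it is older than lastConnectedVariance days.
        check_last_connection "${testConnectionDate}" "${lastConnectedVariance}"
      elif [[ -n "${established}" ]]; then
        # Only the Established date was available.
        check_last_connection "${established}" "${lastConnectedVariance}"
      elif [[ -n "${lastEstablished}" ]]; then
        # Only the Last Established date was available.
        check_last_connection "${lastEstablished}" "${lastConnectedVariance}"
      else
        # Connected, but no connection date could be extracted.
        returnResult+=" Unknown Connection State;"
      fi
    elif [[ -n "${connectionState}" ]]; then
      # Any state other than "connected" is reported verbatim.
      returnResult+=" Connection State: ${connectionState};"
    fi
    # NOTE(review): an empty State: value falls through here and is later reported
    # as "Running" — confirm that silence is intended rather than "Unknown Connection State".
  fi
else
  echo "<result>${RESULT}</result>"
  exit 0
fi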
# Return the EA Value.
# Return the EA value: "Running" when nothing was flagged, otherwise the
# collected notes with the leading space and trailing ";" removed.
if [[ -z "${returnResult}" ]]; then
  report_result "Running"
else
  returnResult="${returnResult## }"
  report_result "${returnResult%%;}"
fi