CrowdStrike / falcon-scripts

Scripts to streamline the deployment and use of the CrowdStrike Falcon sensor
The Unlicense

Falcon agent install scripts say the CrowdStrike API key doesn't have sufficient permissions, however the permissions required have been granted #357

Closed searles9 closed 1 month ago

searles9 commented 1 month ago

Crowdstrike has provided scripts which install the Falcon Agent onto Azure Windows and Linux VMs. Those scripts can be found here:

I've attached the version of the scripts we are using (remove the .txt extension): LinuxCS (1).sh.txt and WindowsCS (1).ps1.txt

We got an error saying that the API key was missing permissions (see initial error).

We then granted the API key the permissions required in the error, however after granting those permissions we get a new error (see second error).

Is this an issue with the script? Is this an issue with CrowdStrike on the back end? I did notice that the latest version of the script has an increase in the "ProvWaitTime"; I don't think that would cause this issue. Please advise us on how we can resolve this urgent issue.

Initial Error:

8/6/2024, 2:01:56 PM - Output: PSComputerName        : localhost
PSSourceJobInstanceId : 8ad03789-154f-4031-9c51-db594bd6370f
Code                  : ComponentStatus/StdErr/succeeded
Level                 : Info
DisplayStatus         : Provisioning succeeded
Message               : Insufficient permission error when calling 
                        https://api.crowdstrike.com/policy/combined/sensor-update/v2?filter=platform
                        _name%3a%27Windows%27%2bname.raw%3a%27cloud+and+ad+production+windows+servers%27). Verify the 
                        following scopes are 
                        included in the API key:
                           'Sensor update policies' with: Read
                        At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.18\Downloads\script1.ps1:272 
                        char:9
                        +         throw $message
                        +         ~~~~~~~~~~~~~~
                            + CategoryInfo          : OperationStopped: (Insufficient pe...ies' with: Read:String) [], 
                        RuntimeException
                            + FullyQualifiedErrorId : Insufficient permission error when calling 
                        https://api.crowdstrike.com/policy/combined/s 
                           ensor-update/v2?filter=platform_name%3a%27Windows%27%2bname.raw%3a%27cloud+and+ad+production+
                        windows+servers%27).   
                          Verify the following scopes are included in the API key:
                           'Sensor update policies' with: Read

Time                  :

Error after granting the API key 'Sensor update policies' Read permissions:

PSComputerName        : localhost
PSSourceJobInstanceId : b4bba4c1-2f7a-4e93-9818-ed0fb950f197
Code                  : ComponentStatus/StdErr/succeeded
Level                 : Info
DisplayStatus         : Provisioning succeeded
Message               : Unhandled error occurred. Error: Unable to fetch policy details from the CrowdStrike Falcon API.
                        At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.18\Downloads\script3.ps1:267 
                        char:9
                        +         throw $message
                        +         ~~~~~~~~~~~~~~
                            + CategoryInfo          : OperationStopped: (Unhandled error...ike Falcon API.:String) [], 
                        RuntimeException
                            + FullyQualifiedErrorId : Unhandled error occurred. Error: Unable to fetch policy details 
                        from the CrowdStrike Fal 
                           con API.

carlosmmatos commented 1 month ago

@searles9 - so the version of the scripts you are providing us are v1.3.3 - Have you had the ability to test this using the latest version v1.5.4?

searles9 commented 1 month ago

I have not tested the new version. But the only difference I saw between the two was the "ProvWaitTime". Not sure that would cause that issue.

Thoughts? @carlosmmatos

carlosmmatos commented 1 month ago

A lot has changed: https://github.com/CrowdStrike/falcon-scripts/compare/v1.3.3...v1.5.4

If it's not too much, please try the latest and report back if you are still having API issues.

edit: was trying to get you direct links to the diffs but I guess it doesn't allow for that.. In the link above, navigate to Files changed -> look for the 2 scripts to see the deltas

searles9 commented 1 month ago

I'll try the new script and report back @carlosmmatos

searles9 commented 1 month ago

@carlosmmatos

I tried the new windows script and that fixed the windows issue.

I tried the new Linux script and ran into a few issues:

I get this error:

                        [stdout]
                        Check if Falcon Sensor is running ... [ Not present ]
                        Falcon Sensor Install  ... 
                        [stderr]
                        Fatal error: No sensor found for with OS Name: Ubuntu

Additionally there is a part in the script that checks for positional parameters and I had to remove that:

    if [ -n "$1" ]; then
        print_usage
        exit 1
    fi

Any chance you can add a flag to omit this check? We use a PowerShell command to run the script in the VM. The command has a parameter flag, which sets values as environment variables, but it also seems to think those are positional parameters.

         $scriptResult = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup.ResourceGroupName -VMName $_.Name -CommandId 'RunShellScript' -ScriptPath LinuxCS.sh -Parameter @{
                FALCON_CLIENT_SECRET="${crowdstrikeSecret}";
                FALCON_CLIENT_ID="${crowdstrikeId}";
                FALCON_CID="ommited";
                ALLOW_LEGACY_CURL="true";
            } -Verbose

carlosmmatos commented 1 month ago

@searles9 glad to hear the windows install is working..

As for your problem with bash - that is because the script doesn't support positional arguments, in fact this block:

    if [ -n "$1" ]; then
        print_usage
        exit 1
    fi

is precisely there to tell you that. I have an active PR #358 right now that is going to enhance the docs a little around usage/examples that may help you.. but what you want to do is figure out how you can pass these as inline parameters like this:

FALCON_CLIENT_SECRET="${crowdstrikeSecret}" FALCON_CLIENT_ID="${crowdstrikeId}" FALCON_CID="ommited" ALLOW_LEGACY_CURL="true" ./LinuxCS.sh

I'm not too familiar with powershell invoking, perhaps you can use -ScriptString?

Hopefully that works.. otherwise you might need a wrapper script

searles9 commented 1 month ago

@carlosmmatos You misunderstand. When I call Invoke-AzVMRunCommand (from powershell to run the shell script on the linux vm) and pass -Parameter it sees those values for whatever reason as both positional parameters and as environment variables. To work around that I removed this block from the script:

    if [ -n "$1" ]; then
        print_usage
        exit 1
    fi

I am still able to do something like this in the script for example and have it work (the script sees them as environment variables):

echo $FALCON_CLIENT_ID

The issue seems to be that the script can't find the installer for Ubuntu:

# This is my script output:
                        Check if Falcon Sensor is running ... [ Not present ]
                        Falcon Sensor Install  ... 
                        [stderr]
                        Fatal error: No sensor found for with OS Name: Ubuntu

Something is going wrong around here I think:

cs_sensor_download() {
    local destination_dir="$1" existing_installers sha_list INDEX sha file_type installer

    if [ -n "$cs_sensor_policy_name" ]; then
        cs_sensor_version=$(cs_sensor_policy_version "$cs_sensor_policy_name")
        cs_api_version_filter="+version:\"$cs_sensor_version\""

        if [ "$cs_falcon_sensor_version_dec" -gt 0 ]; then
            echo "WARNING: Disabling FALCON_SENSOR_VERSION_DECREMENT because it conflicts with FALCON_SENSOR_UPDATE_POLICY_NAME"
            cs_falcon_sensor_version_dec=0
        fi
    fi

    existing_installers=$(
        curl_command -G "https://$(cs_cloud)/sensors/combined/installers/v2?sort=version|desc" \
            --data-urlencode "filter=os:\"$cs_os_name\"+os_version:\"*$cs_os_version*\"$cs_api_version_filter$cs_os_arch_filter"
    )

    handle_curl_error $?

    if echo "$existing_installers" | grep "authorization failed"; then
        die "Access denied: Please make sure that your Falcon API credentials allow sensor download (scope Sensor Download [read])"
    elif echo "$existing_installers" | grep "invalid bearer token"; then
        die "Invalid Access Token: $cs_falcon_oauth_token"
    fi

    sha_list=$(echo "$existing_installers" | json_value "sha256")
    if [ -z "$sha_list" ]; then
        die "No sensor found for with OS Name: $cs_os_name"
    fi

    # Set the index accordingly (json_value expects an index+1 value)
    INDEX=$((cs_falcon_sensor_version_dec + 1))

    sha=$(echo "$existing_installers" | json_value "sha256" "$INDEX" |
        sed 's/ *$//g' | sed 's/^ *//g')
    if [ -z "$sha" ]; then
        die "Unable to identify a sensor installer matching: $cs_os_name, version: $cs_os_version, index: N-$cs_falcon_sensor_version_dec"
    fi
    file_type=$(echo "$existing_installers" | json_value "file_type" "$INDEX" | sed 's/ *$//g' | sed 's/^ *//g')

    installer="${destination_dir}/falcon-sensor.${file_type}"

    curl_command "https://$(cs_cloud)/sensors/entities/download-installer/v1?id=$sha" -o "${installer}"

    handle_curl_error $?

    echo "$installer"
}

redhatrises commented 1 month ago

@searles9 what Ubuntu version are you attempting to install to?

searles9 commented 1 month ago

@carlosmmatos It's "Linux (ubuntu 24.04)". However, it may not be specific to just that OS.

redhatrises commented 1 month ago

It actually is specific to that OS. The error message that you are receiving is because 24.04 is not yet supported by the sensor. So, the api won't return an installable package until an OS is supported.

carlosmmatos commented 1 month ago

@searles9 see #335

searles9 commented 1 month ago

@carlosmmatos Thanks. That makes sense. I found the FAQ page with the supported OS versions. Testing with the new script version and a supported linux OS seems to work from what I can tell so far.

Could your team implement some sort of change like this?:

# Change this original code:
    if [ -n "$1" ]; then
        print_usage
        exit 1
    fi

# To something like this:
if [ -z "$SKIP_POSITIONAL_PARAM_CHECK" ]; then
    if [ -n "$1" ]; then
        print_usage
        exit 1
    fi
fi

# description: if "SKIP_POSITIONAL_PARAM_CHECK" is set to "true" then the script will skip checking and erroring if there are positional parameters detected

With this change we would be able to use the script without modification. Currently we have to remove that line (as described in previous comments).

carlosmmatos commented 1 month ago

@searles9 I added a change to help out on this area. Basically the only positional argument we'll accept is -h|--help, otherwise we'll continue processing as normal. The assumption here is that people who use this script outside of situations like you have with AzVMRunCommands will continue understanding that it currently operates with environmental variables. In the future, as part of v2 we will introduce the ability to pass both ENV and arguments - similar to how we do with the container-pull script.
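
A sketch of the argument handling carlosmmatos describes, written here as an added example rather than code taken from the falcon-scripts repository: only `-h`/`--help` is honoured as a positional argument, any other tokens (such as the `NAME=value` pairs searles9 reports `Invoke-AzVMRunCommand -Parameter` forwarding alongside the environment variables) are ignored, and configuration is still read from the environment. The `print_usage`, `wants_help`, `check_required_env` and `main` functions are hypothetical names for this illustration.

```shell
#!/bin/sh
# Added example, not the falcon-scripts project's code: accept only -h/--help as
# a positional argument and ignore other tokens so an install can proceed.

print_usage() {
    cat <<'EOF'
Usage: FALCON_CLIENT_ID=... FALCON_CLIENT_SECRET=... [FALCON_CID=...] ./LinuxCS.sh
Configuration is read from environment variables; positional arguments are ignored.
EOF
}

# Return 0 if -h or --help appears anywhere in the arguments, 1 otherwise.
wants_help() {
    for arg in "$@"; do
        case "$arg" in
            -h|--help) return 0 ;;
        esac
    done
    return 1
}

# Hypothetical check that the credentials the install needs are in the environment.
check_required_env() {
    missing=""
    for var in FALCON_CLIENT_ID FALCON_CLIENT_SECRET; do
        eval "val=\${$var:-}"
        [ -n "$val" ] || missing="$missing $var"
    done
    if [ -n "$missing" ]; then
        echo "Missing required environment variable(s):$missing" >&2
        return 1
    fi
    return 0
}

main() {
    if wants_help "$@"; then
        print_usage
        return 0
    fi
    check_required_env || return 1
    echo "Proceeding with install for client id ${FALCON_CLIENT_ID}"
}

# Run only when a client id is configured; sourcing the file for its functions is a no-op.
if [ -n "${FALCON_CLIENT_ID:-}" ]; then
    main "$@"
fi
```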

searles9 commented 1 month ago

Great, thank you! @carlosmmatos