Posted on 05-18-2021 07:45 PM
Hey All:
Thanks in advance for the help.
I'm trying to see what computers I have in my environment without our Crowdstrike agent installed on them.
I'm guessing the only way is scripting this through an extensible attribute (EA).
if [ -e /library/CS/ ]; then
echo "<result>Has Alias</result>"
else
echo "<result>Does Not Have Alias</result>"
fi
The EA only shows up blank.
Anything I'm doing wrong?
Posted on 05-18-2021 11:38 PM
Try this one, it works perfectly for me:
#!/bin/bash

###
# Variables
###
# User currently logged in at the console (not used further below)
user=$(ls -la /dev/console | cut -d " " -f 4)
result=()
filesFound=0
suspiciousFiles=(
    "YOUR FILE OR FOLDER HERE"
)

###
# Script
###
for suspiciousFile in "${suspiciousFiles[@]}"; do
    echo "Looking for $suspiciousFile"
    if [ -e "$suspiciousFile" ]; then
        # Count the hit and remember which path was found
        filesFound=$(expr $filesFound + 1)
        result+=("$suspiciousFile")
    fi
done

if [ $filesFound -ne 0 ]; then
    echo "<result>Yes: ${result[*]}</result>"
else
    echo "<result>No</result>"
fi
exit
Posted on 05-19-2021 03:18 AM
Update to a later version of Crowdstrike and it becomes an app, not just a binary.
If you're not able to update from 6.15 or older, we used to use the below in an extension attribute:
Returns version of CS agent if 6.15 or older.
#!/bin/sh
RESULT="False"
if [ -f "/Library/CS/falconctl" ] ; then
RESULT=$( sysctl cs.version | awk '{print $2}' )
fi
echo "<result>$RESULT</result>"
Posted on 05-19-2021 10:08 AM
If the EA is turning up blank on your machines, it's likely that they haven't done an inventory (recon) run yet. Have you checked if machines with blank values have done an Inventory run since configuring the EA?
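An added example, not part of any post in this thread: an extension attribute that covers both the legacy `/Library/CS/falconctl` layout and the newer app form mentioned above, and always prints a non-empty value, so a blank EA points to a missing inventory run rather than a missing agent. The `/Applications/Falcon.app` path and the `root` parameter (used only to test against a scratch directory) are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.
# $1 is a hypothetical root prefix for testing; leave it empty on a real Mac.

# Print the agent state for the filesystem rooted at $1.
cs_agent_state() {
    root="${1:-}"
    # Assumption: newer sensors install as an app bundle at this path.
    if [ -d "$root/Applications/Falcon.app" ]; then
        echo "Installed (app)"
    # Legacy layout (6.15 or older), as checked in the reply above.
    elif [ -f "$root/Library/CS/falconctl" ]; then
        # cs.version is only readable while the legacy sensor is loaded;
        # an empty answer is reported instead of leaving the value blank.
        ver=$(sysctl cs.version 2>/dev/null | awk '{print $2}')
        echo "Installed (legacy ${ver:-version unknown})"
    else
        echo "Not Installed"
    fi
}

# Wrap the state in the <result> tags that Jamf reads from stdout.
ea_result() {
    printf '<result>%s</result>\n' "$(cs_agent_state "${1:-}")"
}

ea_result ""
```

A smart group on "Not Installed" then lists the machines without the agent, while blank values stay a separate group to chase for inventory.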