Check If Folder Exists (Crowdstrike Falcon)

user-zBNtQAAFCi
New Contributor

Hey All:

Thanks in advance for the help.

I'm trying to see what computers I have in my environment without our Crowdstrike agent installed on them.

I'm guessing the only way is scripting this through an extensible attribute (EA).

I've placed this code in an EA:

if [ -e /library/CS/ ]; then
    echo "<result>Has Alias</result>"
else
    echo "<result>Does Not Have Alias</result>"
fi

exit

The EA only shows up blank.

Anything I'm doing wrong?

3 REPLIES

mickl089
Contributor II

Try this one, it works perfectly for me:

#!/bin/bash
###
# Variables
###
# Owner of /dev/console, i.e. the logged-in user (not used further below)
user=$(ls -la /dev/console | cut -d " " -f 4)
result=()
filesFound=0
suspiciousFiles=( "YOUR FILE OR FOLDER HERE" )
###
# Script
###
for suspiciousFile in "${suspiciousFiles[@]}"; do
    echo "Looking for $suspiciousFile"
    if [ -e "$suspiciousFile" ]; then
        # Count the hit and remember which path matched
        filesFound=$(expr $filesFound + 1)
        result+=("$suspiciousFile")
    fi
done
if [ "$filesFound" -ne 0 ]; then
    echo "<result>Yes: ${result[*]}</result>"
else
    echo "<result>No</result>"
fi
exit

glennmiller
New Contributor III

Update to a later version of Crowdstrike and it becomes an app, not just a binary.
If you're not able to update from 6.15 or older, we used to use the below in an extension attribute:

Returns version of CS agent if 6.15 or older.

#!/bin/sh
RESULT="False"
if [ -f "/Library/CS/falconctl" ] ; then
    RESULT=$( sysctl cs.version | awk '{print $2}' )
fi
echo "<result>$RESULT</result>"

cyeo
New Contributor II

If the EA is turning up blank on your machines, it's likely that they haven't done an inventory (recon) run yet. Have you checked if machines with blank values have done an Inventory run since configuring the EA?
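
The replies above combined into one extension attribute script, as an added example that is not part of any post in this thread: it checks the legacy `/Library/CS/falconctl` path from glennmiller's reply and the app-based sensor, and prints a `<result>` on every path so that a blank value points to a missing inventory run rather than a missing sensor. The `/Applications/Falcon.app` location, the use of `defaults read` for its version, the function names and the `FALCON_ROOT` prefix (for running against a constructed directory tree) are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reports how the CrowdStrike sensor
# is installed, so computers without it can be found with a search on the EA.

# falcon_state ROOT -> prints "app", "legacy" or "missing".
# ROOT is a hypothetical prefix for testing; empty means the real filesystem.
falcon_state() {
    root="${1:-}"
    if [ -d "$root/Applications/Falcon.app" ]; then
        # Assumed location of the app-based sensor (later versions).
        echo "app"
    elif [ -f "$root/Library/CS/falconctl" ]; then
        # Legacy binary install (6.15 or older, per the reply above).
        echo "legacy"
    else
        echo "missing"
    fi
}

# falcon_ea_result ROOT -> prints exactly one <result> line in every case.
falcon_ea_result() {
    root="${1:-}"
    case "$(falcon_state "$root")" in
        app)
            # Bundle version from Info.plist; empty if it cannot be read.
            ver=$(defaults read "$root/Applications/Falcon.app/Contents/Info" \
                CFBundleShortVersionString 2>/dev/null) || ver=""
            echo "<result>Installed (app) ${ver:-version unknown}</result>"
            ;;
        legacy)
            # Same sysctl key the legacy EA in the thread reads.
            ver=$(sysctl cs.version 2>/dev/null | awk '{print $2}')
            echo "<result>Installed (legacy) ${ver:-version unknown}</result>"
            ;;
        *)
            echo "<result>Not Installed</result>"
            ;;
    esac
}

falcon_ea_result "${FALCON_ROOT:-}"
```

A smart group on the value `Not Installed` then lists computers that reported in without the sensor, while computers whose value is still blank have not submitted inventory since the EA was created.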