Script to show if Crowdstrike Falcon Sensor is installed

j_allenbrand
Contributor

Hi, I am trying to find a way to see if there is a way to show if a program is installed or missing on specific machines. We want to make sure everyone has Crowdstrike Falcon sensor installed and running.

6 REPLIES 6

T_Armstrong
Contributor

Here's what we're using to report on the installed version - you should be able to use the "Not Installed" criteria in a smart group for your purposes.

#!/bin/sh
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Copyright (c) 2018 Jamf.  All rights reserved.
#
#       Redistribution and use in source and binary forms, with or without
#       modification, are permitted provided that the following conditions are met:
#               * Redistributions of source code must retain the above copyright
#                 notice, this list of conditions and the following disclaimer.
#               * Redistributions in binary form must reproduce the above copyright
#                 notice, this list of conditions and the following disclaimer in the
#                 documentation and/or other materials provided with the distribution.
#               * Neither the name of the Jamf nor the names of its contributors may be
#                 used to endorse or promote products derived from this software without
#                 specific prior written permission.
#
#       THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
#       EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#       WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#       DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
#       DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#       (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#       LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
#       ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
#       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#       SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
################
# Most authorship of the following script by Jamf Sr. Systems Engineer: Matt Woodruff
# Jamf Nation username: mwoodruff
################
# Regex for OS detection +10.13
OSREGEX="^1[3-9]$"
# Gets the OS version
OS=$(/usr/bin/sw_vers -productVersion)
OSVERS=$(/usr/bin/sw_vers -productVersion | /usr/bin/awk -F. '{print $2}')
if [[ $OSVERS =~ $OSREGEX ]]; then
    CS=$(sysctl cs | grep cs.version | awk -F: '{print $2}')
else
    CS="none"
fi
if [ "$CS" == "none" ]; then
        echo "<result>Not Supported in OS $OS</result>"
elif [ "$CS" != "" ]; then
        echo "<result>Version $CS</result>"
else 
    echo "<result>Not Installed or Running</result>"
fi

mani2care
Contributor

Hi I'm getting error I think this not supported for big sur
<result>Not Supported in OS 11.0.1</result>

bvrooman
Valued Contributor

I think that script is based on the pre-5.3x versions of the Falcon sensor, because a lot of that info moved into the output from falconctl instead of the kernel variables. Here's what we're using, which has been tested with version 5.11 through 6.18:

#!/bin/bash

# Find falconctl in /Library or /Applications/Falcon.app, or report if it's not there
if [ -e /Library/CS/falconctl ]; then
    falconctlPath="/Library/CS/falconctl"
elif [ -e /Applications/Falcon.app/Contents/Resources/falconctl ]; then
    falconctlPath="/Applications/Falcon.app/Contents/Resources/falconctl"
else
    echo "<result>Not Installed</result>"
    exit 0
fi

# Try to get the information from falconctl
csVersion=$($falconctlPath stats | grep version: | awk '{print $2}')

# If that didn't get it, try the old way
if [[ "$csVersion" == "" ]]; then
    csVersion=$(sysctl cs | grep cs.version | awk '{print $2}')
fi

# Report what we found, or that we don't know
echo "<result>${csVersion:-Unknown}</result>"

mani2care
Contributor

@bvrooman thanks for the script im getting error as like

NTS-IT-001:Desktop manikandan.raju$ sudo ./csv2.sh ./csv2.sh: line 14: /Library/CS/falconctl: is a directory
<result>6.16.12903.0</result>

user-RfQKsjDNqq
New Contributor

Thanks for the information keep sharing such informative post keep suggesting such post.

mani2care
Contributor

try like this it may help to find a better result.

#!/bin/bash
# Supports bith CS-V5.X below and CS-v6.X above .
# Find falconctl in /Library or /Applications/Falcon.app, or report if it's not there
if [ -e /Library/CS/falconctl ]; then
    falconctlPath="/Library/CS/falconctl"
elif [ -e /Applications/Falcon.app/Contents/Resources/falconctl ]; then
    falconctlPath="/Applications/Falcon.app/Contents/Resources/falconctl"
else
    echo "<result>Not Installed</result>"
    exit 0
fi

# Try to get the information from falconctl
csVersion=$($falconctlPath stats | grep version: | awk '{print $2}')

# If that didn't get it, try the old way
if [[ "$csVersion" == "" ]]; then
    csVersion=$(sysctl cs | grep cs.version | awk '{print $2}')
fi

# Report what we found, or that we don't know
echo "<result>${csVersion:-Unknown}</result>"