Help

Approved Kext Extension payload not working for Crowdstrike

inflicted
New Contributor II

Posted on ‎08-13-2018 06:15 PM

After reading numerous threads and @frantic's script to create the plist I tried to create a configuration profile to allow Crowdstrike's kexts, but I am still unable to see CS register correctly.

I use "sysctl cs" to verify if Crowdstrike is installed.

Has anyone gotten the Approved Kernel Extension payload to work with Crowdstrike?b8262bc7bc094308b7b3512227059a14
d1bad701058740da81fea15782c44954

0 Kudos
5 REPLIES 5

donmontalvo
Esteemed Contributor II

Posted on ‎08-13-2018 09:47 PM

Just curious, is there a reason why you decided to whitelist both Team ID and Bundle ID?

--
https://donmontalvo.com

tjhall
Contributor III

Posted on ‎08-14-2018 01:47 AM

If I run "sqlite3 /var/db/SystemPolicyConfiguration/KextPolic"y and "SELECT * FROM kext_policy;"

Might be worth adding these in and see if it works better....

X9E956P446|com.crowdstrike.sensor|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.CSAA|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.FileInfo|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.IOServices|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Kauth|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.libreactos|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.sensor.Network|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.NMR|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.platform|1|CrowdStrike Inc.|8
X9E956P446|com.crowdstrike.TDB|1|CrowdStrike Inc.|8

0 Kudos

scottb
Honored Contributor

Posted on ‎08-14-2018 08:24 AM

@huyinmobi I would remove the "Approved Kernel Extensions" entries, save and try again.
Basically, what @donmontalvo said. I use this profile and it works, but I don't populate the field as mentioned above.

0 Kudos

KSchroeder
Contributor

Posted on ‎08-15-2018 05:44 AM

Yes, looks like if you specify the specific extensions (but not all of them, as @tjhall noted) then any that AREN'T explicitly on the list will NOT be allowed. It does make it confusing because your KEXT policy in Preferences > Policies applet won't show anything for the vendor unless you DO list the specific extensions, from what I've seen.

0 Kudos

scottb
Honored Contributor

Posted on ‎08-15-2018 08:30 AM

I've had no cause as of yet not to just use TEAM ID. I guess I could see circumstances where one would want some, but not all.
TEAM ID has been pretty good so far. I just deploy those on enrollment and login and all the software installs without drama on the user's end.

0 Kudos