I will try to upload screen shots to make this more visual at a later date Could this be improved?Ībsolutely, I could write the code to accept arguments, or fumble around with date-time libs to convert readable human date stamps to epoch date stamps. When the next checkin occurs after after the reboot, a policy will execute the installation of the Falcon Sensor and will register it with the post install script. Once the code runs and blasts Crowdstrike Falcon off the file system, it will drop this text file and calculate smart group membership based off of that file existing
I chose this method to keep all the logic in the code and not in the smart group logic server side. When the falcon_punch.py script runs successfully it will drop a receipt file ( cs.txt) that is tracked via jamf pro EA and criteria for a smart group. This is obviously, only applicable if you have enabled cloud updates. The other check I am doing is the version ( sysctl -n cs.version) and tracking any client that is not auto updating from the cloud tenant. If those conditions are not met I assume the agent is broken, and will flag it for this workflow. There are tons of edge cases and false positives you can get, but I have narrowed down my usecase to /Library/CS/falconctl and sysctl cs having valid stdout output and an exit code of 0. It starts with logical checks via scripts you can execute on endpoints. I have only used this on systems that are broken beyond repair and do not work with the built in maintenance token mechanism Crowdstrike provides.
Also tested this with Falcon Sensor versions 4.x and 5.x for macOS. I have tested this on macOS 10.14.6 and 10.15.3. This is meant to be a one off type of solution, not an actual solution Use at your own risk Your choices are boot into Safe Boot or Recovery Mode and manually remove these components, which does not scale at all. They are mostly edge cases, however, there is no good remediation with automation that the vendor can supply. There are edge cases where the built in maintenance mechanims with in Crowdstrike will fail. This is a script you can use to forceibly remove Crowdstrike Falcon from a macOS system. Yes, a heart emoji you read that correctly. This solution was based off the original sript that Patrick Gallagher on the Mac Admins Slack provided, I rewrote it in Python 3 so I could display a heart emoji in my dialog boxes. Falcon-Punchįorce reinstall and remediation of broken Crowdstrike Falcon agents on macOS Credits
I will leave it up in case folks are using older versions of CS. Crowdstrike has patched in new features into their application/agent that now block all these methods and this repo no longer is valid.
0 kommentar(er)
