Merge pull request #393 from carlosmmatos/carlosmmatos/issue380
Add remove/hide host ability for uninstall
Showing
13 changed files
with
311 additions
and
3 deletions.
@@ -0,0 +1,2 @@ | ||
minor_changes: | ||
- falcon_uninstall - Adds hide/remove host functionality (https://github.com/CrowdStrike/ansible_collection_falcon/pull/393) |
@@ -1,5 +1,10 @@ | ||
--- | ||
- name: Converge | ||
hosts: all | ||
vars: | ||
falcon_client_id: "{{ lookup('env', 'FALCON_CLIENT_ID') }}" | ||
falcon_client_secret: "{{ lookup('env', 'FALCON_CLIENT_SECRET') }}" | ||
roles: | ||
- role: crowdstrike.falcon.falcon_uninstall | ||
vars: | ||
falcon_remove_host: yes |
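Review bot: `falcon_remove_host: yes` depends on YAML 1.1 truthy parsing; yamllint's `truthy` rule and Ansible style guidance want the canonical boolean, `falcon_remove_host: true`. Everything else in this converge scenario already uses plain scalars, so this is the only line to touch. The client ID and secret are read from the environment rather than committed, which is the right pattern for a molecule scenario.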
@@ -0,0 +1,32 @@ | ||
--- | ||
# This playbook will hide the host from the falcon console | ||
- name: "CrowdStrike Falcon | Remove/Hide Host from Console (Linux)" | ||
ansible.builtin.uri: | ||
url: "https://{{ falcon_cloud }}/devices/entities/devices-actions/v2?action_name=hide_host" | ||
method: POST | ||
body_format: json | ||
body: | ||
ids: | ||
- "{{ falcon_uninstall_remove_aid }}" | ||
return_content: true | ||
headers: | ||
authorization: "Bearer {{ falcon_api_oauth2_token.json.access_token }}" | ||
Content-Type: application/json | ||
status_code: 202 | ||
no_log: "{{ falcon_api_enable_no_log }}" | ||
when: ansible_facts['os_family'] != "Windows" | ||
|
||
- name: "CrowdStrike Falcon | Remove/Hide Host from Console (Windows)" | ||
ansible.windows.win_uri: | ||
url: "https://{{ falcon_cloud }}/devices/entities/devices-actions/v2?action_name=hide_host" | ||
method: POST | ||
body: | ||
ids: | ||
- "{{ falcon_uninstall_remove_aid }}" | ||
return_content: true | ||
headers: | ||
authorization: "Bearer {{ falcon_api_oauth2_token.json.access_token }}" | ||
Content-Type: application/json | ||
status_code: 202 | ||
no_log: "{{ falcon_api_enable_no_log }}" | ||
when: ansible_facts['os_family'] == "Windows" |
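Review bot: Neither task sets `delegate_to`, so the `hide_host` request — including the OAuth2 bearer token in the `authorization` header — is issued from the managed node that is being uninstalled, not from the controller; if that is not intended for this collection, `delegate_to: localhost` on both tasks keeps the API credential off an endpoint that is being decommissioned (and possibly no longer trusted). The first task is named "(Linux)" but its condition `ansible_facts['os_family'] != "Windows"` also runs on macOS, which the AID lookup in this PR explicitly supports; renaming it to "(Linux/macOS)" or documenting the intent in the comment above it avoids a misleading task name in play output. `no_log` gated on `falcon_api_enable_no_log` is appropriate here, since the module arguments carry the token.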
@@ -0,0 +1,51 @@ | ||
--- | ||
# Linux Block | ||
- name: "CrowdStrike Falcon | Linux Install State Block" | ||
when: | ||
- ansible_facts['system'] == 'Linux' | ||
block: | ||
- name: "CrowdStrike Falcon | Get List of Installed Packages (Linux)" | ||
ansible.builtin.package_facts: | ||
manager: auto | ||
|
||
- name: "CrowdStrike Falcon | Set Sensor Name (Linux)" | ||
ansible.builtin.set_fact: | ||
installed_sensor: falcon-sensor | ||
|
||
- name: "CrowdStrike Falcon | Check if Sensor is Installed (Linux)" | ||
ansible.builtin.set_fact: | ||
falcon_sensor_installed_linux: "{{ installed_sensor in ansible_facts.packages }}" | ||
|
||
# Windows block | ||
- name: "CrowdStrike Falcon | Windows Install State Block" | ||
when: | ||
- ansible_facts['os_family'] == "Windows" | ||
block: | ||
- name: "CrowdStrike Falcon | Check status of Falcon Sensor (Windows)" | ||
ansible.windows.win_command: sc.exe query csagent | ||
failed_when: false | ||
changed_when: false | ||
register: win_status | ||
|
||
- name: "CrowdStrike Falcon | Check if Sensor is Installed (Windows)" | ||
ansible.builtin.set_fact: | ||
falcon_sensor_installed_windows: "{{ true if ('RUNNING' in win_status.stdout) else false }}" | ||
|
||
# macOS block | ||
- name: "CrowdStrike Falcon | macOS Install State Block" | ||
when: | ||
- ansible_facts['distribution'] == "MacOSX" | ||
block: | ||
- name: CrowdStrike Falcon | Stat Falcon Sensor (macOS) | ||
ansible.builtin.stat: | ||
path: "/Applications/Falcon.app/Contents/Resources/falconctl" | ||
register: falconctl_mac | ||
|
||
- name: CrowdStrike Falcon | Check if Sensor is Installed (macOS) | ||
ansible.builtin.set_fact: | ||
falcon_sensor_installed_mac: "{{ falconctl_mac.stat.exists }}" | ||
|
||
# Check if sensor is installed | ||
- name: "CrowdStrike Falcon | Check if Sensor is Installed" | ||
ansible.builtin.set_fact: | ||
falcon_sensor_installed: "{{ falcon_sensor_installed_linux | default(falcon_sensor_installed_windows | default(falcon_sensor_installed_mac)) }}" |
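Review bot: On Windows `falcon_sensor_installed_windows` is derived from `'RUNNING' in win_status.stdout`, so a sensor whose `csagent` service exists but is stopped or starting is reported as not installed and the uninstall path is skipped; `sc.exe query` already signals absence through its exit status (non-zero, 1060, when the service does not exist), so `falcon_sensor_installed_windows: "{{ win_status.rc == 0 }}"` tests presence rather than run state, which is what an uninstall role needs. That also makes the Windows branch consistent with Linux and macOS, which test package/file presence. The final `default()` chain still raises an undefined-variable error when none of the three facts was set (an unhandled distribution); making the innermost default `falcon_sensor_installed_mac | default(false)` turns that into a clean "not installed" result.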
@@ -0,0 +1,93 @@ | ||
--- | ||
### AID remove_host | ||
# Linux block | ||
- name: "CrowdStrike Falcon | Linux AID Block" | ||
when: | ||
- ansible_facts['system'] == 'Linux' | ||
block: | ||
- name: "CrowdStrike Falcon | Grab existing AID (Linux)" | ||
crowdstrike.falcon.falconctl_info: | ||
name: aid | ||
register: falcon_uninstall_linux_aid_info | ||
|
||
- name: "CrowdStrike Falcon | Set AID (Linux)" | ||
ansible.builtin.set_fact: | ||
falcon_uninstall_linux_aid: "{{ falcon_uninstall_linux_aid_info.falconctl_info.aid }}" | ||
|
||
- name: "CrowdStrike Falcon | Assert AID found (Linux)" | ||
ansible.builtin.assert: | ||
that: | ||
- falcon_uninstall_linux_aid | length > 0 | ||
fail_msg: "AID was not found!" | ||
success_msg: "Found AID." | ||
|
||
# Windows block | ||
- name: "CrowdStrike Falcon | Windows AID Block" | ||
when: | ||
- ansible_facts['os_family'] == "Windows" | ||
block: | ||
- name: "CrowdStrike Falcon | Grab existing AID (Windows)" | ||
ansible.windows.win_reg_stat: | ||
path: "{{ item }}" | ||
name: AG | ||
register: falcon_uninstall_windows_aid_stat | ||
loop: | ||
- 'HKLM:\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default' | ||
- 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent\Sim' | ||
|
||
- name: "CrowdStrike Falcon | Set unique value (Windows)" | ||
ansible.builtin.set_fact: | ||
aid_win_value: "{{ falcon_uninstall_windows_aid_stat.results | selectattr('value', 'defined') | first }}" | ||
|
||
- name: "CrowdStrike Falcon | Convert Value to AID (Windows) " | ||
ansible.windows.win_shell: | | ||
$bytes = @( {{ aid_win_value.value | join(',') }} ) | ||
$aid = [System.BitConverter]::ToString($bytes).ToLower() -replace '-', '' | ||
Write-Host -NoNewline $aid | ||
changed_when: false | ||
register: falcon_uninstall_windows_aid_value | ||
|
||
- name: "CrowdStrike Falcon | Set AID (Windows)" | ||
ansible.builtin.set_fact: | ||
falcon_uninstall_windows_aid: "{{ falcon_uninstall_windows_aid_value.stdout }}" | ||
|
||
- name: "CrowdStrike Falcon | Assert AID found (Windows)" | ||
ansible.builtin.assert: | ||
that: | ||
- falcon_uninstall_windows_aid | length > 0 | ||
fail_msg: "AID was not found!" | ||
success_msg: "Found AID." | ||
|
||
# Mac Block | ||
- name: CrowdStrike Falcon | Stat Falcon Sensor (macOS) | ||
ansible.builtin.stat: | ||
path: "/Applications/Falcon.app/Contents/Resources/falconctl" | ||
register: falconctl_mac | ||
when: | ||
- ansible_facts['distribution'] == "MacOSX" | ||
|
||
- name: "CrowdStrike Falcon | macOS AID Block" | ||
when: | ||
- ansible_facts['distribution'] == "MacOSX" | ||
- falconctl_mac.stat.exists | ||
block: | ||
- name: CrowdStrike Falcon | Get AID Value from Stats (macOS) | ||
ansible.builtin.command: | | ||
/Applications/Falcon.app/Contents/Resources/falconctl stats agent_info | grep agentID | ||
register: falcon_uninstall_mac_aid_stat | ||
changed_when: false | ||
|
||
- name: "CrowdStrike Falcon | Set AID (macOS)" | ||
ansible.builtin.set_fact: | ||
falcon_uninstall_mac_aid: "{{ falcon_uninstall_mac_aid_stat.stdout | regex_replace('^.*: ', '') | lower | replace('-', '') }}" | ||
|
||
- name: "CrowdStrike Falcon | Assert AID found (macOS)" | ||
ansible.builtin.assert: | ||
that: | ||
- falcon_uninstall_mac_aid | length > 0 | ||
fail_msg: "AID was not found!" | ||
success_msg: "Found AID." | ||
|
||
- name: "CrowdStrike Falcon | Set AID for Uninstall" | ||
ansible.builtin.set_fact: | ||
falcon_uninstall_remove_aid: "{{ falcon_uninstall_linux_aid | default(falcon_uninstall_windows_aid | default(falcon_uninstall_mac_aid)) }}" |
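Review bot: The macOS task runs `falconctl stats agent_info | grep agentID` through `ansible.builtin.command`, which does not invoke a shell, so `|`, `grep` and `agentID` are passed to falconctl as literal arguments and no filtering happens; the following `regex_replace('^.*: ', '')` then runs against whatever falconctl printed, and since `^` only anchors the first line the assertion can pass with a wrong AID instead of failing. Drop the pipe and extract the value from the full stdout with a regex, as below (this assumes falconctl prints `agentID: <uuid>`, which the original grep/strip also assumed). The Windows branch interpolates registry bytes into PowerShell source via `$bytes = @( {{ aid_win_value.value | join(',') }} )`; the data comes from HKLM so the injection risk is bounded by local-admin access, but the hex conversion can be done in Jinja without spawning a shell, e.g. `falcon_uninstall_windows_aid: "{% for b in aid_win_value.value %}{{ '%02x' | format(b) }}{% endfor %}"`. Also, `selectattr('value', 'defined') | first` raises a raw Jinja "sequence was empty" error rather than the intended "AID was not found!" assert when neither registry key exists.
```yaml
      - name: CrowdStrike Falcon | Get AID Value from Stats (macOS)
        ansible.builtin.command:
          cmd: /Applications/Falcon.app/Contents/Resources/falconctl stats agent_info
        register: falcon_uninstall_mac_aid_stat
        changed_when: false

      - name: "CrowdStrike Falcon | Set AID (macOS)"
        ansible.builtin.set_fact:
          # falconctl prints "agentID: <uuid>"; take the value, lowercase it, drop dashes
          falcon_uninstall_mac_aid: "{{ falcon_uninstall_mac_aid_stat.stdout | regex_search('(?<=agentID: )[0-9A-Fa-f-]+') | default('', true) | lower | replace('-', '') }}"
      # … unchanged: assert AID found (macOS) …
```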
@@ -1,2 +1,7 @@ | ||
--- | ||
# vars file for falcon_uninstall | ||
falcon_cloud_urls: | ||
us-1: "api.crowdstrike.com" | ||
us-2: "api.us-2.crowdstrike.com" | ||
eu-1: "api.eu-1.crowdstrike.com" | ||
us-gov-1: "api.laggar.gcw.crowdstrike.com" |