MacOS Falcon Sensor Deployment
TL;DR I hacked the Falcon sensor installer for MacOS to include the licensing information.
What is falcond?
A lot of searches for “what is falcond” are landing on this page. falcond is the MacOS sensor for CrowdStrike antivirus software. The d is for daemon, a process that runs in the background, and falcon is the name of the antivirus software.
Update (December 2021)
A good semaritan has updated my script to work with the new macOS Falcon Sensor version (6.32 as of writing). I updated this article to reflect the changes.
Overview
CrowdStrike Falcon is a leading endpoint protection platform. The CrowdStrike platform offers increased control, visibility, and protection as well as humans on the back end to make sure that nothing slips through the cracks. In a large environment, it is advantageous to automate the installation process as much as possible. The Windows sensor installer has the Customer ID built-in, but the macOS installer does not.
The Falcon installer is straightforward enough for employees to use, but licensing it requires running a command in Terminal (shell). Easy for some, but Terminal can be a scary place for others. Had I sent the Falcon install instructions (including the licensing command) to the masses, there would have been a lot of partial installs. I knew that there had to be a better, easier, way to deploy Falcon on the Macs, so I started hacking.
Hack the pkg
I’ve never snooped around package (.pkg) installers before, but it was easier than I thought to hack. You will need XCode installed to use the pkgutil command.
1 - Expand package
In order to edit the scripts within the package, you need to expand it using the pkgutil command:
pkgutil --expand FalconSensorMacOS.pkg /tmp/FalconSensorMacOS.unpkg
2 - Edit postinstall scripts
Next, you will need to edit two files (the same script in two locations):
- /tmp/FalconSensorMacOS.unpkg/sensor-kext.pkg/Scripts/postinstall
- /tmp/FalconSensorMacOS.unpkg/sensor-sysx.pkg/Scripts/postinstall
Note: if you are navigating to the files in Finder, you will need to right click on the sensor-kext.pkg and click “Show Package Contents”.
The postinstall
script gets run towards the end of the installation process. We need to edit the file in two places:
2.1 - Assign license key to VALUE variable
First, locate the readManagedProfileKey function towards the top of the file (line number 15 as of writing). Add your license key to line 4 (keep the quotation marks):
|
|
2.2 - Add licenseSensor function
Second, add the licenseSensor function (including the function call) above “loadSensor” (lines 107-112 below):
|
|
Be sure to replace the example license key with your own.
3 - Re-package files
Back in Terminal, flatten (i.e. re-package) the files:
pkgutil --flatten /tmp/FalconSensorMacOS.unpkg FalconSensorMacOSWithID.pkg
That’s it! The user will still need to allow the computer to enable the system extension, but they will not need to run the licensing command in terminal.
Automating the hack
I wrote a script to automatically:
- Expand the package
- Edit the postinstall scripts
- Re-package the files
You can find the script on https://github.com/kguay/falcon-license. The script needs to be run on a computer running MacOS with XCode installed, since it requires the pkgutil
utility.
- Download the MacOS Falcon installer from the Falcon management web portal.
- Download the license-falcon script from https://github.com/kguay/falcon-license
- Run the license-falcon script the path to FalconSensorMacOS.pkg and your Customer ID
For example:
sh license-falcon.sh FalconSensorMacOS.pkg <customer_id>
Previous: Making resolutions stick
Next: Adding two factor authentication to your contacts