-
-
Notifications
You must be signed in to change notification settings - Fork 36
/
csf-Diagnose.bash
368 lines (254 loc) · 13.5 KB
/
csf-Diagnose.bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
#!/bin/bash
####################################################################################################
#
# CrowdStrike Falcon diagnose with Progress
#
# Purpose: Provide more detailed feedback on CrowdStrike Falcon's built-in diagnose command
#
####################################################################################################
#
# HISTORY
#
# Version 0.0.1, 06-Feb-2023, Dan K. Snelson (@dan-snelson)
# - Original version
#
# Version 0.0.2, 13-Mar-2023, Dan K. Snelson (@dan-snelson)
# - Prepend Serial Number on output file
#
# Version 0.0.3, 14-Mar-2023, Dan K. Snelson (@dan-snelson)
# - Modified `find` command (thanks, @Samantha Demi and @Pico)
#
# Version 0.0.4, 09-Sep-2023, Dan K. Snelson (@dan-snelson)
# - Updated `dialogURL`
#
####################################################################################################
####################################################################################################
#
# Variables
#
####################################################################################################
scriptVersion="0.0.4"
export PATH=/usr/bin:/bin:/usr/sbin:/sbin
falconBinary="/Applications/Falcon.app/Contents/Resources/falconctl"
osVersion=$( /usr/bin/sw_vers -productVersion )
osMajorVersion=$( echo "${osVersion}" | /usr/bin/awk -F '.' '{print $1}' )
dialogBinary="/usr/local/bin/dialog"
dialogCommandLog=$( mktemp /var/tmp/dialogCommandLog.XXX )
serialNumber=$( system_profiler SPHardwareDataType | grep "Serial Number" | awk -F ": " '{ print $2 }' )
scriptLog="${4:-"/var/tmp/com.company.log"}" # Parameter 4: Full path to your company's client-side log
estimatedTotalSeconds="${5:-"333"}" # Parameter 5: Estimated number of seconds to complete diagnose
####################################################################################################
#
# Pre-flight Checks
#
####################################################################################################
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Client-side Logging
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
if [[ ! -f "${scriptLog}" ]]; then
touch "${scriptLog}"
fi
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Client-side Script Logging Function
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
function updateScriptLog() {
echo -e "$( date +%Y-%m-%d\ %H:%M:%S ) - ${1}" | tee -a "${scriptLog}"
}
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Logging Preamble
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
updateScriptLog "\n\n###\n# CrowdStrike Falcon diagnose with Progress (${scriptVersion})\n###\n"
updateScriptLog "PRE-FLIGHT CHECK: Initiating …"
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Confirm script is running as root
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
if [[ $(id -u) -ne 0 ]]; then
updateScriptLog "PRE-FLIGHT CHECK: This script must be run as root; exiting."
exit 1
fi
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Validate Operating System
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
if [[ "${osMajorVersion}" -ge 11 ]] ; then
updateScriptLog "PRE-FLIGHT CHECK: macOS ${osMajorVersion} installed; proceeding …"
else
updateScriptLog "PRE-FLIGHT CHECK: macOS ${osMajorVersion} installed; exiting."
exit 1
fi
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Confirm CrowdStrike Falcon is installed
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
if [[ -f "${falconBinary}" ]]; then
updateScriptLog "PRE-FLIGHT CHECK: CrowdStrike Falcon installed; proceeding …"
else
updateScriptLog "PRE-FLIGHT CHECK: CrowdStrike Falcon NOT found; exiting."
exit 1
fi
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Confirm Apple's sysdiagnose directory is empty / Delete any previous diagnose files
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
if [[ -d "/private/var/db/sysdiagnose/" ]]; then
updateScriptLog "PRE-FLIGHT CHECK: sysdiagnose directory found; deleting …"
rm -Rf /private/var/db/sysdiagnose/
rm /private/tmp/falconctl_diagnose_*
rm /Users/Shared/"${serialNumber}_"*
fi
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Check: Check for / install swiftDialog (Thanks big bunches, @acodega!)
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
function dialogCheck() {
# Get the URL of the latest PKG From the Dialog GitHub repo
dialogURL=$(curl -L --silent --fail "https://api.github.com/repos/swiftDialog/swiftDialog/releases/latest" | awk -F '"' "/browser_download_url/ && /pkg\"/ { print \$4; exit }")
# Expected Team ID of the downloaded PKG
expectedDialogTeamID="PWA5E9TQ59"
# Check for Dialog and install if not found
if [ ! -e "/Library/Application Support/Dialog/Dialog.app" ]; then
updateScriptLog "PRE-FLIGHT CHECK: Dialog not found. Installing..."
# Create temporary working directory
workDirectory=$( /usr/bin/basename "$0" )
tempDirectory=$( /usr/bin/mktemp -d "/private/tmp/$workDirectory.XXXXXX" )
# Download the installer package
/usr/bin/curl --location --silent "$dialogURL" -o "$tempDirectory/Dialog.pkg"
# Verify the download
teamID=$(/usr/sbin/spctl -a -vv -t install "$tempDirectory/Dialog.pkg" 2>&1 | awk '/origin=/ {print $NF }' | tr -d '()')
# Install the package if Team ID validates
if [[ "$expectedDialogTeamID" == "$teamID" ]]; then
/usr/sbin/installer -pkg "$tempDirectory/Dialog.pkg" -target /
sleep 2
dialogVersion=$( /usr/local/bin/dialog --version )
updateScriptLog "PRE-FLIGHT CHECK: swiftDialog version ${dialogVersion} installed; proceeding..."
else
# Display a so-called "simple" dialog if Team ID fails to validate
osascript -e 'display dialog "Please advise your Support Representative of the following error:\r\r• Dialog Team ID verification failed\r\r" with title "Setup Your Mac: Error" buttons {"Close"} with icon caution'
quitScript "1"
fi
# Remove the temporary working directory when done
/bin/rm -Rf "$tempDirectory"
else
updateScriptLog "PRE-FLIGHT CHECK: swiftDialog version $( /usr/local/bin/dialog --version) found; proceeding..."
fi
}
if [[ ! -e "/Library/Application Support/Dialog/Dialog.app" ]]; then
dialogCheck
else
updateScriptLog "PRE-FLIGHT CHECK: swiftDialog version $(dialog --version) found; proceeding..."
fi
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Pre-flight Checks Complete
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
updateScriptLog "PRE-FLIGHT CHECK: Complete"
####################################################################################################
#
# Functions
#
####################################################################################################
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Update Dialog
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
function updateDialog() {
echo "${1}" >> "${dialogCommandLog}"
sleep 0.4
}
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Quit Script (thanks, @bartreadon!)
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
function quitScript() {
updateScriptLog "QUIT SCRIPT: Exiting …"
updateDialog "quit:"
# Remove dialogCommandLog
if [[ -e ${dialogCommandLog} ]]; then
updateScriptLog "QUIT SCRIPT: Removing ${dialogCommandLog} …"
rm "${dialogCommandLog}"
fi
# Remove any default dialog file
if [[ -e /var/tmp/dialog.log ]]; then
updateScriptLog "QUIT SCRIPT: Removing default dialog file …"
rm /var/tmp/dialog.log
fi
exit "${1}"
}
####################################################################################################
#
# General Dialog Variables
#
####################################################################################################
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Dialog Title, Message and Icon
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
title="CrowdStrike Falcon Diagnose (${scriptVersion})"
message="Please wait while a diagnosis is performed …"
icon="https://ics.services.jamfcloud.com/icon/hash_37bf84a34fb6d957fab0718cbf9dfea0a54562db2cd9ecfe8e16cdbe5a24197c"
# overlay=$( defaults read /Library/Preferences/com.jamfsoftware.jamf.plist self_service_app_path )
progressText="Initializing …"
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Dialog Settings and Features
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
dialogFalconctlDiagnose="$dialogBinary \
--title \"$title\" \
--message \"$message\" \
--icon \"$icon\" \
--mini \
--position bottomright \
--moveable \
--progress \
--progresstext \"$progressText\" \
--quitkey K \
--commandfile \"$dialogCommandLog\" "
# --overlayicon \"$overlay\" \
####################################################################################################
#
# Program
#
####################################################################################################
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# falconctl diagnose progress
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
updateScriptLog "Create Progress Dialog …"
eval "$dialogFalconctlDiagnose" & sleep 0.5
updateScriptLog "Starting falconctl diagnose …"
SECONDS="0"
eval "$falconBinary diagnose" &
sleep 2
while [[ -n $(pgrep "sysdiagnose_helper") ]]; do
progressPercentage=$( echo "scale=2 ; ( $SECONDS / $estimatedTotalSeconds ) * 100" | bc | sed 's/\.00//g' )
updateDialog "progress: ${progressPercentage}"
updateDialog "progresstext: ${progressPercentage}%"
done
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Update results in diagnose progress
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
updateScriptLog "QUIT SCRIPT: Diagnose Sucessful"
updateDialog "icon: SF=checkmark.circle.fill,weight=bold,colour1=#00ff44,colour2=#075c1e"
updateDialog "message: CrowdStrike Falcon Diagnose Complete"
updateDialog "progress: 100"
updateDialog "progresstext: Elapsed Time: $(printf '%dh:%dm:%ds\n' $((SECONDS/3600)) $((SECONDS%3600/60)) $((SECONDS%60)))"
updateScriptLog "Elapsed Time: $(printf '%dh:%dm:%ds\n' $((SECONDS/3600)) $((SECONDS%3600/60)) $((SECONDS%60)))"
sleep 5
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Wait for 'falconctl_diagnose_' directory to be removed
# See: https://macadmins.slack.com/archives/C07MGJ2SD/p1678735637841009
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
updateScriptLog "Wait for 'falconctl_diagnose_' directory to be removed from /private/tmp/ …"
updateDialog "icon: SF=deskclock.fill,weight=bold,colour1=#0066ff,colour2=#003380"
updateDialog "message: Waiting for file output …"
updateDialog "progresstext: Please wait …"
updateDialog "progress: reset"
until [[ -z "$( find /private/tmp -name "falconctl_diagnose_*" -type d )" ]]; do
updateScriptLog "Pausing for one second before re-checking …"
updateDialog "progress: increment 6"
sleep 1
done
updateDialog "progress: 100"
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Prepend output with Serial Number
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
originalFilename=$( find /private/tmp -name "falconctl_diagnose_*" -type f -print0 | xargs basename )
updateScriptLog "Original Filename: ${originalFilename}"
updateScriptLog "Move ${originalFilename} to /User/Shared/ …"
mv -v "/private/tmp/${originalFilename}" "/Users/Shared/${serialNumber}_${originalFilename}"
updateScriptLog "Reveal /User/Shared/${serialNumber}_${originalFilename}"
open -R "/Users/Shared/${serialNumber}_${originalFilename}"
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Exit
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
quitScript "0"