Crowdstrike-API-Scripts
Incorrect DeviceID being utilized due to stored variable issue
When attempting to use this script, I noticed repeatedly that, when running this as root, I was coming back with an incorrect uninstall token.
Crowdstrike detected. Starting uninstall.
{
"meta": {
"query_time": 0.068008897,
"powered_by": "csam",
"trace_id": ""
}
}
spawn /Applications/Falcon.app/Contents/Resources/falconctl uninstall -t
Falcon Maintenance Token:
Error: Maintenance token is incorrect%
After adding some debug echoes, I narrowed it down to lines 30 and 31 when I saw this:
{ "audit_message": "Jamf Pro Crowdstrike uninstall script", "device_id": "Communications" }
# Lines 30 and 31 of the script as shipped: capture the full multi-line `falconctl stats` output,
# then pull the agentID line out of the unquoted expansion and strip the hyphens.
csfalconstats=$( /Applications/Falcon.app/Contents/Resources/falconctl stats )
csfalconid=$( echo $csfalconstats | /usr/bin/grep "agentID:" | /usr/bin/awk '{ print $2 }' | /usr/bin/tr -d "-" )
It seems to be transforming the entire output into one long a&* string:
root# echo $csfalconstats | /usr/bin/grep "agentID:"
=== Communications === Cloud Info Host: ts01-b.cloudsink.net Port: 443 State: connected Message Store Capacity:
Because of this, awk screws up and cannot read the output properly to obtain the Device ID and remove the hyphens from it.
If we move the /usr/bin/grep "agentID:" from line 31 to line 30, this immediately rectifies the issue.
{
"meta": {
"query_time": 0.070141203,
"powered_by": "csam",
"trace_id": ""
}
}
spawn /Applications/Falcon.app/Contents/Resources/falconctl uninstall -t
Falcon Maintenance Token:
Falcon is uninstalled
I will submit a PR to fix this, and feel free to reject or deny it, as I am not sure whether this only applies to my machine or to others as well.
As another side note, I noticed that the installer does not actually load the license directly after installation, which seems like it could be an ideal fix to the solution.
I've added that in an additional commit.
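As an added example (not code from this issue or from the Crowdstrike-API-Scripts repo), the sh/bash snippet below reproduces the quoting behaviour the report describes on a constructed sample of `falconctl stats` output and shows the quoted form next to a checked variant that refuses to pass anything that is not a 32-hex-character ID on to the API; the sample text, function names and the ID value are all made up.

```shell
#!/bin/sh
# Constructed sample of `falconctl stats` output (not a real capture).
SAMPLE_STATS='=== Communications ===
Cloud Info
  Host: ts01-b.cloudsink.net
  Port: 443
  State: connected
agentID: 12345678-abcd-4ef0-9abc-0123456789ab
Message Store
  Capacity: 0'

# Same pattern as the original script: in sh/bash an unquoted $stats is
# word-split and rejoined with single spaces, so grep receives one long line
# and awk's $2 is the second word of that line, "Communications".
extract_unquoted() {
  stats="$1"
  echo $stats | grep "agentID:" | awk '{ print $2 }' | tr -d "-"
}

# Quoting the expansion preserves the newlines, so grep isolates the agentID
# line and awk's $2 is the ID itself; tr then strips the hyphens.
extract_quoted() {
  stats="$1"
  printf '%s\n' "$stats" | grep "agentID:" | awk '{ print $2 }' | tr -d "-"
}

# Defensive variant: fail (non-zero exit) unless the result is exactly 32 hex
# characters, so a parsing slip cannot be sent to the API as a device_id.
extract_checked() {
  id=$(extract_quoted "$1")
  case "$id" in
    *[!0-9a-fA-F]*|"") return 1 ;;
  esac
  [ "${#id}" -eq 32 ] || return 1
  printf '%s\n' "$id"
}
```

zsh does not word-split unquoted parameter expansions by default, so the same unquoted line behaves differently there than under sh or bash; that is one reason to compare the interpreter the script is actually run under when a report like this cannot be reproduced.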
I'll deal with your last post first... yes, the installer doesn't register your customer ID for you. This is because the method I'm using (and blogged about) is to deploy a configuration profile containing that ID before installing the client. The postinstall script in the Crowdstrike installer takes care of the registration process for you, and does it far more reliably than I ever managed doing it myself.
I cannot replicate the issue you're describing here. I've been able to install and uninstall today using code identical to what's posted. I have to suggest there's something else going on with your devices. Are you installing any shells or anything else that might interfere with zsh? I would check there first.
BTW I was testing with CS Agent 6.50 on macOS without a hitch. Where I'm at usually runs N-1 versioning except for test cases.
I would say there isn't anything unusually strange about my zsh profile, shell, or anything else (usually using the default macOS setup).
I will try and test with another machine over the next week (quite busy today finishing up an acquisition).
% zsh --version
zsh 5.8.1 (x86_64-apple-darwin22.0)
% cat ~/.zprofile ~/.zshrc
# Set PATH, MANPATH, etc., for Homebrew.
eval "$(/opt/homebrew/bin/brew shellenv)"
source /opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/path.zsh.inc
# pyenv
export PATH="$HOME/.pyenv/bin:$PATH"
eval "$(pyenv init -)"
eval "$(pyenv virtualenv-init -)"
#sshagent
plugins=(git ssh-agent)
function gam() { "/Users/andrew.doering/bin/gam/gam" "$@" ; }
if [ $(ps ax | grep "[s]sh-agent" | wc -l) -eq 0 ] ; then
eval $(ssh-agent -s) > /dev/null
if [ "$(ssh-add -l)" = "The agent has no identities." ] ; then
# Auto-add ssh keys to your ssh agent
# Example:
ssh-add ~/.ssh/id_rsa > /dev/null 2>&1
fi
fi
#export PATH="/opt/homebrew/opt/openjdk/bin:$PATH"
We also use an N-1 policy for standard installations; however, in this case I was testing with the latest available download (macOS - Sensor Version 6.50.16304).
For the CustomerID/License, makes sense as to why it wasn't included then. :)
Also for reference, my grep version:
% grep --version
grep (BSD grep, GNU compatible) 2.6.0-FreeBSD
Sorry for the delay in replying.
Actually I have noticed one thing you have, that I refuse to have. Homebrew. I would test on a system without that.