[ BUG ] `Uninstall-FalconSensor` uses Windows script on Linux
Describe the bug
The Uninstall-FalconSensor command uses the Windows uninstallation script, i.e. uninstall_sensor.ps1, instead of using uninstall_sensor.sh.
There is a flaw in the code of the psf-sensors.ps1 file on line 365.
$Platform is not assigned the value of $HostList.platform_name.
The code should be changed to the following:

```powershell
$HostList = Get-FalconHost -Id $Id | Select-Object $Select
if ($HostList.platform_name -notmatch '^(Windows|Linux)$') {
    throw 'Only Windows and Linux hosts are currently supported for uninstallation using PSFalcon.'
}
[string]$Filename = if ($HostList.platform_name -eq 'Linux') { 'uninstall_sensor.sh' } else { 'uninstall_sensor.ps1' }
```

OR

```powershell
$HostList = Get-FalconHost -Id $Id | Select-Object $Select
if ($HostList.platform_name -notmatch '^(Windows|Linux)$') {
    throw 'Only Windows and Linux hosts are currently supported for uninstallation using PSFalcon.'
}
[string]$Platform = $HostList.platform_name
[string]$Filename = if ($Platform -eq 'Linux') { 'uninstall_sensor.sh' } else { 'uninstall_sensor.ps1' }
```

To Reproduce
Try to run the uninstallation command for any Linux machine.
Expected behavior
The command should use the uninstall_sensor.sh script for uninstallation.
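
The failure mode in this report, as an added example that is not part of the original issue or of PSFalcon's code: an unassigned `$Platform` evaluates to `$null`, so the comparison is silently false and every host falls through to the Windows script. The function names, the reconstructed buggy comparison, and the host objects are assumptions made for illustration; the `switch` with a throwing `default` is an alternative to the `if`/`else` proposed above, and `Set-StrictMode` shows how the same defect would have failed loudly.

```powershell
# Added illustration. Function names and host objects are constructed;
# this is not PSFalcon code.

function Get-UninstallScriptBuggy {
    param([Parameter(Mandatory)] [object]$HostList)
    # Assumed shape of the defect: $Platform is never assigned, so it is
    # $null here and the else branch is taken for every host.
    if ($Platform -eq 'Linux') { 'uninstall_sensor.sh' } else { 'uninstall_sensor.ps1' }
}

function Get-UninstallScriptFixed {
    param([Parameter(Mandatory)] [object]$HostList)
    # Strict mode makes reads of unassigned variables or missing properties throw.
    Set-StrictMode -Version Latest
    switch ($HostList.platform_name) {
        'Linux'   { 'uninstall_sensor.sh' }
        'Windows' { 'uninstall_sensor.ps1' }
        # No silent fallback: an unexpected platform is an error, not "Windows".
        default   { throw "Unsupported platform '$_' for uninstallation." }
    }
}

# Constructed sample hosts (stand-ins for Get-FalconHost output).
$SampleHosts = @(
    [pscustomobject]@{ device_id = 'constructed-linux-01'; platform_name = 'Linux' }
    [pscustomobject]@{ device_id = 'constructed-win-01';   platform_name = 'Windows' }
    [pscustomobject]@{ device_id = 'constructed-mac-01';   platform_name = 'Mac' }
)

foreach ($Item in $SampleHosts) {
    $Buggy = Get-UninstallScriptBuggy -HostList $Item
    $Fixed = try { Get-UninstallScriptFixed -HostList $Item }
             catch { "rejected: $($_.Exception.Message)" }
    '{0,-8} buggy={1,-22} fixed={2}' -f $Item.platform_name, $Buggy, $Fixed
}

# With strict mode enabled in the calling scope, the original defect
# raises an error instead of selecting the wrong script.
Set-StrictMode -Version Latest
try { Get-UninstallScriptBuggy -HostList $SampleHosts[0] }
catch { "strict mode caught: $($_.Exception.Message)" }
```

Run it in a fresh session: PowerShell resolves variables dynamically, so a `$Platform` already defined in the caller's scope would mask the defect.
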
Nice catch! I have corrected this for the next PSFalcon release.
If you'd like to resolve it for your local module before release, you can replace public\psf-sensors.ps1 using the steps outlined below.

```powershell
Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/9afc0422d2cf597e8315f0d2e80db541218fa59e/public/psf-sensors.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-sensors.ps1)
```

Ensure that you restart PowerShell and re-import PSFalcon before testing.
This fix has been included in the 2.2.8 release which is now available on GitHub. I'm going to leave this issue open until the PowerShell Gallery release is also available.