diff --git a/roles/falcon_install/defaults/main.yml b/roles/falcon_install/defaults/main.yml index 67a797f2..b7257e39 100644 --- a/roles/falcon_install/defaults/main.yml +++ b/roles/falcon_install/defaults/main.yml @@ -42,18 +42,13 @@ falcon_localfile_cleanup: no # falcon_gpg_key_check: yes -# CrowdStrike API URL for downloading the Falcon sensor. Possible values: +# CrowdStrike API Cloud region for downloading the Falcon sensor. Possible values: # us-1: api.crowdstrike.com # us-2: api.us-2.crowdstrike.com # eu-1: api.eu-1.crowdstrike.com # us-gov-1: api.laggar.gcw.crowdstrike.com # -falcon_cloud: "api.crowdstrike.com" - -# Auto-discover the CrowdStrike Cloud API Region. When disabled, -# 'falcon_cloud' should be changed to the appropriate cloud region. -# -falcon_cloud_autodiscover: true +falcon_cloud: "us-1" # Your Falcon Customer ID (CID) used to associate your sensor. # diff --git a/roles/falcon_install/tasks/api.yml b/roles/falcon_install/tasks/api.yml index e0de0888..b8451713 100644 --- a/roles/falcon_install/tasks/api.yml +++ b/roles/falcon_install/tasks/api.yml 
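Review bot: The comment above `falcon_cloud` still reads as a list of API hostnames even though the value the role now expects is the region key, and nothing in the file says that the old hostname form of the default and the removed `falcon_cloud_autodiscover` switch are gone; a playbook that pinned `falcon_cloud: "api.us-2.crowdstrike.com"` or set `falcon_cloud_autodiscover: false` will now pass an unrecognised region, or a variable that is silently ignored, with no warning. I would rewrite the header as `# CrowdStrike API cloud region used for authentication and sensor download. Set the region key; the API hostname it maps to is shown for reference only:` and list the entries as `# us-1 (api.crowdstrike.com)`, then add `# NOTE: API hostnames are no longer accepted here, and falcon_cloud_autodiscover has been removed.` Whether the new `crowdstrike.falcon.auth` module still discovers the region from the credentials is not visible in this diff; if it does not, that is a breaking change that should also be called out in the changelog.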
@@ -1,102 +1,55 @@ --- -# Block when falcon_sensor_update_policy_name is supplied -- name: Build Sensor Update Policy Block (Linux) - when: - - falcon_sensor_update_policy_name - - falcon_sensor_update_policy_platform == 'Linux' - block: - - name: "CrowdStrike Falcon | Build Sensor Update Policy API Query (Linux)" - ansible.builtin.set_fact: - falcon_sensor_update_policy_query: "{{ 'platform_name:\"' + falcon_sensor_update_policy_platform + '\"+name.raw:\"' + falcon_sensor_update_policy_name + '\"' }}" - - - name: "CrowdStrike Falcon | Search for Sensor Update Policy (Linux)" - ansible.builtin.uri: - url: "https://{{ falcon_cloud }}/policy/combined/sensor-update/v2?filter={{ falcon_sensor_update_policy_query | urlencode }}" - method: GET - return_content: true - headers: - authorization: "Bearer {{ falcon_api_oauth2_token.json.access_token }}" - Content-Type: application/json - register: falcon_sensor_update_policy_info_linux - no_log: "{{ falcon_api_enable_no_log }}" - run_once: "{{ falcon_sensor_update_policy_run_once }}" - -- name: Build Sensor Update Policy Block (MacOS) - when: - - falcon_sensor_update_policy_name - - falcon_sensor_update_policy_platform == 'Mac' - block: - - name: "CrowdStrike Falcon | Build Sensor Update Policy API Query (MacOS)" - ansible.builtin.set_fact: - falcon_sensor_update_policy_query: "{{ 'platform_name:\"' + falcon_sensor_update_policy_platform + '\"+name.raw:\"' + falcon_sensor_update_policy_name + '\"' }}" - - - name: "CrowdStrike Falcon | Search for Sensor Update Policy (MacOS)" - ansible.builtin.uri: - url: "https://{{ falcon_cloud }}/policy/combined/sensor-update/v2?filter={{ falcon_sensor_update_policy_query | urlencode }}" - method: GET - return_content: true - headers: - authorization: "Bearer {{ falcon_api_oauth2_token.json.access_token }}" - Content-Type: application/json - register: falcon_sensor_update_policy_info_mac - no_log: "{{ falcon_api_enable_no_log }}" - run_once: "{{ falcon_sensor_update_policy_run_once }}" - - 
name: Sensor Update Policy Block when: - falcon_sensor_update_policy_name block: # Set falcon_sensor_update_policy_info fact based on platform - - name: "CrowdStrike Falcon | Set falcon_sensor_update_policy_info fact based on platform" + # - name: "CrowdStrike Falcon | Set falcon_sensor_update_policy_info fact based on platform" + # ansible.builtin.set_fact: + # falcon_sensor_update_policy_info: "{{ falcon_sensor_update_policy_info_linux if falcon_sensor_update_policy_platform == 'Linux' else falcon_sensor_update_policy_info_mac }}" + - name: "CrowdStrike Falcon | Build Sensor Update Policy API Query" ansible.builtin.set_fact: - falcon_sensor_update_policy_info: "{{ falcon_sensor_update_policy_info_linux if falcon_sensor_update_policy_platform == 'Linux' else falcon_sensor_update_policy_info_mac }}" + falcon_sensor_update_policy_filter: "platform_name:'{{ falcon_sensor_update_policy_platform }}'+name.raw:'{{ falcon_sensor_update_policy_name }}'" + + - name: CrowdStrike Falcon | Search for Sensor Update Policy + crowdstrike.falcon.sensor_update_policy_info: + auth: "{{ falcon.auth }}" + filter: "{{ falcon_sensor_update_policy_filter }}" + register: falcon_sensor_update_policy_info + delegate_to: localhost - name: "CrowdStrike Falcon | Validate Sensor Update Policy request" ansible.builtin.fail: msg: "No Falcon Sensor Update Policy with name: {{ falcon_sensor_update_policy_name }} was found!" - when: falcon_sensor_update_policy_info.json.resources[0] is not defined + when: falcon_sensor_update_policy_info.policies is not defined - name: "CrowdStrike Falcon | Validate Sensor Update Policy request for aarch64 architectures" ansible.builtin.fail: msg: "No Falcon Sensor Update Policy with name: {{ falcon_sensor_update_policy_name }} and enabled for aarch64 was found!" 
when: - - falcon_sensor_update_policy_info.json.resources[0].settings.variants[0] is not defined + - falcon_sensor_update_policy_info.policies[0].settings.variants[0] is not defined - ansible_facts['machine'] == "aarch64" - name: "CrowdStrike Falcon | Get the Falcon Sensor version from Update Policy" ansible.builtin.set_fact: - falcon_sensor_update_policy_package_version: "{{ falcon_sensor_update_policy_info.json.resources[0].settings.sensor_version }}" + falcon_sensor_update_policy_package_version: "{{ falcon_sensor_update_policy_info.policies[0].settings.sensor_version }}" when: ansible_facts['machine'] != "aarch64" - name: "CrowdStrike Falcon | Get the Falcon Sensor version from Update Policy for aarch64 architecture" ansible.builtin.set_fact: - falcon_sensor_update_policy_package_version: "{{ falcon_sensor_update_policy_info.json.resources[0].settings.variants[0].sensor_version }}" + falcon_sensor_update_policy_package_version: "{{ falcon_sensor_update_policy_info.policies[0].settings.variants[0].sensor_version }}" when: ansible_facts['machine'] == "aarch64" - - name: "CrowdStrike Falcon | Build API Sensor Query based on Sensor Update Policy (Linux)" + - name: CrowdStrike Falcon | Override falcon_sensor_version with version from Sensor Update Policy ansible.builtin.set_fact: - falcon_os_query: "{{ 'os:\"' + falcon_target_os + '\"+os_version:\"' + falcon_os_version + '\"+version:\"' + falcon_sensor_update_policy_package_version + falcon_os_arch }}" - when: ansible_facts['system'] == "Linux" + falcon_sensor_version: "+version:'{{ falcon_sensor_update_policy_package_version }}'" - - name: "CrowdStrike Falcon | Build API Sensor Query based on Sensor Update Policy (MacOS)" - ansible.builtin.set_fact: - falcon_os_query: "{{ 'os:\"' + falcon_target_os + '\"+os_version:\"' + falcon_os_version + '\"+version:\"' + falcon_sensor_update_policy_package_version + '\"' }}" - when: ansible_facts['system'] == "Darwin" -- name: "Build API Sensor Block" - when: not 
falcon_sensor_update_policy_name - block: - - name: "CrowdStrike Falcon | Build API Sensor Query (Linux)" - ansible.builtin.set_fact: - falcon_os_query: "{{ 'os:\"' + falcon_target_os + '\"+os_version:\"' + falcon_os_version + falcon_os_arch + '+version:\"' + falcon_sensor_version + '\"' - if (falcon_sensor_version) else 'os:\"' + falcon_target_os + '\"+os_version:\"' + falcon_os_version + falcon_os_arch }}" - when: ansible_facts['system'] == "Linux" +- name: "CrowdStrike Falcon | Build API Sensor Query" + ansible.builtin.set_fact: + falcon_os_query: "os:'{{ falcon_target_os }}'+os_version:'{{ falcon_os_version }}'\ + {{ falcon_os_arch | default('') }}{{ falcon_sensor_version | default('') }}" - - name: "CrowdStrike Falcon | Build API Sensor Query (MacOS)" - ansible.builtin.set_fact: - falcon_os_query: "{{ 'os:\"' + falcon_target_os + '\"+os_version:\"' + falcon_os_version + '\"+version:\"' + falcon_sensor_version + '\"' - if (falcon_sensor_version) else 'os:\"' + falcon_target_os + '\"+os_version:\"' + falcon_os_version + '\"' }}" - when: ansible_facts['system'] == "Darwin" - name: CrowdStrike Falcon | Get list of filtered Falcon sensors ansible.builtin.uri: diff --git a/roles/falcon_install/tasks/auth.yml b/roles/falcon_install/tasks/auth.yml index cf104ce3..287ae3f5 100644 --- a/roles/falcon_install/tasks/auth.yml +++ b/roles/falcon_install/tasks/auth.yml 
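Review bot: The new `Search for Sensor Update Policy` task passes the bearer token via `auth: "{{ falcon.auth }}"` but drops the `no_log: "{{ falcon_api_enable_no_log }}"` that the replaced `uri` task carried, so unless the module's argspec marks the token field as `no_log`, a `-v` run or a failed task can print `falcon.auth` to the console and the log; restore `no_log: "{{ falcon_api_enable_no_log }}"` on that task. The `run_once: "{{ falcon_sensor_update_policy_run_once }}"` was dropped as well, which leaves that variable silently unused if it is still declared in defaults. Separately, the validation `when: falcon_sensor_update_policy_info.policies is not defined` does not catch a defined-but-empty `policies` list, so a name that matches nothing would fail later on `policies[0]` with an undefined-variable error instead of the intended message; `when: falcon_sensor_update_policy_info.policies | default([]) | length == 0` covers both cases. The commented-out `Set falcon_sensor_update_policy_info fact based on platform` task is dead code and should be deleted rather than left in the block.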
@@ -1,42 +1,24 @@ --- - name: CrowdStrike Falcon | Authenticate to CrowdStrike API - ansible.builtin.uri: - url: "https://{{ falcon_cloud }}/oauth2/token" - method: POST - body_format: json - body: - "client_id={{ falcon_client_id }}&client_secret={{ falcon_client_secret }}" - return_content: true - follow_redirects: all - status_code: 201 - headers: - content-type: application/x-www-form-urlencoded - register: falcon_api_oauth2_token - no_log: "{{ falcon_api_enable_no_log }}" + crowdstrike.falcon.auth: + client_id: "{{ falcon_client_id }}" + client_secret: "{{ falcon_client_secret }}" + cloud: "{{ falcon_cloud }}" + register: falcon run_once: "{{ falcon_api_auth_run_once }}" - -- name: CrowdStrike Falcon | Auto-discover CrowdStrike Cloud Region - ansible.builtin.set_fact: - falcon_cloud: "{{ falcon_cloud_urls[falcon_api_oauth2_token.x_cs_region] }}" - when: - - falcon_cloud_autodiscover - - falcon_api_oauth2_token.x_cs_region | length > 0 + no_log: "{{ falcon_api_enable_no_log }}" + delegate_to: localhost - name: Set falcon_cid Block when: not falcon_cid block: - name: CrowdStrike Falcon | Detect Target CID Based on Credentials - ansible.builtin.uri: - url: https://{{ falcon_cloud }}/sensors/queries/installers/ccid/v1 - method: GET - return_content: true - headers: - authorization: "Bearer {{ falcon_api_oauth2_token.json.access_token }}" - Content-Type: application/json - register: falcon_api_target_cid - no_log: "{{ falcon_api_enable_no_log }}" + crowdstrike.falcon.cid_info: + auth: "{{ falcon.auth }}" + register: falcon_api_cid_info run_once: "{{ falcon_api_auth_run_once }}" + delegate_to: localhost - name: CrowdStrike Falcon | Set CID received from API ansible.builtin.set_fact: - falcon_cid: "{{ falcon_api_target_cid.json.resources[0] }}" + falcon_cid: "{{ falcon_api_cid_info.cid }}" diff --git a/roles/falcon_install/tasks/preinstall.yml b/roles/falcon_install/tasks/preinstall.yml index deb3fd94..8f17f4c1 100644 --- a/roles/falcon_install/tasks/preinstall.yml 
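Review bot: `cloud: "{{ falcon_cloud }}"` is handed to `crowdstrike.falcon.auth` without any check that the value is one of the region keys the role now expects, and because the previous default and any pinned value were API hostnames such as `api.us-2.crowdstrike.com`, an un-migrated inventory will pass a value the module presumably does not recognise and the failure will surface inside the module rather than as a clear role error; an `ansible.builtin.assert` against the keys of `falcon_cloud_urls` (still defined in `vars/main.yml`) before the auth task gives an actionable message. The replacement `cid_info` task also drops the `no_log: "{{ falcon_api_enable_no_log }}"` the old `uri` task had, even though it receives `auth: "{{ falcon.auth }}"` containing the bearer token; unless the module argspec marks that field `no_log`, it should be restored. Finally, `falcon_cid: "{{ falcon_api_cid_info.cid }}"` has no guard for an empty `cid` before the value is used to enrol the sensor, where the old `resources[0]` lookup at least failed loudly.
```yaml
- name: CrowdStrike Falcon | Validate falcon_cloud is a known region key
  ansible.builtin.assert:
    that: falcon_cloud in falcon_cloud_urls
    fail_msg: "falcon_cloud must be one of {{ falcon_cloud_urls.keys() | list }}, not '{{ falcon_cloud }}'"
  run_once: true

# … unchanged: Authenticate to CrowdStrike API task …
```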
+++ b/roles/falcon_install/tasks/preinstall.yml @@ -104,3 +104,8 @@ when: - falcon_sensor_update_policy_name or falcon_sensor_version + +- name: CrowdStrike Falcon | Override falcon_sensor_version when set + ansible.builtin.set_fact: + falcon_sensor_version: "+version:'{{ falcon_sensor_version }}'" + when: falcon_sensor_version | length > 0 diff --git a/roles/falcon_install/vars/main.yml b/roles/falcon_install/vars/main.yml index 6a747d2f..8330f2e1 100644 --- a/roles/falcon_install/vars/main.yml +++ b/roles/falcon_install/vars/main.yml @@ -24,7 +24,6 @@ falcon_cloud_urls: us-gov-1: "api.laggar.gcw.crowdstrike.com" falcon_os_arch_dict: - # exclude arm64 and s390x - x86_64: "\"+os_version:!~\"arm64\"+os_version:!~\"zLinux\"" - aarch64: "\"+os_version:~\"arm64\"" - s390x: "\"+os_version:~\"zLinux\"" + x86_64: "+os_version:!~'arm64'+os_version:!~'zLinux'" + aarch64: "+os_version:~'arm64'" + s390x: "+os_version:~'zLinux'"
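Review bot: The new `Override falcon_sensor_version when set` task rewrites `falcon_sensor_version` in place from a plain version string into the FQL fragment `+version:'X'`, and because `set_fact` values persist for the host across roles and plays while the guard `when: falcon_sensor_version | length > 0` is also true for the rewritten value, a second inclusion of this role (or a later play on the same host) would wrap it again into `+version:'+version:'X''` and the sensor query would match nothing. It also overloads a user-facing variable with an internal query fragment, so anything else that reads `falcon_sensor_version` expecting a version now gets the fragment. Keep the input untouched and build the fragment into a separate fact, e.g. `falcon_sensor_version_filter: "+version:'{{ falcon_sensor_version }}'"`, and reference that fact in the `falcon_os_query` set_fact in `tasks/api.yml`, where the Sensor Update Policy path should set the same fact instead of `falcon_sensor_version`. The task that the preceding `when:` belongs to starts before this hunk.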