Add CrowdStrike Falcon System Extension policy (#36994)

Steven Palmesano 2025-12-09 14:16:35 -06:00 committed by GitHub
parent def6f29781
commit e7291062ec
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -2143,4 +2143,22 @@ spec:
<integer>1</integer>
</dict>
</plist>
---
apiVersion: v1
kind: policy
spec:
name: CrowdStrike Falcon System Extension enabled and activated (macOS)
query: |
SELECT 1
WHERE (EXISTS (SELECT 1 FROM system_extensions WHERE identifier = 'com.crowdstrike.falcon.Agent'))
AND EXISTS (SELECT 1 FROM system_extensions WHERE state = 'activated_enabled');
bash: systemextensionsctl list | grep 'falcon' | grep 'activated enabled'
description: Checks to make sure that the CrowdStrike System Extension is enabled and activated on macOS devices.
resolution: "To activate the CrowdStrike Falcon System Extension, on the failing device, run the following command in the Terminal app: sudo /Applications/Falcon.app/Contents/Resources/falconctl load"
tags: compliance, hardening, critical
platform: darwin
contributors: spalmesano0
script: |
#!/bin/sh
/Applications/Falcon.app/Contents/Resources/falconctl load
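
Review bot: In the `query`, the two `EXISTS` subqueries are evaluated independently, so `state = 'activated_enabled'` is never tied to the `com.crowdstrike.falcon.Agent` row. A host where the Falcon extension is listed but not activated would still pass whenever any other system extension is in the `activated_enabled` state, which is the exact condition this policy is meant to catch. Suggest a single subquery that applies both conditions to the same row: `SELECT 1 FROM system_extensions WHERE identifier = 'com.crowdstrike.falcon.Agent' AND state = 'activated_enabled';`. The `bash` line already filters the same output line for both 'falcon' and 'activated enabled', so this change would also bring the query in line with it.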