Report CrowdStrike Agent ID
Can the Mac and Linux clients be updated to report the CrowdStrike agent ID?
When CrowdStrike is installed, the payload should have the following:
{
    "data": {
        "external_os_identifiers": [
            ["crowdstrike_aid", "XXXXXXXXX"]
        ]
    }
}
Where XXXXXXXXX is the agent ID.
The agent ID can be found on Linux with one of these methods:
jcstraff@oitde-jcs-ub20vm:~/Downloads/crowdstrike$ sudo /opt/CrowdStrike/falconctl -g --aid
aid="d3bcdcaf1604426b9ad6a421e1a5ad40".
jcstraff@oitde-jcs-ub20vm:~/Downloads/crowdstrike$ sudo xxd -p -l16 -s1718 /opt/CrowdStrike/falconstore
d3bcdcaf1604426b9ad6a421e1a5ad40
I believe there's a similar command available for macOS. @jcstraff would have more details.
Background
Some vendors ship machines with no serial numbers or generic serial numbers (like 'Default String'), so planisphere can only identify these machines by MAC address. Unfortunately, CrowdStrike presents MAC address information in a way that planisphere can't directly use. As a result, there are a number of machines with no serial number that are showing up in planisphere as not running CrowdStrike even though they are.
To improve the situation, planisphere has been updated to allow a data source to provide identifiers for other data sources. In this case, self report would be providing the CrowdStrike agent ID. Once that's done, planisphere will be able to correctly associate the CrowdStrike record with the device and show that it is compliant.
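An added sketch, not part of the original issue and not the self-report client's own code, of how a Linux client could collect the agent ID with the two methods shown above and emit the requested payload fragment. The function names are hypothetical, and treating a short or all-zero read from falconstore as "no ID" is an assumption.

```python
import json
import re
import subprocess

FALCONCTL = "/opt/CrowdStrike/falconctl"      # path from the issue
FALCONSTORE = "/opt/CrowdStrike/falconstore"  # path from the issue
AID_OFFSET, AID_LEN = 1718, 16                # from the xxd command in the issue
AID_RE = re.compile(r'aid="([0-9a-fA-F]{32})"')


def parse_falconctl(output):
    """Extract the agent ID from `falconctl -g --aid` output, or None."""
    match = AID_RE.search(output)
    return match.group(1).lower() if match else None


def read_falconstore(path=FALCONSTORE):
    """Read the 16 raw bytes at offset 1718, as the xxd command does."""
    try:
        with open(path, "rb") as fh:
            fh.seek(AID_OFFSET)
            raw = fh.read(AID_LEN)
    except OSError:  # file missing or not readable (both methods need root)
        return None
    # Assumption: a short read or all-zero bytes is treated as "no ID".
    if len(raw) != AID_LEN or not any(raw):
        return None
    return raw.hex()


def get_aid():
    """Try falconctl first, then fall back to the falconstore file."""
    try:
        out = subprocess.run([FALCONCTL, "-g", "--aid"], capture_output=True,
                             text=True, timeout=10, check=False).stdout
    except (OSError, subprocess.SubprocessError):
        out = ""  # falconctl absent or hung: CrowdStrike may not be installed
    return parse_falconctl(out) or read_falconstore()


def build_payload(aid):
    """Return the payload fragment; no identifier when CrowdStrike is absent."""
    identifiers = [["crowdstrike_aid", aid]] if aid else []
    return {"data": {"external_os_identifiers": identifiers}}


if __name__ == "__main__":
    print(json.dumps(build_payload(get_aid()), indent=2))
```

Validating the value as 32 hex characters before reporting it keeps an error message or partial read from being stored as an identifier and mismatching the CrowdStrike record.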