From de71e2096c481159ecda471da57dbb7f2c48e71f Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Mon, 16 Mar 2026 16:53:59 -0400 Subject: [PATCH 1/2] fix(sensors): add error message when tamper protection blocks uninstall When tamper protection is enabled and no maintenance token is provided, the uninstall silently exits with the package manager's error code. Capture the exit code and surface an actionable error message pointing users to FALCON_MAINTENANCE_TOKEN or API credentials. Closes #491 --- bash/install/falcon-linux-uninstall.sh | 8 ++++++++ bash/migrate/falcon-linux-migrate.sh | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/bash/install/falcon-linux-uninstall.sh b/bash/install/falcon-linux-uninstall.sh index e60dd03..52cb7ba 100755 --- a/bash/install/falcon-linux-uninstall.sh +++ b/bash/install/falcon-linux-uninstall.sh @@ -157,7 +157,15 @@ cs_sensor_remove() { # Check for package manager lock prior to uninstallation check_package_manager_lock + # Temporarily disable exit-on-error to capture package removal exit code + set +e remove_package "falcon-sensor" + removal_exit_code=$? + set -e + + if [ "$removal_exit_code" -ne 0 ]; then + die "Failed to remove falcon-sensor package (exit code $removal_exit_code). This may indicate that tamper protection is enabled on the sensor. Please provide FALCON_MAINTENANCE_TOKEN or set FALCON_CLIENT_ID and FALCON_CLIENT_SECRET to retrieve a maintenance token via the API." + fi } cs_remove_host_from_console() { diff --git a/bash/migrate/falcon-linux-migrate.sh b/bash/migrate/falcon-linux-migrate.sh index e95d1bb..6974052 100755 --- a/bash/migrate/falcon-linux-migrate.sh +++ b/bash/migrate/falcon-linux-migrate.sh @@ -427,7 +427,15 @@ cs_sensor_remove() { # Check for package manager lock prior to uninstallation check_package_manager_lock + # Temporarily disable exit-on-error to capture package removal exit code + set +e remove_package "falcon-sensor" + removal_exit_code=$? + set -e + + if [ "$removal_exit_code" -ne 0 ]; then + die "Failed to remove falcon-sensor package (exit code $removal_exit_code). This may indicate that tamper protection is enabled on the sensor. Please provide FALCON_MAINTENANCE_TOKEN or set FALCON_CLIENT_ID and FALCON_CLIENT_SECRET to retrieve a maintenance token via the API." + fi } cs_remove_host_from_console() { From b62de1d289a8fa69c227d574a387a3459fc4ad28 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Mon, 16 Mar 2026 16:54:27 -0400 Subject: [PATCH 2/2] style(migrate): fix shfmt redirect spacing --- bash/migrate/falcon-linux-migrate.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bash/migrate/falcon-linux-migrate.sh b/bash/migrate/falcon-linux-migrate.sh index 6974052..65835da 100755 --- a/bash/migrate/falcon-linux-migrate.sh +++ b/bash/migrate/falcon-linux-migrate.sh @@ -1320,7 +1320,7 @@ main() { # Start of migration touch "$log_file" echo "Migration file created at: $log_file" - echo "Migration started at $(date)" >> "$log_file" + echo "Migration started at $(date)" >>"$log_file" # auth with old credentials log "INFO" "Authenticating to old CID..."