From 5ae1267ba338996fe168583cbde5fe1620f61fc5 Mon Sep 17 00:00:00 2001
From: Carlos Matos <carlos.matos@crowdstrike.com>
Date: Mon, 8 Jun 2026 14:45:16 -0400
Subject: [PATCH] fix(sensors): use exact os_version match for Amazon Linux to
 prevent AL2023 package selection on AL2 hosts

---
 bash/install/falcon-linux-install.sh | 18 +++++++++++++++++-
 bash/migrate/falcon-linux-migrate.sh | 18 +++++++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/bash/install/falcon-linux-install.sh b/bash/install/falcon-linux-install.sh
index 543db71..3294d8d 100755
--- a/bash/install/falcon-linux-install.sh
+++ b/bash/install/falcon-linux-install.sh
@@ -344,7 +344,7 @@ cs_sensor_download() {
 
     existing_installers=$(
         curl_command -G "https://$(cs_cloud)/sensors/combined/installers/v3?sort=version|desc" \
-            --data-urlencode "filter=os:\"$cs_os_name\"+os_version:\"*$cs_os_version*\"$cs_api_version_filter$cs_os_arch_filter"
+            --data-urlencode "filter=os:\"$cs_os_name\"$cs_os_version_filter$cs_api_version_filter$cs_os_arch_filter"
     )
 
     handle_curl_error $?
@@ -938,6 +938,22 @@ cs_os_version=$(
     echo "$version"
 )
 
+cs_os_version_filter=$(
+    # Amazon Linux versions are exact whole numbers (1, 2, 2023). A wildcard match
+    # on Amazon Linux 2 ("*2*") also matches "2023", so AL2 hosts could be served an
+    # AL2023 installer. Use an exact match for Amazon Linux to avoid this. The API
+    # stores the arm64 os_version with a " - arm64" suffix, so match accordingly.
+    if [ "${os_name}" = "Amazon" ]; then
+        if [ "$cs_os_arch" = "aarch64" ]; then
+            echo "+os_version:\"$cs_os_version - arm64\""
+        else
+            echo "+os_version:\"$cs_os_version\""
+        fi
+    else
+        echo "+os_version:\"*$cs_os_version*\""
+    fi
+)
+
 cs_falcon_token=$(
     if [ -n "$FALCON_PROVISIONING_TOKEN" ]; then
         echo "$FALCON_PROVISIONING_TOKEN"
diff --git a/bash/migrate/falcon-linux-migrate.sh b/bash/migrate/falcon-linux-migrate.sh
index 4c63fd4..7473821 100755
--- a/bash/migrate/falcon-linux-migrate.sh
+++ b/bash/migrate/falcon-linux-migrate.sh
@@ -612,7 +612,7 @@ cs_sensor_download() {
 
     existing_installers=$(
         curl_command -G "https://$(cs_cloud)/sensors/combined/installers/v3?sort=version|desc" \
-            --data-urlencode "filter=os:\"$cs_os_name\"+os_version:\"*$cs_os_version*\"$cs_api_version_filter$cs_os_arch_filter"
+            --data-urlencode "filter=os:\"$cs_os_name\"$cs_os_version_filter$cs_api_version_filter$cs_os_arch_filter"
     )
 
     handle_curl_error $?
@@ -1211,6 +1211,22 @@ cs_os_version=$(
     echo "$version"
 )
 
+cs_os_version_filter=$(
+    # Amazon Linux versions are exact whole numbers (1, 2, 2023). A wildcard match
+    # on Amazon Linux 2 ("*2*") also matches "2023", so AL2 hosts could be served an
+    # AL2023 installer. Use an exact match for Amazon Linux to avoid this. The API
+    # stores the arm64 os_version with a " - arm64" suffix, so match accordingly.
+    if [ "${os_name}" = "Amazon" ]; then
+        if [ "$cs_os_arch" = "aarch64" ]; then
+            echo "+os_version:\"$cs_os_version - arm64\""
+        else
+            echo "+os_version:\"$cs_os_version\""
+        fi
+    else
+        echo "+os_version:\"*$cs_os_version*\""
+    fi
+)
+
 cs_falcon_token=$(
     if [ -n "$FALCON_PROVISIONING_TOKEN" ]; then
         echo "$FALCON_PROVISIONING_TOKEN"