Crowdstrike - Falcon sensor for Linux

📄 Requirements

Choose the Right Sensor

Choosing which sensor to deploy to protect your Linux environment depends on the answers to these questions:

• Are your Linux endpoints running supported distros and kernels?

  • If YES, then you should deploy the Falcon sensor for Linux (not the Falcon Container sensor for Linux).

• Are you running containerized applications?

  • If YES, then you can deploy the Falcon sensor for Linux as a DaemonSet on your cluster.

• Do you have restricted or no access to the underlying kernel, for example, when using managed cloud services?

  • If YES, then you can deploy the Falcon Container sensor for Linux to protect your container workloads running on Linux nodes.

⚙️ Installing the Falcon Sensor

Obtain an Access Token

To authenticate API requests, first generate an access token using your client ID and secret:

curl -X POST "https://api.us-2.crowdstrike.com/oauth2/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "client_id=YOUR_CLIENT_ID" \
     -d "client_secret=YOUR_CLIENT_SECRET"

List Available Installers

To view available Falcon sensor installers and their hashes for different operating systems, use:

curl -X GET "https://api.us-2.crowdstrike.com/sensors/queries/installers/v2" \
     -H "Authorization: Bearer <token>"

Below are some available hashes for different Linux distributions:

RHEL/CentOS Stream/Oracle

• Version: 7.21.17405

• Release Date: Feb. 6, 2025

• SHA256: 030ed4484bc20f6db5d7ed6ec4728f379bf3f6e0fd06749858b7960136929f02

Ubuntu

• Version: 7.21.17405 (18/20/22 IBM zLinux)

• Release Date: Feb. 6, 2025

• SHA256: 054325b762f1ecbacd8cc5d787c259276381ec150d55acaf00f5592c46f5788c

• Version: 7.21.17405 (16/18/20/22/24)

• Release Date: Feb. 6, 2025

• SHA256: 94972a0617e5786de9f74bc68d4a771816dc04281b43b3a7fa91f67ac7ed63a0

Amazon Linux

• Version: 7.21.17405 (Amazon Linux 2)

• Release Date: Feb. 6, 2025

• SHA256: a20f00921c2759ff40e1222b3bf63caac488f75bbe735a25930f5856c6ca096b

For a complete list, use the API query above.

Download the Falcon Sensor Installer

Once you have identified the correct hash for your system, use the following command to download the installer:

curl -X GET \
'https://api.us-2.crowdstrike.com/sensors/entities/download-installer/v2?id=<SHA256>' \
-H 'Authorization: Bearer <token>'

Replace <SHA256> with the appropriate hash from the list above.

Install the Falcon Sensor

1. Get your Customer ID Checksum (CID).

2. Run the installer, replacing <installer_filename> with the actual filename:

   • Ubuntu:

     sudo dpkg -i <installer_filename>

   • RHEL, CentOS, Amazon Linux:

     sudo yum install <installer_filename>

   • SLES:

     sudo zypper install <installer_filename>

3. Set your CID on the sensor:

   sudo /opt/CrowdStrike/falconctl -s --cid=<CID>

4. Start the sensor manually:

   • SysVinit Hosts:

     sudo service falcon-sensor start

   • Systemd Hosts:

     sudo systemctl start falcon-sensor

🛠️ Post-installation Steps

Verify Sensor Installation

To confirm that the Falcon sensor is running, execute:

ps -e | grep falcon-sensor

Expected output:

[root@centos6-installtest ~]# sudo ps -e | grep falcon-sensor
905 ?         00:00:02 falcon-sensor

⛔ Uninstalling the Falcon Sensor for Linux

If your sensor is offline, first retrieve a maintenance token from UPX and run:

sudo /opt/CrowdStrike/falconctl -s --maintenance-token=<your_maintenance_token>

Then, uninstall the Falcon sensor with the following commands:

• Ubuntu:

  sudo apt-get purge falcon-sensor

• RHEL, CentOS, Amazon Linux:

  sudo yum remove falcon-sensor

• SLES:

  sudo zypper remove falcon-sensor