Installing the CrowdStrike Falcon Sensor for Linux
Installing the CrowdStrike Falcon Sensor for Linux
NOTE: This software is NOT intended for use on computers that are NOT owned by Duke University or Duke Health. Please do NOT install this software on personally-owned devices. Installing this software on a personally-owned device will place the device under Duke policies and under Duke control.
You can install the CrowdStrike Falcon Sensor for Linux by completing these steps:
- Download the appropriate RHEL- or Debian-based Falcon sensor installer* from Duke Software Licensing or Duke OIT SSI OneGet (accessible only from Duke network).
* - CrowdStrike sensors for other Linux distributions may be available by request. Please contact the OIT Service Desk who will route your request to the proper group. - Retrieve the proper CrowdStrike "Customer ID with Checksum" (or "CCID") from the link below:
- Run the installer for your distribution, substituting <installer_filename> with your installer's file name. Installing the sensor requires sudo privileges.
- Debian, Ubuntu:
sudo dpkg -i <installer_filename>
- RHEL, CentOS, Alma, etc.:
sudo yum install <installer_filename>
- Debian, Ubuntu:
- Set the CCID on the sensor by running the command below, substituting <CCID> with the CCID string retrieved above. Configuring the sensor requires sudo privileges.
sudo /opt/CrowdStrike/falconctl -s --cid=<CCID>
- Start the sensor manually.
- Hosts with SysVinit:
service falcon-sensor start
- Hosts with Systemd:
systemctl start falcon-sensor
- Hosts with SysVinit:
Verifying sensor installation
To validate that the Falcon sensor for Linux is running on a host, run this command at a terminal:ps -e | grep falcon-sensor
You should see output similar to this:[root@localhost ~]# ps -e | grep falcon-sensor
905 ? 00:00:02 falcon-sensor
If you do not see output similar to this, please see Troubleshooting the CrowdStrike Falcon Sensor for Linux.
Advanced Installation OptionsConfiguring a proxy
If your hosts use a proxy, configure the Falcon sensor to use it. Configuring the sensor requires sudo privileges.
- Configure proxy:
sudo /opt/CrowdStrike/falconctl -s --aph=<proxy host> --app=<proxy port>
- Confirm config:
sudo /opt/CrowdStrike/falconctl -g --aph --app
- Enable proxy:
sudo /opt/CrowdStrike/falconctl -s --apd=FALSE
- Disable proxy:
sudo /opt/CrowdStrike/falconctl -s --apd=TRUE
Preparing a host as a master image
If you're preparing a host as a "master" device for cloning or virtualization, you must remove your "master" host's agent ID (AID).
After installing, run this falconctl command to remove the host's agent ID:sudo /opt/CrowdStrike/falconctl -d -f --aid
Uninstalling the Falcon sensor for Linux
Run these commands to uninstall the Falcon sensor from your host. Uninstalling the sensor requires sudo privileges.
- Debian, Ubuntu, etc.:
sudo apt-get purge falcon-sensor
- RHEL, CentOS, Alma, etc.:
sudo yum remove falcon-sensor
If you have questions or issues that Troubleshooting the CrowdStrike Falcon Sensor for Linux doesn't address, please submit a ServiceNow case to "Device Engineering - OIT" or send an email to oitderequest@duke.edu.
Article number: KB0035285
Valid to: January 16, 2025