Installing the CrowdStrike Falcon Sensor for Linux


NOTE: This software is NOT intended for use on computers that are NOT owned by Duke University or Duke Health. Please do NOT install this software on personally-owned devices. Installing this software on a personally-owned device will place the device under Duke policies and under Duke control.

You can install the CrowdStrike Falcon Sensor for Linux by completing these steps:

  1. Download the appropriate RHEL- or Debian-based Falcon sensor installer* from Duke Software Licensing or Duke OIT SSI OneGet (accessible only from the Duke network).
        * - CrowdStrike sensors for other Linux distributions may be available by request. Please contact the OIT Service Desk, which will route your request to the proper group.

  2. Retrieve the proper CrowdStrike "Customer ID with Checksum" (or "CCID") from the link below:
  3. Run the installer for your distribution, substituting <installer_filename> with your installer's file name. Installing the sensor requires sudo privileges.
    • Debian, Ubuntu: sudo dpkg -i <installer_filename>
    • RHEL, CentOS, Alma, etc.: sudo yum install <installer_filename>

  4. Set the CCID on the sensor by running the command below, substituting <CCID> with the CCID string retrieved above. Configuring the sensor requires sudo privileges.
    • sudo /opt/CrowdStrike/falconctl -s --cid=<CCID>

  5. Start the sensor manually.
    • Hosts with SysVinit: service falcon-sensor start
    • Hosts with Systemd: systemctl start falcon-sensor
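
Added example (not part of the original article and not CrowdStrike tooling): a dry-run helper that checks the installer file name and the CCID before printing the commands from steps 3 to 5 for this host, so a placeholder or truncated CCID is caught before the sensor is configured with it. The CCID pattern (32 hex characters, a hyphen, a 2-character hex checksum) and the function names are assumptions.

```sh
#!/bin/sh
# Added example: prints the commands for steps 3-5; it never installs or changes anything.

# Assumed CCID shape: 32 hex characters, a hyphen, then a 2-character hex checksum.
valid_ccid() {
  id="${1%%-*}"; sum="${1#*-}"
  [ "${#id}" -eq 32 ] && [ "${#sum}" -eq 2 ] && [ "$1" = "$id-$sum" ] || return 1
  case "$id$sum" in *[!0-9A-Fa-f]*) return 1 ;; esac
}

# Step 3: choose the install command from the package extension.
install_cmd() {
  case "$1" in
    *[!A-Za-z0-9._/+~-]*|-*) return 1 ;;  # refuse names that need quoting or look like options
    *.deb) echo "sudo dpkg -i $1" ;;
    *.rpm) echo "sudo yum install $1" ;;
    *) return 1 ;;
  esac
}

# Step 5: /run/systemd/system exists only when systemd is the running init.
# The directory argument is a hypothetical override used for testing.
# sudo is added here because starting a service requires root.
start_cmd() {
  if [ -d "${1:-/run/systemd/system}" ]; then
    echo "sudo systemctl start falcon-sensor"
  else
    echo "sudo service falcon-sensor start"
  fi
}

# Print the full sequence, refusing bad input before any command is shown.
plan() {
  pkg="$1"; ccid="$2"; init_dir="${3:-/run/systemd/system}"
  cmd="$(install_cmd "$pkg")" || { echo "unsupported installer name: $pkg" >&2; return 2; }
  valid_ccid "$ccid" || { echo "CCID does not match the expected format" >&2; return 3; }
  echo "$cmd"
  echo "sudo /opt/CrowdStrike/falconctl -s --cid=$ccid"
  start_cmd "$init_dir"
}

# Usage: sh falcon-plan.sh <installer_filename> <CCID>
if [ "$#" -ge 2 ]; then plan "$@"; fi
```

Review the printed commands, then run them yourself in order.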

Verifying sensor installation

To validate that the Falcon sensor for Linux is running on a host, run this command at a terminal:
ps -e | grep falcon-sensor

You should see output similar to this:
[root@localhost ~]# ps -e | grep falcon-sensor
   905 ?         00:00:02 falcon-sensor

If you do not see output similar to this, please see Troubleshooting the CrowdStrike Falcon Sensor for Linux.

Advanced Installation Options

Configuring a proxy

If your hosts use a proxy, configure the Falcon sensor to use it. Configuring the sensor requires sudo privileges.

  • Configure proxy: sudo /opt/CrowdStrike/falconctl -s --aph=<proxy host> --app=<proxy port>
  • Confirm config: sudo /opt/CrowdStrike/falconctl -g --aph --app
  • Enable proxy: sudo /opt/CrowdStrike/falconctl -s --apd=FALSE
  • Disable proxy: sudo /opt/CrowdStrike/falconctl -s --apd=TRUE

Preparing a host as a master image

If you're preparing a host as a "master" device for cloning or virtualization, you must remove your "master" host's agent ID (AID).

After installing, run this falconctl command to remove the host's agent ID:
sudo /opt/CrowdStrike/falconctl -d -f --aid

Uninstalling the Falcon sensor for Linux

Run these commands to uninstall the Falcon sensor from your host. Uninstalling the sensor requires sudo privileges.

  • Debian, Ubuntu, etc.: sudo apt-get purge falcon-sensor
  • RHEL, CentOS, Alma, etc.: sudo yum remove falcon-sensor

Need assistance?

If you have questions or issues that Troubleshooting the CrowdStrike Falcon Sensor for Linux doesn't address, please submit a ServiceNow case to "Device Engineering - OIT" or send an email to oitderequest@duke.edu.

Article number: KB0035285

Valid to: January 16, 2025