Troubleshooting the CrowdStrike Falcon Sensor for Linux

NOTE: This software is NOT intended for use on computers that are NOT owned by Duke University or Duke Health. Please do NOT install this software on personally-owned devices. Installing this software on a personally-owned device will place that device under Duke policies and under Duke control.

Full Documentation and Further Assistance

A recent copy of the full CrowdStrike Falcon Sensor for Linux documentation (from which most of this information is taken) can be found at https://duke.box.com/v/CrowdStrikeDocs (Duke NetID required).

If you have questions or issues that this document doesn't address, please submit a ServiceNow case to "Device Engineering - OIT" or send an email to oitderequest@duke.edu.

Troubleshooting Sensor Installation

Installation fails

Issue: Your sensor installation fails.

Solution: Verify that the SHA-256 checksum of the installer file you downloaded matches the SHA-256 checksum published at https://falcon-dl.oit.duke.edu. A mismatch means the download is corrupted or has been altered in transit; delete the file and download it again rather than forcing the install.
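The checksum comparison above as a small shell function that fails closed, so an install step can be chained on its success. This is an added example, not part of the KB or of CrowdStrike's tooling; the published digest is passed in as an argument, and the installer filename in the usage comment is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the KB): verify a downloaded Falcon installer against
# the SHA-256 published on the download site before running it.

# verify_sha256 <file> <expected_hex>
# Prints the computed digest and returns 0 only when it matches the expected one.
# Returns 1 on mismatch and 2 if the file cannot be read.
verify_sha256() {
    local file="$1" expected="$2" actual
    [ -r "$file" ] || { echo "verify_sha256: cannot read $file" >&2; return 2; }

    # sha256sum (coreutils) or shasum (perl) print "<hex>  <name>"; keep the digest.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi

    # Compare case-insensitively; the site may publish upper- or lower-case hex.
    if [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
        echo "OK    $file  $actual"
        return 0
    fi
    echo "FAIL  $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Typical use: refuse to install unless the digest matches (filename is a placeholder).
# verify_sha256 <installer_filename>.rpm "$EXPECTED_SHA256" \
#     && sudo yum install ./<installer_filename>.rpm
```

Run it as `verify_sha256 <installer_filename>.rpm <published_digest>`; a non-zero exit stops any `&&`-chained install command.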

Ubuntu installation fails: "Dependent Packages are not Installed"

Issue: Your Ubuntu installation fails with an error that "dependent packages are not installed."

Solution: Use this command to install the dependent packages:
$ sudo apt-get -f install

SLES installation fails: "Nothing Provides Openssl"

Issue: Your SLES installation fails with an error that nothing provides openssl1 >= 1.0.1. This is most commonly caused by a SLES version that doesn't include a modern OpenSSL implementation.

Solution: Enable the SLES 11 security module:
$ sudo zypper mr --enable SLE11-Security-Module

Run the sensor installer again.

Verifying that dependencies are Installed

Issue: Your installation fails with an error message about missing dependencies of libssl, libc, or libcrypto.

--> Missing Dependency: libssl.so.10()(64bit) is needed by package falcon-sensor-1.0.3-1.el6.x86_64 (/falcon-sensor-1.0.3-1.el6.x86_64)
Error Missing Dependency: libc.so.6(GLIBC_2.7)(64bit) is needed by package falcon-sensor-1.0.3-1.el6.x86_64 (/falcon-sensor-1.0.3-1.el6.x86_64)
Error Missing Dependency: libcrypto.so.10()(64bit) is needed by package falcon-sensor-1.0.3-1.el6.x86_64 (/falcon-sensor-1.0.3-1.el6.x86_64)

Solution: Install a supported version of OpenSSL and run the installer again. libssl.so.10 and libcrypto.so.10 are the OpenSSL 1.0.x libraries shipped by RHEL/CentOS 6 and 7; if the error names sonames your distro release does not provide at all, confirm that you downloaded the sensor package built for your distribution and release rather than one built for an older release.

Troubleshooting general sensor issues

Verify kernel compatibility

For hosts with the sensor already installed, verify kernel compatibility by checking RFM status. Run this command on the host:
sudo /opt/CrowdStrike/falconctl -g --rfm-state

For more info about RFM status, see "Appendix: Reduced Functionality Mode (RFM)" below.

Verifying that the sensor is running

  1. Check running processes to verify the Falcon sensor is running:
    ps -e | grep -e falcon-sensor
  2. Check kernel modules to verify the Falcon sensor's kernel modules are running:
    lsmod | grep falcon
  3. Check the Falcon sensor's configurable options:
    sudo /opt/CrowdStrike/falconctl -g GET_OPTIONS
    GET_OPTIONS parameters:
    • --cid for CustomerId
    • --aid for AgentId
    • --apd for App Proxy Disable
    • --aph for App Proxy Host
    • --app for App Proxy Port
    • --rfm-state for indicating whether the sensor is in Reduced Functionality Mode
    • --rfm-reason to determine reason for sensor running in Reduced Functionality Mode
    • --trace for determining the configured trace level
    • --feature to determine the configured sensor feature flags
    • --metadata-query to determine the configured sensor cloud provider metadata query flags
    • --version for version of sensor currently running
    • --message-log for logging messages to disk
    • --billing for the configured sensor billing type
    • --tags for sensor grouping tags
    • --provisioning-token for Provisioning Token
    • --systags for system tags currently applied to a running sensor

The sensor's service unit depends on these runtime services and systemd targets:

  • network
  • systemd
    • local-fs
    • sysinit
    • multi-user
    • shutdown

Verifying the sensor files on disk

If the sensor is not running, verify that the sensor's application files exist on your host:

$ sudo ls -al /opt/CrowdStrike /opt/CrowdStrike/falcon-sensor

The listing should show /opt/CrowdStrike/falcon-sensor resolving to the active sensor binary, which is either:

  • the original sensor installation, or
  • a sensor update package named with its release build number, such as /opt/CrowdStrike/falcon-sensor3000

If the symlink target is missing, the sensor cannot start.

Verifying the sensor is connected to the CrowdStrike cloud

You can verify that the host is connected to the cloud using Planisphere or a command line on the host.
  • Planisphere: If a device is communicating with the CrowdStrike Cloud, Planisphere will collect information about that device on its regular polling of the CrowdStrike service. You can see the timing of the last and next polling on the Planisphere Data Sources tab. You can see the specific information for your device on the device's Details tab.

  • Host: Enter the following command in a terminal:

$ sudo netstat -tapn | grep falcon

If the Falcon sensor is communicating with the cloud, you'll see an ESTABLISHED TCP connection to port 443 owned by the falcon-sensor process, like this:
tcp        0      0 192.0.2.176:35382       ec2-54-148-96-12:443    ESTABLISHED 3228/falcon-sensor

netstat is no longer installed by default on many current distros; sudo ss -tnp | grep falcon shows the same information. If the sensor is configured to use an app proxy (the --aph and --app options above), the peer shown is the proxy, not the CrowdStrike cloud.
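The manual steps from "Verifying that the sensor is running" and "Verifying the sensor is connected to the CrowdStrike cloud" as one scriptable health check that exits non-zero when any step fails, suitable for a cron job or a configuration-management run. This is an added example, not code from the KB or from CrowdStrike. It assumes the default install path /opt/CrowdStrike, that falconctl -g prints one key=value. line per option, and uses ss in place of the deprecated netstat. One caveat: sensors running the eBPF (user-mode) backend load no kernel module, so on such hosts the lsmod check reports FAIL on a healthy sensor and should be dropped.

```bash
#!/usr/bin/env bash
# Added example, not from the KB or from CrowdStrike: scriptable sensor health
# check covering process, kernel module, falconctl state and cloud connection.
# Assumptions: default install path; falconctl -g prints "key=value." lines;
# `ss -tnp` output format (State Recv-Q Send-Q Local Peer Process).

FALCONCTL=${FALCONCTL:-/opt/CrowdStrike/falconctl}
FAILURES=0

# falconctl_value 'rfm-state=false.'  -> false
# falconctl_value 'cid="0123...".'     -> 0123...
# Returns 1 and prints nothing for a line with no '=' (e.g. an unset option).
falconctl_value() {
    local line="$1" value
    case "$line" in
        *=*) ;;
        *)   return 1 ;;
    esac
    value=${line#*=}        # drop 'key='
    value=${value%.}        # drop the trailing period falconctl prints
    value=${value#\"}       # drop surrounding quotes, if present
    value=${value%\"}
    printf '%s\n' "$value"
}

# falcon_peers < ss-output: prints peer address:port of every ESTABLISHED TCP
# connection owned by falcon-sensor, one per line.
falcon_peers() {
    awk '$1 == "ESTAB" && /"falcon-sensor"/ { print $5 }'
}

# check <description> <command...>: run the command quietly, report, count failures.
check() {
    local desc="$1"; shift
    if "$@" >/dev/null 2>&1; then
        printf 'PASS  %s\n' "$desc"
    else
        printf 'FAIL  %s\n' "$desc"
        FAILURES=$((FAILURES + 1))
    fi
}

sensor_health() {
    local rfm aid peers
    FAILURES=0
    check "falcon-sensor process running"    pgrep falcon-sensor
    # Module names all start with "falcon"; a sensor in RFM loads none of them.
    check "falcon kernel module loaded"      sh -c 'lsmod | grep -q "^falcon"'
    check "falconctl present"                test -x "$FALCONCTL"

    rfm=$(falconctl_value "$(sudo "$FALCONCTL" -g --rfm-state 2>/dev/null)")
    check "sensor not in Reduced Functionality Mode"  test "$rfm" = "false"

    # The AID is assigned by the cloud when the host first registers; an unset
    # AID means the host has never checked in (assumption about falconctl output).
    aid=$(falconctl_value "$(sudo "$FALCONCTL" -g --aid 2>/dev/null)")
    check "agent ID assigned (registered with cloud)" test -n "$aid"

    peers=$(ss -tnp 2>/dev/null | falcon_peers)
    check "established connection from falcon-sensor"  test -n "$peers"
    [ -n "$peers" ] && printf '      peers: %s\n' "$peers"

    [ "$FAILURES" -eq 0 ]
}

# Run the checks only when invoked with --run, so the file can also be sourced
# for its functions:   sudo bash falcon-health.sh --run
if [ "${1:-}" = "--run" ]; then
    sensor_health
fi
```

Run it as `sudo bash falcon-health.sh --run`; the exit status is 0 only when every check passed, and the peers line lets you confirm whether the sensor is talking to the cloud directly or through a configured app proxy.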

Providing troubleshooting info to Support

If OIT needs to forward a sensor issue to CrowdStrike Support, you will be asked to collect diagnostic data with the falcon-diagnostic script (falcon-diagnostic.sh, installed with the sensor in /opt/CrowdStrike) and attach the archive it produces to your case.

Logs

Logs are written to your host's syslog. The exact files vary and are set in /etc/syslog.conf or /etc/rsyslog.conf; the most common locations are:

  • /var/log/messages
  • /var/log/syslog
  • /var/log/rsyslog
  • /var/log/daemon

grep for the string falcon for sensor logs, similar to this example:
sudo grep falcon /var/log/messages | tail -n 100

Logs are kept according to your host's log rotation settings, so older sensor messages may already have been rotated out. On systemd hosts that run no syslog daemon, the same messages are in the journal for the falcon-sensor unit (journalctl -u falcon-sensor).

Appendix: Reduced functionality mode (RFM)

Reduced functionality mode (RFM) is a safe mode for the sensor that prevents compatibility issues if the host’s kernel is unsupported by the sensor. Both Windows and Linux sensors can enter RFM, but RFM behaves differently on each platform. RFM is a protective state to prevent damage to incompatible hosts.

Hosts in RFM are unprotected by Falcon. When installing the sensor and upgrading hosts, ensure that kernels are compatible. Check regularly to verify your hosts aren’t in RFM.

A sensor enters RFM when it’s installed on a host that has an incompatible kernel on a supported Linux distro. Sensors can enter RFM if their kernels are updated to an unsupported kernel version.

What happens to sensors in RFM?

Linux sensors in RFM do very little, due to their strong dependency on the host's kernel. They don’t have detections or process execution events, but continue sending SensorHeartBeat events to indicate that a sensor is installed on the host.

How can I tell if my sensor's in RFM?

You can run the following command in terminal to verify RFM status:
sudo /opt/CrowdStrike/falconctl -g --rfm-state

Returning an RFM sensor to full functionality

Upgrade the sensor to a version that supports your installed kernel, or change the host’s kernel to one supported by the sensor. While newly released long-term support (LTS) kernels for supported distros aren’t immediately compatible with the sensor, we add support as quickly as possible.

To prevent existing sensors from entering RFM, CrowdStrike recommends disabling automatic kernel updates and upgrading your kernel when it is supported by the Falcon sensor. Consult your distro’s support documentation for pinning the existing kernel or configuring regular updates to leave the existing kernel in place.

Appendix: Falcon-Kernel-Check tool

The falcon-kernel-check tool ensures the Falcon sensor will be fully operational on a host by verifying host kernels are compatible with Falcon. It’s intended to be run before the sensor is installed. If a kernel is incompatible, the sensor might still install on a host but will be in Reduced Functionality Mode (RFM). While in RFM, the sensor is in a safety mode that protects it from severe compatibility errors. The sensor generates a heartbeat event, but does not perform any monitoring or prevention actions.

Falcon sensor for Linux version 5.38 and later includes a feature to add support for new kernels without requiring a sensor update. Support for new kernels is added through Zero Touch Linux (ZTL) channel files that are deployed to hosts. The falcon-kernel-check tool currently only verifies kernel support for the initial release of the sensor version. As a result, kernel support that has been added through channel files for a sensor version is not reflected in the results of the falcon-kernel-check tool, and the tool may report "not supported" for a kernel that a fully updated sensor does in fact support. For an up-to-date list of kernel support, including kernel support added through channel files, see Supported kernels.

For hosts with the sensor already installed, verify kernel compatibility by checking RFM status. Run this command on the host:
sudo /opt/CrowdStrike/falconctl -g --rfm-state

For more info about RFM status, see "Appendix: Reduced Functionality Mode (RFM)" above.

Before you begin

Download the appropriate sensor package for your host from falcon-dl.oit.duke.edu.

New kernel support is added regularly, so it is important to ensure that you have the latest sensor installer before running falcon-kernel-check.

System requirements: a supported Linux distro, and rpm2cpio (RPM-based distros only)

Extracting the tool

Follow the appropriate extraction instructions for your distro:

RPM-based distros:
$ mkdir -p /tmp/crowdstrike
$ rpm2cpio <installer_filename>.rpm | (cd /tmp/crowdstrike; cpio -idv)

DEB-based distros: 
$ mkdir -p /tmp/crowdstrike
$ dpkg -x <installer_filename>.deb /tmp/crowdstrike

Checking kernel compatibility

If extracted with one of the commands above, the falcon-kernel-check tool is located in /tmp/crowdstrike/opt/CrowdStrike/ and can be used in two ways.

To check the host's active kernel, run falcon-kernel-check with no parameters:

$ /tmp/crowdstrike/opt/CrowdStrike/falcon-kernel-check
Host OS Linux 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 is not supported by Sensor version 12606.

To check any other kernel, run falcon-kernel-check with the -k parameter. For example:

$ sudo /opt/CrowdStrike/falcon-kernel-check -k 5.11.0-46-generic
5.11.0-46-generic matches:
5.11.0-46-generic #51~20.04.1-Ubuntu SMP Fri Jan 7 06:51:40 UTC 2022

If a kernel version is available in multiple distributions, falcon-kernel-check displays the list of all kernels that match the specified parameter. For example:

$ sudo /opt/CrowdStrike/falcon-kernel-check -k 5.11.0-1009
5.11.0-1009 matches:
5.11.0-1009-aws #9~20.04.2-Ubuntu SMP Tue Jun 22 11:32:51 UTC 2021
5.11.0-1009-gcp #10~20.04.1-Ubuntu SMP Tue Jun 22 15:57:39 UTC 2021
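The extraction and check steps above combined into one pre-install gate: extract falcon-kernel-check from the downloaded .rpm or .deb, run it against the running kernel (or a kernel release given with -k), and exit 0 only when the tool reports the kernel as supported. This is an added example, not code from the KB or from CrowdStrike. It assumes the output wording shown above for an unsupported kernel ("... is not supported by Sensor version N.") and for -k mode ("<release> matches:" followed by one kernel per line); the wording for a supported running kernel ("... is supported by ...") is an assumption, and anything the classifier does not recognise is treated as unknown and fails closed. It also uses a private mktemp directory instead of the fixed /tmp/crowdstrike path, so that a pre-existing or attacker-planted directory there cannot be picked up when the extraction runs as root.

```bash
#!/usr/bin/env bash
# Added example, not from the KB or from CrowdStrike: pre-install kernel
# compatibility gate built around falcon-kernel-check.
# Assumptions: tool output wording as described in the lead-in; the tool lives
# at opt/CrowdStrike/falcon-kernel-check inside the extracted package.

# extract_installer <installer.rpm|installer.deb> <destdir>
# Same commands as the KB, dispatched on the package extension.
extract_installer() {
    local pkg="$1" dest="$2"
    case "$pkg" in
        *.rpm) rpm2cpio "$pkg" | (cd "$dest" && cpio -id --quiet) ;;
        *.deb) dpkg -x "$pkg" "$dest" ;;
        *)     echo "extract_installer: unknown package type: $pkg" >&2; return 2 ;;
    esac
}

# classify_kernel_check <tool output>: prints supported | unsupported | unknown
classify_kernel_check() {
    local out="$1" n
    case "$out" in
        *" is not supported by "*) echo unsupported ;;
        *" is supported by "*)     echo supported ;;          # assumed wording
        *" matches:"*)
            # -k mode: one matching kernel per line after the "matches:" header.
            n=$(printf '%s\n' "$out" | awk 'NR > 1 && NF { n++ } END { print n + 0 }')
            if [ "$n" -gt 0 ]; then echo supported; else echo unknown; fi ;;
        *) echo unknown ;;
    esac
}

# kernel_check <installer> [kernel-release]
# Runs in a subshell so the EXIT trap reliably removes the private work dir.
# Returns 0 only for "supported"; 1 for unsupported/unknown; 2 on tooling errors.
kernel_check() (
    pkg="$1"
    workdir=$(mktemp -d) || exit 2          # private, unpredictable path
    trap 'rm -rf "$workdir"' EXIT
    extract_installer "$pkg" "$workdir" || exit 2
    tool="$workdir/opt/CrowdStrike/falcon-kernel-check"
    [ -x "$tool" ] || { echo "falcon-kernel-check not found in $pkg" >&2; exit 2; }

    if [ -n "${2:-}" ]; then
        output=$("$tool" -k "$2" 2>&1)      # a kernel you have not booted yet
    else
        output=$("$tool" 2>&1)              # the running kernel
    fi
    verdict=$(classify_kernel_check "$output")
    printf '%s\nverdict: %s\n' "$output" "$verdict"
    [ "$verdict" = supported ]
)

# Usage:
#   kernel_check <installer_filename>.rpm                      # running kernel
#   kernel_check <installer_filename>.deb 5.11.0-46-generic    # before a kernel upgrade
```

Use `kernel_check <installer>` as a gate before the install command, and `kernel_check <installer> <release>` before rebooting into a newly installed kernel, which is the point at which a host would otherwise drop into RFM. Because of the channel-file caveat above, a "not supported" result from an older installer may be stale; re-download the current installer before trusting it.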

Command-line options

Usage: $ falcon-kernel-check [options]

  • -h print usage.
  • -v print version.
  • -k input kernel release to see if it is supported.


Article number: KB0035319

Valid to: March 23, 2024