
Deploy Falcon Sensor for Linux Using CLI

Overview

Deploying Falcon sensor for Linux on the host provides runtime protection for the host and, if applicable, the containers running on the host.

To install the Falcon sensor on an endpoint or node, perform these procedures:

  1. Install the Falcon sensor
  2. Verify the installation
  3. Optionally, configure the Falcon sensor with post-installation options

For information about other installation considerations, see Installation Options for Falcon Sensor for Linux.

Before you begin

Before you install the Falcon sensor for Linux, refer to these topics to make sure you are installing the correct sensor, your environment meets system requirements, you are using the correct deployment method and installation type, and you are aware of any additional installation options your installation requires:

Installing the Falcon sensor

  1. Download the Falcon sensor installer from Host setup and management > Deploy > Sensor Downloads.

    You have these types of sensor installers to choose from:

    Important: The unified installer is available starting with Falcon sensor for Linux version 7.28 and is the only installer available. Any previously released, cloud-specific installers will remain available as long as the associated sensors are supported. We recommend using the unified installer whenever possible.

    • Unified installer. A single installer that works for these CrowdStrike clouds: US-1, US-2, EU-1, US-GOV-1, and US-GOV-2.
    • Cloud-specific installer. The installer works for only one of the CrowdStrike clouds: US-1, US-2, EU-1, US-GOV-1, or US-GOV-2.
  2. Copy your Customer ID Checksum (CID), displayed on Sensor Downloads.

  3. Run the installer, substituting <installer_filename> with your installer's file name.

    Installing the sensor requires sudo privileges.

    • Ubuntu: sudo dpkg -i <installer_filename>
    • For RHEL, CentOS, Amazon Linux, choose either:
      • sudo yum install <installer_filename>
      • sudo dnf install <installer_filename>
    • SLES: sudo zypper install <installer_filename>
  4. Set your CID on the sensor, substituting <CID> with your CID.

    • All OSes: sudo /opt/CrowdStrike/falconctl -s --cid=<CID>
  5. Optional. Set the cloud where the endpoint's CID resides.

    After installation, the sensor must connect to the CrowdStrike cloud where the endpoint's CID resides.

    With a cloud-specific install package, the sensor connects directly to the matching cloud.

    With the unified installer, you can let the sensor discover the CID's cloud automatically, or you can specify the cloud where the CID resides. To specify the CrowdStrike cloud, run this command, choosing exactly one value for the --cloud option:

    • All OSes: sudo /opt/CrowdStrike/falconctl -s --cloud {us-1 | us-2 | eu-1 | us-gov-1 | us-gov-2}
  6. Start the sensor manually.

    • Hosts with SysVinit: sudo service falcon-sensor start
    • Hosts with Systemd: sudo systemctl start falcon-sensor
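Steps 3 through 6 above as a dry-run planner, added here as an example and not CrowdStrike's own tooling. It reads the distro ID from an os-release file, rejects a `--cloud` value outside the list in step 5, and prints the commands for review instead of running them. The function names and argument order are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: prints the install commands from the steps above for review.
# Function names and argument order are assumptions of this sketch.

# Read the distro ID from an os-release style file.
os_id() {
    sed -n 's/^ID=//p' "$1" | tr -d '"' | head -n 1
}

# Step 3: package command per distro family, as listed on the page.
install_cmd() {  # $1 = distro ID, $2 = installer file name
    case "$1" in
        ubuntu) echo "dpkg -i $2" ;;
        rhel|centos|amzn)
            if command -v dnf >/dev/null 2>&1; then echo "dnf install $2"
            else echo "yum install $2"; fi ;;
        sles) echo "zypper install $2" ;;
        *) return 1 ;;
    esac
}

# Step 5: --cloud takes exactly one of these values.
valid_cloud() {
    case "$1" in
        us-1|us-2|eu-1|us-gov-1|us-gov-2) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 6: systemd hosts expose /run/systemd/system; otherwise use SysVinit.
start_cmd() {
    if [ -d /run/systemd/system ]; then echo "systemctl start falcon-sensor"
    else echo "service falcon-sensor start"; fi
}

# Validate everything first, then print the ordered commands.
falcon_plan() {  # $1 installer, $2 CID, $3 cloud (may be empty), $4 os-release path
    id=$(os_id "${4:-/etc/os-release}")
    pkg=$(install_cmd "$id" "$1") || { echo "unsupported distro: $id" >&2; return 1; }
    [ -n "$2" ] || { echo "CID is required" >&2; return 1; }
    if [ -n "$3" ] && ! valid_cloud "$3"; then
        echo "invalid --cloud value: $3" >&2; return 1
    fi
    echo "sudo $pkg"
    echo "sudo /opt/CrowdStrike/falconctl -s --cid=$2"
    if [ -n "$3" ]; then echo "sudo /opt/CrowdStrike/falconctl -s --cloud $3"; fi
    echo "sudo $(start_cmd)"
}

if [ "$#" -ge 2 ]; then falcon_plan "$@"; fi
```

Pass an empty third argument to leave cloud discovery automatic, as the unified installer allows.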

Verifying sensor installation

You can verify the sensor installation by using the Falcon console or a terminal on the host:

  • Falcon Console: After the sensor is installed, the host connects to the CrowdStrike cloud. You can confirm a sensor installation by reviewing your hosts in the Falcon console. Search for the host in Host setup and management > Manage endpoints > Host management. To view a complete list of newly installed sensors, use Dashboards and reports > Reports > Sensor report.
  • Host: To validate that the Falcon sensor for Linux is running on a host, run this command at a terminal:

    ps -e | grep falcon-sensor

    You'll see output similar to this:

    [root@centos6-installtest ~]# sudo ps -e | grep falcon-sensor
    905 ? 00:00:02 falcon-sensor

Frequently Asked Questions

General
Can the sensor run without an internet connection?

No, the sensor requires an internet connection to run. The sensor needs to be connected to the internet in order to perform checks, receive policy updates, and report results. Without an internet connection, the sensor cannot function properly.

How often do tasks run?

The sensor performs checks at regular intervals to maintain up-to-date system security. Tasks typically run anywhere from once every few minutes to once per day, depending on configuration settings and requirements. Tasks follow a schedule for prompt issue detection and can also be triggered manually or by specific events like system reboots or policy updates.

What is Endpoint Security?

Endpoint security refers to the protection of individual devices (endpoints) such as computers, laptops, and servers from cybersecurity threats. It involves security measures like antivirus software, firewalls, encryption, and monitoring tools to detect vulnerabilities and prevent attacks. The sensor helps enforce endpoint security by checking for misconfigurations, inactive security software, and other risks that could compromise the system.

Which operating systems are supported?

The Rotate Sensor supports Windows and macOS operating systems.

Sensor
What’s the difference between Unauthorized, Paused, Deactivated and Uninstalled?
  • Unauthorized - The sensor is not logged in using the company’s SSO. This potentially could affect identifying the user of the sensor. The “Disconnect” button will unauthorize the sensor’s logged user.
  • Paused - The sensor is temporarily halted but can be easily resumed. This state is often used for maintenance or troubleshooting purposes.
  • Deactivated - The sensor is not running and not collecting data. This should be used when a device is no longer relevant, but might be in the future. The sensor will still be installed on the user’s device.
  • Uninstalled - The sensor will be removed from the user’s device. This should be used when a device is no longer relevant and never will be. This is irreversible.
