Install CrowdStrike Falcon Sensor for Linux

This guide outlines the process to deploy the CrowdStrike Falcon sensor on Linux devices using the Hexnode UEM platform. This deployment utilizes custom scripting to automate the installation and activation of the Falcon agent on supported Linux distributions.

What is CrowdStrike Falcon?

Core Functions:

• Malware Prevention: Stops both known and zero-day exploit-based attacks.
• Behavioral Detection: Identifies malicious indicators of attack (IOAs).
• Response & Visibility: Provides continuous monitoring and rapid response capabilities via the cloud.

Key Capabilities on Linux:

How to Deploy CrowdStrike Falcon on Linux Devices?

The deployment process is broken down into three primary stages:

1. Download the installer.
2. Executing the deployment script via Hexnode UEM.
3. Verify the installation.

Step 1: Download the Falcon Sensor installer

1. Log in to your CrowdStrike Falcon portal.
2. Open the menu and navigate to Host setup and management > Deploy > Sensor downloads.
3. Locate the Linux (Ubuntu/Debian) sensor and click Download to get the .deb file.
4. Copy the Customer ID (CID) provided on the download page; you will need this for activation.
5. Upload the .deb file to a secure cloud storage or file-sharing service and generate a direct Download URL.

Step 2: Deploy via Hexnode UEM

The deployment is executed using a Bash script through the Hexnode “Execute Custom Script” action.

Execution Steps:

1. Log in to the Hexnode UEM portal.
2. Go to the Manage tab and select your target Linux devices.
3. Select Actions > Execute Custom Script.
4. Set the platform to Linux and choose Upload file/Hexnode Repository as the script source.
5. Upload a .sh file containing the following code:
   Script to deploy CrowdStrike Falcon

   #!/bin/sh set -euo DOWNLOAD_URL="${1:-}" CID="${2:-}" # Exit if arguments are missing if [ -z "$DOWNLOAD_URL" ] || [ -z "$CID" ]; then echo "Usage: $0 <download_url> <cid>" exit 1 fi echo "Running pre-flight package repair..." # Finishes configuring partially installed packages sudo DEBIAN_FRONTEND=noninteractive dpkg --configure -a || echo "No interrupted packages to fix." echo "Downloading installer..." curl -L -o crowdstrike.deb "$DOWNLOAD_URL" echo "Installing crowd strike..." sudo DEBIAN_FRONTEND=noninteractive apt-get install -y ./crowdstrike.deb echo "Configuring CID..." if [ -f "/opt/CrowdStrike/falconctl" ]; then sudo /opt/CrowdStrike/falconctl -s -f --cid="$CID" else echo "Error: falconctl not found!" && exit 1 fi echo "Starting falcon service..." sudo systemctl enable falcon-sensor sudo systemctl start falcon-sensor echo "Verifying service status..." sudo systemctl is-active falcon-sensor echo "Successfully installed crowdstrike"

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38

   #!/bin/sh   set -euo   DOWNLOAD_URL="${1:-}" CID="${2:-}"   # Exit if arguments are missing if [ -z "$DOWNLOAD_URL" ] || [ -z "$CID" ]; then     echo "Usage: $0 <download_url> <cid>"     exit 1 fi   echo "Running pre-flight package repair..." # Finishes configuring partially installed packages sudo DEBIAN_FRONTEND=noninteractive dpkg --configure -a || echo "No interrupted packages to fix."   echo "Downloading installer..." curl -L -o crowdstrike.deb "$DOWNLOAD_URL"   echo "Installing crowd strike..." sudo DEBIAN_FRONTEND=noninteractive apt-get install -y ./crowdstrike.deb   echo "Configuring CID..." if [ -f "/opt/CrowdStrike/falconctl" ]; then     sudo /opt/CrowdStrike/falconctl -s -f --cid="$CID" else     echo "Error: falconctl not found!" && exit 1 fi   echo "Starting falcon service..." sudo systemctl enable falcon-sensor sudo systemctl start falcon-sensor   echo "Verifying service status..." sudo systemctl is-active falcon-sensor   echo "Successfully installed crowdstrike"

   Script Arguments:

   In the Arguments field in Hexnode, enter the following (separated by a space):

   • The Download URL for your .deb file.
   • The Customer ID (CID) copied from CrowdStrike.
6. Click Execute to begin the rollout.

Step 3: Verification

Once the script has finished running, verify the installation through both platforms:

In Hexnode UEM:

Check the Action History tab for the specific devices. A status of “Success” indicates the script was executed without errors.

In CrowdStrike Falcon Portal:

Navigate to Host setup and management > Manage endpoints > Host management. The newly deployed Linux devices should appear in the list with an Active status.

Once verified, the sensor will begin reporting telemetry, and the device will be ready to receive security policies from the CrowdStrike cloud.