Skip to main content
Red Canary help

Installing and uninstalling the Crowdstrike Falcon sensor on Linux

  • Updated .

Prerequisites

Prior to deploying the CrowdStrike Falcon sensor, please ensure you have accounted for the following:

Configure the necessary network connectivity

The CrowdStrike sensor communicates with the CrowdStrike cloud using bidirectionally authenticated Transport Layer Security (TLS) via port 443. All communications are outbound, sensor-to-server.

You can find your CrowdStrike cloud’s IP addresses by clicking Support > Docs > Cloud IP Addresses in your Falcon console.

Please be sure that these addresses are authorized at network egress points and that traffic is not subject to manipulation or TLS interception.

Installing CrowdStrike Falcon using a deployment tool

Use this installation method if you want to automate silent installations on many devices, including installations via a gold/master image.

To automatically install the CrowdStrike Falcon sensor for Linux:

  1. Prepare your master image instance, including any software configuration or updates.
  2. Download the Falcon sensor installer from Hosts > Sensor Downloads or via sensor download APIs.
  3. Copy your Customer ID Checksum (CID), displayed on Sensor Downloads.
  4. Run the installer, substituting <installer_filename> with your installer's file name.
    • Ubuntu: 
      sudo dpkg -i <installer_filename>
    • RHEL, CentOS, Amazon Linux: 
      sudo yum install <installer_filename>
    • SLES: 
      sudo zypper install <installer_filename>
  5. After installing, run these falconctl commands to remove the host's agent ID, set your CID, and configure the sensor for Pay-As-You-Go billing:
    sudo /opt/CrowdStrike/falconctl -d -f --aid
    sudo /opt/CrowdStrike/falconctl -s --cid=<CID>
    sudo /opt/CrowdStrike/falconctl -s --billing=metered
  6. Configure your cloud workloads to create ephemeral images based on this master image.
  7. According to your organization's update policies, plan to regularly recreate this master image using an up-to-date Falcon sensor installer.

To automate this more effectively, consider using sensor download APIs to automatically retrieve new versions of the Falcon sensor. Then, use your organization's existing automation tools to install the newer version on your master image without an agent ID.

To change an existing Falcon sensor to use Pay-As-You-Go billing, run this falconctl command, then restart the sensor:

sudo /opt/CrowdStrike/falconctl -s --billing=metered

When your cloned devices or virtual machines first contact the CrowdStrike cloud, they'll be automatically assigned a unique AID. If multiple devices use the same AID, the Falcon console will process all their events as though they came from a single device.

Installing CrowdStrike Falcon manually

Use this installation method if you want to install the sensor manually on a single endpoint.

To manually install the CrowdStrike Falcon sensor for Linux:

  1. Login to your CrowdStrike Falcon console.
  2. Download the sensor installer from Hosts > Sensor Downloads.
  3. Copy your CID, displayed on Sensor Downloads.
  4. Run the installer, substituting <installer_filename> with your installer's file name.
    • Ubuntu: 
      sudo dpkg -i <installer_filename>
    • RHEL, CentOS, Amazon Linux: 
      sudo yum install
     <installer_filename>
  5. SLES: 
    sudo zypper install <installer_filename>
  6. Set your CID on the sensor, substituting <CID> with your CID.This step is not required for versions 4.0 and earlier. 
    sudo /opt/CrowdStrike/falconctl -s --cid=<CID>
  7. Start the sensor manually. This step is not required for versions 4.0 and earlier.
    • Hosts with SysVinit: 
      service falcon-sensor start
    • Hosts with Systemd: 
      systemctl start falcon-sensor
  8. Confirm the sensor is running.
    ps -e | grep falcon-sensor
    You'll see output similar to this: 
    [root@centos6-installtest ~]# sudo ps -e | grep falcon-sensor
    905 ?         00:00:02 falcon-sensor

For more information on advanced installation types, please visit Support > Docs.

Uninstalling CrowdStrike Falcon

To uninstall via the command line:

  1. Run these commands to uninstall the Falcon sensor from your endpoint:
    1. Ubuntu: 
      sudo apt-get purge falcon-sensor
    2. RHEL, CentOS, Amazon Linux: 
      sudo yum remove falcon-sensor
    3. SLES: 
      sudo zypper remove falcon-sensor