Arch Linux User Repository

The installer was updated and proven to be working on Arch as of a month now. I no longer have access to a licensed product to test it anymore, so feel free to update/adopt.

By using CrowdStrike, you are bound by CrowdStrike license terms that may change without notice.
Terms of Use: https://www.crowdstrike.com/software-terms-of-use/ Privacy Notice: https://www.crowdstrike.com/privacy-notice/ License: https://www.crowdstrike.com/en-us/crowdstrike-sensor-licensing-faq/ Documentation: https://www.crowdstrike.com/tech-hub/endpoint-security/installing-falcon-sensor-for-linux/

@ZetaRevan downloading from CrowdStrike portal is the only allowed method to get the required binaries as stated here: https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor/

If you need the binary you need to have a valid license and download the package from the portal using your credentials.

Verification sums may differ from the source you obtain (with the valid license) so I'm leaving the checksum SKIPPED in order to allow you install the sensor without modification.

https://github.com/frealgagu/archlinux.falcon-sensor won't be available again and I recommend to not upload CrowdStrike binaries (even the ones generated for ArchLinux) publicly to avoid legal issues.

You can put your binary directly in the same folder of PKGBUILD and run makepkg (or extra-x86_64-build if you want a clean chroot environment), this way the command will recognize your binary and it will use it to make the ArchLinux package properly (avoiding the unknown manual:// protocol)

For anyone trying to install the latest version, I had success with version 7.25.0-17804. The key was creating a custom PKGBUILD that correctly handles the /lib directory conflict by moving the files to /usr/lib during the build process. I can upload the .deb package if someone can assist, sorry I'm new here ;)

I also recommend not embedding the CID inside the PKGBUILD, I have been a Falcon Admin for years and we are used to updating that post deployment...

Here is the final PKGBUILD that worked for me:

# Maintainer: Kyle Thompson <kylejeromethompson@gmail.com>

# --- Package Information ---
pkgname='falcon-sensor'
pkgdesc="CrowdStrike Falcon Sensor for Linux"
arch=('x86_64')
url="https://falcon.crowdstrike.com/"
license=('custom')

# --- Versioning ---
_pkgver='7.25.0'
_pkgrel='17804'
pkgver=${_pkgver}
pkgrel=${_pkgrel}

# --- Dependencies and Conflicts ---
depends=('glibc' 'openssl')
provides=("${pkgname}")
conflicts=("${pkgname}")

# --- Source File ---
source=("falcon-sensor_${_pkgver}-${_pkgrel}_amd64.deb")
sha256sums=('SKIP')

# --- Packaging Function ---
package() {
  # Extract the data archive from the .deb file
  tar -xf "${srcdir}/data.tar.xz" -C "${pkgdir}/"

  # Create the destination directory structure first (-p creates parent dirs if needed)
  mkdir -p "${pkgdir}/usr/lib"

  # Now, move the contents of the extracted 'lib' directory into it
  mv "${pkgdir}/lib"/* "${pkgdir}/usr/lib/"

  # Finally, remove the now-empty 'lib' directory
  rmdir "${pkgdir}/lib"
}

Thanks @je-vv that is really useful.

I managed to work around it in a more messy way by...

# Manually extract package contents and move to src/
ar x falcon-sensor_*.**.*-*****_amd64.deb
mv {control.tar.xz,data.tar.xz,debian-binary} src/.
#+end_src

Edited the ~PKGBUILD~ and...

• Make sure the version matches that of the .deb file you have.
• Comment out the first item in the source list (i.e. # "manual://${pkgname}${pkgver//-}_amd64.deb"
• comment out the corresponding sha256sums (i.e. # "SKIP#)

I could then makepkg -sri

I've gone through your instructions and they've worked too and are far less hacky :-)

Haven't got the CID yet but your instructions are really useful. IT support is non-existant and unfortunately I may be forced to switch OS :-(

I'm hoping if I can get this installed and working it may grant a stay of execution.

@nshephard the package requires more changes, first you can not comment out the source, you need to include one that satisfies the possible sources, I used this fake one:

source=(
  "https://${pkgname}_${_pkgver}_amd64.deb"
  "LICENSE"
)

I also included its SHA check:

sha256sums=(
  "<your_deb_sha>"
  "323c9971c5f7e3b360783601922c063801e0bbd425351faaafaf476b5b29fecb"
)

And the deb version provided where I work required change as well, but it depends on what your company provides to you:

pkgver=7.21.0.17405
_pkgver=7.21.0-17405

To answer your question, data.tar.xz comes from decompressing the deb package, which when decompressed includes two tarballs, the data one with the binaries, and the control one with instructions on what to do with the binaries included in the data tarball and more stuff to follow the distro policies and stuff.

The problem is that when you commented out the source, even though it's there besides the PGKGBUILD, it won't use it at all, and therefore this will fail:

prepare() {
  mkdir "${srcdir}/${pkgname}"
  cd "${srcdir}/${pkgname}"

  bsdtar -xf "${srcdir}/data.tar.xz" -C .

I modified the package to my purposes, and it's working flawlessly, :)

Hope this helps you.

BTW, installing the package is not enough. What's in falcon-sensor.install gives you a hint, but it was left commented out by the last update on this package because the instructions are pretty dependent on the falcon-sensor version and your company. The deb I was provided required different commands which are provided by the of:

/opt/CrowdStrike/falconctl -s --cid=<cid_provided_by_your_corp>
/opt/CrowdStrike/falconctl -g --cid
/opt/CrowdStrike/falconctl -s --tags=<tag_provided_by_your_corp>
/opt/CrowdStrike/falconctl -g --tags

The other pre-instructions and post instructions are fine, just the falconctl stuff is particular. I can't tell if those required where I work are the ones you need, or the ones in this package falcon-sensor.install, you need to find out with the instructions provided to you...

I've been asked to install this by employers and have been provided with a more recent .deb archive.

I've...

• updated the PKGBUILD to reflect this version
• commented out the manual:// and associated "SKIP" lines so no attempt is made to download and checksum the file.
• placed the .deb alongside the PKGBUILD in the cloned directory.

On running makepkg -sri I find...

❱ makepkg -sri
==> Making package: falcon-sensor 7.20.0.17306-1 (Wed 14 May 2025 16:50:05 BST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found LICENSE
==> Validating source files with sha256sums...
    LICENSE ... Passed
==> Extracting sources...
==> Starting prepare()...
bsdtar: Error opening archive: Failed to open '/home/user/tmp/falcon-sensor/src/data.tar.xz'
==> ERROR: A failure occurred in prepare().
    Aborting...

Not sure where data.tar.xz should be coming from?

The installer was updated and proven to be working on Arch as of a month now. I no longer have access to a licensed product to test it anymore, so feel free to update/adopt.

By using CrowdStrike, you are bound by CrowdStrike license terms that may change without notice.
Terms of Use: https://www.crowdstrike.com/software-terms-of-use/ Privacy Notice: https://www.crowdstrike.com/privacy-notice/ License: https://www.crowdstrike.com/en-us/crowdstrike-sensor-licensing-faq/ Documentation: https://www.crowdstrike.com/tech-hub/endpoint-security/installing-falcon-sensor-for-linux/

@sipak I do not have this software, so I can't check myself. Could you please run namcap on existing software to check dependencies and/or other packaging issues?

Nope, first, that gets overwritten later by falcon-sensor, but most importantly, there's a KernelModuleArchive with a bunch of linux modules per linux version in the array kernels. So the linux version used must match one of the supported ones by falcon-sensor (being part of the array kernels).

This is so sad, :( Any hints how to make falcon-sensor work on arch/artix? Any way to download a more up to date version perhaps, from upstream, without registering (I'm using the one provided by the company I work for, and I doubt I can just simply register as a some company representative, whom I'm not)... Perhaps there's a newer version supporting at least the LTS...

I don't know, how sad to be forced to use proprietary and closed code, :(

OK, my patch, so that the linux (kernel) version doesn't fail:

diff -Naur falcon-sensor-old/PKGBUILD falcon-sensor/PKGBUILD
--- falcon-sensor-old/PKGBUILD   2023-08-14 18:46:39.000000000 -0600
+++ falcon-sensor/PKGBUILD 2024-05-14 21:26:14.411904645 -0600
@@ -1,7 +1,8 @@
 # Maintainer: Fredy García <frealgagu at gmail dot com>

 pkgname=falcon-sensor
-pkgver=7.01.0_15604
+pkgver=7.11.0_16404
+_pkg_patch=16404
 pkgrel=1
 pkgdesc="Crowdstrike Falcon Sensor daemon and kernel modules"
 arch=("x86_64")
@@ -11,11 +12,11 @@
 backup=("etc/logrotate.d/falcon-sensor")
 install="${pkgname}.install"
 source=(
-  "manual://${pkgname}_${pkgver/_/-}_amd64.deb"
+  "https://${pkgname}_${pkgver/_/-}_amd64.deb"
   "LICENSE"
 )
 sha256sums=(
-  "SKIP"
+  "19c70ecb57c71522e9e43142ff61152d1098832b712a30f9973ea38e9d26980e"
   "76dbcf8027846d9a8c2fbd9ca2a163c171bbc75161b46a24f59bf64dd44fc6e9"
 )

@@ -27,6 +28,13 @@

   # Remove unnecessary .deb related directory
   rm -rf "${srcdir}/${pkgname}/etc/init.d"
+
+  # Add support for the Arch/Artix linux version
+  sed -i "s|\(kernels=\".*\)\([ \t]*\"[ \t]*$\)|\1$(uname -r)\\\n\2|" "${srcdir}/${pkgname}/opt/CrowdStrike/falcon-kernel-check${_pkg_patch}"
 }

 package() {

Not sure if working, neither what it's doing, but:

% ps auxww | 'grep' falcon
root     12791  0.0  0.0   2620  1152 ?        Ss   21:16   0:00 /opt/CrowdStrike/falcond
root     12792  0.8  1.5 3454876 250120 ?      Sl   21:16   0:09 falcon-sensor-bpf

@micwoj92, I believe this package actually requires libnl1 from AUR, since the package is really a -bin one, since it's using a binary package for another distro, which might probably be not as up to date as Ach/derivatives are. That said, libnl1 doesn't conflict with libnl, so that's great..