Package Details: falcon-sensor 7.32.0-18504

Git Clone URL: https://aur.archlinux.org/falcon-sensor.git (read-only, click to copy)
Package Base: falcon-sensor
Description: CrowdStrike Falcon Sensor for Linux
Upstream URL: https://falcon.crowdstrike.com/
Licenses: custom
Conflicts: falcon-sensor
Provides: falcon-sensor
Submitter: frealgagu
Maintainer: kylethompson (evanstucker)
Last Packager: kylethompson
Votes: 8
Popularity: 0.22
First Submitted: 2020-12-06 04:56 (UTC)
Last Updated: 2026-01-04 23:34 (UTC)

Pinned Comments

kylethompson commented on 2026-01-04 23:29 (UTC)

falcon-sensor 7.32 Upgrade Notice
Issue: File Conflict on Upgrade

Users upgrading from falcon-sensor versions prior to 7.32 WILL encounter the following error:

error: failed to commit transaction (conflicting files)
falcon-sensor: /opt/CrowdStrike/falcon-flow exists in filesystem
Errors occurred, no packages were upgraded.
Root Cause

The CrowdStrike Falcon sensor creates runtime files in /opt/CrowdStrike/ after installation. Specifically, the sensor creates an unversioned symlink or file at /opt/CrowdStrike/falcon-flow that points to the versioned binary (e.g., falcon-flow18504).

Starting with version 7.32, CrowdStrike's upstream .deb package now includes /opt/CrowdStrike/falcon-flow as a packaged file. When pacman attempts the upgrade, it detects that this file already exists on the filesystem but is not owned by the currently installed package (since the old package didn't include it). This triggers a file conflict error.

One-Time Fix

For users upgrading to version 7.32 from any earlier version, use the --overwrite flag:

# Using yay
yay -S falcon-sensor --overwrite '/opt/CrowdStrike/*'

# Using paru
paru -S falcon-sensor --overwrite '/opt/CrowdStrike/*'

# Using pacman directly (if package is already built)
sudo pacman -U /path/to/falcon-sensor-7.32.0-18504-x86_64.pkg.tar.zst --overwrite '/opt/CrowdStrike/*'

Note: The path is case-sensitive. Use CrowdStrike, not Crowdstrike.

Long-Term Fix

Starting with version 7.32, the package now includes a pacman alpm hook (/usr/share/libalpm/hooks/falcon-sensor.hook) that automatically removes runtime-generated files before future upgrades. This hook runs PreTransaction, which executes before pacman's file conflict check.

Once you've successfully upgraded to 7.32, future upgrades (7.34, 7.36, etc.) should work without requiring --overwrite.

Technical Details
Why .install hooks don't help

Pacman's install hooks (pre_upgrade, post_upgrade, etc.) run after the file conflict check has already passed. The conflict detection happens during the "checking for file conflicts" phase, which occurs before any package transaction begins. Therefore, cleanup code in .install scripts cannot prevent this error.

The alpm hook solution

Pacman supports alpm hooks that can run at different points in the transaction lifecycle. By using When = PreTransaction, the hook executes before pacman performs its conflict check:

[Trigger]
Operation = Upgrade
Type = Package
Target = falcon-sensor

[Action]
Description = Cleaning up falcon-sensor runtime files...
When = PreTransaction
Exec = /usr/bin/rm -f /opt/CrowdStrike/falcon-flow
Why the hook doesn't help for the initial 7.32 upgrade

The hook is bundled inside the 7.32 package itself. When upgrading from an older version (e.g., 7.28 or 7.30), the hook doesn't exist on the system yet because the old package didn't include it. This is a chicken-and-egg problem inherent to packaging runtime-generated files.

Affected Versions
  • Upgrading from: Any version prior to 7.32 (confirmed: 7.28, 7.30)
  • Upgrading to: 7.32.0-18504 and likely future versions
Questions?

Feel free to comment below or flag the package on the AUR if you encounter additional issues.

Latest Comments

1 2 3 4 Next › Last »

kylethompson commented on 2026-01-09 01:33 (UTC)

Good catch mklein994, my WAF rules were obfuscating the download hash and serving the indext.html sha256 - I fixed and now you can curl to see correct values are presented:

[kthompson ~]$ curl -sL https://socfoundry.com/downloads/falcon-sensor_7.32.0-18504_amd64.deb | sha256sum 
0c3ac12e749647cd05a8e8bd6281541e5ba8496ca1ba042eda6637f547db5dc0  -
[kthompson ~]$ curl -sL https://socfoundry.com/downloads/index.html | sha256sum 
902d329a0ac248bace3869427d4598c2bdf20b2f52b1d60a405abbd1db8354f6  -
[kthompson@auraX9cos ~]$

And for kirinthos - socfoundry.com is a site I own, if anyone has any recommendations for a better place to host them I will gladly relocate.

mklein994 commented on 2026-01-08 23:12 (UTC) (edited on 2026-01-08 23:16 (UTC) by mklein994)

The sha256sum of the downloaded .deb file doesn't match the PKGBUILD:

902d329a0ac248bace3869427d4598c2bdf20b2f52b1d60a405abbd1db8354f6  ./falcon-sensor_7.32.0-18504_amd64.deb # from socfoundry.com
0c3ac12e749647cd05a8e8bd6281541e5ba8496ca1ba042eda6637f547db5dc0  ./falcon-sensor_7.32.0-18504_amd64.deb # from the PKGBUILD

The package also used to remove /etc/init.d, but now it's back for some reason?

EDIT:

The link to the .deb file doesn't resolve to a .deb file, just the socfoundry.com website. 😕

kirinthos commented on 2026-01-05 15:14 (UTC)

Could anyone point me to some information on what socfoundry.com is? I cannot find any information on this and Crowdstrike doesn't seem to point to this url as a safe location to download the falcon-sensor binary.

kylethompson commented on 2026-01-04 23:45 (UTC)

Latest PKGBUILD January 4th, 2026:

# Maintainer: Kyle Thompson <kylejeromethompson@gmail.com>
#
# --- DISCLAIMER ---
# This PKGBUILD is an unofficial community contribution. It is not affiliated with,
# endorsed, or supported by CrowdStrike, Inc.
#
# The CrowdStrike Falcon sensor is proprietary software. By building and installing
# this package, you acknowledge that you are downloading software directly from
# CrowdStrike and agree to be bound by their End User License Agreement and
# Privacy Notice. You are solely responsible for ensuring you have a valid
# license to use the software.
#
# This installation script is provided "AS IS" without warranty of any kind,
# express or implied. The user assumes all risk and responsibility for its use.
#
# Terms of Use: https://www.crowdstrike.com/software-terms-of-use/
# Privacy Notice: https://www.crowdstrike.com/privacy-notice/


# --- Package Information ---
pkgname='falcon-sensor'
pkgdesc="CrowdStrike Falcon Sensor for Linux"
arch=('x86_64')
url="https://falcon.crowdstrike.com/"
license=('custom')

# --- Versioning ---
_pkgver='7.32.0'
_pkgrel='18504'
pkgver=${_pkgver}
pkgrel=${_pkgrel}

# --- Dependencies and Conflicts ---
depends=('glibc' 'openssl')
provides=("${pkgname}")
conflicts=("${pkgname}")
install="${pkgname}.install"

# --- Source Files ---
source=("falcon-sensor_${_pkgver}-${_pkgrel}_amd64.deb::https://socfoundry.com/downloads/falcon-sensor_${_pkgver}-${_pkgrel}_amd64.deb"
        "falcon-sensor.hook")
sha256sums=('0c3ac12e749647cd05a8e8bd6281541e5ba8496ca1ba042eda6637f547db5dc0'
            'SKIP')

# --- Packaging Function ---
package() {
  # Extract the data archive from the .deb file
  tar -xf "${srcdir}/data.tar.xz" -C "${pkgdir}/"

  # Create the destination directory structure first (-p creates parent dirs if needed)
  mkdir -p "${pkgdir}/usr/lib/"

  # Move the contents of the extracted 'lib' directory to '/usr/lib' inside the package
  mv "${pkgdir}/lib"/* "${pkgdir}/usr/lib/"

  # Remove the now-empty 'lib' directory from the package
  rmdir "${pkgdir}/lib"

  # Install pacman hook to clean up runtime-generated files before upgrades
  install -Dm644 "${srcdir}/falcon-sensor.hook" "${pkgdir}/usr/share/libalpm/hooks/falcon-sensor.hook"
}

kylethompson commented on 2026-01-04 23:29 (UTC)

falcon-sensor 7.32 Upgrade Notice
Issue: File Conflict on Upgrade

Users upgrading from falcon-sensor versions prior to 7.32 WILL encounter the following error:

error: failed to commit transaction (conflicting files)
falcon-sensor: /opt/CrowdStrike/falcon-flow exists in filesystem
Errors occurred, no packages were upgraded.
Root Cause

The CrowdStrike Falcon sensor creates runtime files in /opt/CrowdStrike/ after installation. Specifically, the sensor creates an unversioned symlink or file at /opt/CrowdStrike/falcon-flow that points to the versioned binary (e.g., falcon-flow18504).

Starting with version 7.32, CrowdStrike's upstream .deb package now includes /opt/CrowdStrike/falcon-flow as a packaged file. When pacman attempts the upgrade, it detects that this file already exists on the filesystem but is not owned by the currently installed package (since the old package didn't include it). This triggers a file conflict error.

One-Time Fix

For users upgrading to version 7.32 from any earlier version, use the --overwrite flag:

# Using yay
yay -S falcon-sensor --overwrite '/opt/CrowdStrike/*'

# Using paru
paru -S falcon-sensor --overwrite '/opt/CrowdStrike/*'

# Using pacman directly (if package is already built)
sudo pacman -U /path/to/falcon-sensor-7.32.0-18504-x86_64.pkg.tar.zst --overwrite '/opt/CrowdStrike/*'

Note: The path is case-sensitive. Use CrowdStrike, not Crowdstrike.

Long-Term Fix

Starting with version 7.32, the package now includes a pacman alpm hook (/usr/share/libalpm/hooks/falcon-sensor.hook) that automatically removes runtime-generated files before future upgrades. This hook runs PreTransaction, which executes before pacman's file conflict check.

Once you've successfully upgraded to 7.32, future upgrades (7.34, 7.36, etc.) should work without requiring --overwrite.

Technical Details
Why .install hooks don't help

Pacman's install hooks (pre_upgrade, post_upgrade, etc.) run after the file conflict check has already passed. The conflict detection happens during the "checking for file conflicts" phase, which occurs before any package transaction begins. Therefore, cleanup code in .install scripts cannot prevent this error.

The alpm hook solution

Pacman supports alpm hooks that can run at different points in the transaction lifecycle. By using When = PreTransaction, the hook executes before pacman performs its conflict check:

[Trigger]
Operation = Upgrade
Type = Package
Target = falcon-sensor

[Action]
Description = Cleaning up falcon-sensor runtime files...
When = PreTransaction
Exec = /usr/bin/rm -f /opt/CrowdStrike/falcon-flow
Why the hook doesn't help for the initial 7.32 upgrade

The hook is bundled inside the 7.32 package itself. When upgrading from an older version (e.g., 7.28 or 7.30), the hook doesn't exist on the system yet because the old package didn't include it. This is a chicken-and-egg problem inherent to packaging runtime-generated files.

Affected Versions
  • Upgrading from: Any version prior to 7.32 (confirmed: 7.28, 7.30)
  • Upgrading to: 7.32.0-18504 and likely future versions
Questions?

Feel free to comment below or flag the package on the AUR if you encounter additional issues.

kylethompson commented on 2025-10-10 13:52 (UTC) (edited on 2025-10-10 17:43 (UTC) by kylethompson)

Due to licensing restrictions, you will need to manually download\ obtain the latest.deb falcon sensor software.

Download the falcon .deb file, then run this command inside same folder:

yay -S falcon-sensor

Customer CID number required in this command to unlock service:

sudo /opt/CrowdStrike/falconctl -s --cid=<YOUR CUSTOMER ID>

Enable the service:

sudo systemctl enable --now falcon-sensor.service

Start the service:

sudo systemctl start falcon-sensor.service

Verify service state:

systemctl status falcon-sensor.service

# Maintainer: Kyle Thompson <kylejeromethompson@gmail.com>
#
# --- DISCLAIMER ---
# This PKGBUILD is an unofficial community contribution. It is not affiliated with,
# endorsed, or supported by CrowdStrike, Inc.
#
# The CrowdStrike Falcon sensor is proprietary software. By building and installing
# this package, you acknowledge that you are downloading software directly from
# CrowdStrike and agree to be bound by their End User License Agreement and
# Privacy Notice. You are solely responsible for ensuring you have a valid
# license to use the software.
#
# This installation script is provided "AS IS" without warranty of any kind,
# express or implied. The user assumes all risk and responsibility for its use.
#
# Terms of Use: https://www.crowdstrike.com/software-terms-of-use/
# Privacy Notice: https://www.crowdstrike.com/privacy-notice/


# --- Package Information ---
pkgname='falcon-sensor'
pkgdesc="CrowdStrike Falcon Sensor for Linux"
arch=('x86_64')
url="https://falcon.crowdstrike.com/"
license=('custom')

# --- Versioning ---
_pkgver='7.30.0'
_pkgrel='18306'
pkgver=${_pkgver}
pkgrel=${_pkgrel}

# --- Dependencies and Conflicts ---
depends=('glibc' 'openssl')
provides=("${pkgname}")
conflicts=("${pkgname}")

# --- Source File ---
source=("falcon-sensor_${_pkgver}-${_pkgrel}_amd64.deb")
sha256sums=('SKIP')

# --- Packaging Function ---
package() {
  # Extract the data archive from the .deb file
  tar -xf "${srcdir}/data.tar.xz" -C "${pkgdir}/"

  # Create the destination directory structure first (-p creates parent dirs if needed)
  mkdir -p "${pkgdir}/usr/lib/"

  # Move the contents of the extracted 'lib' directory to '/usr/lib' inside the package
  mv "${pkgdir}/lib"/* "${pkgdir}/usr/lib/"

  # Remove the now-empty 'lib' directory from the package
  rmdir "${pkgdir}/lib"
}

muidev commented on 2025-09-23 08:36 (UTC) (edited on 2025-09-23 08:39 (UTC) by muidev)

I managed to install the version by: - Downloading the .deb file from Crowdstrike Admin Panel (version 7.29).

  • Downloading the package locally with yay -G falcon-sensor.

  • Placing the .deb file into the build dir that was created by yay.

  • Updating the PKGBUILD file to expect this version (you can see the content of PKGBUILD below.

  • Run makepkg -si inside the dir.

I am new to Arch so if someone knows a better way to do it pls tell me.

# Maintainer: Jan Muixi <janmuixi7@gmail.com>
# This script is not official and it is provided as a helper. You are solely responsible for the use of this installer.

# By using CrowdStrike, you are bound by CrowdStrike license terms that may change without notice.
# Terms of Use: https://www.crowdstrike.com/software-terms-of-use/
# Privacy Notice: https://www.crowdstrike.com/privacy-notice/

pkgname=falcon-sensor
pkgver=7.29.0
_pkgver=7.29.0
pkgrel=18202
pkgdesc="Crowdstrike Falcon Sensor daemon and kernel modules"
arch=("x86_64")
url="https://crowdstrike.com"
license=("custom")
depends=("openssl" "libnl1")
backup=("etc/logrotate.d/falcon-sensor")
source=(
  "manual://${pkgname}_${pkgver}-${pkgrel}_amd64.deb"
  "LICENSE"
)
sha256sums=(
  "SKIP"
  "SKIP"
)

prepare() {
  mkdir "${srcdir}/${pkgname}"
  cd "${srcdir}/${pkgname}"

  bsdtar -xf "${srcdir}/data.tar.xz" -C .

  # Remove unnecessary .deb related directory
  rm -rf "${srcdir}/${pkgname}/etc/init.d"
}

package() {
  warning "You may need to uninstall the package first and remove the folder /opt/CrowdStrike"

  cd "${srcdir}/${pkgname}"
  cp -r "${srcdir}/${pkgname}/"* "${pkgdir}"
  install -dm755 "${pkgdir}/usr"
  mv "${pkgdir}/lib" "${pkgdir}/usr/lib"
  install -Dm644 "${srcdir}/LICENSE" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"

  chmod a+x "${pkgdir}/opt/CrowdStrike"
  chmod -R a+r "${pkgdir}/opt/CrowdStrike"

  #/opt/CrowdStrike/falconctl -s --cid=<your CID here>
}

kylethompson commented on 2025-06-12 15:41 (UTC)

For anyone trying to install the latest version, I had success with version 7.25.0-17804. The key was creating a custom PKGBUILD that correctly handles the /lib directory conflict by moving the files to /usr/lib during the build process. I can upload the .deb package if someone can assist, sorry I'm new here ;)

I also recommend not embedding the CID inside the PKGBUILD, I have been a Falcon Admin for years and we are used to updating that post deployment...

Here is the final PKGBUILD that worked for me:


# Maintainer: Kyle Thompson <kylejeromethompson@gmail.com>

# --- Package Information ---
pkgname='falcon-sensor'
pkgdesc="CrowdStrike Falcon Sensor for Linux"
arch=('x86_64')
url="https://falcon.crowdstrike.com/"
license=('custom')

# --- Versioning ---
_pkgver='7.25.0'
_pkgrel='17804'
pkgver=${_pkgver}
pkgrel=${_pkgrel}

# --- Dependencies and Conflicts ---
depends=('glibc' 'openssl')
provides=("${pkgname}")
conflicts=("${pkgname}")

# --- Source File ---
source=("falcon-sensor_${_pkgver}-${_pkgrel}_amd64.deb")
sha256sums=('SKIP')

# --- Packaging Function ---
package() {
  # Extract the data archive from the .deb file
  tar -xf "${srcdir}/data.tar.xz" -C "${pkgdir}/"

  # Create the destination directory structure first (-p creates parent dirs if needed)
  mkdir -p "${pkgdir}/usr/lib"

  # Now, move the contents of the extracted 'lib' directory into it
  mv "${pkgdir}/lib"/* "${pkgdir}/usr/lib/"

  # Finally, remove the now-empty 'lib' directory
  rmdir "${pkgdir}/lib"
}

nshephard commented on 2025-05-15 09:26 (UTC)

Thanks @je-vv that is really useful.

I managed to work around it in a more messy way by...

# Manually extract package contents and move to src/
ar x falcon-sensor_*.**.*-*****_amd64.deb
mv {control.tar.xz,data.tar.xz,debian-binary} src/.
#+end_src

Edited the ~PKGBUILD~ and...

  • Make sure the version matches that of the .deb file you have.
  • Comment out the first item in the source list (i.e. # "manual://${pkgname}${pkgver//-}_amd64.deb"
  • comment out the corresponding sha256sums (i.e. # "SKIP#)

I could then makepkg -sri

I've gone through your instructions and they've worked too and are far less hacky :-)

Haven't got the CID yet but your instructions are really useful. IT support is non-existant and unfortunately I may be forced to switch OS :-(

I'm hoping if I can get this installed and working it may grant a stay of execution.

1 2 3 4 Next › Last »