Arch Linux User Repository

Due to licensing restrictions, you will need to manually download\ obtain the latest.deb falcon sensor software.

Download the falcon .deb file, then run this command inside same folder:

yay -S falcon-sensor

Customer CID number required in this command to unlock service:

sudo /opt/CrowdStrike/falconctl -s --cid=<YOUR CUSTOMER ID>

Enable the service:

sudo systemctl enable --now falcon-sensor.service

Start the service:

sudo systemctl start falcon-sensor.service

Verify service state:

systemctl status falcon-sensor.service

# Maintainer: Kyle Thompson <kylejeromethompson@gmail.com>
#
# --- DISCLAIMER ---
# This PKGBUILD is an unofficial community contribution. It is not affiliated with,
# endorsed, or supported by CrowdStrike, Inc.
#
# The CrowdStrike Falcon sensor is proprietary software. By building and installing
# this package, you acknowledge that you are downloading software directly from
# CrowdStrike and agree to be bound by their End User License Agreement and
# Privacy Notice. You are solely responsible for ensuring you have a valid
# license to use the software.
#
# This installation script is provided "AS IS" without warranty of any kind,
# express or implied. The user assumes all risk and responsibility for its use.
#
# Terms of Use: https://www.crowdstrike.com/software-terms-of-use/
# Privacy Notice: https://www.crowdstrike.com/privacy-notice/


# --- Package Information ---
pkgname='falcon-sensor'
pkgdesc="CrowdStrike Falcon Sensor for Linux"
arch=('x86_64')
url="https://falcon.crowdstrike.com/"
license=('custom')

# --- Versioning ---
_pkgver='7.30.0'
_pkgrel='18306'
pkgver=${_pkgver}
pkgrel=${_pkgrel}

# --- Dependencies and Conflicts ---
depends=('glibc' 'openssl')
provides=("${pkgname}")
conflicts=("${pkgname}")

# --- Source File ---
source=("falcon-sensor_${_pkgver}-${_pkgrel}_amd64.deb")
sha256sums=('SKIP')

# --- Packaging Function ---
package() {
  # Extract the data archive from the .deb file
  tar -xf "${srcdir}/data.tar.xz" -C "${pkgdir}/"

  # Create the destination directory structure first (-p creates parent dirs if needed)
  mkdir -p "${pkgdir}/usr/lib/"

  # Move the contents of the extracted 'lib' directory to '/usr/lib' inside the package
  mv "${pkgdir}/lib"/* "${pkgdir}/usr/lib/"

  # Remove the now-empty 'lib' directory from the package
  rmdir "${pkgdir}/lib"
}

The installer was updated and proven to be working on Arch as of a month now. I no longer have access to a licensed product to test it anymore, so feel free to update/adopt.

By using CrowdStrike, you are bound by CrowdStrike license terms that may change without notice.
Terms of Use: https://www.crowdstrike.com/software-terms-of-use/ Privacy Notice: https://www.crowdstrike.com/privacy-notice/ License: https://www.crowdstrike.com/en-us/crowdstrike-sensor-licensing-faq/ Documentation: https://www.crowdstrike.com/tech-hub/endpoint-security/installing-falcon-sensor-for-linux/

@ZetaRevan downloading from CrowdStrike portal is the only allowed method to get the required binaries as stated here: https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor/

If you need the binary you need to have a valid license and download the package from the portal using your credentials.

Verification sums may differ from the source you obtain (with the valid license) so I'm leaving the checksum SKIPPED in order to allow you install the sensor without modification.

https://github.com/frealgagu/archlinux.falcon-sensor won't be available again and I recommend to not upload CrowdStrike binaries (even the ones generated for ArchLinux) publicly to avoid legal issues.

You can put your binary directly in the same folder of PKGBUILD and run makepkg (or extra-x86_64-build if you want a clean chroot environment), this way the command will recognize your binary and it will use it to make the ArchLinux package properly (avoiding the unknown manual:// protocol)

Due to licensing restrictions, you will need to manually download\ obtain the latest.deb falcon sensor software.

Download the falcon .deb file, then run this command inside same folder:

yay -S falcon-sensor

Customer CID number required in this command to unlock service:

sudo /opt/CrowdStrike/falconctl -s --cid=<YOUR CUSTOMER ID>

Enable the service:

sudo systemctl enable --now falcon-sensor.service

Start the service:

sudo systemctl start falcon-sensor.service

Verify service state:

systemctl status falcon-sensor.service

# Maintainer: Kyle Thompson <kylejeromethompson@gmail.com>
#
# --- DISCLAIMER ---
# This PKGBUILD is an unofficial community contribution. It is not affiliated with,
# endorsed, or supported by CrowdStrike, Inc.
#
# The CrowdStrike Falcon sensor is proprietary software. By building and installing
# this package, you acknowledge that you are downloading software directly from
# CrowdStrike and agree to be bound by their End User License Agreement and
# Privacy Notice. You are solely responsible for ensuring you have a valid
# license to use the software.
#
# This installation script is provided "AS IS" without warranty of any kind,
# express or implied. The user assumes all risk and responsibility for its use.
#
# Terms of Use: https://www.crowdstrike.com/software-terms-of-use/
# Privacy Notice: https://www.crowdstrike.com/privacy-notice/


# --- Package Information ---
pkgname='falcon-sensor'
pkgdesc="CrowdStrike Falcon Sensor for Linux"
arch=('x86_64')
url="https://falcon.crowdstrike.com/"
license=('custom')

# --- Versioning ---
_pkgver='7.30.0'
_pkgrel='18306'
pkgver=${_pkgver}
pkgrel=${_pkgrel}

# --- Dependencies and Conflicts ---
depends=('glibc' 'openssl')
provides=("${pkgname}")
conflicts=("${pkgname}")

# --- Source File ---
source=("falcon-sensor_${_pkgver}-${_pkgrel}_amd64.deb")
sha256sums=('SKIP')

# --- Packaging Function ---
package() {
  # Extract the data archive from the .deb file
  tar -xf "${srcdir}/data.tar.xz" -C "${pkgdir}/"

  # Create the destination directory structure first (-p creates parent dirs if needed)
  mkdir -p "${pkgdir}/usr/lib/"

  # Move the contents of the extracted 'lib' directory to '/usr/lib' inside the package
  mv "${pkgdir}/lib"/* "${pkgdir}/usr/lib/"

  # Remove the now-empty 'lib' directory from the package
  rmdir "${pkgdir}/lib"
}

I managed to install the version by: - Downloading the .deb file from Crowdstrike Admin Panel (version 7.29).

• Downloading the package locally with yay -G falcon-sensor.

• Placing the .deb file into the build dir that was created by yay.

• Updating the PKGBUILD file to expect this version (you can see the content of PKGBUILD below.

• Run makepkg -si inside the dir.

I am new to Arch so if someone knows a better way to do it pls tell me.

# Maintainer: Jan Muixi <janmuixi7@gmail.com>
# This script is not official and it is provided as a helper. You are solely responsible for the use of this installer.

# By using CrowdStrike, you are bound by CrowdStrike license terms that may change without notice.
# Terms of Use: https://www.crowdstrike.com/software-terms-of-use/
# Privacy Notice: https://www.crowdstrike.com/privacy-notice/

pkgname=falcon-sensor
pkgver=7.29.0
_pkgver=7.29.0
pkgrel=18202
pkgdesc="Crowdstrike Falcon Sensor daemon and kernel modules"
arch=("x86_64")
url="https://crowdstrike.com"
license=("custom")
depends=("openssl" "libnl1")
backup=("etc/logrotate.d/falcon-sensor")
source=(
  "manual://${pkgname}_${pkgver}-${pkgrel}_amd64.deb"
  "LICENSE"
)
sha256sums=(
  "SKIP"
  "SKIP"
)

prepare() {
  mkdir "${srcdir}/${pkgname}"
  cd "${srcdir}/${pkgname}"

  bsdtar -xf "${srcdir}/data.tar.xz" -C .

  # Remove unnecessary .deb related directory
  rm -rf "${srcdir}/${pkgname}/etc/init.d"
}

package() {
  warning "You may need to uninstall the package first and remove the folder /opt/CrowdStrike"

  cd "${srcdir}/${pkgname}"
  cp -r "${srcdir}/${pkgname}/"* "${pkgdir}"
  install -dm755 "${pkgdir}/usr"
  mv "${pkgdir}/lib" "${pkgdir}/usr/lib"
  install -Dm644 "${srcdir}/LICENSE" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"

  chmod a+x "${pkgdir}/opt/CrowdStrike"
  chmod -R a+r "${pkgdir}/opt/CrowdStrike"

  #/opt/CrowdStrike/falconctl -s --cid=<your CID here>
}

For anyone trying to install the latest version, I had success with version 7.25.0-17804. The key was creating a custom PKGBUILD that correctly handles the /lib directory conflict by moving the files to /usr/lib during the build process. I can upload the .deb package if someone can assist, sorry I'm new here ;)

I also recommend not embedding the CID inside the PKGBUILD, I have been a Falcon Admin for years and we are used to updating that post deployment...

Here is the final PKGBUILD that worked for me:

# Maintainer: Kyle Thompson <kylejeromethompson@gmail.com>

# --- Package Information ---
pkgname='falcon-sensor'
pkgdesc="CrowdStrike Falcon Sensor for Linux"
arch=('x86_64')
url="https://falcon.crowdstrike.com/"
license=('custom')

# --- Versioning ---
_pkgver='7.25.0'
_pkgrel='17804'
pkgver=${_pkgver}
pkgrel=${_pkgrel}

# --- Dependencies and Conflicts ---
depends=('glibc' 'openssl')
provides=("${pkgname}")
conflicts=("${pkgname}")

# --- Source File ---
source=("falcon-sensor_${_pkgver}-${_pkgrel}_amd64.deb")
sha256sums=('SKIP')

# --- Packaging Function ---
package() {
  # Extract the data archive from the .deb file
  tar -xf "${srcdir}/data.tar.xz" -C "${pkgdir}/"

  # Create the destination directory structure first (-p creates parent dirs if needed)
  mkdir -p "${pkgdir}/usr/lib"

  # Now, move the contents of the extracted 'lib' directory into it
  mv "${pkgdir}/lib"/* "${pkgdir}/usr/lib/"

  # Finally, remove the now-empty 'lib' directory
  rmdir "${pkgdir}/lib"
}

Thanks @je-vv that is really useful.

I managed to work around it in a more messy way by...

# Manually extract package contents and move to src/
ar x falcon-sensor_*.**.*-*****_amd64.deb
mv {control.tar.xz,data.tar.xz,debian-binary} src/.
#+end_src

Edited the ~PKGBUILD~ and...

• Make sure the version matches that of the .deb file you have.
• Comment out the first item in the source list (i.e. # "manual://${pkgname}${pkgver//-}_amd64.deb"
• comment out the corresponding sha256sums (i.e. # "SKIP#)

I could then makepkg -sri

I've gone through your instructions and they've worked too and are far less hacky :-)

Haven't got the CID yet but your instructions are really useful. IT support is non-existant and unfortunately I may be forced to switch OS :-(

I'm hoping if I can get this installed and working it may grant a stay of execution.

@nshephard the package requires more changes, first you can not comment out the source, you need to include one that satisfies the possible sources, I used this fake one:

source=(
  "https://${pkgname}_${_pkgver}_amd64.deb"
  "LICENSE"
)

I also included its SHA check:

sha256sums=(
  "<your_deb_sha>"
  "323c9971c5f7e3b360783601922c063801e0bbd425351faaafaf476b5b29fecb"
)

And the deb version provided where I work required change as well, but it depends on what your company provides to you:

pkgver=7.21.0.17405
_pkgver=7.21.0-17405

To answer your question, data.tar.xz comes from decompressing the deb package, which when decompressed includes two tarballs, the data one with the binaries, and the control one with instructions on what to do with the binaries included in the data tarball and more stuff to follow the distro policies and stuff.

The problem is that when you commented out the source, even though it's there besides the PGKGBUILD, it won't use it at all, and therefore this will fail:

prepare() {
  mkdir "${srcdir}/${pkgname}"
  cd "${srcdir}/${pkgname}"

  bsdtar -xf "${srcdir}/data.tar.xz" -C .

I modified the package to my purposes, and it's working flawlessly, :)

Hope this helps you.

BTW, installing the package is not enough. What's in falcon-sensor.install gives you a hint, but it was left commented out by the last update on this package because the instructions are pretty dependent on the falcon-sensor version and your company. The deb I was provided required different commands which are provided by the of:

/opt/CrowdStrike/falconctl -s --cid=<cid_provided_by_your_corp>
/opt/CrowdStrike/falconctl -g --cid
/opt/CrowdStrike/falconctl -s --tags=<tag_provided_by_your_corp>
/opt/CrowdStrike/falconctl -g --tags

The other pre-instructions and post instructions are fine, just the falconctl stuff is particular. I can't tell if those required where I work are the ones you need, or the ones in this package falcon-sensor.install, you need to find out with the instructions provided to you...

I've been asked to install this by employers and have been provided with a more recent .deb archive.

I've...

• updated the PKGBUILD to reflect this version
• commented out the manual:// and associated "SKIP" lines so no attempt is made to download and checksum the file.
• placed the .deb alongside the PKGBUILD in the cloned directory.

On running makepkg -sri I find...

❱ makepkg -sri
==> Making package: falcon-sensor 7.20.0.17306-1 (Wed 14 May 2025 16:50:05 BST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found LICENSE
==> Validating source files with sha256sums...
    LICENSE ... Passed
==> Extracting sources...
==> Starting prepare()...
bsdtar: Error opening archive: Failed to open '/home/user/tmp/falcon-sensor/src/data.tar.xz'
==> ERROR: A failure occurred in prepare().
    Aborting...

Not sure where data.tar.xz should be coming from?

The installer was updated and proven to be working on Arch as of a month now. I no longer have access to a licensed product to test it anymore, so feel free to update/adopt.

By using CrowdStrike, you are bound by CrowdStrike license terms that may change without notice.
Terms of Use: https://www.crowdstrike.com/software-terms-of-use/ Privacy Notice: https://www.crowdstrike.com/privacy-notice/ License: https://www.crowdstrike.com/en-us/crowdstrike-sensor-licensing-faq/ Documentation: https://www.crowdstrike.com/tech-hub/endpoint-security/installing-falcon-sensor-for-linux/

@sipak I do not have this software, so I can't check myself. Could you please run namcap on existing software to check dependencies and/or other packaging issues?

Nope, first, that gets overwritten later by falcon-sensor, but most importantly, there's a KernelModuleArchive with a bunch of linux modules per linux version in the array kernels. So the linux version used must match one of the supported ones by falcon-sensor (being part of the array kernels).

This is so sad, :( Any hints how to make falcon-sensor work on arch/artix? Any way to download a more up to date version perhaps, from upstream, without registering (I'm using the one provided by the company I work for, and I doubt I can just simply register as a some company representative, whom I'm not)... Perhaps there's a newer version supporting at least the LTS...

I don't know, how sad to be forced to use proprietary and closed code, :(