Package Details: falcon-sensor 7.14.0.16703-1

Git Clone URL: https://aur.archlinux.org/falcon-sensor.git (read-only, click to copy)
Package Base: falcon-sensor
Description: Crowdstrike Falcon Sensor daemon and kernel modules
Upstream URL: https://crowdstrike.com
Licenses: custom
Submitter: frealgagu
Maintainer: sipak
Last Packager: sipak
Votes: 6
Popularity: 0.30
First Submitted: 2020-12-06 04:56 (UTC)
Last Updated: 2024-05-21 13:33 (UTC)

Dependencies (2)

Required by (0)

Sources (2)

Pinned Comments

sipak commented on 2024-12-04 08:32 (UTC) (edited on 2024-12-04 08:36 (UTC) by sipak)

The installer was updated and proven to be working on Arch as of a month now. I no longer have access to a licensed product to test it anymore, so feel free to update/adopt.

By using CrowdStrike, you are bound by CrowdStrike license terms that may change without notice.
Terms of Use: https://www.crowdstrike.com/software-terms-of-use/ Privacy Notice: https://www.crowdstrike.com/privacy-notice/ License: https://www.crowdstrike.com/en-us/crowdstrike-sensor-licensing-faq/ Documentation: https://www.crowdstrike.com/tech-hub/endpoint-security/installing-falcon-sensor-for-linux/

frealgagu commented on 2023-02-02 00:17 (UTC)

@ZetaRevan downloading from CrowdStrike portal is the only allowed method to get the required binaries as stated here: https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor/

If you need the binary you need to have a valid license and download the package from the portal using your credentials.

Verification sums may differ from the source you obtain (with the valid license) so I'm leaving the checksum SKIPPED in order to allow you install the sensor without modification.

https://github.com/frealgagu/archlinux.falcon-sensor won't be available again and I recommend to not upload CrowdStrike binaries (even the ones generated for ArchLinux) publicly to avoid legal issues.

You can put your binary directly in the same folder of PKGBUILD and run makepkg (or extra-x86_64-build if you want a clean chroot environment), this way the command will recognize your binary and it will use it to make the ArchLinux package properly (avoiding the unknown manual:// protocol)

Latest Comments

1 2 3 Next › Last »

nshephard commented on 2025-05-15 09:26 (UTC)

Thanks @je-vv that is really useful.

I managed to work around it in a more messy way by...

# Manually extract package contents and move to src/
ar x falcon-sensor_*.**.*-*****_amd64.deb
mv {control.tar.xz,data.tar.xz,debian-binary} src/.
#+end_src

Edited the ~PKGBUILD~ and...

  • Make sure the version matches that of the .deb file you have.
  • Comment out the first item in the source list (i.e. # "manual://${pkgname}${pkgver//-}_amd64.deb"
  • comment out the corresponding sha256sums (i.e. # "SKIP#)

I could then makepkg -sri

I've gone through your instructions and they've worked too and are far less hacky :-)

Haven't got the CID yet but your instructions are really useful. IT support is non-existant and unfortunately I may be forced to switch OS :-(

I'm hoping if I can get this installed and working it may grant a stay of execution.

je-vv commented on 2025-05-14 18:01 (UTC) (edited on 2025-05-14 18:10 (UTC) by je-vv)

@nshephard the package requires more changes, first you can not comment out the source, you need to include one that satisfies the possible sources, I used this fake one:

source=(
  "https://${pkgname}_${_pkgver}_amd64.deb"
  "LICENSE"
)

I also included its SHA check:

sha256sums=(
  "<your_deb_sha>"
  "323c9971c5f7e3b360783601922c063801e0bbd425351faaafaf476b5b29fecb"
)

And the deb version provided where I work required change as well, but it depends on what your company provides to you:

pkgver=7.21.0.17405
_pkgver=7.21.0-17405

To answer your question, data.tar.xz comes from decompressing the deb package, which when decompressed includes two tarballs, the data one with the binaries, and the control one with instructions on what to do with the binaries included in the data tarball and more stuff to follow the distro policies and stuff.

The problem is that when you commented out the source, even though it's there besides the PGKGBUILD, it won't use it at all, and therefore this will fail:

prepare() {
  mkdir "${srcdir}/${pkgname}"
  cd "${srcdir}/${pkgname}"

  bsdtar -xf "${srcdir}/data.tar.xz" -C .

I modified the package to my purposes, and it's working flawlessly, :)

Hope this helps you.

BTW, installing the package is not enough. What's in falcon-sensor.install gives you a hint, but it was left commented out by the last update on this package because the instructions are pretty dependent on the falcon-sensor version and your company. The deb I was provided required different commands which are provided by the of:

/opt/CrowdStrike/falconctl -s --cid=<cid_provided_by_your_corp>
/opt/CrowdStrike/falconctl -g --cid
/opt/CrowdStrike/falconctl -s --tags=<tag_provided_by_your_corp>
/opt/CrowdStrike/falconctl -g --tags

The other pre-instructions and post instructions are fine, just the falconctl stuff is particular. I can't tell if those required where I work are the ones you need, or the ones in this package falcon-sensor.install, you need to find out with the instructions provided to you...

nshephard commented on 2025-05-14 15:59 (UTC) (edited on 2025-05-14 15:59 (UTC) by nshephard)

I've been asked to install this by employers and have been provided with a more recent .deb archive.

I've...

  • updated the PKGBUILD to reflect this version
  • commented out the manual:// and associated "SKIP" lines so no attempt is made to download and checksum the file.
  • placed the .deb alongside the PKGBUILD in the cloned directory.

On running makepkg -sri I find...

❱ makepkg -sri
==> Making package: falcon-sensor 7.20.0.17306-1 (Wed 14 May 2025 16:50:05 BST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found LICENSE
==> Validating source files with sha256sums...
    LICENSE ... Passed
==> Extracting sources...
==> Starting prepare()...
bsdtar: Error opening archive: Failed to open '/home/user/tmp/falcon-sensor/src/data.tar.xz'
==> ERROR: A failure occurred in prepare().
    Aborting...

Not sure where data.tar.xz should be coming from?

sipak commented on 2024-12-04 08:32 (UTC) (edited on 2024-12-04 08:36 (UTC) by sipak)

The installer was updated and proven to be working on Arch as of a month now. I no longer have access to a licensed product to test it anymore, so feel free to update/adopt.

By using CrowdStrike, you are bound by CrowdStrike license terms that may change without notice.
Terms of Use: https://www.crowdstrike.com/software-terms-of-use/ Privacy Notice: https://www.crowdstrike.com/privacy-notice/ License: https://www.crowdstrike.com/en-us/crowdstrike-sensor-licensing-faq/ Documentation: https://www.crowdstrike.com/tech-hub/endpoint-security/installing-falcon-sensor-for-linux/

micwoj92 commented on 2024-05-22 20:21 (UTC)

@sipak I do not have this software, so I can't check myself. Could you please run namcap on existing software to check dependencies and/or other packaging issues?

je-vv commented on 2024-05-16 03:11 (UTC)

Nope, first, that gets overwritten later by falcon-sensor, but most importantly, there's a KernelModuleArchive with a bunch of linux modules per linux version in the array kernels. So the linux version used must match one of the supported ones by falcon-sensor (being part of the array kernels).

This is so sad, :( Any hints how to make falcon-sensor work on arch/artix? Any way to download a more up to date version perhaps, from upstream, without registering (I'm using the one provided by the company I work for, and I doubt I can just simply register as a some company representative, whom I'm not)... Perhaps there's a newer version supporting at least the LTS...

I don't know, how sad to be forced to use proprietary and closed code, :(

je-vv commented on 2024-05-15 03:35 (UTC) (edited on 2024-05-15 09:32 (UTC) by je-vv)

OK, my patch, so that the linux (kernel) version doesn't fail:

diff -Naur falcon-sensor-old/PKGBUILD falcon-sensor/PKGBUILD
--- falcon-sensor-old/PKGBUILD   2023-08-14 18:46:39.000000000 -0600
+++ falcon-sensor/PKGBUILD 2024-05-14 21:26:14.411904645 -0600
@@ -1,7 +1,8 @@
 # Maintainer: Fredy García <frealgagu at gmail dot com>

 pkgname=falcon-sensor
-pkgver=7.01.0_15604
+pkgver=7.11.0_16404
+_pkg_patch=16404
 pkgrel=1
 pkgdesc="Crowdstrike Falcon Sensor daemon and kernel modules"
 arch=("x86_64")
@@ -11,11 +12,11 @@
 backup=("etc/logrotate.d/falcon-sensor")
 install="${pkgname}.install"
 source=(
-  "manual://${pkgname}_${pkgver/_/-}_amd64.deb"
+  "https://${pkgname}_${pkgver/_/-}_amd64.deb"
   "LICENSE"
 )
 sha256sums=(
-  "SKIP"
+  "19c70ecb57c71522e9e43142ff61152d1098832b712a30f9973ea38e9d26980e"
   "76dbcf8027846d9a8c2fbd9ca2a163c171bbc75161b46a24f59bf64dd44fc6e9"
 )

@@ -27,6 +28,13 @@

   # Remove unnecessary .deb related directory
   rm -rf "${srcdir}/${pkgname}/etc/init.d"
+
+  # Add support for the Arch/Artix linux version
+  sed -i "s|\(kernels=\".*\)\([ \t]*\"[ \t]*$\)|\1$(uname -r)\\\n\2|" "${srcdir}/${pkgname}/opt/CrowdStrike/falcon-kernel-check${_pkg_patch}"
 }

 package() {

Not sure if working, neither what it's doing, but:

% ps auxww | 'grep' falcon
root     12791  0.0  0.0   2620  1152 ?        Ss   21:16   0:00 /opt/CrowdStrike/falcond
root     12792  0.8  1.5 3454876 250120 ?      Sl   21:16   0:09 falcon-sensor-bpf

je-vv commented on 2024-05-14 22:10 (UTC)

@micwoj92, I believe this package actually requires libnl1 from AUR, since the package is really a -bin one, since it's using a binary package for another distro, which might probably be not as up to date as Ach/derivatives are. That said, libnl1 doesn't conflict with libnl, so that's great..

je-vv commented on 2024-05-14 22:00 (UTC) (edited on 2024-05-15 09:31 (UTC) by je-vv)

Hi @frealgagu, I Haven't ever used falcon-sensor, and even less on Arch or derivatives. Is it still working on Arch? Should falcon-kernel-check be adjusted, to add the linux version and distro used? I'm forced to use it...

I'm asking because it's supposed to be tightly related to linux (kernel).

Is current Arch still able to use falcon-sensor? The installer provided by the company I work for comes with a deb package 7.11.0-16404 and a bunch rpm packages with the same version.

Looking at falcon-kernel-check16404 the latest linux version supported seems to be:

6.2.0-1021-gcp #23~22.04.1-Ubuntu SMP Sat Jan 20 00:57:09 UTC 2024\n

I don't see any linux version available that old, :( Current linux-lts I see is 6.6.30, way more recent than 6.2.0, and besides the checker might match for the whole string. The non ubuntu strings are even older... And this deb package is way newer than the one specified in the out of date flag.

There are some executables:

falcon-sensor16404
falcon-sensor-bpf16404

Though there are as well linux modules compressed on:

KernelModuleArchive16404

For example:

ubuntu22 6.2.0-26-generic@#26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 16:27:29 UTC

And it seems the linux version check is performed in both executables:

% grep -r falcon-kernel-check pkg/falcon-sensor/
grep: pkg/falcon-sensor/opt/CrowdStrike/falcon-sensor16404: binary file matches
pkg/falcon-sensor/opt/CrowdStrike/falcon-kernel-check16404:2:# @file      falcon-kernel-check
grep: pkg/falcon-sensor/opt/CrowdStrike/falcon-sensor-bpf16404: binary file matches

So it seems this newer falcon-sensor doesn't support even the older linux version supported by Arch, not even linux-lts. Starting for the fact the linux version checker should then need to be modified.

Is that what is been done by current users? Modifying the checker, so some code is actually tried by linux (perhaps some eBPF one)? Weird that the AUR package doesn't include any modification to the linux version checker...

Many thanks !

micwoj92 commented on 2024-04-03 14:39 (UTC)

Hello, are you sure this needs libnl1 and not libnl?

1 2 3 Next › Last »