Package Details: falcon-sensor 7.14.0.16703-1

Git Clone URL: https://aur.archlinux.org/falcon-sensor.git
Package Base: falcon-sensor
Description: Crowdstrike Falcon Sensor daemon and kernel modules
Upstream URL: https://crowdstrike.com
Licenses: custom
Submitter: frealgagu
Maintainer: sipak
Last Packager: sipak
Votes: 6
Popularity: 0.195893
First Submitted: 2020-12-06 04:56 (UTC)
Last Updated: 2024-05-21 13:33 (UTC)

Dependencies (2)

Required by (0)

Sources (2)

Pinned Comments

sipak commented on 2024-12-04 08:32 (UTC) (edited on 2024-12-04 08:36 (UTC) by sipak)

The installer was updated and proven to be working on Arch as of a month now. I no longer have access to a licensed product to test it anymore, so feel free to update/adopt.

By using CrowdStrike, you are bound by CrowdStrike license terms that may change without notice.
Terms of Use: https://www.crowdstrike.com/software-terms-of-use/
Privacy Notice: https://www.crowdstrike.com/privacy-notice/
License: https://www.crowdstrike.com/en-us/crowdstrike-sensor-licensing-faq/
Documentation: https://www.crowdstrike.com/tech-hub/endpoint-security/installing-falcon-sensor-for-linux/

frealgagu commented on 2023-02-02 00:17 (UTC)

@ZetaRevan downloading from CrowdStrike portal is the only allowed method to get the required binaries as stated here: https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor/

If you need the binary you need to have a valid license and download the package from the portal using your credentials.

Verification sums may differ from the source you obtain (with the valid license) so I'm leaving the checksum SKIPPED in order to allow you to install the sensor without modification.

https://github.com/frealgagu/archlinux.falcon-sensor won't be available again and I recommend not uploading CrowdStrike binaries (even the ones generated for ArchLinux) publicly to avoid legal issues.

You can put your binary directly in the same folder as the PKGBUILD and run makepkg (or extra-x86_64-build if you want a clean chroot environment); this way the command will recognize your binary and use it to make the ArchLinux package properly (avoiding the unknown manual:// protocol).

Latest Comments

je-vv commented on 2024-05-14 22:00 (UTC) (edited on 2024-05-15 09:31 (UTC) by je-vv)

Hi @frealgagu, I haven't ever used falcon-sensor, and even less on Arch or derivatives. Is it still working on Arch? Should falcon-kernel-check be adjusted, to add the linux version and distro used? I'm forced to use it...

I'm asking because it's supposed to be tightly related to linux (kernel).

Is current Arch still able to use falcon-sensor? The installer provided by the company I work for comes with a deb package 7.11.0-16404 and a bunch of rpm packages with the same version.

Looking at falcon-kernel-check16404 the latest linux version supported seems to be:

6.2.0-1021-gcp #23~22.04.1-Ubuntu SMP Sat Jan 20 00:57:09 UTC 2024\n

I don't see any linux version available that old :( Current linux-lts I see is 6.6.30, way more recent than 6.2.0, and besides the checker might match for the whole string. The non-Ubuntu strings are even older... And this deb package is way newer than the one specified in the out-of-date flag.

There are some executables:

falcon-sensor16404
falcon-sensor-bpf16404

Though there are as well linux modules compressed on:

KernelModuleArchive16404

For example:

ubuntu22 6.2.0-26-generic@#26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 16:27:29 UTC

And it seems the linux version check is performed in both executables:

% grep -r falcon-kernel-check pkg/falcon-sensor/
grep: pkg/falcon-sensor/opt/CrowdStrike/falcon-sensor16404: binary file matches
pkg/falcon-sensor/opt/CrowdStrike/falcon-kernel-check16404:2:# @file      falcon-kernel-check
grep: pkg/falcon-sensor/opt/CrowdStrike/falcon-sensor-bpf16404: binary file matches

So it seems this newer falcon-sensor doesn't support even the older linux version supported by Arch, not even linux-lts. Starting with the fact that the linux version checker would then need to be modified.

Is that what is being done by current users? Modifying the checker, so some code is actually tried by linux (perhaps some eBPF one)? Weird that the AUR package doesn't include any modification to the linux version checker...

Many thanks !

micwoj92 commented on 2024-04-03 14:39 (UTC)

Hello, are you sure this needs libnl1 and not libnl?

ZetaRevan commented on 2023-02-03 06:08 (UTC) (edited on 2023-02-03 06:10 (UTC) by ZetaRevan)

Thanks for confirming. I ended up pulling a copy provided by my employer & ran my own checksum & changed that in the PKGBUILD & .SRCINFO files.

Note to other users: also make sure you're updating the version number in these files to whatever version you're getting from CrowdStrike.
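
The approach described in the comment above (compute your own checksum and put it in place of SKIP), as an added example that is not part of the AUR package or of any comment: the helper only pins a digest after the local file matches one obtained out of band. The function names, the sample file names and the sample PKGBUILD are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the AUR package): pin the SHA-256 of a manually
# supplied source in a PKGBUILD whose checksum entry is still 'SKIP'.

# Print the hex SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Exit 0 if the PKGBUILD still lists a source that makepkg will not verify.
has_unpinned_source() {
    grep -q "'SKIP'" "$1"
}

# pin_checksum PKGBUILD FILE EXPECTED
# EXPECTED is a digest obtained out of band (assumption: whoever issued the
# installer can state one). The first 'SKIP' is replaced only when FILE
# matches it; the caller must make sure that entry belongs to FILE.
pin_checksum() {
    pkgbuild=$1; file=$2; expected=$3
    actual=$(sha256_of "$file")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing to pin $file: got '$actual'" >&2
        return 1
    fi
    if ! has_unpinned_source "$pkgbuild"; then
        echo "no 'SKIP' entry left in $pkgbuild" >&2
        return 2
    fi
    tmp=$(mktemp) || return 1
    # \047 is a single quote; only the first 'SKIP' is rewritten.
    awk -v d="$actual" \
        '!done && sub(/\047SKIP\047/, "\047" d "\047") { done = 1 } { print }' \
        "$pkgbuild" > "$tmp" && cat "$tmp" > "$pkgbuild"
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Constructed sample: a stand-in source file and a minimal PKGBUILD fragment.
make_sample() {
    printf 'abc' > "$1/sensor-sample.deb"
    cat > "$1/PKGBUILD" <<'EOF'
pkgname=sample-sensor
pkgver=1.0.0
source=("sensor-sample.deb" "sample.service")
sha256sums=('SKIP'
            'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
EOF
}
```

After pinning, regenerate .SRCINFO with `makepkg --printsrcinfo > .SRCINFO` so that both files carry the same digest and version.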

ZetaRevan commented on 2023-02-01 15:03 (UTC)

https://github.com/frealgagu/archlinux.falcon-sensor/releases returns a 404. Either the repo was removed or made private. I haven't found another source.

33Fraise33 commented on 2022-09-15 09:09 (UTC)

I created a new PR for 6.45.

DenisBY commented on 2022-08-02 15:40 (UTC) (edited on 2022-08-02 15:58 (UTC) by DenisBY)

Please update to 6.41.

Never mind. I adjusted PKGBUILD and installed it manually.

sarmong commented on 2022-06-06 09:39 (UTC)

Seems to be working well for me with linux-lts kernel.

But please, add a link to the github releases directly into the source field in PKGBUILD instead of the manual://... stuff

Iiridayn commented on 2022-04-08 21:49 (UTC)

c6bc3af02e913442856b741db4e04de1a49bf204cf695a1456bb265fecdb547b falcon-sensor_6.37.0-13402_amd64.deb

@squatched - doing next to nothing on my desktop is okay with me, since IT is mandating this.