This article discusses the behavior where Linux hosts running CrowdStrike Falcon sensor 6.11 and later are not being detected by the agent.
This causes hosts running CrowdStrike Falcon to incorrectly fail scans.
The following changes were made in CrowdStrike version 6.11+:
- The service now runs as root. The agent does not have permission to validate that the service is running.
- Directory capitalization has changed from 'Crowdstrike' to 'CrowdStrike'.
This prevents the appliance from searching for the correct service name.
Scope: Agent 5.2.6 and greater.
- Add this to the file:
- Restart the agent
This creates a file at /etc/systemd/system/bndaemon.service, which administrators who manage their machines centrally can deploy to other hosts.
- Change DAEMON_USER appropriately.
DAEMON_USER=(insert a user with high enough permissions, e.g. root)