Description |
This article discusses the behavior where Linux hosts running CrowdStrike Falcon sensor 6.11 and later are not being detected by the agent. This causes hosts running CrowdStrike Falcon to incorrectly fail scans.
The following changes were made in CrowdStrike version 6.11+:
- The service now runs as root. The agent does not have permission to validate that the service is running.
- Directory capitalization has changed from 'Crowdstrike' to 'CrowdStrike'.
This prevents the appliance from searching for the correct service name. |
Scope | Agent 5.2.6 and greater. |
Solution |
Workaround:
Find entry
Change to: script="/opt/CrowdStrike/falconctl -g
RPM/systemd installs:
- Add this to the file:
- Restart the agent
This creates the file /etc/systemd/system/bndaemon.service, which could be deployed to hosts if the machines are managed.
dpkg installs:
- Change DAEMON_USER appropriately. DAEMON_USER=(insert a user with high enough permissions, e.g. root). |
Copyright 2024 Fortinet, Inc. All Rights Reserved.