FortiNAC
FortiNAC is a s a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Staff
Description

This article discusses the behavior where Linux hosts running CrowdStrike Falcon sensor 6.11 and later are not being detected by the agent.

This causes hosts running CrowdStrike Falcon to incorrectly fail scans.

 

The following changes were made in Crowdstrike version 6.11+:

 

- The service now runs as root. The agent does not have permission to validate the service is running.

 

- Directory capitilization has changed from 'Crowdstrike' to 'CrowdStrike'.

 

This prevents the appliance from searching for the correct service name.

Scope Agent 5.2.6 and greater.
Solution

Workaround:


1) Make modifications in the appliance such that it looks for the correct service.


- Login to the appliance CLI as root.
- Modify /bsc/campusMgr/agent/templates/Linux/Anti-Virus/Crowdstrike-Falcon/crowdstrike.xml to look for /opt/CrowdStrike/falconctl

 

Find entry
script="/opt/Crowdstrike/falconctl -g

 

Change to:

script="/opt/CrowdStrike/falconctl -g


2) Clear the cached policies to re-read from the templates. Type
AgentTool policy -refresh


Contact Support if assistance is required.


3) In Host System For Agent 5.2.6

 

RPM/systemd installs:
- Type
sudo systemctl edit bndaemon.service

- Add this to the file:
[Service]
User=(Insert user with high enough permissions ex. root)

- Restart the agent
sudo systemctl restart bndaemon

 

This creates a file in /etc/systemd/system/bndaemon.service that could be deployed if they're managing machines.

 

dpkg installs:
- Type
edit /etc/default/bndaemon

- Change DAEMON_USER appropriately.

DAEMON_USER=(Insert user with high enough permissions ex. root).

Contributors