Troubleshooting Tip: Linux hosts running CrowdStrike Falcon sensor 6.11 and later failing scans

This article discusses the behavior where Linux hosts running CrowdStrike Falcon sensor 6.11 and later are not being detected by the agent.

This causes hosts running CrowdStrike Falcon to incorrectly fail scans.

The following changes were made in Crowdstrike version 6.11+:

- The service now runs as root. The agent does not have permission to validate the service is running.

- Directory capitilization has changed from 'Crowdstrike' to 'CrowdStrike'.

This prevents the appliance from searching for the correct service name.

Workaround:

1) Make modifications in the appliance such that it looks for the correct service.

- Login to the appliance CLI as root.
- Modify /bsc/campusMgr/agent/templates/Linux/Anti-Virus/Crowdstrike-Falcon/crowdstrike.xml to look for /opt/CrowdStrike/falconctl

Find entry
script="/opt/Crowdstrike/falconctl -g

Change to:

script="/opt/CrowdStrike/falconctl -g

2) Clear the cached policies to re-read from the templates. Type
AgentTool policy -refresh

Contact Support if assistance is required.

3) In Host System For Agent 5.2.6

RPM/systemd installs:
- Type
sudo systemctl edit bndaemon.service

- Add this to the file:
[Service]
User=(Insert user with high enough permissions ex. root)

- Restart the agent
sudo systemctl restart bndaemon

This creates a file in /etc/systemd/system/bndaemon.service that could be deployed if they're managing machines.

dpkg installs:
- Type
edit /etc/default/bndaemon

- Change DAEMON_USER appropriately.

DAEMON_USER=(Insert user with high enough permissions ex. root).