By: Owen Dubiel
April 22, 2021
Crowdstrike Falcon Sensor Awareness for Linux
CrowdStrike is a leading endpoint security solution that continues to grow its foothold as a top contender for an all-encompassing EDR tool. For the most part, CrowdStrike's sensors work seamlessly, with features like auto-update, uninstall protection, and reduced functionality mode. Specifically, reduced functionality mode (RFM) is designed to protect your machine and any running processes from breaking if, for some reason, the CrowdStrike Falcon sensor becomes incompatible with the host. Unfortunately, while a device is in RFM, the sensor only sends a heartbeat back to the CrowdStrike Falcon console, nothing more: no detections, no prevention, no telemetry. Not many know about some of the hidden nightmares that can occur with RFM on Linux-based sensors if they are not adequately managed. In this article, we will touch on some things that can be done to ensure your Linux sensors remain out of RFM.
Being mindful of the Sensor Version
A lot of issues can be avoided by simply tracking which version of the Falcon sensor is running. CrowdStrike frequently makes updates to all of its sensors (pretty much every week), whether to add features and functionality or just to fix bugs. Notifications must be enabled from the support portal within your instance of CrowdStrike to ensure you receive all applicable release notes. CrowdStrike's communications around its sensor include valuable information on sensor management and specifics on each function or enhancement added. Reviewing these announcements frequently will help you avoid unforeseen issues like Falcon sensors dropping into RFM.
Linux OS and Kernel Support
Within the support portal, it is also possible to subscribe to Linux kernel support notifications, and this is highly recommended, as this is where things get tricky. CrowdStrike Falcon only supports specific Linux kernels (and those vary amongst the different flavors of Linux). Custom kernels are not supported; only kernels labeled as "LTS" (long-term support) are eligible. The critical thing to note here: do not have auto-update enabled for kernels, as you will most likely update past what CrowdStrike Falcon supports and drop your sensor into RFM. CrowdStrike has expressed that it takes, on average, around ten days to support a recently released kernel. Still, to be certain, you can verify the latest supported Linux kernels by navigating to the docs section in the CrowdStrike Falcon console.
Checking if Linux machine requires a reboot
Another reason a Falcon sensor may be in RFM is that the host may simply require a reboot. If the following location exists, the system in question needs to be rebooted: /var/run/reboot-required. The cause of this is that security patches, when applied, often require a reboot, but on production servers we sometimes forget to reboot, or it is not convenient to do so at that time. Once the machine is restarted, the patches take hold, and the Falcon sensor should jump out of RFM.
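The kernel-support and reboot checks described in the two sections above, as an added POSIX shell example (not part of the original article and not CrowdStrike's own tooling). It assumes the Debian/Ubuntu reboot marker at /var/run/reboot-required, a locally maintained text file listing the supported kernel releases copied from the Falcon console docs (one release per line), and the sensor CLI at /opt/CrowdStrike/falconctl with the `-g --rfm-state` query; the root directory and list file are parameters so the checks can be exercised against a staging directory.

```shell
#!/bin/sh
# Added example: surface the common causes of a Linux Falcon sensor sitting in RFM.
# The reboot marker path, the falconctl path and its --rfm-state query are assumptions
# documented in the lead-in; the supported-kernel list file is maintained by you.

# needs_reboot ROOT: succeeds if ROOT/var/run/reboot-required exists (ROOT is
# normally empty, so the real /var/run/reboot-required is checked)
needs_reboot() {
    root="${1:-}"
    [ -e "$root/var/run/reboot-required" ]
}

# running_kernel: prints the running kernel release, e.g. 5.4.0-72-generic
running_kernel() {
    uname -r
}

# kernel_supported KERNEL LISTFILE: succeeds if KERNEL appears as a whole line
# in LISTFILE (a local copy of the supported list from the Falcon console docs)
kernel_supported() {
    grep -Fqx "$1" "$2"
}

# rfm_state [FALCONCTL]: prints the sensor's reported RFM state, or "unknown"
# when the sensor CLI is not installed or the query fails (assumed CLI path/flag)
rfm_state() {
    ctl="${1:-/opt/CrowdStrike/falconctl}"
    if [ -x "$ctl" ]; then
        "$ctl" -g --rfm-state 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# rfm_report ROOT LISTFILE: prints a space-separated list of findings that would
# explain an RFM host ("reboot-required", "kernel-unsupported"), or "ok"
rfm_report() {
    issues=""
    if needs_reboot "$1"; then
        issues="reboot-required"
    fi
    if ! kernel_supported "$(running_kernel)" "$2"; then
        issues="${issues:+$issues }kernel-unsupported"
    fi
    echo "${issues:-ok}"
}

# Typical use on a live host: rfm_report "" /etc/falcon-supported-kernels.txt
```

Run the report from cron or your configuration management tool and alert on anything other than "ok"; the RFM state from the sensor itself confirms whether the finding actually matters.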
Docker Duplication Issues: Checking for Duplicate Copies of the Same Asset
Last but not least, if you are utilizing CrowdStrike in your cloud instance and have it installed on Docker containers, you may experience RFM issues and duplication of assets if they are not configured correctly. CrowdStrike has recently released an additional method to distribute Falcon sensors to containers that avoids asset duplication. If configured the traditional route, every time a container is spun up and back down, a duplicate asset is created within the Falcon UI. From a management perspective, these will get deleted after 90 days of no activity, but unfortunately, before that 90-day mark is reached, CrowdStrike may flag the older copies as being in RFM. To manually clean this up, search in host management for the asset in question. Once located, sort by last seen date (usually the duplicates in RFM have the earliest last seen date/time) and delete the stale copies. Once they are removed, the correct RFM status will be reported by the time the next automated report is generated.
The above are the most common reasons why a Linux host would be in RFM. There may be additional outliers not outlined in this article, but ensuring the above concerns are addressed is the only way to start eliminating RFM from your CrowdStrike Falcon instance. To learn more about CrowdStrike, or EDR in general, check out what Cybrary has to offer.