Back to Tech Center

How to Install Falcon in the Data Center

CrowdStrike Tech Center

Introduction

CrowdStrike Falcon® strikes the balance needed in today’s data center: unrivaled protection from best-in-class prevention, detection and response along with security that actually contributes to the speed, flexibility, manageability and scalability benefits that IT operations expect from their modern-day data center. CrowdStrike Falcon® provides the following key benefits to data centers:

  1. Speed and Simplicity.
    • No performance impact. Maximum security. Minimal impact. Data center guys typically hate security because it slows their servers down. This means that they have to purchase more servers to do the same job as one server could do before it got bogged down by security tools. CrowdStrike Falcon® is  so lightweight that this problem goes away.
    • Easy to deploy. All you need is the Falcon sensor and an internet connection. There is no complex security infrastructure to manage. Just install the Falcon Sensor and go.
  2. It Just Works. CrowdStrike works in all types of data centers, including on-prem, hybrid, and cloud. Falcon also works in multiple cloud platform environments, including Amazon AWS, Google Cloud Platform and Microsoft Azure. The Falcon sensor also supports Windows, Linux and macOS at the kernel level, on bare metal or as a VM, with minimal impact.
  3. Ultimate Threat Protection. An organization’s internet-facing servers are constantly under attack. We stand out in our ability to provide protection for the Linux OS – which especially important given its growing use in the data center. CrowdStrike Falcon® provides protection against all attack types, from the mundane opportunistic attacks to highly-targeted and sophisticated attacks. CrowdStrike provides protection against the threats that AV and Application Whitelisting miss.

Video

Read Video Transcript

Installation Instructions

Detailed sensor instruction can be seen in the How to Install the Falcon Sensor article and found in the UI under the Support App.  Below are instructions specifically related to VM and datacenter deployments.

Installing the Windows Sensor On a Virtual Machine Template

Installing the Falcon Host Window Sensor on a virtual machine template requires you to follow specific steps outlined below. This ensures that each virtual machine created from your template has a unique configuration and ensures proper detection display in the Falcon Host UI.

To install on a virtual machine template:

  1. Prepare your VM template.
  2. Install the sensor with the NO_START=1 parameter: WindowsSensor.exe /install /quiet /norestart CID=<your CID> NO_START=1
  3. Shut down the VM.
  4. Use your virtualization software to convert the VM to a template image.

When a VM created from this template first starts up, the CrowdStrike cloud assigns it a unique AID.

Install the Falcon Sensor for Linux

  1. Download the Falcon sensor installer from Hosts > Sensor Downloads.
  2. Copy your Customer ID Checksum (CID), displayed on Sensor Downloads.
  3. Run the installer, substituting <installer_package> with your installer’s file name.
    • Ubuntu:
      sudo dpkg -i <installer_package>
    • RHEL, CentOS, Amazon Linux:
      sudo yum install <installer_package>
    • SLES:
      sudo zypper install <installer_package>
  4. Set your CID on the sensor, substituting <CID> with your CID.
    This step is not required for versions 4.0 and earlier.

    • All OSes:
      sudo /opt/CrowdStrike/falconctl -s –cid=<CID>
  5. Start the sensor manually.
    This step is not required for versions 4.0 and earlier.

    • Hosts with SysVinit:
      service falcon-sensor start
    • Hosts with Systemd:
      systemctl start falcon-sensor
  6. Confirm the sensor is running.
    • All OSes:
      ps -e | grep falcon-sensor

You’ll see output similar to this:

[root@centos6-installtest ~]# sudo ps -e | grep falcon-sensor
  905 ?         00:00:02 falcon-sensor

 

Optional: Prepare a Host as a Master Image

If you’re preparing a host as a “master” device for cloning or virtualization, you must remove your “master” host’s agent ID (AID).

Run this command after installing:

sudo /opt/CrowdStrike/falconctl -d -f –aid

When your cloned devices or virtual machines first contact the CrowdStrike cloud, they’ll be automatically assigned a unique AID. If multiple devices use the same AID, the Falcon console will process all their events as though they came from a single device.

UPDATING YOUR TEMPLATES

When you periodically boot your template to update the software that’s included on the base image, apply OS and security updates, or do other maintenance, we recommend addressing the sensor as well. Typically, the process is:

  1. Uninstall the currently applied sensor (see Uninstalling the Linux Sensor).
  2. Reboot the host to complete the uninstall and complete any necessary cleanup.
  3. Install using the latest installer per the special instructions in the “Prepare a Host as a Master Image” for your given platform.

Installing the Mac Sensor on A Virtual Machine Template

To install the Falcon Host Mac Sensor on a virtual machine template image, you must:

  • Ensure that the sensor configuration is unique in each virtual machine created from that template.
  • Turn off networking in the VM as you build your template.

Then, install the Falcon Host Sensor normally and take a snapshot.

 

Conclusion

The Falcon Platform has been built to provide best in class prevention, detection and response capabilities for the modern data center, via a lightweight agent for Windows, Linux or macOS servers.  The Falcon high performance server platform SKU ensures complete, real-time and retrospective visibility into the servers that comprise the modern-day data center.

More Resources

Related Content