CrowdStrike / Falcon Sensor Support

CrowdStrike Falcon sensor support is very kernel specific and currently Fedora CoreOS (FCOS) is unsupported. CrowdStrike support have indicated that FCOS support is an H1 2021 roadmap item, but with no hard delivery date.

Hopefully the September 2020 introduction of Falcon sensors that can cope with minor kernel updates (“Zero Touch Linux Updates”) will provide strong support for self-updating OSes like FCOS without sensors being constantly degraded into RFM (“Reduced Functionality Mode”).

For those running K8S on OKD on FCOS, a container-level CrowdStrike sensor is available, but obviously this is not intended to provide the host-level monitoring that regular Falcon sensors provide.


Thanks for looking into that. Do you have a support ticket open with them to get updates on the progress? If not, I’d be interested in opening one with them.

For OpenShift and kernel modules, see https://github.com/openshift/enhancements/pull/357

(But, nothing really is going to be better than having whatever they’re doing in the upstream kernel. I suspect KRSI is relevant)

Found the ‘Idea’ that is roadmap-flagged in CrowdStrike. More votes from those of you who have CrowdStrike accounts can’t hurt: CrowdStrike Idea: Redhat CoreOS Support

It is worded for Redhat CoreOS support, but the comments express a desire for Fedora CoreOS support too. And more comments are good.

Met with the CrowdStrike engineering team and there has been a re-think on their end which is pushing this out somewhat further. They are resigned to being unable to engineer for a rapidly changing kernel and so are pushing to remove the Falcon Sensor kernel version dependency entirely so that they have wider OS reach. If, as they suggest, this only results in minor functionality reductions, then this sounds like a good plan. No timeline yet. CrowdStrike customer-only link above updated to the same effect.

I added a comment and vote to the customer support ticket.


CrowdStrike confirmed in a status update today that they are pushing ahead with a fully user-space Falcon sensor using eBPF, with a v1 that will support 5.4+ Linux kernels and is estimated to deliver in 6+ months. This will have limited coverage initially, i.e. indicators of attack but not preventative measures. However, the goal is to expand over time to better the current Falcon sensor while remaining fully user space.

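The status update above says the eBPF-based sensor targets 5.4+ kernels. A pre-flight check an admin of a self-updating host would want before (or after) each OS update is "is the running kernel new enough, and does it expose the BTF type information that CO-RE style eBPF programs load against". The script below is an added example for this thread, not CrowdStrike's code; the 5.4 threshold comes from the post, while the BTF requirement and the `/sys/kernel/btf/vmlinux` path are assumptions for illustration (check the vendor's own prerequisites for the real sensor).

```shell
#!/bin/sh
# Added example, not CrowdStrike's or Fedora's code.
# Pre-flight check for an eBPF-based host sensor on a self-updating OS:
#   1. running kernel >= MAJOR.MINOR (5.4 per the thread's status update)
#   2. kernel BTF available (assumed requirement for CO-RE eBPF programs)

# kernel_at_least WANT [HAVE]
#   WANT is "MAJOR.MINOR"; HAVE defaults to `uname -r` (e.g. "6.14.0-63.fc42.x86_64").
#   Returns 0 when HAVE >= WANT, 1 otherwise.
kernel_at_least() {
    want="$1"
    have="${2:-$(uname -r)}"
    have="${have%%-*}"                 # drop "-63.fc42.x86_64" style suffix
    want_major="${want%%.*}"
    want_minor="${want#*.}"; want_minor="${want_minor%%.*}"
    have_major="${have%%.*}"
    case "$have" in
        *.*) have_minor="${have#*.}"; have_minor="${have_minor%%.*}" ;;
        *)   have_minor=0 ;;           # bare "6" means 6.0
    esac
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# has_btf [PATH]
#   Returns 0 when the kernel exposes BTF at PATH (default /sys/kernel/btf/vmlinux).
has_btf() {
    [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# ebpf_sensor_preflight MIN_VERSION [RUNNING_VERSION] [BTF_PATH]
#   Prints one of "ok", "kernel-too-old", "no-btf" and returns 0 only for "ok".
ebpf_sensor_preflight() {
    min="$1"; running="${2:-$(uname -r)}"; btf="${3:-/sys/kernel/btf/vmlinux}"
    if ! kernel_at_least "$min" "$running"; then
        echo "kernel-too-old"; return 1
    fi
    if ! has_btf "$btf"; then
        echo "no-btf"; return 1
    fi
    echo "ok"
}

# Stand-alone use: check the host this runs on against the thread's 5.4 floor.
if [ "${0##*/}" = "ebpf-preflight.sh" ]; then
    ebpf_sensor_preflight 5.4
fi
```

Run it as a `rpm-ostree`/Zincati post-update hook or from a cron job on each boot; the exit status is what you would wire into an alert, the printed word is for humans reading the log.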

Does anyone have any experience with falcon-sensor on Fedora 42 (6.14+) or any recent Fedora release? Any recommendations or experience to share?

Thanks in advance.