
EDR - CrowdStrike for Unix and Linux Servers

The Secure Computing Standard for Servers requires that an OIT-approved Endpoint Detection and Response (EDR) solution be installed on all university-owned servers. CrowdStrike Falcon is the OIT-approved EDR solution for servers running Linux or Unix-based operating systems. However, users may opt to use the Microsoft Defender security agent (which is the recommended tool for all workstations and all Windows servers) instead, if preferred.

This page will show you how to enroll in OIT’s CrowdStrike EDR management program - either as an individual user in the generic tenant, or as a group/department managing its own tenant. There is also information and FAQs about the campus’s CrowdStrike implementation.

About CrowdStrike

CrowdStrike security agents provide Endpoint Detection and Response (EDR) and Antivirus (AV) protection. The use of EDR and AV tools is part of the University’s approach to ensuring the integrity and security of University data and the shared information technology environment by:

  • Monitoring for suspicious events that may indicate an attack by a malicious actor
  • Blocking executable files that match known fingerprints of viruses and ransomware
  • Helping the CU Security team identify and isolate cyberattacks while they are actively under way on campus.

CrowdStrike security agents are optimized to use minimal CPU, RAM, and disk space, and the sensor’s detection and prevention aggressiveness can be tuned to accommodate different environments. If you experience problems with CrowdStrike’s resource usage, please email security@colorado.edu to troubleshoot the issue.

How to get CrowdStrike

First, check whether CrowdStrike can run on your operating system and kernel. The FAQ section below includes a list of supported Linux distributions. There are two options for setting up CrowdStrike:

  • Private tenant: If you are an ITP that manages multiple servers for a department or a group on campus, you can request the creation of a private tenant. The private tenant lets users log into the CrowdStrike portal to manage the deployment of sensors on devices they manage and respond to any alerts generated by CrowdStrike.
  • Generic tenant: If you have a single server or a group of servers that do not have an Information Technology Practitioner (ITP) managing them, you can install the generic sensor option which will place them into the OIT-managed generic tenant. If your device is a member of the generic tenant, you will not be able to log in to a CrowdStrike portal to manage your agents or review findings. OIT will monitor findings reported to the generic tenant and can provide limited support for sensor deployment.

What’s the difference between tenants?

Put simply, having a Private tenant allows you to manage your EDR yourself, but installing a sensor from the Generic tenant will allow OIT to manage your EDR for you. We recommend requesting a Private tenant if you are capable of monitoring the EDR tool and want to customize it to best suit your environment.

Setup instructions for Private tenants

  • Complete the Shared Responsibility Acknowledgement: Download the CrowdStrike EDR Shared Responsibility acknowledgement form. Please read the document in its entirety and electronically sign it with a tool such as Adobe Acrobat. A signed copy of the form will be requested by OIT Security before your access to a private tenant is configured.
  • Fill out request form: Fill out the CrowdStrike Tenant request form. Be sure to select "private tenant." After submitting the request form, an OIT Security analyst will get in touch with you to review the form. Reach out to security@colorado.edu to check on the status of your request or to ask questions about the form.
  • Deploy sensors: After your initial meeting with an OIT Security analyst, an account and a private tenant will be created for you in the CrowdStrike portal. The creation of the tenant can take up to five business days, and your account information will be sent to your CU email address. If you need to use an email address that is not in the @colorado.edu domain, please specify this with the OIT Security analyst. Upon logging in to CrowdStrike, please read the following training documents: (links can only be accessed with an active CrowdStrike account)

    How to deploy sensors from your Private tenant:

    1. Download the installer as an RPM or DEB package from the portal under Sensor Downloads.
    2. If installing the sensor with the CLI, follow the CrowdStrike Documentation. If using a configuration management tool for automated deployment, you can set up a meeting with an OIT Security analyst for assistance.
    3. Verify that a host has been onboarded in your private tenant by searching under Host setup and management>Manage endpoints>Host management. Or you can search for the CrowdStrike Falcon process on your machine’s CLI with the command: ps -e | grep falcon-sensor

A one-month check-in with an OIT Security analyst will be scheduled to follow up on the implementation. Questions about licensing or CrowdStrike features can be directed to OIT Security at security@colorado.edu.

Setup instructions for Generic tenants

  • Fill out request form: Fill out the CrowdStrike Tenant request form. Be sure to select “generic tenant” in the form. After submitting the request form, an OIT Security analyst will get in touch with you to provide the installer file, CID, and Installation Token that are needed in the installation instructions below. Reach out to security@colorado.edu to check on the status of your request or to ask questions about the form.
  • Install the sensor: Once an OIT Security Analyst has provided you with an installer file, CID, and Installation Token, you can follow these steps to install the CrowdStrike sensors with your device’s command line interface:
    1. Download the Falcon sensor installer
    2. Run the installer, substituting <installer_filename> with your Falcon sensor installer's file name. Installing the sensor requires sudo privileges.
      • Ubuntu: sudo dpkg -i <installer_filename>
      • RHEL, CentOS, Amazon Linux: sudo yum install <installer_filename>
      • SLES: sudo zypper install <installer_filename>
    3. Set your CID on the sensor, substituting <CID> with your CID and <token> with your installation token.
      • sudo /opt/CrowdStrike/falconctl -s --cid=<CID> --provisioning-token=<token>
    4. Start the sensor manually.
      • Hosts with SysVinit: sudo service falcon-sensor start
      • Hosts with Systemd: sudo systemctl start falcon-sensor
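The four generic-tenant steps above, together with the ps-based verification from the private-tenant instructions, as one POSIX shell script. This is an added example, not OIT's or CrowdStrike's own code; it assumes the installer path, CID and installation token were supplied by OIT, and the CID format check reflects the usual 32-hex-plus-checksum shape rather than anything the page states.

```shell
#!/bin/sh
# Added example, not from the OIT page: wraps the four generic-tenant steps
# (and the private-tenant verification) in one script. Assumes the installer
# path, CID and installation token were supplied by OIT as described above.

# Step 2: pick the package-manager command from the installer's extension.
# RPMs are used by both yum-based distros and SLES, so the os-release ID
# (passed as $2 so it can be tested offline) decides between yum and zypper.
install_cmd_for() {
    case "$1" in
        *.deb) echo "dpkg -i $1" ;;                                 # Ubuntu
        *.rpm)
            case "$2" in
                sles|opensuse*) echo "zypper install $1" ;;         # SLES
                *)              echo "yum install $1" ;;            # RHEL, CentOS, Amazon Linux
            esac ;;
        *) echo "unsupported installer: $1" >&2; return 1 ;;
    esac
}

# Sanity check before handing the CID to falconctl. The 32-hex-plus-checksum
# shape is an assumption about the usual CID format, not something the page states.
looks_like_cid() {
    printf '%s' "$1" | grep -Eq '^[A-Fa-f0-9]{32}-[A-Fa-f0-9]{2}$'
}

# Step 4: systemd hosts expose /run/systemd/system; otherwise fall back to SysVinit.
start_cmd_for() {
    if [ -d /run/systemd/system ]; then echo "systemctl start falcon-sensor"
    else echo "service falcon-sensor start"; fi
}

# Steps 2-4 plus the verification from the private-tenant instructions.
install_falcon() {
    pkg="$1"; cid="$2"; token="$3"
    os_id=$(. /etc/os-release 2>/dev/null && echo "$ID")
    cmd=$(install_cmd_for "$pkg" "$os_id") || return 1
    looks_like_cid "$cid" || { echo "CID is not in the expected <32 hex>-<2 hex> form" >&2; return 1; }
    sudo $cmd                                                      # word-splitting intended
    sudo /opt/CrowdStrike/falconctl -s --cid="$cid" --provisioning-token="$token"
    sudo $(start_cmd_for)
    # [f] keeps grep from matching its own command line; same check as the page's ps | grep.
    ps -e | grep -q '[f]alcon-sensor' && echo "falcon-sensor is running"
}

# Only perform the install when invoked as: ./install-falcon.sh <installer> <CID> <token>
if [ "$#" -eq 3 ]; then install_falcon "$@"; fi
```

Run it with no arguments to load the functions only; the install itself requires sudo, as the page notes.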

Frequently asked questions

What data is monitored by the CrowdStrike security agents?

The CrowdStrike agents are primarily concerned with reporting information that pertains to security threats. Routine monitoring conducted by the CrowdStrike agent does not access the content of your emails, photos, or other personal communications/files you might have on your computer.

Does the security agent give people access/visibility into my computer?

ITPs that manage your department’s CrowdStrike deployment are able to view the details of detections that are created when the security agent suspects malicious activity. Detection details can include processes and commands that relate to the potentially malicious activity. ITPs can also view general information about the computer, such as its operating system version and IP address. In the event of a compromise or a critical security incident, the OIT Security Incident Response team can leverage the CrowdStrike agent to gain remote access to the vulnerable computer. The computer’s owner is notified when such incident response actions must be taken on their computer.

Who can I contact if the CrowdStrike security agent is causing issues on my computer?

Questions or concerns about the CrowdStrike security agent can be directed to the OIT Security department at Security@Colorado.EDU.

Can the CrowdStrike agent run on my operating system?

Find the list of supported OS versions on the CrowdStrike website. If you have an account on a private tenant, you can access a more comprehensive list of supported kernel versions on the portal.