
EDR - CrowdStrike for Unix and Linux Servers

The Secure Computing Standard for Servers requires that an OIT-approved Endpoint Detection and Response (EDR) solution be installed on all university-owned servers. CrowdStrike Falcon is the OIT-approved EDR solution for servers running Linux or Unix-based operating systems. However, users may opt to use the Microsoft Defender security agent (which is the recommended tool for all workstations and all Windows servers) instead, if preferred.

This page will show you how to enroll in OIT’s CrowdStrike EDR management program - either as an individual user in the generic tenant, or as a group/department managing its own tenant. There is also information and FAQs about the campus’s CrowdStrike implementation.

About CrowdStrike

CrowdStrike security agents provide Endpoint Detection and Response (EDR) and Antivirus (AV) protection. The use of EDR and AV tools is part of the University’s approach to ensuring the integrity and security of University data and the shared information technology environment by:

  • Monitoring for suspicious events that may indicate an attack by a malicious actor
  • Blocking executable files that match known fingerprints of viruses and ransomware
  • Helping the CU Security team identify and isolate cyberattacks while they are in progress on campus.

CrowdStrike security agents are designed to use minimal CPU, RAM, and disk space, and the sensor’s detection and prevention aggressiveness can be adjusted to accommodate varying environments.

Enroll and Install CrowdStrike 

There are two ways to enroll a server in CrowdStrike, depending on who will manage the sensor:

  • Private tenant: If you are an Information Technology Practitioner (ITP) who manages multiple servers for a department or group on campus, you can request the creation of a private tenant. A private tenant lets you log in to the CrowdStrike portal to manage the deployment of sensors on the devices you manage and respond to any alerts CrowdStrike generates.
  • Generic tenant: If you have a single server or a group of servers without an ITP managing them, you can install the generic sensor option, which places them into the OIT-managed generic tenant. If your device is a member of the generic tenant, you will not be able to log in to a CrowdStrike portal to manage your agents or review findings. OIT will monitor findings reported to the generic tenant and can provide limited support for sensor deployment.

Before starting this process, ensure that CrowdStrike can run on your operating system and kernel version. The FAQ section below explains where to find the list of supported Linux distributions and kernel versions.

Please review more details about both options below and follow the steps for the one that best applies to your needs.

Private tenant request process and setup

  1. Complete the Shared Responsibility Acknowledgement: Download the CrowdStrike EDR Shared Responsibility acknowledgement form. Please read the document in its entirety and electronically sign it with a tool such as Adobe Acrobat. A signed copy of the form will be requested by OIT Security before your access to a private tenant is configured.
  2. Fill out the request form: Fill out the CrowdStrike Tenant request form. Be sure to select “private tenant” under the CrowdStrike version option. After you submit the request form, an OIT Security analyst will contact you to review it. Reach out to security@colorado.edu to check on the status of your request or to ask questions about the form.
  3. Complete training and tenant setup: After your initial meeting with an OIT Security analyst, an account and a private tenant will be created for you in the CrowdStrike portal. Creating the tenant can take up to five business days, and your account information will be sent to your CU email address. If you need to use an email address that is not in the @colorado.edu domain, please tell the OIT Security analyst. Upon logging in to CrowdStrike, please read the following training documents (the links can only be accessed with an active CrowdStrike account):

    Detection and prevention policies will default to the minimum-security requirements set by OIT Security. If you wish to create your own policies, please confirm your detection and prevention policy configurations with an OIT Security analyst in your meeting.

Generic tenant request process and setup

To be compliant with campus security standards, your server must have a security agent installed. If your server does not have a security agent associated with a CrowdStrike private tenant, you can request that it be enrolled in the OIT-managed “generic” tenant. Fill out the CrowdStrike Tenant request form to start this process.

Sensor Deployment 

Once your private tenant has been set up, follow the steps below to deploy CrowdStrike sensors. If you requested enrollment in the generic tenant, an OIT Security team member will send you sensor installation instructions instead:

  1. Download the installer as an RPM or DEB package from the portal under Sensor Downloads.
  2. If installing the sensor with the CLI, follow the CrowdStrike Documentation. If using a configuration management tool for automated deployment, you can set up a meeting with an OIT Security analyst for assistance.
  3. Verify that the host has been onboarded in your private tenant by searching under Host setup and management > Manage endpoints > Host management. Alternatively, confirm that the sensor process is running on the server itself with the command: ps -e | grep falcon-sensor
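The step above only confirms that a process exists. A sensor can be installed and running yet still not report because no Customer ID (CID) was set, or because an unsupported kernel has forced it into Reduced Functionality Mode (RFM), which is the practical form the kernel-support caveat takes after installation. The script below is an added example, not code from the OIT page or from CrowdStrike; it assumes the standard sensor paths (/opt/CrowdStrike/falconctl, the falcon-sensor process name) and the documented falconctl output formats (cid="..." and rfm-state=true/false). The parsing helpers take the command output as a string so they can be exercised with constructed sample lines on a host without the sensor.

```shell
#!/usr/bin/env bash
# falcon_check.sh: post-install health check for the CrowdStrike Falcon sensor on Linux.
# Added example (not from the OIT page). Assumes the standard sensor layout:
#   /opt/CrowdStrike/falconctl, process name falcon-sensor, systemd unit falcon-sensor.
set -u

FALCONCTL=${FALCONCTL:-/opt/CrowdStrike/falconctl}

# Extract the CID from `falconctl -g --cid` output.
# Constructed sample input: cid="0123456789abcdef0123456789abcdef-12".
falcon_cid_from_output() {
    printf '%s\n' "$1" | sed -n -E 's/^cid="([^"]*)".*$/\1/p'
}

# Extract true/false from `falconctl -g --rfm-state` output, e.g. rfm-state=false.
# Prints nothing when the line does not match, so callers can treat "" as unknown.
falcon_rfm_from_output() {
    printf '%s\n' "$1" | sed -n -E 's/^rfm-state=(true|false).*$/\1/p'
}

# A well-formed CID is 32 hex characters, a hyphen, and a 2-hex-character checksum.
valid_cid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$'
}

# Returns 0 only when the sensor is installed, has a valid CID, is running,
# and is not in Reduced Functionality Mode. Prints one line per finding.
falcon_health() {
    local rc=0 cid rfm
    if [ ! -x "$FALCONCTL" ]; then
        echo "FAIL: $FALCONCTL not found; sensor package is not installed"
        return 1
    fi

    cid=$(falcon_cid_from_output "$("$FALCONCTL" -g --cid 2>/dev/null)")
    if valid_cid "$cid"; then
        echo "OK: CID configured ($cid)"
    else
        echo "FAIL: CID missing or malformed; set it with: $FALCONCTL -s --cid=<CID>"
        rc=1
    fi

    if pgrep -x falcon-sensor >/dev/null 2>&1; then
        echo "OK: falcon-sensor process is running"
    else
        echo "FAIL: falcon-sensor is not running; try: systemctl start falcon-sensor"
        rc=1
    fi

    rfm=$(falcon_rfm_from_output "$("$FALCONCTL" -g --rfm-state 2>/dev/null)")
    case "$rfm" in
        false) echo "OK: sensor fully functional (rfm-state=false)" ;;
        true)
            echo "WARN: sensor is in Reduced Functionality Mode; kernel $(uname -r) may be unsupported"
            "$FALCONCTL" -g --rfm-reason 2>/dev/null || true
            rc=1 ;;
        *)
            echo "WARN: could not read rfm-state from falconctl"
            rc=1 ;;
    esac
    return "$rc"
}

# Run the full check only when invoked as: bash falcon_check.sh check
case "${1:-}" in
    check) falcon_health ;;
esac
```

Run it as root with `bash falcon_check.sh check` after installing the package; a non-zero exit means the host will not show up correctly in Host management even though `ps` may list the process. The rfm-state check is the one to watch after kernel updates, since a kernel the sensor does not yet support silently degrades protection rather than stopping the process.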

A one-month check-in with an OIT Security analyst will be scheduled to follow up on the implementation. Questions about licensing or CrowdStrike features can be directed to OIT Security at security@colorado.edu.

Frequently Asked Questions

What data is monitored by the CrowdStrike security agents?

The CrowdStrike agents are primarily concerned with reporting information that pertains to security threats. Routine monitoring conducted by the CrowdStrike agent does not access the content of your emails, photos, or other personal communications/files you might have on your computer.

Does the security agent give people access/visibility into my computer?

ITPs who manage your department’s CrowdStrike deployment can view the details of detections that are created when the security agent suspects malicious activity. Detection details can include the processes and commands related to the potentially malicious activity. ITPs can also view general information about the computer, such as its operating system version and IP address. In the event of a compromise or a critical security incident, the OIT Security Incident Response team can use the CrowdStrike agent to gain remote access to the affected computer. The computer’s owner is notified when such incident response actions must be taken on their computer.

Who can I contact if the CrowdStrike security agent is causing issues on my computer?

Questions or concerns about the CrowdStrike security agent can be directed to the OIT Security department at security@colorado.edu.

Can the CrowdStrike agent run on my operating system?

Find the list of supported OS versions on the CrowdStrike website. If you have an account on a private tenant, you can access a more comprehensive list of supported kernel versions on the portal.