EDR - CrowdStrike for Unix and Linux Servers

The Secure Computing Standard for Servers requires that an OIT-approved Endpoint Detection and Response (EDR) solution be installed on all university-owned servers. CrowdStrike Falcon is the OIT-approved EDR solution for servers running Linux or Unix-based operating systems. However, users may opt to use the Microsoft Defender security agent (which is the recommended tool for all workstations and all Windows servers) instead, if preferred.

This page will show you how to enroll in OIT’s CrowdStrike EDR management program - either as an individual user in the generic tenant, or as a group/department managing its own tenant. There is also information and FAQs about the campus’s CrowdStrike implementation.

About CrowdStrike

CrowdStrike security agents provide Endpoint Detection and Response (EDR) and Antivirus (AV) protection. The use of EDR and AV tools is part of the University’s approach to ensuring the integrity and security of University data and the shared information technology environment by:

  • Monitoring for suspicious events that may indicate an attack by a malicious actor
  • Blocking executable files that match known fingerprints of viruses and ransomware
  • Helping the CU Security team identify and isolate attacks while they are in progress on campus.

CrowdStrike security agents are optimized to utilize minimal CPU usage, RAM, and disk space, and the sensor’s detection and prevention aggressiveness can be adjusted to accommodate varying environments. If you experience problems with CrowdStrike’s resource usage, please email security@colorado.edu to troubleshoot the issue.

How to get CrowdStrike 

First, check whether CrowdStrike can run on your operating system and kernel. The FAQ section below explains where to find the list of supported Linux distributions and kernel versions. There are two options for setting up CrowdStrike:

  • Private tenant: If you are an ITP that manages multiple servers for a department or a group on campus, you can request the creation of a private tenant. The private tenant lets users log into the CrowdStrike portal to manage the deployment of sensors on devices they manage and respond to any alerts generated by CrowdStrike.
  • Generic tenant: If you have a single server or a group of servers that do not have an Information Technology Practitioner (ITP) managing them, you can install the generic sensor option which will place them into the OIT-managed generic tenant. If your device is a member of the generic tenant, you will not be able to log in to a CrowdStrike portal to manage your agents or review findings. OIT will monitor findings reported to the generic tenant and can provide limited support for sensor deployment.

What’s the difference between tenants?

Put simply, a private tenant lets you manage your EDR yourself, while a sensor installed from the generic tenant lets OIT manage your EDR for you. We recommend requesting a private tenant if you are able to monitor the EDR tool and want to customize it to suit your environment.

Setup instructions for Private tenants

Setup instructions for Generic tenants

  • Fill out request form: Fill out the CrowdStrike Tenant request form. Be sure to select “generic tenant” in the form.
  • Install the sensor: After your form has been submitted, OIT Security will provide you with a token so you can follow the installation steps below:
    1. Download the Falcon sensor installer (provided by OIT Security via Microsoft Teams). 
    2. Run the installer, substituting <installer_filename> with your Falcon sensor installer's file name. Installing the sensor requires sudo privileges.
      • Ubuntu: sudo dpkg -i <installer_filename>
      • RHEL, CentOS, Amazon Linux: sudo yum install <installer_filename>
      • SLES: sudo zypper install <installer_filename>
    3. Run the following command to link your CrowdStrike sensor with CU Boulder. Replace “<CID>” with the tenant’s customer ID and “<token>” with the provisioning token, both provided by OIT Security, and replace “<department>” with your department name so that OIT can catalog the ownership of your host(s). Enter the department tag in lower-case with no spaces; e.g., “computerscience.”
      • sudo /opt/CrowdStrike/falconctl -s --cid=<CID> --provisioning-token=<token> --tags=<department>
    4. Start the sensor manually.
      • Hosts with SysVinit: sudo service falcon-sensor start
      • Hosts with Systemd: sudo systemctl start falcon-sensor
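The four steps above collected into one script, as an added example (this is not a script provided by OIT or CrowdStrike). It picks the install command from the ID field of /etc/os-release, applies the CID, token and normalized department tag with falconctl, starts the service, and then verifies that the sensor reports the CID you set, is running, and is not in reduced functionality mode (RFM), which is how an unsupported kernel shows up in practice. The argument layout, the `-y` flags, the `pgrep` pattern and the exact `falconctl -g` output formats it parses are assumptions.

```shell
#!/bin/sh
# Added example, not an OIT-supplied script: automates the generic-tenant
# steps and then checks that the sensor actually took the CID and is running.
# Assumptions: installer path, CID, provisioning token and department name are
# passed as arguments (OIT Security supplies the first three), and the
# `falconctl -g` output forms parsed below match the installed sensor build.

# Department tag as OIT wants it: lower-case, no whitespace
# ("Computer Science" -> "computerscience").
normalize_tag() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]'
}

# A Falcon CID is 32 hex characters, a dash and a 2-character checksum;
# reject anything else before touching the sensor so a paste error is obvious.
valid_cid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$'
}

# Map the ID= value from /etc/os-release to the install command the page lists
# (-y added so the script can run unattended). Prints the command to run and
# returns 1 for a distro the page does not cover.
install_cmd() {
    case "$1" in
        ubuntu)           printf 'dpkg -i %s' "$2" ;;
        rhel|centos|amzn) printf 'yum install -y %s' "$2" ;;
        sles)             printf 'zypper install -y %s' "$2" ;;
        *)                return 1 ;;
    esac
}

# Read the distro ID in a subshell so os-release variables stay out of our scope.
detect_distro() {
    ( . /etc/os-release && printf '%s' "$ID" )
}

# Post-install checks: the CID the sensor reports must match what we set, the
# process must be up, and the sensor must not be in RFM. Assumed output forms:
# `cid="<value>".` and `rfm-state=true.` / `rfm-state=false.`
verify_sensor() {
    want="$1"
    got=$(sudo /opt/CrowdStrike/falconctl -g --cid 2>/dev/null | sed -n 's/.*cid="\([^"]*\)".*/\1/p')
    [ "$got" = "$want" ] || { echo "CID mismatch: sensor reports '$got'" >&2; return 1; }
    pgrep -f falcon-sensor >/dev/null || { echo "falcon-sensor is not running" >&2; return 1; }
    if sudo /opt/CrowdStrike/falconctl -g --rfm-state 2>/dev/null | grep -q 'rfm-state=true'; then
        echo "sensor is in reduced functionality mode: kernel $(uname -r) is probably unsupported" >&2
        return 1
    fi
    echo "sensor enrolled with CID $got and running on kernel $(uname -r)"
}

main() {
    [ "$#" -eq 4 ] || { echo "usage: $0 <installer> <CID> <token> <department>" >&2; return 2; }
    pkg="$1"; cid="$2"; token="$3"; tag=$(normalize_tag "$4")
    valid_cid "$cid" || { echo "'$cid' does not look like a Falcon CID" >&2; return 1; }
    distro=$(detect_distro) || { echo "cannot read /etc/os-release" >&2; return 1; }
    cmd=$(install_cmd "$distro" "$pkg") || { echo "no install command for distro '$distro'" >&2; return 1; }
    sudo sh -c "$cmd"
    sudo /opt/CrowdStrike/falconctl -s --cid="$cid" --provisioning-token="$token" --tags="$tag"
    if command -v systemctl >/dev/null 2>&1; then
        sudo systemctl start falcon-sensor
    else
        sudo service falcon-sensor start
    fi
    sleep 5   # give the sensor a few seconds to register before checking it
    verify_sensor "$cid"
}

# Only act when called with arguments; defining the functions alone does nothing.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh enroll-falcon.sh falcon-sensor.deb <CID> <token> 'Computer Science'` on the target host. The verification step is the part the manual instructions lack: a sensor that installed cleanly but is in RFM will not report detections, and the only sign from the outside is a host that never shows up in the tenant.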

Frequently asked questions

What data is monitored by the CrowdStrike security agents?

The CrowdStrike agents are primarily concerned with reporting information that pertains to security threats. Routine monitoring conducted by the CrowdStrike agent does not access the content of your emails, photos, or other personal communications/files you might have on your computer.

Does the security agent give people access/visibility into my computer?

ITPs that manage your department’s CrowdStrike deployment are able to view the details of detections that are created when the security agent suspects malicious activity. Detection details can include the processes and commands that relate to the potentially malicious activity. ITPs can also view general information about the computer, such as its operating system version and IP address. In the event of a compromise or a critical security incident, the OIT Security Incident Response team can use the CrowdStrike agent to gain remote access to the affected computer. The computer’s owner is notified when such incident response actions must be taken on their computer.

Who can I contact if the CrowdStrike security agent is causing issues on my computer?

Questions or concerns about the CrowdStrike security agent can be directed to the OIT Security department at Security@Colorado.EDU.

Can the CrowdStrike agent run on my operating system?

Find the list of supported OS versions on the CrowdStrike website. If you have an account on a private tenant, you can access a more comprehensive list of supported kernel versions on the portal.