Kernel versions and CrowdStrike

When we update systems, the update can easily pull in a new kernel. However, the new kernel might not be supported by CrowdStrike. At worst this has crashed the machine; at best it means the warranty offered is void.

/opt/CrowdStrike/falcon-kernel-check
Host OS Linux 4.18.0-553.5.1.el8_10.x86_64 #1 SMP Wed Jun 5 09:12:13 EDT 2024 is not supported by Sensor version 16803.

So this machine is running a kernel that is not supported. On Rocky/Red Hat/Alma/CentOS we can list the installed kernels and use grubby to make an older one the default boot kernel, like this.

ls -l /boot/vmlinuz-*
grubby --set-default /boot/vmlinuz-4.18.0-513.24.1.el8_9.x86_64
systemctl reboot

But that kernel will eventually be deleted if any more kernels get installed. So, once the machine has rebooted into it ($(uname -r) expands to the running kernel), we can lock it (prevent it from being erased).

dnf install yum-plugin-versionlock
dnf versionlock kernel-$(uname -r)
dnf versionlock list

Now check that the kernel is OK with the Falcon sensor (CrowdStrike):

/opt/CrowdStrike/falcon-kernel-check
Host OS 4.18.0-513.24.1.el8_9.x86_64 is supported by Sensor version 16803.

Of course, you now need to remember to unlock it come patching time, which is pretty much dictated by you finding out from CrowdStrike what is supported.
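
The check above can be scripted so that a patching job or monitoring check flags a host that has booted an unsupported kernel. This is an added example, not part of the original post and not CrowdStrike's own tooling. It assumes the two output formats shown on this page; the function names and the --check argument are made up for this example.

```shell
#!/bin/sh
# Added example: classify falcon-kernel-check output by its text.
# Assumption: the tool prints one of the two message formats shown on this
# page. Its exit status is not documented here, so it is not relied upon.

FALCON_CHECK=/opt/CrowdStrike/falcon-kernel-check   # path as used on the page

# Sample lines copied from the two runs shown on this page.
SAMPLE_BAD='Host OS Linux 4.18.0-553.5.1.el8_10.x86_64 #1 SMP Wed Jun 5 09:12:13 EDT 2024 is not supported by Sensor version 16803.'
SAMPLE_GOOD='Host OS 4.18.0-513.24.1.el8_9.x86_64 is supported by Sensor version 16803.'

# classify_kernel_check TEXT: print supported, unsupported or unknown.
classify_kernel_check() {
    case "$1" in
        *"is not supported by Sensor version"*) echo unsupported ;;
        *"is supported by Sensor version"*)     echo supported ;;
        *)                                      echo unknown ;;
    esac
}

# sensor_version TEXT: print the sensor version number quoted in the message.
sensor_version() {
    printf '%s\n' "$1" | sed -n 's/.*by Sensor version \([0-9][0-9]*\).*/\1/p'
}

# check_running_kernel: return 0 if supported, 1 if unsupported, 2 if unknown.
check_running_kernel() {
    if [ ! -x "$FALCON_CHECK" ]; then
        echo "unknown: $FALCON_CHECK not found" >&2
        return 2
    fi
    out=$("$FALCON_CHECK" 2>&1)
    status=$(classify_kernel_check "$out")
    echo "$(uname -r): $status (sensor $(sensor_version "$out"))"
    case "$status" in
        supported)   return 0 ;;
        unsupported) return 1 ;;
        *)           return 2 ;;
    esac
}

# With --check, test this host; the exit status can gate a patching job.
if [ "${1:-}" = "--check" ]; then
    check_running_kernel
    exit $?
fi
```

Run it with --check after the post-patching reboot; a non-zero exit status means the host needs the grubby and versionlock steps above, or the sensor could not be queried.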
