Linux - Configuration - Ensure the Crowdstrike Service is Running

What the CrowdStrike Falcon service checker does

This Automox Worklet™ validates that CrowdStrike's Falcon sensor is installed on the Linux endpoint and actively connected to the CrowdStrike cloud. The Worklet performs a two-phase check: first verifying the presence of the falconctl utility at /opt/CrowdStrike/falconctl, then querying the sensor's agent ID to confirm it is running and registered.

If the Falcon sensor is found to be installed but not running, the Worklet automatically starts the falcon-sensor service and verifies connectivity to CrowdStrike servers. This prevents protection gaps that could occur when the service stops unexpectedly due to reboots, service failures, or configuration changes.

Why maintain continuous CrowdStrike Falcon coverage

CrowdStrike Falcon provides endpoint protection against threats including malware, ransomware, and intrusions. If the Falcon sensor stops running, your endpoints lose real-time threat detection and behavioral monitoring. Even brief service interruptions can create windows of vulnerability that attackers actively exploit.

Automated monitoring and remediation maintains coverage remains consistent across your Linux fleet. This Worklet eliminates manual troubleshooting by automatically detecting and restarting stopped sensors, reducing Mean Time To Resolution (MTTR) for security incidents and compliance violations.

How the Falcon service validation works

1. Evaluation phase: The Worklet checks if /opt/CrowdStrike/falconctl exists, confirming the Falcon sensor is installed. It then executes falconctl -g --aid to query the agent ID, verifying the sensor is loaded and connected. If the service is running and returns an agent ID, the Worklet exits with no changes needed.

2. Remediation phase: If the Falcon sensor is not active, the Worklet attempts to start it using service falcon-sensor start, with a fallback to systemctl start falcon-sensor for systems using systemd. After starting, it waits three seconds for the service to initialize, then verifies connectivity by checking falcon-sensor status. If the service successfully starts and connects to CrowdStrike, the Worklet completes successfully.

CrowdStrike Falcon service requirements

• CrowdStrike Falcon sensor must be pre-installed on the endpoint at /opt/CrowdStrike/

• Supported on Linux distributions that run falcon-sensor service (RedHat, CentOS, Ubuntu, Debian, etc.)

• Root or sudo permissions required to query falconctl and start/stop the service

• Linux endpoint must have network connectivity to CrowdStrike cloud infrastructure

• falcon-sensor service must exist and be manageable via service or systemctl command

• FixNow compatible for immediate execution via RunNow capability

Expected Falcon service state after remediation

After the Worklet runs successfully, the falcon-sensor service will be confirmed as running and connected to the CrowdStrike cloud. The endpoint will resume active threat detection, behavioral monitoring, and incident response capabilities.

You can verify the state by running service falcon-sensor status or systemctl status falcon-sensor on the endpoint, which should show the service as active. The Falcon console will also reflect the endpoint as online with an active agent ID. Subsequent Worklet runs will confirm continuous protection without requiring additional remediation.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for verify the crowdstrike service is running. This supports repeatable system preferences workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit, else and remediation operations such as exit, else, service. Use these indicators to verify that endpoint changes match intended policy outcomes.