Overview
Protecting QuantaStor from network threats can be an important part of your security posture. In this article I’ll detail how to install the CrowdStrike Falcon Sensor (agent) on a QuantaStor instance. The sensor has multiple modes of operation, the most important of which are kernel mode and user mode. In the past, there was a bias toward running in kernel mode as it tends to have some positive performance impact. As a result of the widespread outage in mid-2024 the bias shifted to user mode so as to avoid outages due to bugs or erroneous updates taking systems down when running in kernel mode. As a result, this article will focus on running in user mode to avoid the possibility of taking down your storage platform due to bugs or erroneous updates.
Before I get started, for those not familiar with all the technologies we’re going to go over in this article today I’ll start with a brief synopsis of each to get everyone up to speed.
CrowdStrike is…
a cybersecurity company that provides antivirus endpoint security solutions utilized by many companies and organizations around the world. It is known for its Falcon platform, which is a cloud-based security solution designed to monitor and protect against cyber threats. CrowdStrike’s Falcon tool identifies unusual behavior and vulnerabilities to protect computer systems from threats such as malware.
QuantaStor is…
an enterprise-grade Software Defined Storage platform that turns standard servers into multi-protocol, scale-out storage appliances and delivers file, block, and object storage. OSNexus has made managing enterprise-grade, performant scale-out storage (Ceph-based) and scale-up storage (ZFS-based) extremely simple in QuantaStor, and able to be done quickly from anywhere. The differentiating Storage Grid technology makes storage management a breeze.
At a Glance
I will be installing the CrowdStrike Falcon Sensor on a single QuantaStor node. The characteristics of the node are irrelevant in the context of this article as we won’t be doing anything with storage configuration but rather adding protection at the platform level. Configuring the Falcon platform is beyond the scope of this article, so we’ll just be installing the sensor and validating that the platform can communicate with it.
Let’s Go!
The first thing we need to accomplish is to get access to the sensor install package as well as the Falcon platform. If you’re a current CrowdStrike customer you already have access. I, however, am not a current customer so will be signing up for the trial.
Sign Up for a CrowdStrike Trial
For this part I’ll walk you through the process, but I won’t be showing any screenshots as the process may change and the process is pretty easy.
- Go to CrowdStrike.com and click “Start free trial” button
- Fill out web form(s)
At this point you need to wait for your trial request to be approved. The page says 24 hours, but I found it to be less than an hour, if I recall correctly. Once you receive and email from “falcon” with the subject of “Activation Link”:
- Click “Set Up My Account” in the Activation Link email
- Go through web forms
Login to Falcon Hub
Once your account is created you should end up in the Falcon Hub. If not, navigate to the Falcon Hub Login Page and login. This brings you to the Summary tab of the interface.
Click on “Devices” to change to the Devices tab of the interface.
The next activity is to install the Falcon sensor onto QuantaStor. To start this process you need to download the sensor package. Click “Download sensor”. This will bring up a warning about antivirus interference. Click “Ready to install” to continue.
Next you’re asked to decide between a sensor for a computer or a mobile device. Select “Workstation” and click “Next”.
DON’T rush to click the “Go to Linux installation” link in the following dialog. Before you do so, make sure you copy and store your Customer ID as you will need it during the installation process on QuantaStor. Now that you’ve saved the Customer ID go ahead and click the “Go to Linux installation” link.
Click the “Download” button for the latest Ubuntu version of the driver that is NOT for arm64 nor IBM zLinux. You can determine the latest version by both the build number and the release date. Also note, this is a second chance to copy and store your Customer ID if you missed it in the previous screen. This will download a .deb file for us to install on QuantaStor. Mine was falcon-sensor_7.23.0-17607_amd64.deb.
Install Falcon Sensor on QuantaStor
Now we need to install the .deb package onto QuantaStor. I’ll be doing this remotely via SSH, but you could also do it at the console of the physical server. I’m copying the .deb package to the node using SCP and then starting an SSH session to complete the install.
### Copy the Falcon sensor package to the node ### $ scp falcon-sensor_7.23.0-17607_amd64.deb qadmin@10.0.18.31: ### Establish an SSH session to the node ### $ ssh qadmin@10.0.18.31 qadmin@10.0.18.31's password: Linux sj-643f-31 6.5.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue May 7 09:00:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux Ubuntu 22.04.4 LTS OSNEXUS QuantaStor 6.6.0.090+next-6685340beb == System Info == Uptime: up 3 weeks, 3 days, 8 hours, 5 minutes CPU: 6 cores RAM: 7.74625 GB System information as of Mon Apr 7 10:22:21 PM UTC 2025 System load: 0.21 Processes: 395 Usage of /: 23.7% of 56.38GB Users logged in: 0 Memory usage: 21% IPv4 address for ens192: 10.0.18.31 Swap usage: 0% Last login: Fri Mar 14 14:59:33 2025 from 10.0.0.1 ### Validate that the install package exists ### qadmin@sj-643f-31:~$ ls falcon-sensor_7.23.0-17607_amd64.deb ### Install the Falcon sensor package ### qadmin@sj-643f-31:~$ dpkg -i falcon-sensor_7.23.0-17607_amd64.deb [sudo] password for qadmin: Selecting previously unselected package falcon-sensor. (Reading database ... 160881 files and directories currently installed.) Preparing to unpack falcon-sensor_7.23.0-17607_amd64.deb ... Unpacking falcon-sensor (7.23.0-17607) ... Setting up falcon-sensor (7.23.0-17607) ... Created symlink /etc/systemd/system/multi-user.target.wants/falcon-sensor.service → /lib/systemd/system/falcon-sensor.service. Processing triggers for libc-bin (2.35-0ubuntu3.6) ... ### Switch to the root user ### qadmin@sj-643f-31:~$ sudo -i ### See what's in the Falcon install directory ### root@sj-643f-31:~# /opt/CrowdStrike/{tab}{tab} Falcon4IT/ falcon-fx falcon-predict libelf-sourceware.so.1 falconctl falcon-fxpredict falcon-sensor libelf-sourceware.so.1-17607 falconctl17607 falcon-fxpredict17607 falcon-sensor17607 libfalconfxp.so.2 falcond falcon-kernel-check falcon-sensor-bpf libfalconfxp.so.2-17607 falcond17607 falcon-kernel-check17607 falcon-sensor-bpf17607 Packages/ ### Associate the Customer ID with this Falcon sensor ### root@sj-643f-31:~# /opt/CrowdStrike/falcon-sensorctl -s --cid=928B897F12AXYXYXYXYXYXY9F7F7C8DF-D2 ### Enable, start and get the status of the Falcon sensor ### root@sj-643f-31:~# systemctl enable falcon-sensor root@sj-643f-31:~# systemctl start falcon-sensor root@sj-643f-31:~# systemctl status falcon-sensor.service ● falcon-sensor.service - CrowdStrike Falcon Sensor Loaded: loaded (/lib/systemd/system/falcon-sensor.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2025-04-07 22:30:37 UTC; 13s ago Process: 2203971 ExecStartPre=/opt/CrowdStrike/falconctl -g --cid (code=exited, status=0/SUCCESS) Process: 2203972 ExecStart=/opt/CrowdStrike/falcond (code=exited, status=0/SUCCESS) Main PID: 2203973 (falcond) Tasks: 32 (limit: 9354) Memory: 203.3M CPU: 11.889s CGroup: /system.slice/falcon-sensor.service └─sensor.falcon ├─2203973 /opt/CrowdStrike/falcond └─2203974 falcon-sensor-bpf Apr 07 22:30:37 sj-643f-31 systemd[1]: Starting CrowdStrike Falcon Sensor... Apr 07 22:30:37 sj-643f-31 falconctl[2203971]: cid="928b897f12a2437fbb00fa49f7f7c8df". Apr 07 22:30:37 sj-643f-31 falcond[2203973]: starting Apr 07 22:30:37 sj-643f-31 systemd[1]: Started CrowdStrike Falcon Sensor. Apr 07 22:30:37 sj-643f-31 falcond[2203974]: Running /opt/CrowdStrike/falcon-sensor Apr 07 22:30:37 sj-643f-31 falcon-sensor[2203974]: No traceLevel set via falconctl defaulting to none Apr 07 22:30:37 sj-643f-31 falcon-sensor[2203974]: LogLevelUpdate: none = trace level 0. Apr 07 22:30:38 sj-643f-31 falcon-sensor[2203974]: Running /opt/CrowdStrike/falcon-sensor-bpf Apr 07 22:30:38 sj-643f-31 falcon-sensor-bpf[2203974]: No traceLevel set via falconctl defaulting to none Apr 07 22:30:38 sj-643f-31 falcon-sensor-bpf[2203974]: LogLevelUpdate: none = trace level 0. ### Exit out of root ### root@sj-643f-31:~# exit logout ### Exit the SSH session ### qadmin@sj-643f-31:~$ exit logout
The Falcon sensor is now installed to the QuantaStor node. Now let’s go back to the Falcon Hub to validate that our node is seen and can be used from the platform.
Validate Your Install in Falcon Hub
If necessary, log back into the Falcon Hub. Once there click the “Devices” tab (or refresh if necessary) and you should see your node listed.
Click the hamburger menu (three lines at the top-left of the window), select the “Host setup and management” menu and then select “Host management”.
This brings up the host management dashboard.
Clicking on the host we just added brings up a host information pane with all the details of the node we installed the sensor on.
Clicking the down arrow to the right of “Host info” displays a message that says the the sensor is running in User Mode. Before the major outage that a CrowdStrike update caused in 2024 the preferred running mode was kernel mode. As a result of the outage CrowdStrike has changed their stance and is preferring User Mode.
And that’s all there is to it. The sensor is installed and the platform can control it.
Final Words
I hope you found this activity valuable
I’d love to hear feedback from your adventure deploying this. Please start a comment thread and let me know how it went.
If you have ideas for additional posts that would be valuable to you please don’t hesitate to drop me a line and share them at steve.jordahl at osnexus.com!
Useful Resources
Falcon Installation Documentation:
OSNexus Official Blog 
Leave a comment