To get the full benefit of falcon-sensor on Ubuntu, you need to run a supported kernel; otherwise the sensor runs in Reduced Functionality Mode (“RFM”). To clear the RFM status, update to a kernel supported by your version of falcon-sensor.
First verify your RFM status. You should see the following in the dashboard:
/opt/CrowdStrike/falcon-kernel-check
First, we ask CrowdStrike for a list of supported kernels for the kernel version we are interested in. Here we will choose the most recent version of 5.15.0 generic. Choose a kernel suitable for your system.
Next, choose a kernel to install that is compatible with CrowdStrike. You can list all available kernels with the following command:
apt search linux-image-5.15.0 | less
In this case, we are searching for an available 5.15.0 kernel. Ubuntu by default boots into the most recent kernel, so we are choosing a newer kernel than the existing kernel on our system.
apt search linux-image-5.15.0
We will be installing linux-image-5.15.0-101-generic.
apt install linux-image-5.15.0-101-generic
Reboot.
Next, pin the current version of the kernel so it doesn’t get automatically upgraded when running apt upgrade.
apt-mark hold linux-image-5.15.0-101-generic
Verify that CrowdStrike isn’t in RFM status.
/opt/CrowdStrike/falcon-kernel-check
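The kernel selection above can be scripted. The following is an added example, not part of the original page or of CrowdStrike's tooling: it picks the newest release that is both on a supported list and offered by apt, and checks that it would be the default boot kernel. The function names, the one-release-per-line supported list, and all sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not CrowdStrike or Ubuntu tooling. All sample data is constructed.

# newest_supported SUPPORTED APT_OUTPUT
#   SUPPORTED:  supported releases, one `uname -r` style string per line
#               (assumed format; copy them from the sensor's supported-kernel list)
#   APT_OUTPUT: text printed by `apt search linux-image-5.15.0`
# Prints the highest release present in both lists, or nothing if none match.
# Package names such as linux-image-unsigned-* are skipped on purpose.
newest_supported() {
    printf '%s\n' "$2" |
        sed -n 's|^linux-image-\([0-9][^/ ]*\).*|\1|p' |
        while read -r rel; do
            printf '%s\n' "$1" | grep -Fxq -- "$rel" && printf '%s\n' "$rel"
        done | sort -V | tail -n 1
}

# is_default_boot CHOSEN INSTALLED
#   True when CHOSEN is the highest release among INSTALLED (one per line),
#   which is the kernel Ubuntu boots by default.
is_default_boot() {
    top=$(printf '%s\n%s\n' "$2" "$1" | sort -V | tail -n 1)
    [ "$top" = "$1" ]
}

# Constructed sample input.
SUPPORTED='5.15.0-97-generic
5.15.0-100-generic
5.15.0-101-generic'
APT_OUT='linux-image-5.15.0-100-generic/jammy-updates 5.15.0-100.110 amd64
  Signed kernel image generic
linux-image-5.15.0-101-generic/jammy-updates 5.15.0-101.111 amd64
  Signed kernel image generic
linux-image-5.15.0-102-generic/jammy-updates 5.15.0-102.112 amd64
  Signed kernel image generic
linux-image-unsigned-5.15.0-101-generic/jammy-updates 5.15.0-101.111 amd64
  Linux kernel image for version 5.15.0 on 64 bit x86 SMP'
INSTALLED='5.15.0-91-generic'   # on a real host, e.g. the names under /lib/modules

chosen=$(newest_supported "$SUPPORTED" "$APT_OUT")
if [ -z "$chosen" ]; then
    echo "no supported kernel is available from apt" >&2
elif is_default_boot "$chosen" "$INSTALLED"; then
    echo "install and hold: linux-image-$chosen"
else
    echo "linux-image-$chosen is older than an installed kernel and will not boot by default" >&2
fi
```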