
How to Enable Uninstall Protection for CrowdStrike Falcon Sensor on Linux (Prevent Sensor Uninstall)

Learn how to enable the 'Prevent Sensor Uninstall' policy setting in CrowdStrike Falcon for Linux endpoints. Protect sensors from unauthorized removal with maintenance tokens and tamper prevention.

6 min read | Updated January 2025

Protecting your CrowdStrike Falcon sensors from unauthorized removal is critical for maintaining endpoint security. The 'Prevent Sensor Uninstall' feature in CrowdStrike Falcon requires a maintenance token before anyone can remove the sensor, preventing both accidental and malicious uninstallation attempts.

This guide covers how to enable uninstall protection and sensor tamper prevention for Falcon Sensor on Linux endpoints, including configuration through Sensor Update Policies and Prevention Policies.

Requirements

  • CrowdStrike Falcon sensor for Linux version 7.20 or later
  • Falcon Administrator access to the Falcon Console
  • Endpoints assigned to a Sensor Update Policy

Understanding Uninstall Protection vs. Tamper Prevention

CrowdStrike offers two complementary protection mechanisms:

| Feature | What It Protects Against | Where to Configure |
| --- | --- | --- |
| **Uninstall and Maintenance Protection** | Unauthorized sensor uninstallation, unloading, repair, or manual upgrade | Sensor Update Policies |
| **Sensor Tampering Protection** | Deleting, renaming, or modifying sensor files and components | Prevention Policies (Linux) |

Recommendation: Enable both features for comprehensive protection.


Step 1: Enable Uninstall Protection in Sensor Update Policies

The 'Prevent Sensor Uninstall' setting is configured in Sensor Update Policies:

    1. **Log into the CrowdStrike Falcon Console**
        • Navigate to falcon.crowdstrike.com or falcon.us-2.crowdstrike.com
        • Sign in with your administrator credentials

    2. **Navigate to Sensor Update Policies**
        • Go to Host Setup and Management > Sensor Update Policies
        • Select the policy assigned to your Linux endpoints (or create a new one)

    3. **Enable Uninstall Protection**
        • Click Edit on the policy
        • Locate the Uninstall and maintenance protection setting
        • Toggle the setting to Enabled
        • Click Save

Once enabled, any attempt to uninstall the Falcon sensor will require a maintenance token.


Step 2: Enable Sensor Tamper Prevention (Linux Prevention Policy)

For additional protection, enable sensor tamper prevention in your Linux prevention policy:

    1. **Navigate to Prevention Policies**
        • Go to Configuration > Prevention Policies
        • Select your Linux prevention policy

    2. **Enable Sensor Tampering Protection**
        • Click Edit on the policy
        • Under Protection Settings, locate Sensor tampering protection
        • Toggle to Enabled
        • Click Save

This prevents users or processes from performing actions that tamper with key sensor components, such as:

  • Deleting sensor files in /opt/CrowdStrike/
  • Renaming sensor executables
  • Stopping the falcon-sensor service without authorization
  • Modifying sensor configuration files

Step 3: Retrieving Maintenance Tokens for Authorized Uninstalls

When uninstall protection is enabled, authorized administrators need maintenance tokens to remove sensors:

Single Host Token

    1. Go to **Host Setup and Management** > **Host Management**
    2. Search for the specific host
    3. Click on the host to view details
    4. Select **Reveal maintenance token**
    5. Copy the token for use during uninstallation

Bulk Token Generation (API)

For large-scale operations, use the CrowdStrike API to generate maintenance tokens programmatically. This is useful for automation scripts and mass maintenance windows.
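A sketch of the bulk retrieval described above, added here as an example and not taken from the original guide or from CrowdStrike's own tooling. The endpoint paths, request fields and the `uninstall_token` response field are assumptions based on CrowdStrike's public OAuth2 and Sensor Update Policy API, so check them against the API reference for your cloud; the function names and the `ticket` parameter are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Assumption: US-1 API hostname; other Falcon clouds use a different one.
API_BASE = "https://api.crowdstrike.com"

def build_token_request(base, client_id, client_secret):
    """OAuth2 client-credentials request for a short-lived bearer token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(f"{base}/oauth2/token", data=body, method="POST")

def build_reveal_request(base, bearer, device_id, audit_message):
    """Request the maintenance token for one host ID; audit_message states the reason."""
    body = json.dumps({"device_id": device_id, "audit_message": audit_message}).encode()
    return urllib.request.Request(
        f"{base}/policy/combined/reveal-uninstall-token/v1", data=body, method="POST",
        headers={"Authorization": f"Bearer {bearer}", "Content-Type": "application/json"})

def parse_reveal_response(raw):
    """Return (token, None) on success or (None, reason) on failure."""
    doc = json.loads(raw)
    errors = doc.get("errors") or []
    if errors:
        return None, "; ".join(e.get("message", "unknown error") for e in errors)
    resources = doc.get("resources") or []
    if not resources or not resources[0].get("uninstall_token"):
        return None, "no token in response"
    return resources[0]["uninstall_token"], None

def reveal_tokens(base, client_id, client_secret, device_ids, ticket, send=None):
    """One token per host. `send` is injectable so the flow can be exercised offline."""
    send = send or (lambda req: urllib.request.urlopen(req, timeout=30).read())
    auth = json.loads(send(build_token_request(base, client_id, client_secret)))
    results = {}
    for aid in device_ids:
        msg = f"{ticket}: authorized sensor maintenance"  # ties each reveal to a change record
        try:
            raw = send(build_reveal_request(base, auth["access_token"], aid, msg))
            results[aid] = parse_reveal_response(raw)
        except OSError as exc:  # urllib HTTP and network errors derive from OSError
            results[aid] = (None, str(exc))
    return results  # hand tokens straight to the maintenance job; do not write them to logs
```

Load the API client ID and secret from a secrets manager rather than the script, and give that client only the scope needed to reveal tokens.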


Uninstalling a Protected Sensor on Linux

When uninstall protection is enabled, use the maintenance token with the uninstall command:

Using falconctl

sudo /opt/CrowdStrike/falconctl -s --maintenance-token=YOUR_TOKEN
sudo /opt/CrowdStrike/falconctl -s --aid=0

Using Package Manager

Ubuntu/Debian

sudo MAINTENANCE_TOKEN=YOUR_TOKEN apt remove falcon-sensor

RHEL/CentOS/Amazon Linux

sudo MAINTENANCE_TOKEN=YOUR_TOKEN yum remove falcon-sensor

SUSE/SLES

sudo MAINTENANCE_TOKEN=YOUR_TOKEN zypper remove falcon-sensor

For detailed uninstallation instructions, see our complete guide on how to uninstall CrowdStrike Falcon Sensor.


Verifying Protection Status

To verify that uninstall protection is active on a Linux endpoint:

sudo /opt/CrowdStrike/falconctl -g --feature

Look for the uninstall protection feature in the output. If protection is enabled, attempts to uninstall without a token will fail with an error message.


Best Practices

  • Enable both protections: Use uninstall protection AND tamper prevention together
  • Document token retrieval process: Ensure IT staff know how to get tokens for authorized maintenance
  • Use API for automation: Generate tokens programmatically for scripted deployments
  • Audit uninstall attempts: Monitor Falcon Console for unauthorized removal attempts
  • Test in staging first: Verify your maintenance procedures work before rolling out to production
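A host-side complement to auditing in the Falcon Console, added here as an example that is not part of the original guide: it scans a Debian/Ubuntu `/var/log/dpkg.log` for remove or purge actions against the `falcon-sensor` package and reports whether each one reached a removed state. The sample log is constructed, and `removal_attempts` is a hypothetical helper name.

```python
import re

PKG = "falcon-sensor"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
GONE = {"config-files", "not-installed"}  # dpkg states that mean the package is removed

# Constructed sample in /var/log/dpkg.log format (version string is made up).
SAMPLE = """\
2025-01-14 10:22:30 startup packages remove
2025-01-14 10:22:30 status installed falcon-sensor:amd64 7.20.0-17306
2025-01-14 10:22:31 remove falcon-sensor:amd64 7.20.0-17306 <none>
2025-01-14 10:22:31 status half-configured falcon-sensor:amd64 7.20.0-17306
2025-01-14 10:22:32 status installed falcon-sensor:amd64 7.20.0-17306
2025-01-15 02:03:10 status installed falcon-sensor:amd64 7.20.0-17306
2025-01-15 02:03:11 remove falcon-sensor:amd64 7.20.0-17306 <none>
2025-01-15 02:03:11 status half-installed falcon-sensor:amd64 7.20.0-17306
2025-01-15 02:03:12 status config-files falcon-sensor:amd64 7.20.0-17306
"""

def removal_attempts(log_text, pkg=PKG):
    """List every remove/purge of pkg and whether dpkg reached a removed state."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, verb, rest = m.groups()
        fields = rest.split()
        if verb == "status":
            # Status lines after an action show how far dpkg got with it.
            if current and len(fields) >= 2 and fields[1].split(":")[0] == pkg:
                current["outcome"] = "removed" if fields[0] in GONE else "incomplete"
        elif fields and fields[0].split(":")[0] == pkg:
            current = None  # any other action on pkg (install, upgrade) closes the attempt
            if verb in ("remove", "purge"):
                current = {"time": ts, "action": verb, "outcome": "incomplete",
                           "version": fields[1] if len(fields) > 1 else "?"}
                attempts.append(current)
    return attempts

if __name__ == "__main__":
    for attempt in removal_attempts(SAMPLE):
        print(attempt)
```

An "incomplete" entry is a removal that was started but never finished, which is worth correlating with change records; RPM-based hosts keep this history elsewhere and are not covered by this parser.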

Troubleshooting

Error: "Maintenance token required"

This means uninstall protection is enabled. Retrieve the maintenance token from Falcon Console (Host Management > Select Host > Reveal maintenance token).

Error: "Invalid maintenance token"

Maintenance tokens are single-use and host-specific. Generate a new token for the specific host you're trying to uninstall from.

Protection not taking effect

Policy changes can take up to 15 minutes to propagate. Verify the host is assigned to the correct Sensor Update Policy and has connectivity to the CrowdStrike cloud.


Frequently Asked Questions

Find answers to common questions

The 'Prevent Sensor Uninstall' setting in CrowdStrike Falcon requires a maintenance token before anyone can uninstall, unload, repair, or manually upgrade the Falcon sensor. This security feature prevents unauthorized removal of endpoint protection, whether accidental or malicious. When enabled, users attempting to uninstall the sensor are prompted for a maintenance token that must be retrieved from the Falcon Console.
