How to Install CrowdStrike Falcon Sensor on Linux with Installation Tokens (Provisioning Token Guide)

Installation tokens (also called provisioning tokens) are an optional security feature in CrowdStrike Falcon that prevents unauthorized hosts from being added to your Customer ID (CID). This guide explains how to deploy the Falcon Sensor on Linux using installation tokens.

Why Use Installation Tokens?

Installation tokens protect your CID by ensuring only authorized sensors can register:

• Prevent rogue endpoints: Stop unauthorized or malicious hosts from joining your CID
• Control deployment: Limit who can add new endpoints to your environment
• Audit trail: Track which token was used for each deployment
• Revocable access: Expire or delete tokens to stop new installations

Step 1: Create Installation Tokens

- **Log into the Falcon Console**

• Navigate to falcon.crowdstrike.com or your regional cloud

• Navigate to Installation Tokens

• Go to Host Setup and Management > Sensor Downloads

• Click on Installation Tokens tab

• Create a New Token

• Click Create Token

• Set an expiration date (recommended: 30-90 days)

• Add a description (e.g., "Linux Production Servers - Q1 2025")

• Click Create

• Copy the Token

• Copy the generated token immediately (it won't be shown again in full)

• Store securely for use during deployment

Step 2: Enable Token Requirement

To enforce tokens for all new installations:

- In the **Installation Tokens** section - Toggle **Require tokens** to ON - Confirm the change

Note: Existing sensors continue to function normally. Only new installations require tokens.

Step 3: Install Sensor with Token on Linux

Download the Sensor Package

Download the appropriate Falcon sensor package from Host Setup and Management > Sensor Downloads.

Install the Package

Ubuntu/Debian

sudo dpkg -i falcon-sensor__amd64.deb

RHEL/CentOS/Amazon Linux

sudo yum install falcon-sensor-.rpm

SUSE/SLES

sudo zypper install falcon-sensor-.rpm

Configure with CID and Provisioning Token

Set both your Customer ID and the provisioning token:

sudo /opt/CrowdStrike/falconctl -s --cid= --provisioning-token=

Example

sudo /opt/CrowdStrike/falconctl -s --cid=ABCD1234EFGH5678IJKL9012MNOP3456-78 --provisioning-token=ABCD1234

Start the Sensor

Systemd

sudo systemctl start falcon-sensor

SysVinit

sudo service falcon-sensor start

Adding Token Post-Installation

If you installed a sensor without a token and need to add one:

- **Stop the sensor:**

sudo systemctl stop falcon-sensor

Copy
• Set the provisioning token:

sudo /opt/CrowdStrike/falconctl -s --provisioning-token=

Copy
• Restart the sensor:

sudo systemctl start falcon-sensor

Copy

Verify Installation

Confirm the sensor registered successfully:

sudo /opt/CrowdStrike/falconctl -g --aid

A valid Agent ID (AID) confirms successful registration. You can also verify the host appears in the Falcon Console under Host Management.

Automation with API

For automated deployments, use the CrowdStrike API to create and manage installation tokens programmatically. This integrates with CI/CD pipelines and configuration management tools like Ansible, Puppet, or Chef.

Best Practices

• Use descriptive names: Label tokens by purpose, team, or deployment phase
• Set reasonable expiration: 30-90 days balances security and convenience
• Create separate tokens: Use different tokens for different environments (dev, staging, prod)
• Monitor token usage: Review which tokens are being used for installations
• Rotate tokens regularly: Create new tokens before old ones expire

Related Articles

• How to Install CrowdStrike Falcon Sensor
• How to Enable Uninstall Protection for CrowdStrike Falcon
• How to Verify CrowdStrike Falcon Sensor is Running