Sometimes on Linux hosts, CrowdStrike has a bit of a weird issue with filling up /opt/CrowdStrike
with old versions. The fix they gave us was… a bit special, so I came up with my own.
sudo find /opt/CrowdStrike -type f -name "KernelModuleArchive*" -not -wholename "$(readlink -f /opt/CrowdStrike/KernelModuleArchive)" -exec rm "{}" \;
sudo find /opt/CrowdStrike -type f -name "falcond*" -not -wholename "$(readlink -f /opt/CrowdStrike/falcond)" -exec rm "{}" \;
sudo find /opt/CrowdStrike -type f -name "falconctl*" -not -wholename "$(readlink -f /opt/CrowdStrike/falconctl)" -exec rm "{}" \;
sudo find /opt/CrowdStrike -type f -name "falcon-sensor*" -not -wholename "$(readlink -f /opt/CrowdStrike/falcon-sensor)" -exec rm "{}" \;
Each of these components lives as a "versioned" file, such as falcon-sensor7303, with an unversioned symlink (/opt/CrowdStrike/falcon-sensor) pointing at whichever version is current. When the sensor updates to a new version, the old versioned files are left behind. The four lines above look for every file matching the versioned name pattern and filter out the current one by using readlink -f to resolve the symlink to its canonical target, so only the stale copies are removed. One caveat: the filter is a plain string comparison on the path, so if /opt/CrowdStrike were itself a symlink (or find were pointed at the directory through a different path), the resolved target would never match and the current file would be deleted along with the old ones. Run each find once without the -exec rm "{}" \; part and check that the listed files are only the old versions before letting it delete anything.
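The same clean-up as a small script, added here as an example and not the post's own commands or anything shipped by CrowdStrike. It keeps the current file by inode (find -samefile on the resolved target) instead of comparing path strings, refuses to touch anything if the symlink is missing or dangling, and defaults to a dry run. The function names (prune_stale, make_sandbox, count_versions) and the sandbox layout (three versions of each component, 7101 through 7303) are made up for the example; it assumes GNU coreutils and findutils (readlink -e, find -samefile, find -delete), which is what the original readlink -f already relies on.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands: prune stale versioned CrowdStrike
# files while keeping whatever each unversioned symlink currently resolves to.
# Assumes GNU coreutils/findutils (readlink -e, find -samefile, find -delete).
set -eu

# prune_stale ROOT BASE [--delete]
#   ROOT  directory holding the symlink and its versioned siblings
#   BASE  symlink name: falcond, falconctl, falcon-sensor or KernelModuleArchive
# Lists the stale files one per line; with --delete it removes them as well.
# Refuses (return 1, nothing touched) if the symlink is missing or dangling,
# so a broken link can never turn this into "delete every version".
prune_stale() {
    local root="$1" base="$2" mode="${3:-}"
    local link="$root/$base"
    local target
    # readlink -e requires every path component to exist, unlike -f
    if ! target=$(readlink -e "$link"); then
        echo "refusing to prune $base: $link is missing or dangling" >&2
        return 1
    fi
    # ! -samefile compares inodes rather than path strings, so the current file
    # is kept even when ROOT is itself a symlink and find prints unresolved paths
    if [ "$mode" = "--delete" ]; then
        find "$root" -type f -name "${base}*" ! -samefile "$target" -print -delete
    else
        find "$root" -type f -name "${base}*" ! -samefile "$target" -print
    fi
}

# count_versions ROOT BASE: number of regular files matching BASE* under ROOT
count_versions() {
    find "$1" -type f -name "$2*" | wc -l | tr -d '[:space:]'
}

# make_sandbox: constructed stand-in for /opt/CrowdStrike after three upgrades,
# so the script can be exercised without touching a real sensor install.
make_sandbox() {
    local d b v
    d=$(mktemp -d)
    for b in falcond falconctl falcon-sensor KernelModuleArchive; do
        for v in 7101 7202 7303; do : > "$d/$b$v"; done
        ln -s "$d/${b}7303" "$d/$b"   # the unversioned symlink names the current one
    done
    printf '%s\n' "$d"
}

# demo: dry run, then delete, for each component in a throwaway sandbox
demo() {
    local root b
    root=$(make_sandbox)
    for b in falcond falconctl falcon-sensor KernelModuleArchive; do
        echo "== $b: would remove"
        prune_stale "$root" "$b"
        prune_stale "$root" "$b" --delete >/dev/null
        echo "== $b: $(count_versions "$root" "$b") version(s) left, link -> $(readlink "$root/$b")"
    done
    rm -rf "$root"
}

demo
```

To use it against a real host, call prune_stale /opt/CrowdStrike falcond (and the other three names) without --delete first, read the list, and only then add --delete; the dry run is the same check the original one-liners need, just built in.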