This article is based on SentinelOne community documentation last updated on Oct 2025
Agent requirements on Linux
Linux Agent minimum resource requirements
These are the minimum recommended resource requirements for the Linux Agent.
1 CPU core/2 threads, dedicated to the Agent.
800 MB RAM minimum, dedicated to the Agent.
2 GB in
/opt/sentinelone(3 GB recommended).Instruction-supported CPU: SSE4_2.
Some virtual environments mask support for advanced CPU capabilities. For more information, see your VM vendor documentation.
Linux x86 operating system requirements
Note these details about Linux x86 OS requirements.
The Linux Agent supports SELinux in permissive and enforcing modes. SELinux allows administrators to define and enforce security policies that limit the actions of processes running on the system. It can be helpful for organizations with stringent compliance requirements. To use SELinux in a hardened environment, in enforcing mode, follow the instructions in Configuring the Agent for SELinux.
The Linux Agent is supported on Amazon Elastic Container Service (ECS) Anywhere if you use the CWS for Containers product.
For Docker containers, the Agent only supports the overlay2 storage driver. This requires the CWS for Containers product. To monitor and protect the containers, the Agent requires the OverlayFS filesystem used by the containers to be mounted on the host’s filesystem at /var/lib/docker/overlay/<container-id>/merged, the default Docker location.
The Linux Agent is compiled with 64-bit kernel and libraries. It supports Intel x86_64 compatible architecture and x64 hardware.
The Linux Agent does not support:
32-bit architecture
CPU micro-architectures such as ppc64, x86_32, RISC, or MIPS
UNIX OS version such as FreeBSD, AIX, or Solaris
The Linux Agent can be installed on desktops and servers of the supported distributions (for example, Oracle 6.9 kernel-uek-4.1.12-61*).
Limitations of older kernels:
Kernels earlier than 2.6 (build 2.6.32-358) - Not supported.
Kernels earlier than 3.8 - Static AI and Reputation engines do not evaluate files on-write to disk. However, Full Disk Scan functions as expected. For telemetry collection, File Modification and Network event types are not supported.
Kernels earlier than 3.10 - Containers are not supported.
Kernels earlier than 3.10 - Not compatible with eBPF.
Kernels earlier than 3.11 - Static AI cannot analyze files as they are written to a container. The Agent analyzes these files when the files are executed.
A Kernel bug with 4.19.0-6-amd64 and 4.19.0-8-amd64 can cause system freezes when the Agent is installed. To solve the issue, upgrade to a more recent Kernel.
The Agent does not support systems with Kernel Lockdown set to Confidentiality.
Example: Fedora 31 Kernel 5.3.7 default Kernel Lockdown was Confidentiality, which is not supported. Fedora 31 Kernel 5.5.x default is Integrity, which is supported.
Login and logout event limitations:
Unsuccessful login events - These events are currently not detected for AlmaLinux 10, CentOS Stream 9, Oracle Linux 10, RHEL 10, and Rocky Linux 10.
Login and logout events - These events are currently not detected for Debian-13.
Installing the Linux Agent with RPM or DPKG
Supported from Agent version: Linux 3.0
1. Prerequisites
Make sure the endpoints, physical and virtual, meet the system requirements.
Get the site or group token for registration on the Management Console.
Every Agent belongs to a Site of a specific Management Console. If an installed Agent is not bound to a specific Site, your Management Console cannot manage the Agent.
Make sure the endpoint does NOT reboot before you complete the full installation, association, and activation.
A signed certificate for the Agent to communicate with the Management Console.
Please note:
Installation of the Linux ARM Agent is the same as for the Linux Agent on x86, but make sure you use the correct installer. The Linux Agent uses the RPM and DEB package formats for both x86 and ARM. The x86 package will not install on ARM endpoints, and the ARM installer will not install on x86 endpoints.
For Agent version 23.2 and earlier: RPM installation requires the
--nodigestswitch to prevent this error:Package SentinelAgent_linux_version does not verify: no digest.If you use yum to install on RHEL 8.2, the signed RPM installer is required.
If you are running the Agent on CentOS or RHEL 7 with SELinux set to Enforcing, you should create a dedicated policy on the endpoint, or set SELinux to Permissive, to enable eBPF usage. See Configuring the Agent on SELinux.
To install the Agent on the legacy SUSE Linux Enterprise Server 11 SP4, first apply and activate the kernel patch. Run
zypper install -y kernel-trace
Then open the file
/boot/grub/menu.lstfor editing, change the default to 0, and save the file.
2. Installation Instructions:
In the Sentinels toolbar, click Packages.
Download the package for the distro of the endpoints.
Install the package with one of these methods. The RPM or DEB package must be local to where you want to install the Agent.
RPM: Run sudo rpm -i package_pathname.
DEB: Run sudo dpkg -i package_pathname.
Note: If you run the dpkg command alone,
/var/lib/dpkgmust have exec permissions. If/varhas noexec permissions, you can bind mountdpkgin a different directory.Example:
mkdir -p /opt/dpkg mount --bind /var/lib/dpkg /opt/dpkg mount -o remount,exec /opt/dpkg
Associate the Agent with the Management Console with the Group or Site Token. Run sudo /opt/sentinelone/bin/sentinelctl management token set <token_value>.
Start the Agent services. Run sudo /opt/sentinelone/bin/sentinelctl control start.
After a few minutes, check the Agent status. Other software may interfere with the startup. Run sudo /opt/sentinelone/bin/sentinelctl control status.
Validate that a new version of the Agent is installed. From the endpoint, run sudo /opt/sentinelone/bin/sentinelctl management status, and verify that the
Connectivityparameter isOn.Example workflow:
sudo rpm -i SentinelAgent-aarch64_linux_v23_3_2_12.rpm sudo /opt/sentinelone/bin/sentinelctl management token set <token_value> Setting registration token... Registration token successfully set sudo /opt/sentinelone/bin/sentinelctl control start Starting agent... Agent is running sudo /opt/sentinelone/bin/sentinelctl control status Agent state Enabled Process Name PID orchestrator 41586 network 41587 scanner 41588 agent 41589 firewall 41590 sudo /opt/sentinelone/bin/sentinelctl version Agent version: 23.3.2.12 SentinelCTL version: 23.3.2.12 Ranger version: 22.3.0.7 Git hash: <githash_value>
You can simplify installation with Ansible or the Configuration File.
Deploying the Linux Agent with a Configuration File
Version 21.5 of the Linux Agent supports an easier deployment. Rather than run the commands to install, associate, activate, and then set a proxy, you can set one configuration file to use these variables.
Create a configuration file with the installation parameters, each on a separate line.
Example:
S1_AGENT_MANAGEMENT_PROXY=http://10.10.10.10:1111 S1_AGENT_DV_PROXY=http://192.0.2.0:1111 S1_AGENT_MANAGEMENT_TOKEN=eyJ1cmwiOiAiaHR0cHM6Ly91c2VhMS1zdXBwb3J0My5zZW5 S1_AGENT_AUTO_START=true S1_AGENT_CUSTOMER_ID="Custom value here" S1_AGENT_CREATE_USER=false S1_AGENT_CUSTOM_INSTALL_PATH=/custom/install/path/ S1_AGENT_DEVICE_TYPE=server
Example with subset:
S1_AGENT_MANAGEMENT_TOKEN=eyJ1cmwiOiAiaHR......3J0My5zZW5 S1_AGENT_AUTO_START=true
Save the file and copy it to the Linux endpoint.
Export one environment variable that gives the absolute path to the configuration file.
Example:
export S1_AGENT_INSTALL_CONFIG_PATH="/tmp/config.cfg"
Install the package with the package manager.
RPM:
rpm -i --nodigestpackage_pathnameRPM installation requires the
--nodigestswitch. If you run the RPM command without the--nodigestswitch, an error shows:Package SentinelAgent_linux_version does not verify: no digest.DEB:
dpkg -ipackage_pathname
Note: If the user is not root, use the sudo command to give the absolute path and run the installer.
sudo S1_AGENT_INSTALL_CONFIG_PATH="/tmp/config.cfg" dpkg -i package_pathname sudo S1_AGENT_INSTALL_CONFIG_PATH="/tmp/config.cfg" rpm -i --nodigest package_pathname
Example of the Linux Agent Configuration File usage:
[root@localhost ~]# rpm -i --nodigest /home/user/SentinelAgent_Linux_21_5_3_2_x86_64-release-v21.5.3.rpm Setting registration token... Registration token successfully set Setting management device type... Device type successfully set Setting customer ID... Customer ID successfully set Starting agent... Agent is running
Valid Parameters of Agent Deployment Configuration
Parameter | Valid Values | Description and Notes |
S1_AGENT_FIPS_ENABLED |
| From Agent version 23.1.1: If If set to |
S1_AGENT_MANAGEMENT_PROXY | http://URL | IP address :port | If there is a proxy server between the Agent and the Management, enter the proxy URL (or IP address) and the proxy port. |
S1_AGENT_DV_PROXY | From Agent version 21.5.3: If there is a proxy server between the Agent and the Deep Visibility™ service, enter the proxy URL (or IP address) and the port. |
|
S1_AGENT_MANAGEMENT_TOKEN | This string associates the Agent with the default group of a Site or with a specific group. | |
S1_AGENT_DEVICE_TYPE |
| Define the endpoint as a server or desktop. |
S1_AGENT_AUTO_START |
| If set to If |
S1_AGENT_CUSTOMER_ID | string | Your customer ID as set in: |
S1_AGENT_CUSTOM_INSTALL_PATH | local path | From Agent version 21.5.2: Change the installation (and all recursive paths, such as logs) to a different path. The Agent will create a symlink from your custom path to |
S1_AGENT_CREATE_USER |
| If true (default), the Agent creates the sentinelone user and group when it is installed. If set to
Example to create a user: |