Deploying the Linux Agent - Overview
Supported from Management version: Grand Canyon
Supported from Agent version: Linux 3.0
SentinelOne updates your Management Console with the latest Agent packages.
Download the packages for the operating systems in your environment. You can use third-party tools to deploy the package to all of your endpoints by platform. Or you can install Agents individually.
This article is a portal page for the information you need to understand, install, upgrade, and uninstall the Linux Agent.
Make sure the endpoints fulfill the Agent Requirements on Linux.
Optional: Create a Linux deployment configuration file.
Optional: Create a deployment script.
Download and install the package. Associate with a Site. Activate the Agent.
Upgrade the Agent before the version goes End of Support.
If suggested by Support, uninstall the Agent and then install again to solve a unique scenario.
SentinelOne development follows the Principle of Least Privilege. Each process is allowed to do only what it is meant to do. This model reduces the Agent attack surface. For example, if a process reads files in the system, the same process cannot send files through the network.
The Agent components communicate through secure IPC (Inter-Process Communication) mechanisms. IPC makes sure that only processes of one component can talk to each other. Every other process that tries is blocked. For example, if an OS process tries to open a socket to the main Agent process, IPC will block it.
The SentinelCTL process is also protected with signature and root permissions. When SentinelCTL connects (through IPC) to an Agent component, the component verifies the signature before allowing the connection.
Agent components:
The main process that runs the AI and security engines
Service providers and data processes that are triggered by events
SentinelCTL
Watchdogs that monitor the status of other processes
Agent requirements on Linux
Important
The Linux Agent is not supported on Kubernetes (K8s) platforms.
Required Software
None on baseline distro installations.
If your Linux OS is customized, first get the list of requirements. Run one of these commands:
rpm -qRp SentinelAgent_installerFileName.rpm
dpkg -I SentinelAgent_installerFileName.deb
Linux Minimum Hardware Requirements
2 GHz Dual-core CPU
4 GB RAM, according to distro requirements
2 GB available in /opt/sentinelone. We recommend 3 GB. Make sure the endpoint meets the minimum disk space and partition requirements of the Linux distro it is running on.
Instruction-supported CPU: SSE4_2.
Some virtual environments mask support for advanced CPU capabilities. See your VM vendor documentation. Examples: the VMware article "How to Override Masks" and the Hyper-V article "How to turn off processor compatibility mode".
Linux Operating System Architecture Notes
The Linux Agent supports SELinux in Permissive and Enforcing modes.
Major cloud providers support installation of the Linux Agent on instances that meet the system requirements.
Supported with ECS Anywhere. For more information see Containerized Workloads in AWS.
For Docker containers, the Agent supports only the overlay2 storage driver. For monitoring and protecting the containers, the Agent requires the OverlayFS filesystem used by the containers to be mounted on the host’s filesystem, /var/lib/docker/overlay/<container-id>/merged, the default Docker location. For more information, see OverlayFS Storage Driver.
The Linux Agent is compiled with 64-bit kernel and libraries. It supports Intel x86_64 compatible architecture and x64 hardware. ARM 64-bit architecture (also known as aarch64) is supported starting with Agent version 22.1.
The Linux Agent does not support:
32-bit architecture
CPU micro-architectures such as ppc64, x86_32, RISC, or MIPS
UNIX OS versions such as FreeBSD, AIX, or Solaris
The Linux Agent can be installed on Desktops and Servers of the supported distributions, of new kernel versions only (for example: Oracle 6.9 kernel-uek-4.1.12-61*).
Limitations of older kernels:
Kernels earlier than 2.6 (build 2.6.32-358) - Not supported.
Kernels earlier than 3.8 - Static AI and Reputation engines are not triggered on new files written to disk, but they do work from Full Disk Scan. Deep Visibility™ File Modification and Network Action event types are not supported.
Kernels earlier than 3.10 - Containers are not supported.
Kernels earlier than 3.10 - Not compatible with eBPF.
Kernels earlier than 3.11 - Static AI cannot analyze files as they are written to a container. The Agent analyzes these files when the files are executed.
Kernel version 4.18.0-147 on RHEL 8.1 - A soft lockup might occur when the Agent uses eBPF. The issue is resolved in RHEL-8.2 with a newer kernel.
The Agent does not support systems with Kernel Lockdown set to Confidentiality.
Example: Fedora 31 kernel 5.3.7 default Kernel Lockdown was "Confidentiality" which is not supported. Fedora 31 kernel 5.5.x default is "Integrity", which is supported.
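The kernel, CPU, disk and Kernel Lockdown limits above can be checked on an endpoint before the package is installed. The script below is an added example, not SentinelOne code; the function names are hypothetical, and it assumes GNU sort (for -V) and the standard Linux /proc/cpuinfo and /sys/kernel/security/lockdown files.

```bash
#!/bin/bash
# Added example, not vendor code: pre-flight checks built from the limits
# listed above. Functions take their input as arguments so they run offline.

# ver_lt A B: true when version A sorts strictly before B (needs sort -V).
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# cpu_has_sse42 CPUINFO: true when the first x86 "flags" line lists sse4_2.
cpu_has_sse42() { grep -m1 '^flags' "$1" | grep -qw 'sse4_2'; }

# lockdown_ok FILE: false only when the active mode (the bracketed one) is
# confidentiality. An unreadable file means no lockdown interface to check.
lockdown_ok() { [ ! -r "$1" ] || ! grep -q '\[confidentiality\]' "$1"; }

# kernel_limits RELEASE: prints each limitation that applies to the kernel;
# returns 1 when the kernel is not supported at all.
kernel_limits() {
    if ver_lt "$1" 2.6.32-358; then
        echo "not supported: earlier than 2.6.32-358"; return 1
    fi
    ver_lt "$1" 3.8 && echo "no Static AI/Reputation on newly written files"
    ver_lt "$1" 3.10 && echo "no container support, not compatible with eBPF"
    ver_lt "$1" 3.11 && echo "container files analyzed at execution only"
    case $1 in 4.18.0-147*) echo "RHEL 8.1: soft lockup possible with eBPF" ;; esac
    return 0
}

# preflight: run every check against the live host and print the findings.
preflight() {
    local free_kb
    [ "$(uname -m)" != x86_64 ] || cpu_has_sse42 /proc/cpuinfo ||
        echo "CPU (or VM mask) does not expose SSE4_2"
    lockdown_ok /sys/kernel/security/lockdown ||
        echo "Kernel Lockdown is set to Confidentiality"
    free_kb=$(df -Pk /opt | awk 'NR==2 {print $4}')
    [ "$free_kb" -ge 2097152 ] || echo "less than 2 GB available under /opt"
    kernel_limits "$(uname -r)"
}
```

Source the file and call preflight on the endpoint; an empty result with exit status 0 means none of the listed limits apply.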
Deploying the Linux Agent with a Configuration File
Supported from Management version: North Pole
Supported from Agent version: Linux 21.5 | K8s 21.5
Version 21.5 of the Linux Agent supports an easier deployment. Rather than run the commands to install, associate, activate, and then set a proxy, you can set one configuration file to use these variables.
The Linux Agent is not supported on nodes on containers (Kubernetes, OpenShift).
To apply easy deployment with a configuration file:
Create a configuration file with the installation parameters, each on a separate line.
Example:
S1_AGENT_MANAGEMENT_PROXY=http://10.10.10.10:1111
S1_AGENT_DV_PROXY=http://192.0.2.0:1111
S1_AGENT_MANAGEMENT_TOKEN=eyJ1cmwiOiAiaHR0cHM6Ly91c2VhMS1zdXBwb3J0My5zZW5
S1_AGENT_AUTO_START=true
S1_AGENT_CUSTOMER_ID="Custom value here"
S1_AGENT_CREATE_USER=false
S1_AGENT_CUSTOM_INSTALL_PATH=/custom/install/path/
S1_AGENT_DEVICE_TYPE=server
Example with subset:
S1_AGENT_MANAGEMENT_TOKEN=eyJ1cmwiOiAiaHR......3J0My5zZW5
S1_AGENT_AUTO_START=true
Save the file and copy it to the Linux endpoint.
Export one environment variable that gives the absolute path to the configuration file.
Example:
export S1_AGENT_INSTALL_CONFIG_PATH="/tmp/config.cfg"
Install the package with the package manager.
RPM:
rpm -i --nodigest package_pathname
RPM installation requires the --nodigest switch. If you run the RPM command without the --nodigest switch, an error shows: Package SentinelAgent_linux_version does not verify: no digest.
DEB:
dpkg -i package_pathname
Note: If the user is not root, use the sudo command to give the absolute path and run the installer.
sudo S1_AGENT_INSTALL_CONFIG_PATH="/tmp/config.cfg" dpkg -i package_pathname
sudo S1_AGENT_INSTALL_CONFIG_PATH="/tmp/config.cfg" rpm -i --nodigest package_pathname
Example of the Linux Agent Configuration File usage:
[root@localhost ~]# rpm -i --nodigest /home/user/SentinelAgent_Linux_21_5_3_2_x86_64-release-v21.5.3.rpm
Setting registration token...
Registration token successfully set
Setting management device type...
Device type successfully set
Setting customer ID...
Customer ID successfully set
Starting agent...
Agent is running
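The configuration file holds the registration token and is read by an installer that runs as root, so it is worth checking before S1_AGENT_INSTALL_CONFIG_PATH is exported. The function below is an added example, not SentinelOne code: the parameter names come from this page, while the owner-only permission rule and the true/false value check are assumptions of the example.

```bash
#!/bin/bash
# Added example, not vendor code. Parameter names come from this page; the
# owner-only permission rule and the true/false check are assumptions.
S1_KEYS=" S1_AGENT_FIPS_ENABLED S1_AGENT_MANAGEMENT_PROXY S1_AGENT_DV_PROXY \
S1_AGENT_MANAGEMENT_TOKEN S1_AGENT_DEVICE_TYPE S1_AGENT_AUTO_START \
S1_AGENT_CUSTOMER_ID S1_AGENT_CUSTOM_INSTALL_PATH S1_AGENT_CREATE_USER "

# check_s1_config FILE: returns 0 if FILE passes every check, 1 otherwise.
# Findings are written to stderr, one per line.
check_s1_config() {
    local file="$1" rc=0 n=0 line key value
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    # The file holds the registration token: group and other get no access.
    if [ "$(ls -ld -- "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: accessible beyond its owner, use chmod 600" >&2; rc=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        key=${line%%=*}
        value=${line#*=}
        # No "=" at all, or a key with characters outside A-Z, 0-9 and "_".
        if [ "$key" = "$line" ] || [ "${key#*[!A-Z0-9_]}" != "$key" ]; then
            echo "line $n: not in KEY=VALUE form" >&2; rc=1; continue
        fi
        case $S1_KEYS in
            *" $key "*) ;;
            *) echo "line $n: unknown parameter '$key'" >&2; rc=1; continue ;;
        esac
        # The page requires each parameter on a separate line.
        case $value in
            *" S1_AGENT_"*=*) echo "line $n: several parameters on one line" >&2; rc=1 ;;
        esac
        case $key=$value in
            S1_AGENT_AUTO_START=true|S1_AGENT_AUTO_START=false) ;;
            S1_AGENT_CREATE_USER=true|S1_AGENT_CREATE_USER=false) ;;
            S1_AGENT_DEVICE_TYPE=server|S1_AGENT_DEVICE_TYPE=desktop) ;;
            S1_AGENT_AUTO_START=*|S1_AGENT_CREATE_USER=*|S1_AGENT_DEVICE_TYPE=*)
                echo "line $n: unexpected value for $key" >&2; rc=1 ;;
            S1_AGENT_MANAGEMENT_TOKEN=)
                echo "line $n: empty token" >&2; rc=1 ;;
        esac
    done < "$file"
    return $rc
}
```

Source the file and run check_s1_config /tmp/config.cfg (or the path you use) before the install command; a file with Windows line endings fails the value checks because of the trailing carriage return.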
Valid Parameters of Agent Deployment Configuration
Parameter | Valid Values | Description and Notes |
S1_AGENT_FIPS_ENABLED | | From Agent version 23.1.1: If If set to |
S1_AGENT_MANAGEMENT_PROXY | http://URL | IP address :port | If there is a proxy server between the Agent and the Management, enter the proxy URL (or IP address) and the proxy port. |
S1_AGENT_DV_PROXY | | From Agent version 21.5.3: If there is a proxy server between the Agent and the Deep Visibility™ service, enter the proxy URL (or IP address) and the port. |
S1_AGENT_MANAGEMENT_TOKEN | | This string associates the Agent with the default group of a Site or with a specific group. |
S1_AGENT_DEVICE_TYPE | | Define the endpoint as a server or desktop. |
S1_AGENT_AUTO_START | | If set to If |
S1_AGENT_CUSTOMER_ID | string | Your customer ID as set in: |
S1_AGENT_CUSTOM_INSTALL_PATH | local path | From Agent version 21.5.2: Change the installation (and all recursive paths, such as logs) to a different path. The Agent will create a symlink from your custom path to |
S1_AGENT_CREATE_USER | | If true (default), the Agent creates the sentinelone user and group when it is installed. If set to
Example to create a user: |
Scripting for Mass Deployment on Linux
This script is intended for environments where you want to deploy the Linux Agent at scale. You can configure the script with a defined management token, or it will ask for one interactively.
Functions of the script:
Checks to see if the SentinelOne Linux Agent is already installed on the endpoint.
Downloads the latest GA package for the Linux OS (RPM or DEB).
Checks for a corrupt operating system.
Shows the Agent details.
Checks for Management Console connectivity.
Script Source Code
#!/bin/bash
#Optional pre-populated Site Token.
SITE_TOKEN=
#Remove any prior failure attempt logging.
rm -f /tmp/s1-dmesg-tracing-functions-corrupt.txt 2> /dev/null
#Check to see if agent is already installed.
if [ -e /opt/sentinelone ] || [ -L /opt/sentinelone ]; then
    echo ""
    echo "The Agent appears to already be installed on this machine."
    echo ""
    exit
fi
#Interactive prompt to ask for Site Token value if not pre-defined.
if [ -z "$SITE_TOKEN" ]; then
    echo -n "Enter Site Token: "
    read -r SITE_TOKEN
fi
#Creation of temporary download directory.
mkdir -p ~/s1TempInstall
#Check for expected Linux distro, download the latest supported GA Linux Agent from Google Drive Cloud Repository, & Install the agent package.
#Replace each <...> placeholder below with the command that fetches the package from your repository.
if [ ! -f /etc/redhat-release ]; then
    cd ~/s1TempInstall && <Input Local Repository Path to DEB package here>
    dpkg -i SentinelAgent_linux_latest_GA.deb 2> ~/s1AgentInstall.log
else
    cd ~/s1TempInstall && <Input Local Repository Path to RPM package here>
    rpm -ivh --nodigest SentinelAgent_linux_latest_GA.rpm 2> ~/s1AgentInstall.log
fi
#Removal of the temporary download directory.
rm -rf ~/s1TempInstall
#Set the Site Token (quoted so the shell passes it as a single argument).
echo ""
/opt/sentinelone/bin/sentinelctl management token set "$SITE_TOKEN"
echo ""
#Check DMESG output to see if OS is corrupt and if not, start the Agent.
if dmesg | grep -q "FUNCTION TRACING IS CORRUPTED"; then
    echo "System Instability Detected. Not Starting S1 Agent." > /tmp/s1-dmesg-tracing-functions-corrupt.txt
    echo "System Instability Detected. Not Starting S1 Agent."
    exit 1
else
    /opt/sentinelone/bin/sentinelctl control start
fi
#Print the Management Console Connectivity Status.
echo ""
/opt/sentinelone/bin/sentinelctl control status
echo ""
#Continue checking the Management Console Connectivity until it is successfully established.
while : ; do
    /opt/sentinelone/bin/sentinelctl management status
    if /opt/sentinelone/bin/sentinelctl management status | grep Connectivity | awk '{print $2}' | grep -q On ; then
        echo ""
        echo "The Agent is now connected to the Management Console"
        exit
    fi
    echo ""
    echo "The Agent is not connected to the Management Console yet, checking again..."
    echo ""
    sleep 5
done
Installing the Linux Agent with RPM or DPKG
Supported from Agent version: Linux 3.0
Prerequisites
Make sure the endpoints, physical and virtual, meet the system requirements.
Get the site or group token for registration on the Management Console.
Every Agent belongs to a Site of a specific Management Console. If an installed Agent is not bound to a specific Site, your Management Console cannot manage the Agent.
Make sure the endpoint does NOT reboot before you complete the full installation, association, and activation.
A signed certificate for the Agent to communicate with the Management Console.
Important
Installation of the Linux ARM Agent is the same as for the Linux Agent on x86, but make sure you use the correct installer. The Linux Agent uses the RPM and DEB package formats for both x86 and ARM. The x86 package will not install on ARM endpoints, and the ARM installer will not install on x86 endpoints.
For Agent version 23.2 and earlier: RPM installation requires the --nodigest switch to prevent this error: Package SentinelAgent_linux_version does not verify: no digest.
If you use yum to install on RHEL 8.2, the signed RPM installer is required.
If you are running the Agent on CentOS or RHEL 7 with SELinux set to Enforcing, you should create a dedicated policy on the endpoint, or set SELinux to Permissive, to enable eBPF usage.
To install the Agent on the legacy SUSE Linux Enterprise Server 11 SP4, first apply and activate the kernel patch. Run:
zypper install -y kernel-trace
Then open the file /boot/grub/menu.lst for editing, change the default to 0, and save the file.
To install the Linux Agent:
Download the package for the distribution of the endpoints.
Install the package with one of these methods:
RPM: Run sudo rpm -i package_pathname.
DEB: Run sudo dpkg -i package_pathname.
Note: If you run the dpkg command alone, /var/lib/dpkg must have exec permissions. If /var has noexec permissions, you can bind mount dpkg in a different directory.
Example:
mkdir -p /opt/dpkg
mount --bind /var/lib/dpkg /opt/dpkg
mount -o remount,exec /opt/dpkg
Associate the Agent with the Management Console with the Group or Site Token. Run sudo /opt/sentinelone/bin/sentinelctl management token set <token_value>.
Start the Agent services. Run sudo /opt/sentinelone/bin/sentinelctl control start.
After a few minutes, check the Agent status. Other software may interfere with the startup. Run sudo /opt/sentinelone/bin/sentinelctl control status.
Validate that a new version of the Agent is installed. From the endpoint, run /opt/sentinelone/bin/sentinelctl version.
Example workflow:
sudo rpm -i SentinelAgent-aarch64_linux_v23_3_2_12.rpm
sudo /opt/sentinelone/bin/sentinelctl management token set <token_value>
Setting registration token...
Registration token successfully set
sudo /opt/sentinelone/bin/sentinelctl control start
Starting agent...
Agent is running
sudo /opt/sentinelone/bin/sentinelctl control status
Agent state Enabled
Process Name PID
orchestrator 41586
network 41587
scanner 41588
agent 41589
firewall 41590
sudo /opt/sentinelone/bin/sentinelctl version
Agent version: 23.3.2.12
SentinelCTL version: 23.3.2.12
Ranger version: 22.3.0.7
Git hash: <githash_value>
You can simplify installation with Ansible or the Configuration file or AWS Systems Manager.