Capture Client Agent OS Requirements : Linux
Description
This article offers guidance on the supportability of the Capture Client Agent for the Linux Platform.
Resolution
Capture Client Management Console supports endpoints (PCs, Laptops & Tablets) running the following operating systems. Capture Client's advanced threat protection is powered by SentinelOne, and the SentinelOne agent is automatically installed and configured according to the Threat Protection security policy. The recommended SentinelOne agent version is listed below.
| Operating System | Version | SentinelOne Agent |
| Azure Linux (formerly CBL-Mariner) | Azure Linux (formerly CBL-Mariner) | 23.3 or later |
| Amazon Linux | Amazon Linux 2023.3 | 23.2 or later |
| Amazon Linux 2023.1, 2023 | 23.1 or later | |
| Amazon Linux 2, AMI 2018, AMI 2017 | 22.3 or later | |
|
Red Hat Enterprise Linux (RHEL) | Red Hat Enterprise Linux (RHEL) 9.4 | 24.1 or later |
| Red Hat Enterprise Linux (RHEL) 9.3, 9.2, 8.9 | 23.3 or later | |
| Red Hat Enterprise Linux (RHEL) 8.10 | 24.1 or later | |
| Red Hat Enterprise Linux (RHEL) 8.8 | 23.1 or later | |
| Red Hat Enterprise Linux (RHEL) 9.1, 9.0, 8.7- 8.0, 7.9 - 7.0, 6.10 - 6.4 | 22.3 or later | |
| Ubuntu | Ubuntu 22.04.6 | 23.2 or later |
| Ubuntu 22.04, 20.04, 18.04, 16.04, 14.04 | 22.3 or later | |
| CenOS | Centos Stream v9 | 23.3 or later |
| CentOS 8.4 - 8.0, 7.9 - 7.0, 6.10 - 6.4 | 22.3 or later | |
| Oracle Linux (OL) / Oracle Enterprise Linux (OEL) | Oracle 9.3, 9.2 | 23.3 or later |
| Oracle 9.1, 8.8 | 23.1 or later | |
| Oracle 9.0, 8.7-8.0, 7.9 - 7.0, 6.10, 6.9 | 22.3 or later | |
|
SUSE Linux | Enterprise Server 15.x, 12.x, 11.x | 22.3 or later |
| SUSE Linux Enterprise Server 11 Sp4 | 24.1 or later | |
| SUSE Linux Enterprise Server 15 Sp5 | 22.4 or later | |
| Fedora | Fedora 38, 39 | 23.3 or later |
| Fedora 37, 36, 35 | 22.3 or later | |
| Debian | Debian 12.4 | 23.2 or later |
| Debian 12.2, 12.1, 12 | 23.3 or later | |
| Debian 11.9 | 23.4 or later | |
| Debian 11.8, 11.7, 10.13 | 23.2 or later | |
| Debian 11, 10, 9, 8 | 22.3 or later | |
| Virtuozzo | Virtuozzo 7 | 22.3 or later |
| Scientific Linux | Scientific Linux 7, 6 | 22.3 or later |
|
RockyLinux | RockyLinux 9.4 | 24.1 or later |
| RockyLinux 9.3, 9.2 | 23.3 or later | |
| RockyLinux 8.10 | 24.1 or later | |
| Rocky Linux 8.8 | 23.1 or later | |
| Rocky Linux 9.1, 9.0, 8.7, 8.6, 8.5, 8.4 | 22.3 or later |
Guidelines for Linux:
- The Linux Agent supports SELinux in Permissive and Enforcing modes.
- All Cloud providers (such as GCP, Azure, AWS) support installation of the Linux Agent on instances that fulfill the system requirements.
- The Linux Agent is compiled with a 64-bit kernel and libraries. It supports Intel x86_64 compatible architecture and x64 hardware.
- The Linux Agent does not support
a. 32-bit architecture.
b. CPU micro-architectures such as ppc64, x86_32, RISC, MIPS.
c. UNIX OS versions such as FreeBSD, AIX, Solaris. - The Linux Agent can be installed on Desktops and Servers of the supported distributions, of new kernel versions only (for example: Oracle 6.9 kernel-uek-4.1.12-61*).
- Major cloud providers support installation of the Linux Agent on instances that meet the system requirements.
- Supported with ECS Anywhere. For more information see Containerized Workloads in AWS.
Limitations of Older Kernels:
- Kernels lower than 2.6 (build 2.6.32-358) - Not supported.
- Kernels lower than 3.8 - Static AI and Reputation engines are not triggered on new files written to disk, but they do work from Full Disk Scan. Deep Visibility File Modification and Network Action Event types are not supported.
- Kernels lower than 3.10 - Containers are not supported.
- Kernels lower than 3.11 - Static AI cannot analyze files as they are written to a container. The Agent analyses these files when the files are executed.
- Kernel version 4.18.0-147 on RHEL 8.1, a soft lockup might occur when the Agent uses eBPF. The issue is resolved in RHEL-8.2 with a newer kernel.
- The Agent does not support systems with Kernel Lockdown set to Confidentiality. For example, Fedora 31 kernel 5.3.7 default Kernel Lockdown was "Confidentiality" which is not supported. Fedora 31 kernel 5.5.x default is "Integrity", which is supported.