Linux kernel compatibility

Deep Security supports the following Linux kernel scopes:

  • General kernel, which includes general-purpose Linux kernels available to all customers. These kernels are provided by supported operating system partners listed in Deep Security Agent platform compatibility.

A kernel is outside the general scope if it is experimental (for example, CentOS Stream), built for an appliance (for example, Exadata), community-maintained (for example, ELRepo), customized, and so on.

If a kernel is not within the preceding support scope, Deep Security cannot provide a kernel support package.

Supported Linux kernels vary by the Deep Security Agent version:

You can also use a JSON version of the complete list of supported Linux kernels for each agent version in scripts and automated workflows.

Disable optional Linux kernel support package updates

When Deep Security Agent has any of the following security modules enabled, compatible kernel modules must be installed on the local host for the agent to load and provide security protection:

  • Activity Monitoring
  • Anti-Malware
  • Application Control
  • Firewall
  • Integrity Monitoring
  • Intrusion Prevention
  • Web Reputation Service

If compatible kernel modules have not been installed, then Deep Security Agent downloads and installs the latest kernel support package, regardless of whether or not the Automatically update kernel package when agent restarts setting is enabled.

If compatible kernel modules have already been installed and the Automatically update kernel package when agent restarts setting is enabled, then Deep Security Agent downloads and installs the latest kernel support package.

When Deep Security Agent is upgraded, the previously installed kernel modules become incompatible with the agent because the agent version is newer than the kernel support package. Thus, the agent downloads and installs the latest kernel support package regardless of whether or not the Automatically update kernel package when agent restarts setting is enabled.

When the Linux kernel is upgraded to a new version, the previously installed kernel modules become incompatible with the Linux kernel. Thus, the agent downloads and installs the latest kernel support package regardless of whether or not the Automatically update kernel package when agent restarts setting is enabled.

In previous agent versions, the kernel driver update process always downloaded the latest kernel support package from the relay when an agent was restarted or the computer rebooted. For agent version 20.0.0-3067 and later, you can disable optional kernel support package updates to improve performance.

Disable updates on a single computer

  1. In the Workload Security console, go to Computers.
  2. Double-click the computer where you want to disable kernel support package updates. Alternatively, select the computer, and then select Details.
  3. Select Settings.
  4. From Automatically update kernel package when agent restarts, select No.
  5. Save your changes.

Disable updates on multiple computers

  1. In the Workload Security console, go to Policies.
  2. Double-click the policy that protects the computers where you want to disable kernel support package updates. Alternatively, select the policy, and then select Details.
  3. Select Settings.
  4. From Automatically update kernel package when agent restarts, select No.
  5. Save your changes.