Linux kernel compatibility

Deep Security supports the following Linux kernel scopes:

  • General kernel, which includes general-purpose Linux kernels available to all customers. These kernels are provided by supported operating system partners listed in Deep Security Agent platform compatibility.
    A kernel is not considered within the general scope if it is experimental (for example, CentOS Stream), built for appliances (for example, Exadata), community-maintained (for example, ELRepo), customized, and so on.
  • Select extended support kernel, which includes the following:
    If a kernel is not within the preceding support scope, Deep Security cannot provide a kernel support package.

Supported Linux kernels vary by the agent version:

You can also use a JSON list of Linux kernels that the agent supports with scripts and automated workflows.

Disable optional Linux kernel support package updates

When Deep Security Agent has any of the following security modules enabled, compatible kernel modules must be installed on localhost in order for the agent to load and provide security protection:

  • Activity Monitoring
  • Anti-Malware
  • Application Control
  • Firewall
  • Integrity Monitoring
  • Intrusion Prevention
  • Web Reputation Service

If compatible kernel modules have not been installed, then Deep Security Agent downloads and installs the latest kernel support package, regardless of whether or not the Automatically update kernel package when agent restarts setting is enabled.

If compatible kernel modules have already been installed and the Automatically update kernel package when agent restarts setting is enabled, then Deep Security Agent downloads and installs the latest kernel support package.

When Deep Security Agent is upgraded, the previously installed kernel modules become incompatible with the agent because the agent version is newer than the kernel support package. Thus, the agent downloads and installs the latest kernel support package regardless of whether or not the Automatically update kernel package when agent restarts setting is enabled.

When the Linux kernel is upgraded to a new version, the previously installed kernel modules become incompatible with the Linux kernel. Thus, the agent downloads and installs the latest kernel support package regardless of whether or not the Automatically update kernel package when agent restarts setting is enabled.

In previous agent versions, the kernel driver update process always downloaded the latest kernel support package from the relay when an agent was restarted or the computer rebooted. For agent 20.0.0-3067 or later with Deep Security Manager 20.0.503 or later, you can disable optional kernel support package updates to improve performance. For details, see Supported features by platform.

Disable kernel support package updates on one computer

  1. In Deep Security Manager, go to Computers.
  2. Double-click the computer where you want to disable kernel support package updates (or select the computer and then select Details).
  3. Select Settings. From Automatically update kernel package when agent restarts, select No.
  4. Save your changes.

Disable kernel support package updates on multiple computers

  1. In Deep Security Manager, go to Policies.
  2. Double-click the policy that protects multiple computers where you want to disable kernel support package updates (or select the policy and then select Details).
  3. Select Settings. From Automatically update kernel package when agent restarts, select No.
  4. Save your changes.