Linux
View all Worklets
LinuxLinux

Linux - Configuration - Ensure the SentinelOne Agent is Running

Verify SentinelOne Agent service status on Linux endpoints and auto-restart sentinelone.service when it stops

Worklet Details

What the SentinelOne Linux agent verifier does

This Automox Worklet™ verifies that the SentinelOne Agent is running on Linux endpoints and restores the service when it has stopped. The Worklet uses the sentinelctl command-line tool to query agent state and systemctl to drive recovery. A healthy sentinelctl control status returns exit code 0 and the evaluation script ends without invoking systemctl, so a recurring policy reads the agent state on every pass without disturbing the running daemon.

Evaluation runs sentinelctl control status against the binary at /usr/bin/sentinelctl. A zero exit code means the agent is healthy and the endpoint is marked compliant. A non-zero exit code marks the endpoint for remediation. If /usr/bin/sentinelctl is not present, the Worklet treats the host as out of scope for SentinelOne and exits 0 without flagging it, so the same policy can run against a fleet where only a subset of Linux servers carries the agent.

Remediation restarts the sentinelone.service unit through systemctl restart sentinelone.service, then calls sentinelctl control start to bring the agent process back online. The script re-runs sentinelctl control status to confirm the agent reports healthy. A successful restart exits 0; a failed restart exits 1 with a message in stderr that surfaces in the Automox activity report for follow-up by IT Operations.

Why enforce a healthy SentinelOne Agent on every Linux endpoint

SentinelOne Singularity is the EDR runtime that observes process execution, network activity, and file operations on the host. A stopped sentinelone.service is an EDR blind spot. While the agent is down, ransomware, in-memory malware, and lateral-movement tooling can land on the endpoint without telemetry reaching the SentinelOne console. Linux servers carrying production workloads or developer workstations holding source repositories are exactly the hosts an attacker wants to find unmonitored. Compliance programs that map to CIS Benchmarks, NIST 800-53 control SI-3, PCI-DSS Requirement 5, and SOC 2 CC7.1 all require endpoint anti-malware to be running and actively monitored, and an audit that catches a stopped agent for weeks is a finding.

A SentinelOne daemon that gets killed by an OOM event, masked by a config-management run, or stopped during a vendor maintenance window will silently stay down until something asks systemctl about it. Run this Worklet on the Linux server, container host, and developer workstation groups in the same evaluation window as your patch policy; sentinelctl reports the stopped state on the next pass, systemctl restart sentinelone.service brings it back, and the SOC's detection coverage closes before the next telemetry-gap report.

How SentinelOne agent status verification works

  1. Evaluation phase: The Worklet checks for the SentinelOne binary at /usr/bin/sentinelctl. If the file is absent, the endpoint is out of scope for SentinelOne and the Worklet exits 0. If the file is present, the Worklet runs sentinelctl control status with stdout and stderr discarded. A zero exit code means the agent is healthy and reports compliant. A non-zero exit code flags the endpoint for remediation.

  2. Remediation phase: The Worklet runs systemctl restart sentinelone.service to recycle the systemd unit, then sentinelctl control start to bring the agent process back online. It re-runs sentinelctl control status to verify the restart took effect. A passing post-check exits 0 with a success message. A failing post-check exits 1 with a message written to stderr, which lands in the Automox activity report alongside the policy run identifier.

SentinelOne agent verification requirements

  • Linux endpoint running RHEL, CentOS, Rocky, Alma, Ubuntu, or Debian under systemd

  • SentinelOne Agent installed with the sentinelctl binary at /usr/bin/sentinelctl

  • sentinelone.service registered with systemd (the standard install path on supported distributions)

  • Root or sudo privileges for the Automox agent, which the default agent context already grants

  • Outbound connectivity to the SentinelOne management console so the agent can re-register on restart

  • FixNow compatible, so an operator can trigger a one-off verification against any endpoint or group from the Automox console without waiting for the next scheduled run

Expected SentinelOne agent state after remediation

After a successful remediation run, sentinelctl control status returns a zero exit code on the endpoint and the sentinelone.service unit reports active (running) under systemctl status sentinelone.service. The agent resumes real-time threat detection, behavioral analysis, and incident response across processes, network sockets, and file system events. No reboot is required, and the SentinelOne console reflects the heartbeat on its next check-in cycle.

To validate from the endpoint, run sentinelctl control status and systemctl is-active sentinelone.service. Both should return success. For audit evidence, capture the journalctl -u sentinelone.service log around the timestamp of the policy run and store it with the Automox run identifier. Subsequent policy evaluations report the endpoint as compliant without applying remediation again, because sentinelctl control status returns 0 and the Worklet exits early. If the agent stops again later, the next evaluation flags the endpoint and the same remediation path runs without operator intervention.

View in app
evalutation image
remediation image

Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.

do more with worklets