Non-privileged mode for OneAgent on Linux: best in class security that doesn’t compromise functionality

Non-privileged operation mode for OneAgent on Linux satisfies the requirement for a non-admin monitoring solution.

Managing complex, heterogeneous infrastructure environments can be a real challenge for many organizations. Dynatrace provides great monitoring capabilities that help you identify and resolve problems with the software in your environment. Of course, Dynatrace itself is also software. This is why we invest continuous effort into making Dynatrace components as reliable and, more importantly, as safe as possible to use within demanding and dynamic environments.

Non-privileged operation mode for OneAgent on Linux available with OneAgent version 1.175

Non-privileged operation mode for OneAgent on Linux satisfies the requirement for a non-admin monitoring solution. By combining full functionality with a reduced attack surface, Dynatrace provides a best-in-class solution for cloud environments.

The latest chapter in the story of how we reached this major milestone took place in May 2018 when, in an article explaining new and upcoming changes to OneAgent, we announced the Early Adopter program for a new operation mode for OneAgent for Linux that allows OneAgent to run in non-admin mode (i.e., “non-privileged mode”). We’re now happy to announce that this project—following careful testing and validation—has reached General Availability.

What problems does non-privileged mode solve?

Software is always at risk of attack, either by malicious programs operating unattended or by individuals using specially crafted tools. One of the most effective ways of defending against such attacks is to reduce the attack surface and to limit the potential impact should an attack succeed. One defensive approach is to run software with as few system permissions as possible and, thereby, to avoid running software with full admin or root permissions. The reasoning behind this recommendation is that if an attack is successful, the attacking program or individual who takes control of a particular piece of software gains only the system permissions associated with the compromised software. In other words, a process running with full root permissions poses a higher risk of harm than a process that is limited to non-admin user permissions.

With this recommendation in mind, we’ve implemented an operating mode for OneAgent for Linux that has a much smaller attack surface, thereby limiting the further damage an attacker could do should a compromise succeed.

How does it work?

Non-privileged mode for OneAgent for Linux takes advantage of Linux System Capabilities (LSC). LSC is a set of features of the Linux kernel that were first implemented in kernel v2.2 in the early 2000s and have been gradually improved and extended since then. Use of LSCs is recommended for all security-critical software, its adoption is growing, and many third-party software vendors already rely on it.

In short, Linux System Capabilities divide the root-permissions monolith into several dozen precise permissions, each of which enables a select set of system operations. LSCs are assigned to executable files, either by admins or by other software that holds the respective permissions. Such executables can then be run under unprivileged user accounts: they remain subject to all the usual permission restrictions except for the specific operations granted via LSC.

By its nature, OneAgent needs to be able to see what’s happening in the monitored system and collect data. Therefore, it needs some of the Linux System Capabilities to perform its functions properly. The specific list of system capabilities used by OneAgent and the affected modules are listed in Dynatrace Help.
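The capability sets that the kernel reports per process are what an operator checks to confirm that a deployment really is non-privileged. The following script is an added example, not code from the Dynatrace post or product: it decodes the Cap* lines of /proc/<pid>/status into capability names and reports any effective capability outside an allow-list. The sample status text and the allow-list are constructed for illustration; OneAgent's actual capability list is the one in Dynatrace Help.

```python
import re
from pathlib import Path

# Capability bit numbers as defined in <linux/capability.h> (bit 0 = CAP_CHOWN).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

def decode_caps(mask: int) -> set:
    """Turn a Cap* bitmask from /proc/<pid>/status into capability names."""
    return {CAP_NAMES[i] if i < len(CAP_NAMES) else f"CAP_{i}"
            for i in range(mask.bit_length()) if mask >> i & 1}

def parse_status(text: str) -> dict:
    """Extract CapInh/CapPrm/CapEff/CapBnd/CapAmb from the status text."""
    return {m.group(1): decode_caps(int(m.group(2), 16))
            for m in re.finditer(r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)", text, re.M)}

def unexpected_caps(text: str, allowed: set) -> set:
    """Effective capabilities the process holds beyond the allow-list."""
    return parse_status(text).get("CapEff", set()) - allowed

# Constructed sample: a uid-1000 process whose effective set is 0x80004,
# i.e. bits 2 and 19 (CAP_DAC_READ_SEARCH, CAP_SYS_PTRACE). The allow-list is
# illustrative only; OneAgent's actual capability list is in Dynatrace Help.
SAMPLE_STATUS = (
    "Name:\tmonitor\nUid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000080004\n"
    "CapEff:\t0000000000080004\nCapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n"
)
ALLOWED = {"CAP_DAC_READ_SEARCH", "CAP_SYS_PTRACE"}

if __name__ == "__main__":
    print("sample process holds:", sorted(parse_status(SAMPLE_STATUS)["CapEff"]))
    print("beyond allow-list:", sorted(unexpected_caps(SAMPLE_STATUS, ALLOWED)))
    me = Path("/proc/self/status")  # live check of this process, Linux only
    if me.exists():
        print("this process beyond allow-list:",
              sorted(unexpected_caps(me.read_text(), ALLOWED)))
```

Point the same check at the PID of a running agent process (e.g. /proc/<pid>/status) to confirm it holds only the capabilities the vendor documents and not the full bounding set.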

How to use non-privileged mode

Once OneAgent is deployed in non-privileged mode, it runs without superuser privileges while retaining all of its functionality: discovery, monitoring, data grouping, pushing data to Dynatrace clusters, and automatic instrumentation of numerous supported technologies with deep-monitoring modules. It also provides auto-update of all components. All steps of OneAgent deployment in non-privileged mode are fully automated and are initiated by invoking the installation with the following parameter:

$ sudo ./ NON_ROOT_MODE=1

Keep in mind that fully automated OneAgent deployment requires that the installation script be run with elevated privileges. This is the first and only time you need to grant full privileges to OneAgent; the privileges are dropped immediately after OneAgent deployment completes.

Prerequisites and exceptions

Non-privileged mode requires Linux kernel capability features that are available in the following kernel versions:

  • v2.6.26+ for Dynatrace OneAgent operation without root privileges.
  • v4.3+ (recommended systemd ≥ 221) for Dynatrace OneAgent automatic updates and full operation without root privileges.

Kernel versions between v2.6.26 and v4.3 benefit from non-privileged mode only partially: automatic updates are not performed in non-privileged mode, and the OneAgent installer runs with root permissions for the duration of the upgrade. You can suppress this elevation of privileges (and thereby effectively disable automatic updates) by adding the DISABLE_ROOT_FALLBACK parameter at the initial OneAgent installation. This and other parameters for customizing OneAgent deployment are explained in Dynatrace Help.

What are the next steps?

As of OneAgent version 1.175, we strongly suggest that existing customers plan a re-deployment of their OneAgents for Linux so that they all operate in non-privileged mode, and that they deploy all new OneAgents in this mode as soon as possible. For further details, see the complete instructions.

Going forward, we’ll change the OneAgent installer to default to non-privileged mode for all new installations.