Does Dynatrace require privileged access to my operating system?

To fully automate the monitoring of your operating systems, processes, and network interfaces, Dynatrace requires privileged access to your operating system during both installation and operation.

Since version 141, Dynatrace OneAgent can run in non-root mode on Linux. The feature is available as a public beta. See Linux non-root mode below.

Note
Dynatrace OneAgent is tested extensively to ensure that it has minimal performance impact on your system and conforms to the highest security standards.

Installation

Dynatrace OneAgent requires admin privileges for:

  • Creating the Dynatrace OneAgent service.
  • Modifying certain registry keys.
  • Installing WinPcap.
  • Installing the oneagentmon device.

If you have Log Analytics enabled, admin privileges are also required for:

  • Creating the Dynatrace Log Analytics OneAgent configuration file, which stores security flags (for example, log content access and log auto-detection) and rules that define files that should be treated as log files (based on file extension and location).

Operation

Dynatrace OneAgent requires admin privileges to:

  • List all processes.
  • Get memory statistics for all processes.
  • Read each process command line and environment.
  • View the descriptions of executable files.
  • Read application configuration for Apache and IIS.
  • View the list of libraries loaded for each process.
  • Read Windows registry keys.
  • Read .NET application domain for .NET 2.0, 3.0, and 3.5.
  • Start monitoring network traffic.
  • Parse executables for Go Discovery.
  • Gather monitoring data related to Docker containers.

If you have Log Analytics enabled, admin privileges are also required to:

  • Access system logs: System/Application/Security Event logs.
  • Access the list of open file handles for each process (low-level WinAPI calls).
  • Access the log file for each process.

Linux non-root mode

Public beta

Since version 141, you can install Dynatrace OneAgent in non-root mode, in which superuser privileges are used only once, to initiate the installation process.

Dynatrace OneAgent then runs under an unprivileged user while retaining its complete set of functionality.

The feature is available as public beta.

See How do I install Dynatrace OneAgent? to learn how to enable the non-root mode during the Dynatrace OneAgent installation.

Installation

When run in non-root mode, the Dynatrace OneAgent installer requires superuser privileges to:

  • Set file capabilities for OneAgent binaries located under /opt/Dynatrace/oneagent/agent/lib[64]/*.
  • Invoke oneagent service script to start oneagentwatchdog.

Root privileges are then dropped by switching to dtuser (an unprivileged user whose login shell is set to nologin), retaining the cap_sys_kill capability.

Dynatrace OneAgent starts and runs all other processes under an unprivileged user without superuser access.

Automatic updates and operation

The scope of privileges required by Dynatrace OneAgent depends on the kernel version, specifically on whether it supports Linux ambient capabilities.

For kernel 4.3 and newer

During an automatic update, the installer starts under the unprivileged dtuser with the proper ambient capabilities set. Dynatrace OneAgent doesn't require root access to perform the automatic update.

For kernels between 2.6.26 and 4.3

Dynatrace OneAgent works under the unprivileged dtuser in the majority of cases. When the kernel doesn't provide ambient capabilities, it automatically elevates its privileges to superuser level using setuid(0) in the following cases:

  • Dynatrace OneAgent automatic updates,
  • host OSI ID generation on Azure hosts,
  • Docker containers properties detection,
  • self-diagnostics.

If you don't want to grant superuser privileges to Dynatrace OneAgent, you can disable this fallback by adding the DISABLE_ROOT_FALLBACK=1 parameter to the Dynatrace OneAgent installation command. For example:

sudo /bin/sh Dynatrace-Agent-Linux-1.0.0.sh NON_ROOT_MODE=1 DISABLE_ROOT_FALLBACK=1

In that case, you have to perform manual updates on individual hosts. We don't recommend using the DISABLE_ROOT_FALLBACK=1 parameter for OneAgents on Azure hosts or in Docker containers.
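The installation and operation sections above describe a privilege profile (file capabilities on the agent libraries, a switch to dtuser that keeps cap_sys_kill, ambient capabilities on kernels 4.3 and newer, and a setuid(0) fallback on older kernels). The following shell script is an added example for verifying that profile on a host; it is not Dynatrace code. It assumes the unprivileged user is named dtuser and the libraries sit under the path given above, it maps the page's cap_sys_kill to the kernel's CAP_KILL (bit 5 of the capability masks in /proc/<pid>/status), and its --audit flag is the script's own convention. The sample status lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Dynatrace code): audit a Linux non-root OneAgent
# deployment against the profile described in the documentation above.
# Assumptions: the unprivileged user is dtuser, the agent libraries live
# under the documented path, and the page's "cap_sys_kill" is the kernel's
# CAP_KILL (bit 5 in the CapEff/CapAmb masks of /proc/<pid>/status).

CAP_KILL=5      # kernel bit for the signal-sending capability
CAP_SETUID=7    # the bit setuid(0) needs, i.e. the root-fallback path
ONEAGENT_LIBS="/opt/Dynatrace/oneagent/agent/lib /opt/Dynatrace/oneagent/agent/lib64"

# kernel_has_ambient_caps "<uname -r>" -> true when the kernel is 4.3 or newer,
# the version from which ambient capabilities are available.
kernel_has_ambient_caps() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # "3-generic" -> "3"
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 3 ]; }
}

# cap_in_mask <hex mask> <bit> -> true when that capability bit is set
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# status_field <field> <contents of /proc/<pid>/status> -> prints the value
status_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p"
}

# check_process_caps <status text> <kernel version> -> true when the process
# matches the documented profile: CAP_KILL effective and nothing that would
# let it become root again (CAP_SETUID). Findings are printed as they occur.
check_process_caps() {
    status=$1
    kernel=$2
    eff=$(status_field CapEff "$status")
    amb=$(status_field CapAmb "$status")
    ok=0
    if ! cap_in_mask "$eff" "$CAP_KILL"; then
        echo "  finding: CAP_KILL missing from the effective set"
        ok=1
    fi
    if cap_in_mask "$eff" "$CAP_SETUID"; then
        echo "  finding: CAP_SETUID is effective, so setuid(0) is still possible"
        ok=1
    fi
    if kernel_has_ambient_caps "$kernel"; then
        echo "  info: ambient capabilities supported, CapAmb=${amb:-n/a}"
    else
        echo "  info: kernel predates ambient capabilities, root fallback applies"
    fi
    return $ok
}

# Constructed sample status excerpts (not captured from a real host).
# 0x20 is bit 5 (CAP_KILL); 0xa0 adds bit 7 (CAP_SETUID).
SAMPLE_STATUS_GOOD='Name:   oneagentwatchdog
Uid:    1001    1001    1001    1001
CapPrm: 0000000000000020
CapEff: 0000000000000020
CapAmb: 0000000000000000'
SAMPLE_STATUS_BAD='Name:   oneagentwatchdog
Uid:    1001    1001    1001    1001
CapPrm: 00000000000000a0
CapEff: 00000000000000a0
CapAmb: 0000000000000000'

# Live audit of this host: file capabilities on the agent libraries and the
# capability sets of every dtuser process. Runs only with --audit (this
# script's own flag) so the helpers above can also be exercised offline.
audit_host() {
    kernel=$(uname -r)
    echo "kernel $kernel"
    for d in $ONEAGENT_LIBS; do
        [ -d "$d" ] && getcap -r "$d" 2>/dev/null
    done
    for pid in $(pgrep -u dtuser); do
        echo "pid $pid:"
        if check_process_caps "$(cat "/proc/$pid/status")" "$kernel"; then
            echo "  ok"
        fi
    done
}

if [ "${1:-}" = "--audit" ]; then
    audit_host
else
    echo "sample good profile:"; check_process_caps "$SAMPLE_STATUS_GOOD" "5.15.0"
    echo "sample bad profile:";  check_process_caps "$SAMPLE_STATUS_BAD" "2.6.32" || echo "  (flagged as expected)"
fi
```

Run it with --audit on a host where OneAgent is installed to list the file capabilities the installer set and to confirm that dtuser processes hold CAP_KILL but not CAP_SETUID; the CapAmb line is only meaningful on kernels 4.3 and newer, where the page says automatic updates run without root. A process showing CAP_SETUID effective is worth checking against whether DISABLE_ROOT_FALLBACK=1 was intended for that host.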

Tip

To learn more about Linux capabilities, refer to Linux man pages and chapter 39 of "The Linux Programming Interface."