OneAgent security on Linux
To fully automate the monitoring of your operating systems, processes, and network interfaces, OneAgent performs the following changes to your system.
OneAgent is tested extensively to ensure that it has minimal performance impact on your system and conforms to the highest security standards.
By default, OneAgent is installed in non-privileged mode, in which superuser privileges are used once to initiate the installation process. OneAgent is then run under an unprivileged user, retaining the complete set of functionalities. For details and system requirements, see OneAgent non-privileged mode on Linux
OneAgent performs the following privileged operations. Depending on whether OneAgent runs in non-privileged or privileged mode, the scope of operations is the same, only the underlying mechanism differs. In privileged mode, OneAgent runs as root, while non-privileged mode utilizes the Linux System Capabilities.
- Access the list of open sockets for each process.
- Access the list of libraries loaded for each process.
- Access the name and path of the executable file for each process.
- Access command-line parameters for each process.
- Monitor network traffic.
- Read application configuration files.
- Parse executables for Go Discovery.
- Gather monitoring data related to Docker containers.
If you have Log Monitoring enabled, root privileges are also required for:
- Accessing system logs:
- Accessing the list of open file handlers for each process (
- Accessing the log file for each process.
Operating system changes
The OneAgent installer performs the following changes to your system:
dtuseruser is created. You can change the default name using the
oneagentservice is registered in the system init.
ABRT(Red Hat) and
Apport(Debian) services are stopped and disabled.
- A custom SELinux module is installed on systems with SELinux enabled. The sources of the SELinux module installed by the OneAgent installer are available under
- Installs OneAgent components in the system library directories.
- Sets up
/etc/ld.so.preloadto automatically monitor processes.
The OneAgent installer modifies the following system files:
/etc/sysctl.confare modified to enable core dump processing by
oneagentdumpproc. The original
core_patternconfiguration will still work following installation and will be preserved in
/opt/dynatrace/oneagent/agent/conf/original_core_pattern, where you can define your own core settings using the format as specified in Linux Programmer's Manual. See Linux core dump handling for more information.
/etc/ld.so.preloadis modified to enable auto-injection into processes.
OneAgent modifies the following files during its operation:
- The OneAgent wrapper overwrites the
/var/vcap/packages/runc/bin/runcfile (Garden runc) to allow injection. This happens periodically during runtime. The original file is stored as
runc-originaland is restored by the uninstall script.
- On CRI-O hosts (OCI-based implementation of Kubernetes Container Runtime Interface), the crio hook (
oneagent_crio_injection-0.1.0.json) is copied to the path specified in the
hooks_dirparameter of the CRI-O configuration file (
/etc/crio/crio.conf). If the
hooks_dirparameter is not set, one of the default paths is used, either
/usr/share/containers/oci/hooks.d/. The hook is removed by the uninstall script.
The OneAgent installer adds the following files to your system:
- OneAgent binaries and configuration files are saved in
/opt/dynatrace/oneagent. Note that you can change the location using the INSTALL_PATH parameter.
- Startup scripts are copied to
/etc/init.don systems with SystemV and to
/etc/systemd/systemon systems with systemd.
liboneagentproc.sois placed in the system library directories, which vary depending on a distribution. For example,
- Ubuntu 14.04 (with 32-bit libraries installed):
- Fedora 25:
- OpenSUSE 42.2:
- CentOS 7.3 and Red Hat Enterprise Linux 6:
- Ubuntu 14.04 (with 32-bit libraries installed):
- OneAgent temporary files and runtime configuration are saved in
- OneAgent persistent configuration is saved in
- Large runtime data, such as memory dumps, is saved in
/var/lib/dynatrace/oneagent/datastorage. Note that you can change the location of large runtime data using the DATA_STORAGE parameter.
System logs downloaded by OneAgent
OneAgent downloads certain system logs so that Dynatrace can diagnose issues that may be caused by conditions in your environment. Most often such issues are related to deep monitoring or automatic updates.
- Output of
- Output of
/bin/journalctl --utc -a -n 10000command
To revoke access to system logs, use the
oneagentctl command with the
--set-system-logs-access-enabled parameter set to
For more information, see OneAgent configuration via command-line interface
Globally writable directories
The OneAgent directory structure contains globally writable directories (
1777 permissions). Changing these permissions by users is not supported.
OneAgent injection mechanism
Such permissions on the selected set of directories are necessary for successful OneAgent injection into the processes on the monitored hosts. When OneAgent injects into a process, the code module responsible for injection runs in the context of the original injected process. Consequently, the users under which these processes are run need to be permitted to write into the OneAgent directory structure, which is the reason for the global write permissions that allow that.
Similarly, certain log files require global write permissions (
666) to allow applications running under various users to write to them.
We're aware that global read and write permissions on OneAgent directories get flagged by security scan heuristics, but we can assure you that they're fully secure.
- We keep the number of globally writable directories as limited as possible.
- All these directories have a sticky bit set (actual permissions are
1777). Only the file's owner, the directory's owner, or the root user can modify the files in the directory. This is standard practice that makes the permissions more robust. It's also used for the Linux
/tmpdirectory to prevent ordinary users from deleting or moving other users' files.