OneAgent security on Windows
To fully automate the monitoring of your operating systems, processes, and network interfaces, Dynatrace requires privileged access to your operating system during both installation and operation.
Note:
OneAgent is tested extensively to ensure that it has minimal performance impact on your system and conforms to the highest security standards.
Permissions
OneAgent requires admin privileges on Windows, for both installation and operation.
Installation
OneAgent installer requires admin privileges to:
- Create the OneAgent service.
- Modify certain registry keys.
- Install WinPcap.
- Install oneagentmon device.
Operation
OneAgent requires admin privileges to:
- List all processes.
- Get memory statistics for all processes.
- Read each process command line and environment.
- View the descriptions of executable files.
- Read application configuration for Apache and IIS
- View the list of libraries loaded for each process.
- Read Windows registry keys.
- Read .NET application domain for .NET 2.0, 3.0, and 3.5.
- Start monitoring network traffic.
- Parse executables for Go Discovery.
- Gather monitoring data related to Docker containers.
Operating system changes
OneAgent performs the following changes to your system:
Installation
OneAgent installer modifies the following aspects of your system:
- Starting with version 1.195, no user account is created to run OneAgent extensions. Instead, the
NT AUTHORITY\SYSTEM
privileged system account is used. For more information, see OneAgent extension user. - The
Dynatrace OneAgent
service is created. - The Dynatrace OneAgent program is registered with Windows Installer.
oneagentmon
driver is installed andOneAgentMon
device is created. It's required to enable automatic injection into processes.- WinPcap is installed
- Registry sub-trees are created:
HKEY_LOCAL_MACHINE\SOFTWARE\Dynatrace\OneAgent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oneagentmon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dynatrace OneAgent
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer
Operation
- Each time a Docker service is discovered and grouped,
dtuser
is added to Access Control List of\\.\pipe\docker_engine
withGENERIC_ALL
rights.
Files added
Installation
OneAgents installer adds the following files to your system:
- OneAgent binaries and configuration files are saved in
%PROGRAMFILES%\dynatrace\oneagent
. Note that you can change the location using the INSTALL_PATH parameter. - Installer temporary files are saved in
C:\AI_RecycleBin
. The folder is deleted after the installation is complete.
Operation
- OneAgent temporary files and runtime configuration are saved in
%PROGRAMDATA%\dynatrace\oneagent\runtime
. - OneAgent persistent configuration is saved in
%PROGRAMDATA%\dynatrace\oneagent\config
. - Large runtime data, such as memory dumps, is saved in
%PROGRAMDATA%\dynatrace\oneagent\datastorage
. Note that you can change the location of large runtime data using the DATA_STORAGE parameter.
System logs downloaded by OneAgent
OneAgent downloads Security, System, and Application system logs from the last 14 days so that Dynatrace can diagnose issues that may be caused by conditions in your environment. Most often such issues are related to deep monitoring or automatic updates.
Globally writable directories
The OneAgent directory structure contains globally writable directories (directories where the Everyone
user group can write, modify, or execute). Changing these permissions by users is not supported.
OneAgent injection mechanism
Such permissions on the selected set of directories are necessary for successful OneAgent injection into the processes on the monitored hosts. When OneAgent injects into a process, the code module responsible for injection runs in the context of the original injected process. Consequently, the users under which these processes are run need to be permitted to write into the OneAgent directory structure, which is the reason for the global write permissions that allow that.
Similarly, certain log files require global write permissions to allow applications running under various users to write to them.
System security
We're aware that global read and write permissions on OneAgent directories get flagged by security scan heuristics, but we can assure you that they're fully secure.
- We keep the number of globally writable directories as limited as possible.
- We leverage advanced file permissions and use the
Creator Owner
permission to limits access to files.