Shawn G. asked ·

Minimum Linux rights for Agent install

Due to the constraints of utilizing root access on Linux systems we utilize essentially a sudoer account and group that allows us to run elevated commands without the use of root. Since the OneAgent is attempting to hook to so many items I am looking to get an exact list of every command we need in order to build out a sudoer account without providing root access. I found some information in the Dynatrace Help that told me some items, however this seems a little incomplete. Would anyone be able to provide that information? I realize that can be an open ended question especially when dealing with apps that may utilize their own sudoer user/groups. But, this is something that will be needed in order to move us into a more standard build.

During install

OneAgent requires root privileges for:

  • Installing OneAgent components in system library directories.
  • Setting up /etc/ld.so.preload to automatically monitor processes.
  • Adapting SELinux policies to allow for the monitoring of processes.

During operation

OneAgent requires root privileges for:

  • Accessing the list of open sockets for each process.
  • Accessing the list of libraries loaded for each process.
  • Accessing the name and path of the executable file for each process.
  • Accessing command line parameters for each process.
  • Monitoring network traffic.

Thank you for your time.

Regards,

Shawn Givan

Tags: oneagent, installation, process groups

Grzegorz P. answered ·

Shawn,

As a software architect responsible for some aspects of the OneAgent, I should be able to help you.

You are right that the installation and upgrade require root. Upgrade is done through a similar package as installation. The updater package is downloaded by /opt/ruxit/agent/lib(64)/ruxitagent into the /opt/ruxit/downloads directory and called from there without any parameters. The name of the updater package has the new version and build numbers embedded in it.

Autoinjection has two forms:

1. Regular processes are injected via the /etc/ld.so.preload configuration, so after the installer sets this up no root rights are necessary. Every autoinjected process starts without any rights modification. Sometimes, though, modifications are made to SELinux profiles for such processes because of additional files that the injected agent must access. SELinux profile modifications are done by the installer.

2. Processes running inside Docker containers are injected by the /opt/ruxit/agent/lib(64)/ruxitagenthelper process, which must run under root. ruxitagenthelper is started if needed by the ruxitagent process.

The ruxitagent process is controlled by /opt/ruxit/agent/lib(64)/ruxitwatchdog, which also needs to be started by root.

All the processes mentioned above are started with a small set of parameters that can be figured out from "ps" output and usually don't change.

There is one issue I have to mention here. All the settings that you come up with for sudo might get broken by a change in a later version of OneAgent. It is still undergoing a lot of development and such a breaking change might happen without any notice from Dynatrace, since sudo role setups are not currently supported.

Regards,

Grzegorz Pawełczak


Grzegorz,

Thank you. This is exactly what I was looking for. Also, I totally understand that this is not supported and we will probably run into some challenges as we are building this out. Greatly appreciate your input.

Regards,

Shawn Givan

Shawn G. answered ·

Grzegorz,

Thank you for your response. This helps us understand that for installation we would require root access. I want to go a step deeper in this to understand exactly what needs to run as root from an agent operating perspective.

In this case I am specifically talking about the agent performing items such as an upgrade, deep-level configuration, or even a stop and start of the agent. For example, I may have one of my pbroles configured by using the following command defined in my role to start my security gateway process: "/etc/init.d/ruxitgateway start". I have no problem starring this out, but this would just be an example of one configuration. Same thing with an installation script that requires extra parameters: I would use "/opt/ruxit/upgrader/upgrader.sh *" so I can pass those parameters. I want to make sure that when the agent is auto-injecting or upgrading I develop a role on the server that will allow the agent to perform the function correctly. Anything that would be post-installation, especially since this will drop root on a lot of items. Would you happen to know this information?

Regards,

Shawn Givan


Grzegorz P. answered ·

Shawn, here is what I found by tracing the OneAgent installation script on 64-bit Ubuntu 15.10:

/bin/cat /bin/chmod /bin/chown /bin/cp /bin/date /bin/df /bin/grep /bin/ln /bin/mkdir /bin/mount /bin/mv /bin/rm /bin/sed /bin/sleep /bin/systemctl /bin/systemd-tty-ask-password-agent /bin/tar /bin/uname /lib64/ld-linux-x86-64.so.2 /opt/ruxit_11505/others/sample32 /opt/ruxit_11505/others/sample64 /opt/xzdec64 /sbin/ldconfig /sbin/ldconfig.real /usr/bin/arch /usr/bin/awk /usr/bin/basename /usr/bin/chmod /usr/bin/comm /usr/bin/cut /usr/bin/dirname /usr/bin/expr /usr/bin/find /usr/bin/id /usr/bin/ldd /usr/bin/pkttyagent /usr/bin/systemctl /usr/bin/tail /usr/bin/touch /usr/bin/tr /usr/bin/which /usr/bin/xargs /usr/lib/insserv/insserv /usr/sbin/groupadd /usr/sbin/update-rc.d

There are two problems:

  1. Temporary directories are used to execute two tests: sample32 and sample64. I don't know how comfortable you are with having wildcards in the sudoers policy.
  2. The exact list of commands executed from the script may vary slightly depending on distribution and version.

Apart from that, the list of external commands called by the OneAgent executables running under root privileges is quite tightly controlled and wherever possible root privileges are dropped.

Probably all /opt/ruxit/agent/lib64 and /opt/ruxit/agent/lib executables have to be allowed, though some (e.g. ruxitagentnetwork) drop root after initialization.

In some cases OneAgent runs external commands like the java runtime to check their version number, but it is always done after changing to an unprivileged non-login user (ruxitusr).

Let me know if this helps.

Regards, Grzegorz Pawełczak
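The two problems named in this answer (wildcard paths for the sample32/sample64 tests, and a command list that is much broader than it looks) can be checked mechanically before a sudoers fragment goes into production. The following script is an added example, not code from the thread or from Dynatrace; it parses Cmnd_Alias lines from a constructed fragment built from a subset of the traced command list (the user name "dynatrace", the alias names and the /opt/ruxit_*/ wildcard are assumptions) and flags wildcard entries and utilities that, run as root, can write arbitrary files or execute other programs, which makes the "minimal" policy root-equivalent.

```python
"""Audit a sudoers fragment built from the traced installer command list."""
import os
import re
from typing import Dict, List, Tuple

# Constructed sudoers fragment (assumed user "dynatrace", assumed alias names).
# The paths are a subset of the list in the answer above; the /opt/ruxit_*/
# wildcard stands in for the build-numbered temporary directory the answer
# mentions (/opt/ruxit_11505 in the trace).
SUDOERS_FRAGMENT = r"""
Cmnd_Alias ONEAGENT_INSTALL = /bin/cat, /bin/chmod, /bin/chown, /bin/cp, \
    /bin/grep, /bin/sed, /bin/tar, /usr/bin/awk, /usr/bin/find, /usr/bin/xargs, \
    /opt/ruxit_*/others/sample32, /opt/ruxit_*/others/sample64, \
    /sbin/ldconfig, /usr/sbin/groupadd
Cmnd_Alias ONEAGENT_RUN = /opt/ruxit/agent/lib64/ruxitwatchdog, \
    /opt/ruxit/agent/lib64/ruxitagent, /opt/ruxit/agent/lib64/ruxitagenthelper
dynatrace ALL=(root) NOPASSWD: ONEAGENT_INSTALL, ONEAGENT_RUN
"""

# Utilities that, when runnable as root, let the caller write arbitrary files
# or run other programs, so granting them is equivalent to granting root.
ROOT_EQUIVALENT = {"cp", "mv", "ln", "chmod", "chown", "tar", "mount",
                   "sed", "awk", "find", "xargs", "tee"}


def parse_cmnd_aliases(text: str) -> Dict[str, List[str]]:
    """Return {alias: [command, ...]}, honouring backslash line continuations."""
    joined = re.sub(r"\\\n\s*", " ", text)
    aliases: Dict[str, List[str]] = {}
    for line in joined.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
    return aliases


def audit(aliases: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Flag (alias, command, reason) for wildcard and root-equivalent entries."""
    findings = []
    for alias, cmds in aliases.items():
        for cmd in cmds:
            path = cmd.split()[0]          # ignore any argument restriction
            if any(ch in path for ch in "*?["):
                findings.append((alias, cmd, "wildcard"))
            elif os.path.basename(path) in ROOT_EQUIVALENT:
                findings.append((alias, cmd, "root-equivalent"))
    return findings
```

Running audit(parse_cmnd_aliases(SUDOERS_FRAGMENT)) flags the two sample32/sample64 wildcards and eight root-equivalent utilities in ONEAGENT_INSTALL, while the ONEAGENT_RUN agent binaries pass; a policy that grants those eight is not materially safer than granting root for the install step.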

mobile monitoring dotnet synthetic monitoring reports iis chat kubernetes servicenow amazon web services mysql mainframe rest api errors cassandra dashboard oneagent sdk cmc application monitoring openkit smartscape request attributes monitoring developer community user tagging log monitoring services ufo syntheticadvisory activegate ip addresses auto-detection high five award oracle hyperion webserver uem usql iib test automation license web performance monitoring ios news migration management zones index ibm mq web services custom event alerts notifications sso host monitoring knowledge sharing reports browser monitors java hybris sap vmware maintenance window user action naming javascript appmon ai synthetic classic availability tipstricks automation extensions session replay diagnostic tools permissions davis assistant faq documentation problem detection http monitors server easytravel apdex aws-quickstart network docker tags and metadata cloud foundry google cloud platform synthetic monitoring process groups account usability dynatrace saas gui paas openshift key user actions administration user actions postgresql synthetic locations oneagent security Dynatrace Managed user management custom python technologies mongodb openstack user session monitoring continuous delivery citrix configuration alerting NGINX action naming linux nam installation masking error reporting database mission control jmeter recorder apache mobileapp RUM php threshold azure purepath davis scripting agent aix nodejs android