Run Agent as Non-Root User
beta feature
This topic describes functionality that is currently in beta.
Overview
If you install agent v5.2 and later directly on the host (RPM or Debian packages), you can run the agent as a non-root user using Linux capabilities.
Existing host deployments of agents that get upgraded to v5.2 can also enable the non-root mode.
Agents running inside containers will continue to run with root user privileges and are not impacted by this feature.
Prerequisites
Before you run the agent as a non-root user:
- Ensure that your system's kernel version is 4.3 or later. Kernel versions prior to v4.3 do not support ambient capabilities required by the agent.
- Create a user called lacework-user:
sudo useradd -r -s /sbin/nologin lacework-user
Run Agent as Non-Root User
Enable the non-root mode (capsmode) explicitly in the agent configuration file (config.json) as follows:
"privileges" : {
"capsmode" : "enable"
}
capsmode is the mode in which the agent relies on Linux capabilities to carry out privileged actions instead of using root user privileges.
The agent starts as a root user as before so there is no need to reinstall existing agents to enable this feature.
At startup, the agent switches to user lacework-user (default) and uses Linux capabilities for privileged actions. If your system does not meet the prerequisites, the agent continues to run as the root user.
Agent Properties
When the agent switches to Linux capabilities:
- The controller process starts as root. After reading the configuration, it switches to the configured user (default is lacework-user). It then starts the collector as the configured user.
- After the controller pivots to the configured user, it keeps running under that user and does not switch back and forth to root.
- A set of Linux capabilities has been identified for the agent to operate. The agent will not drop any of the capabilities in the required set.
- In existing deployments where the agent is running as root, files and directories maintained by the agent (/var/lib/lacework, /var/log/lacework) are owned by root. When you run the agent as a non-root user, existing files and directories preserve their root ownership. New files and directories created by the agent (such as localdb, or the binary written during an upgrade) are owned by the configured user (default lacework-user).
- You can configure a user other than lacework-user (default). Create the user and add it to the config.json file:
"privileges" : {
"capsmode" : "enable",
"user" : "any-user"
}
- Any changes to privileges in the configuration file require an agent restart to take effect.
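As an added example (not Lacework's own tooling), the two shell checks below cover the procedure above: the kernel prerequisite for ambient capabilities, and a post-restart check that a given agent process has actually left root while keeping an ambient capability set. The sample /proc status excerpts are constructed; on a live host, pass /proc/<controller-pid>/status instead.

```shell
#!/bin/sh
# Added example, not Lacework's code. Assumes POSIX sh with awk and sed.

# Return 0 when a kernel release string (default: uname -r) is 4.3 or later,
# the first kernel with ambient capabilities (the CapAmb set in /proc/<pid>/status).
kernel_supports_ambient_caps() {
    ver=${1:-$(uname -r)}
    major=${ver%%[!0-9]*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0          # no minor part at all, e.g. "4"
    minor=${rest%%[!0-9]*}
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    [ "$major" -gt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -ge 3 ] && return 0
    return 1
}

# Return 0 when the /proc/<pid>/status text in file $1 shows a process that has
# pivoted away from root (real UID != 0) and still holds a non-empty ambient
# capability set, which is what the controller and collector should show.
status_shows_nonroot_with_caps() {
    uid=$(awk '/^Uid:/ {print $2}' "$1")
    amb=$(awk '/^CapAmb:/ {print $2}' "$1")
    [ -n "$uid" ] && [ -n "$amb" ] || return 1    # no CapAmb line: kernel < 4.3
    [ "$uid" -ne 0 ] || return 1                   # still root: prerequisites unmet
    [ -n "$(printf '%s' "$amb" | sed 's/^0*//')" ] # all-zero mask: no ambient caps
}

# Constructed sample: a process that pivoted to UID 998 (a system user such as
# lacework-user) and kept an ambient capability set.
SAMPLE_STATUS=$(mktemp)
cat > "$SAMPLE_STATUS" <<'EOF'
Name:   example-agent
Uid:    998     998     998     998
Gid:    998     998     998     998
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapAmb: 00000000a80425fb
EOF

# Constructed sample: a process that never left root and has no ambient caps.
ROOT_STATUS=$(mktemp)
printf 'Uid:\t0\t0\t0\t0\nCapAmb:\t0000000000000000\n' > "$ROOT_STATUS"
```

On a live host, run `kernel_supports_ambient_caps && status_shows_nonroot_with_caps /proc/<pid>/status` after restarting the agent; a failure of the second check with the first passing means the pivot did not happen and the agent is still running as root.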