
Run Agent as Non-Root User

Overview

If you install agent v5.2 and later directly on the host (RPM or Debian packages), you can run the agent as a non-root user using Linux capabilities.

Existing host deployments of agents that get upgraded to v5.2 can also enable the non-root mode.

Agents running inside containers will continue to run with root user privileges and are not impacted by this feature.

Prerequisites

Before you run the agent as a non-root user:

  1. Ensure that your system's kernel version is 4.3 or later (check with uname -r). Kernel versions prior to v4.3 do not support the ambient capabilities that the agent requires to keep its privileges after switching users.

  2. Create a service account user called lacework-user without a login shell, and disable password access for the user:

    sudo useradd -r -s /sbin/nologin lacework-user
    sudo usermod -L lacework-user

    Important

    The service account user must not have a login shell and should be treated as a privileged account, because the agent processes running under it hold Linux capabilities. Lacework also recommends disabling password access for the user.

Run Agent as Non-Root User

Enable the non-root mode (capsmode) explicitly in the agent configuration file (config.json) as follows:

    "privileges" : {
        "capsmode" : "enable"
    }

capsmode is the mode in which the agent relies on Linux capabilities to carry out privileged actions instead of running with root user privileges.

The agent still starts as root, as before, so there is no need to reinstall existing agents to enable this feature.

At startup, the agent switches to the user lacework-user (default) and uses Linux capabilities for privileged actions. If your system does not meet the prerequisites (for example, the kernel is older than 4.3 or the configured user does not exist), the agent continues to run as the root user.

Agent Properties

When the agent switches to Linux capabilities:

  • The controller process starts as root. After reading the configuration, it switches to the configured user (default is lacework-user). It then starts the collector as the configured user.
  • After the controller pivots to the configured user, it keeps running under that user and does not switch back and forth to root.
  • A fixed set of Linux capabilities has been identified as required for the agent to operate. The agent retains every capability in that set and does not drop any of them.
  • In existing deployments where the agent is running as root, files and directories (/var/lib/lacework, /var/log/lacework) maintained by the agent are owned by root. When you run an agent as a non-root user, existing files and directories preserve their root ownership. New files and directories (such as localdb, or the binary written during an upgrade) created by the agent will be owned by the configured user (default lacework-user).
  • You can configure a user other than lacework-user (default). Create the user and add it to the config.json file:
    "privileges" : {
        "capsmode" : "enable",
        "user" : "any-user"
    }
  • Any changes to privileges in the configuration file require an agent restart to take effect.
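The following script is an added example, not Lacework's own tooling, that ties the procedure above together: it checks the kernel prerequisite, confirms capsmode is enabled in config.json, and after the restart verifies that a given agent process really pivoted to the service account and still holds effective capabilities. The facts it relies on (kernel 4.3 for ambient capabilities, the privileges.capsmode key, the default user lacework-user) come from this page; the config path /var/lib/lacework/config.json, uid 994 for lacework-user, and the sample /proc/<pid>/status texts with their capability masks are assumptions constructed for illustration and are not the agent's real capability set.

```bash
#!/usr/bin/env bash
# Added example, not Lacework's own tooling: pre-flight checks before enabling
# capsmode, and a post-restart check that the agent pivoted to the service
# account without losing its capabilities. Assumed: the config path below,
# uid 994 for lacework-user, and the constructed sample status texts, whose
# capability masks are illustrative and NOT the agent's real set.
set -u
CONFIG="${LW_CONFIG:-/var/lib/lacework/config.json}"   # assumed location

# Ambient capabilities appeared in Linux 4.3; accepts `uname -r` output.
kernel_supports_ambient_caps() {
    local ver="$1" major minor
    major="${ver%%.*}"
    case "$ver" in
        *.*) minor="${ver#*.}"; minor="${minor%%[!0-9]*}" ;;
        *)   minor=0 ;;
    esac
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 3 ]; then return 0; fi
    return 1
}

# True when the config file enables capsmode (grep-based; no jq needed).
capsmode_enabled() {
    grep -Eq '"capsmode"[[:space:]]*:[[:space:]]*"enable"' "$1"
}

# Capability names in bit order (0 = chown ... 40 = checkpoint_restore),
# as defined in linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# Print the names set in a hex mask from /proc/<pid>/status (CapEff, CapAmb,
# ...), one per line, lowest bit first.
decode_caps() {
    local mask i=0 name
    mask=$(printf '%d' "0x$1")
    for name in $CAP_NAMES; do
        [ $(( (mask >> i) & 1 )) -eq 1 ] && echo "$name"
        i=$((i + 1))
    done
    return 0
}

# Given the text of /proc/<pid>/status and the expected uid, verify that the
# process runs as that uid (real uid, first Uid: column) and still holds
# effective capabilities, then print the decoded CapEff set. A plain
# `ps -o user` check would pass a process that pivoted but has CapEff 0,
# and such a process can no longer perform the agent's privileged actions.
check_agent_process() {
    local status="$1" want_uid="$2" uid capeff
    uid=$(printf '%s\n' "$status" | awk '/^Uid:/ {print $2}')
    capeff=$(printf '%s\n' "$status" | awk '/^CapEff:/ {print $2}')
    if [ "${uid:-}" != "$want_uid" ]; then
        echo "process runs as uid '${uid:-?}', expected $want_uid" >&2
        return 1
    fi
    if [ "$(printf '%d' "0x${capeff:-0}")" -eq 0 ]; then
        echo "uid ok but CapEff is empty: privileged actions will fail" >&2
        return 1
    fi
    decode_caps "$capeff"
}

# Constructed sample of a collector that pivoted correctly. A capability can
# be ambient only if it is also permitted and inheritable, which is why the
# Inh/Prm/Eff/Amb sets carry the same (illustrative) mask here.
SAMPLE_STATUS='Name: collector
Uid: 994 994 994 994
CapInh: 0000000000083004
CapPrm: 0000000000083004
CapEff: 0000000000083004
CapAmb: 0000000000083004'

# Constructed sample of an agent that stayed root (prerequisites not met).
ROOT_STATUS='Name: collector
Uid: 0 0 0 0
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapAmb: 0000000000000000'

# Live use after restarting the agent:  ./capsmode_check.sh --live <pid> [user]
live_check() {
    local pid="$1" user="${2:-lacework-user}" uid
    kernel_supports_ambient_caps "$(uname -r)" ||
        { echo "kernel $(uname -r) lacks ambient capabilities; agent stays root" >&2; return 1; }
    capsmode_enabled "$CONFIG" ||
        { echo "capsmode not enabled in $CONFIG" >&2; return 1; }
    uid=$(id -u "$user") || return 1
    check_agent_process "$(cat "/proc/$pid/status")" "$uid"
}

if [ "${1:-}" = "--live" ]; then
    live_check "${2:?pid required}" "${3:-lacework-user}"
fi
```

Run it with --live and the pid of the controller or collector after the restart; if you configured a user other than lacework-user in privileges.user, pass that user as the third argument so the uid comparison matches. On a real system the fields in /proc/<pid>/status are tab-separated, which awk handles the same way as the spaces in the constructed samples. The decode_caps function exists only so the script runs offline; where libcap is installed, capsh --decode=<hex> gives the same answer.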