[Agent] How we could reduce the need for root privileges for beats. #134

Closed
elasticmachine opened this issue Oct 17, 2019 · 7 comments
Labels
discuss Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Comments

@elasticmachine
Collaborator

Original comment by @ph:

The Agent starts the beats process with the same user as the agent process which means root. This is less than ideal if we want to lock down the process and reduce the risk.

TODO:
Define stories

  • Behavior of Metricbeat
  • Behavior of Auditbeat
  • Behavior of Packetbeat.
@elasticmachine
Collaborator Author

Original comment by @ph:

@michalpristas I know we have logic in place to control group/user that a process is executed, but at the moment I don't think we ever exposed that to the end user.

@elasticmachine
Collaborator Author

Original comment by @ph:

cc @mattapperson for awareness.

@elasticmachine
Collaborator Author

Original comment by @michalpristas:

Also a sidenote: this should be configurable; the agent is capable of running a beat as a different user if configuration is provided.
We have this isolation story in the backlog for specifying namespaces when running processes; I think this should also help.
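
Added example (not part of the thread and not Elastic Agent's code): a sketch of how a root supervisor on Linux can start a child under a configured non-root uid/gid, which is the behaviour the comments above discuss. The `RunAs` stanza, the function names and the uid/gid 65534 are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"syscall"
)

// RunAs is a hypothetical config stanza naming the numeric uid/gid for a child.
type RunAs struct{ UID, GID string }

// credentialFor validates the stanza and refuses root identities outright.
func credentialFor(r RunAs) (*syscall.Credential, error) {
	uid, errU := strconv.ParseUint(r.UID, 10, 32)
	gid, errG := strconv.ParseUint(r.GID, 10, 32)
	if errU != nil || errG != nil {
		return nil, fmt.Errorf("uid/gid must be numeric: %q/%q", r.UID, r.GID)
	}
	if uid == 0 || gid == 0 {
		return nil, errors.New("refusing to start child as uid 0 or gid 0")
	}
	// NoSetGroups stays false, so the child gets an empty supplementary group list.
	return &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)}, nil
}

// buildCommand prepares the child with the dropped identity and a fixed environment.
func buildCommand(r RunAs, path string, args ...string) (*exec.Cmd, error) {
	cred, err := credentialFor(r)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(path, args...)
	cmd.SysProcAttr = &syscall.SysProcAttr{Credential: cred}
	cmd.Env = []string{"PATH=/usr/bin:/bin"} // do not pass the supervisor's environment
	return cmd, nil
}

func main() {
	cmd, err := buildCommand(RunAs{UID: "65534", GID: "65534"}, "/usr/bin/id") // constructed ids
	if err != nil || os.Geteuid() != 0 {
		fmt.Println("child not started (a root supervisor is needed to switch user):", err)
		return
	}
	out, err := cmd.CombinedOutput()
	fmt.Printf("%s%v\n", out, err)
}
```

A child started this way cannot bind privileged ports or open raw sockets, so beats that need those would require specific capabilities granted separately rather than full root.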

@ph ph changed the title [Discuss] How we could reduce the need for root privileges for beats. [Agent] How we could reduce the need for root privileges for beats. Nov 19, 2019
@elasticmachine
Collaborator Author

Pinging @elastic/ingest-management (Team:ingest-management)

@botelastic

botelastic bot commented Apr 19, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot closed this as completed May 19, 2021
@ph ph reopened this May 19, 2021
@jsoriano jsoriano added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Oct 29, 2021
@elasticmachine
Collaborator Author

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@jlind23 jlind23 transferred this issue from elastic/beats Mar 7, 2022
@jlind23
Contributor

jlind23 commented May 27, 2024

Closing this as done now that there is an unprivileged Elastic Agent experience. Example on Mac: #3867

@jlind23 jlind23 closed this as completed May 27, 2024