To fully automate the monitoring of your operating systems, processes, and network interfaces, OneAgent performs the following changes to your system.
OneAgent is tested extensively to ensure that it has minimal performance impact on your system and conforms to the highest security standards.
By default, OneAgent is installed in non-privileged mode, in which superuser privileges are used once to initiate the installation process. OneAgent is then run under an unprivileged user, retaining the complete set of functionalities. For details and system requirements, see OneAgent non-privileged mode on Linux
OneAgent performs the following privileged operations. Depending on whether OneAgent runs in non-privileged or privileged mode, the scope of operations is the same, only the underlying mechanism differs. In privileged mode, OneAgent runs as root, while non-privileged mode utilizes the Linux System Capabilities.
If you have Log Monitoring enabled, root privileges are also required for:
/var/log/syslog and /var/log/messages./proc file system).The OneAgent installer performs the following changes to your system:
dtuser user is created. You can change the default name using the USER installation parameter.oneagent service is registered in the system init.ABRT (Red Hat) and Apport (Debian) services are stopped and disabled.{install-dir}/agent/SELinuxPolicy, /opt/dynatrace/oneagent/agent/SELinuxPolicy by default./etc/ld.so.preload to automatically monitor processes.The OneAgent installer modifies the following system files:
/proc/sys/kernel/core_pattern and /etc/sysctl.conf are modified to enable core dump processing by oneagentdumpproc. The original core_pattern configuration will still work following installation and will be preserved in /opt/dynatrace/oneagent/agent/conf/original_core_pattern, where you can define your own core settings using the format as specified in Linux Programmer's Manual. See Linux core dump handling for more information./etc/ld.so.preload is modified to enable auto-injection into processes.OneAgent modifies the following files during its operation:
/var/vcap/packages/runc/bin/runc file (Garden runc) to allow injection. This happens periodically during runtime. The original file is stored as runc-original and is restored by the uninstall script.oneagent_crio_injection-0.1.0.json) is copied to the path specified in the hooks_dir parameter of the CRI-O configuration file (/etc/crio/crio.conf). If the hooks_dir parameter is not set, one of the default paths is used, either /etc/containers/oci/hooks.d/ or /usr/share/containers/oci/hooks.d/. The hook is removed by the uninstall script.The OneAgent installer adds the following files to your system:
/opt/dynatrace/oneagent. Note that you can change the location using the INSTALL_PATH parameter./etc/init.d on systems with SystemV and to /etc/systemd/system on systems with systemd.liboneagentproc.so is placed in the system library directories, which vary depending on a distribution. For example,
/lib32 and /lib/x86_64-linux-gnu/lib64/lib and /lib64/lib and /lib64/var/lib/dynatrace/oneagent/runtime./var/lib/dynatrace/oneagent/agent/config./var/lib/dynatrace/oneagent/datastorage. Note that you can change the location of large runtime data using the DATA_STORAGE parameter.OneAgent downloads certain system logs so that Dynatrace can diagnose issues that may be caused by conditions in your environment. Most often such issues are related to deep monitoring or automatic updates.
/var/log/boot.log/var/log/dmesg/var/log/dpkg.log/var/log/kern.log/var/log/messages/var/log/syslog/var/log/yum.log/var/log/audit/audit.log/var/log/zypper.log/etc/nsswitch.conf/usr/sbin/apparmor_status command/bin/journalctl --utc -a -n 10000 commandTo revoke access to system logs, use the oneagentctl command with the --set-system-logs-access-enabled parameter set to false.
For more information, see OneAgent configuration via command-line interface
The OneAgent directory structure contains globally writable directories (1777 permissions). Changing these permissions by users is not supported.
Such permissions on the selected set of directories are necessary for successful OneAgent injection into the processes on the monitored hosts. When OneAgent injects into a process, the code module responsible for injection runs in the context of the original injected process. Consequently, the users under which these processes are run need to be permitted to write into the OneAgent directory structure, which is the reason for the global write permissions that allow that.
Similarly, certain log files require global write permissions (666) to allow applications running under various users to write to them.
We're aware that global read and write permissions on OneAgent directories get flagged by security scan heuristics, but we can assure you that they're fully secure.
1777). Only the file's owner, the directory's owner, or the root user can modify the files in the directory. This is standard practice that makes the permissions more robust. It's also used for the Linux /tmp directory to prevent ordinary users from deleting or moving other users' files.