Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add steps and details for running 'unprivileged' Elastic Agent #1087

Merged
merged 15 commits into from
Jun 27, 2024
Merged
7 changes: 7 additions & 0 deletions docs/en/ingest-management/commands.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -565,6 +565,7 @@ elastic-agent install --url <string>
[--proxy-url <string>]
[--staging <string>]
[--tag <string>]
[--unprivileged]
[global-flags]
----

Expand Down Expand Up @@ -607,6 +608,7 @@ elastic-agent install --fleet-server-es <string>
[--proxy-url <string>]
[--staging <string>]
[--tag <string>]
[--unprivileged]
[--url <string>] <3>
[global-flags]
----
Expand Down Expand Up @@ -774,6 +776,11 @@ use these tags to filter the list of agents in {fleet}.
NOTE: Currently, there is no way to remove or edit existing tags. To change the
tags, you must unenroll the {agent}, then re-enroll it using new tags.

`--unprivileged`::
Run {agent} without full superuser privileges.
This option is useful in organizations that limit `root` access on Linux or macOS systems, or `admin` access on Windows systems.
For details and limitations for running {agent} in this mode, refer to <<elastic-agent-unprivileged>>.

`--url <string>`::
{fleet-server} URL to use to enroll the {agent} into {fleet}.

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,184 @@
[[elastic-agent-unprivileged]]
= Run {agent} without administrative privileges

Beginning with {stack} version 8.15, {agent} is no longer required to be run by a user with superuser privileges. You can now run agents in an `unprivileged` mode that does not require `root` access on Linux or macOS, or `admin` access on Windows. Being able to run agents without full administrative privileges is often a requirement in organizations where this kind of access is often very limited.

In general, agents running without full administrative privileges will perform and behave exactly as those run by a superuser. There are certain integrations and datastreams that are not available, however. If an integration requires root access, this is <<unprivileged-integrations,indicated on the integration main page>>.

// Add mention of the System integration data streams.

You can also <<unprivileged-change-mode,change the privilege mode>> of an {agent} after it has been installed.

Refer to <<unprivileged-command-behaviors>> and <<unprivileged-running>> for the requirements and steps associated with running an agent without full `root` or `admin` superuser privileges.

* <<unprivileged-running>>
* <<unprivileged-command-behaviors>>
* <<unprivileged-integrations>>
* <<unprivileged-view-mode>>
* <<unprivileged-change-mode>>

[discrete]
[[unprivileged-running]]
== Run {agent} in `unprivileged` mode

To run {agent} without administrative privileges you use exactly the same commands that you use for {agent} otherwise, with one exception. When you run the <<elastic-agent-install-command,`elastic-agent install`>> command, add the `--unprivileged` flag. For example:

[source,shell]
----
elastic-agent install \
--url=https://cedd4e0e21e240b4s2bbbebdf1d6d52f.fleet.eu-west-1.aws.cld.elstc.co:443 \
--enrollment-token=NEFmVllaa0JLRXhKebVKVTR5TTI6N2JaVlJpSGpScmV0ZUVnZVlRUExFQQ== \
--unprivileged
----

IMPORTANT: On Linux systems, when you install {agent} using the `--unprivileged` flag, {agent} commands should not be run with `sudo`.
Doing so may result in <<agent-sudo-error,an error>> due to the agent not having the required privileges.

[discrete]
[[unprivileged-command-behaviors]]
== Agent and dashboard behaviors in unprivileged mode

In addition to the <<unprivileged-integrations,integrations that are not available>> when {agent} is run in unpriviledged mode, certain data streams are also not available. The following tables show, for different operating systems, the impact when the agent does not have full administrative privileges. In most cases the limitations can be mediated by granting permissions for a user or group to the files indicated.

.macOS
[options,header]
|===
|Action |Behavior in unprivileged mode |Resolution

|Run {agent} with the System integration
|Log file error: `Unexpected file opening error: Failed opening /var/log/system.log: open /var/log/system.log: permission denied`.
|Give read permission to the `elastic-agent` group for the `/var/log/system.log` file to fix this error.

|Run {agent} with the System integration
|On the `[Logs System] Syslog` dashboard, the `Syslog events by hostname`, `Syslog hostnames and processes` and `Syslog logs` visualizations are are missing data.
|Give read permission to the `elastic-agent` group for the `/var/log/system.log` file to fix the missing visualizations.

|Run {agent} with the System integration
|On the `[Metrics System] Host overview` dashboard, only the processes run by the `elastic-agent-user` user are shown in the CPU and memory usage lists.
|To fix the missing processes in the visualization lists you can add add the `elastic-agent-user` user to the system `admin` group. Note that while this mitigates the issue, it also grants `elastic-agent user` with more permissions than may be desired.

|Run {agent} and access the {agent} dashboards
|On the `[Elastic Agent] Agents info` dashboard, visualizations including `Most Active Agents` and `Integrations per Agent` are missing data.
|To fix the missing data in the visualizations you can add add the `elastic-agent-user` user to the system `admin` group. Note that while this mitigates the issue it also grants `elastic-agent user` with more permissions than may be desired.

|Run {agent} and access the {agent} dashboards
|On the `[Elastic Agent] Integrations` dashboard, visualizations including `Integration Errors Table`, `Events per integration` and `Integration Errors` are missing data.
|To fix the missing data in the visualizations you can add add the `elastic-agent-user` user to the system `admin` group. Note that while this mitigates the issue it also grants `elastic-agent user` with more permissions than may be desired.

|===

.Linux
[options,header]
|===
|Action |Behavior in unprivileged mode |Resolution

|Run {agent} with the System integration
|Log file error: `[elastic_agent.filebeat][error] Harvester could not be started on new file: /var/log/auth.log.1, Err: error setting up harvester: Harvester setup failed. Unexpected file opening error: Failed opening /var/log/auth.log.1: open /var/log/auth.log.1: permission denied`
|To avoid the error you can add add the `elastic-agent-user` user to the `adm` group. Note that while this mitigates the issue it also grants `elastic-agent user` with more permissions than may be desired.

|Run {agent} with the System integration
|Log file error: `[elastic_agent.metricbeat][error] error getting filesystem usage for /run/user/1000/gvfs: error in Statfs syscall: permission denied`
|To avoid the error you can add add the `elastic-agent-user` user to the `adm` group. Note that while this mitigates the issue it also grants `elastic-agent user` with more permissions than may be desired.

|Run {agent} with the System integration
|On the `[Logs System] Syslog` dashboard, the `Syslog events by hostname`, `Syslog hostnames and processes` and `Syslog logs` visualizations are are missing data.
|To fix the missing data in the visualizations you can add add the `elastic-agent-user` user to the `adm` group. Note that while this mitigates the issue it also grants `elastic-agent user` with more permissions than may be desired.

|Run {agent} and access the {agent} dashboards
|On the `[Elastic Agent] Agents info` dashboard, visualizations including `Most Active Agents` and `Integrations per Agent` are missing data.
|Giving read permission to the `elastic-agent` group for the `/var/log/system.log` file will partially fix the visualizations, but errors may still occur because the `elastic-agent-user` does not have read access to files in the `/run/user/1000/` directory.
// It'd be nice if we can expand on this, even if just to say why that read access can't be given.

|Run {agent} and access the {agent} dashboards
|On the `[Elastic Agent] Integrations` dashboard, visualizations including `Integration Errors Table`, `Events per integration` and `Integration Errors` are missing data.
|Give read permission to the `elastic-agent` group for the `/var/log/system.log` file to fix the missing visualizations.

|===

.Windows
[options,header]
|===
|Action |Behavior in unprivileged mode |Resolution

|Run {agent} with the System integration
|Log file error: `failed to open Windows Event Log channel "Security": Access is denied`
|Add the `elastic-agent-user` user to the `Event Log Users` group to fix this error.

|Run {agent} with the System integration
|Log file error: `cannot open new key in the registry in order to enable the performance counters: Access is denied`
|Update the permissions for the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PartMgr` registry to fix this error.

|Run {agent} with the System integration
|Most of the System and {agent} dashboard visualizations are missing all data.
|Add the `elastic-agent-user` user to the `Event Log Users` group and update the permissions for the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PartMgr` registry to fix the missing visualizations.

Note that the `elastic-agent-user` user may still not have access to all processes, so the lists in the `Top processes by CPU usage` and `Top processes by memory usage` visualizations may be incomplete.

|Run {agent} with the System integration
|On the `[Metrics System] Host overview` dashboard, the `Disk usage` visualizations are missing data.
|This occurs because direct access to the disk or a volume is restricted and not available to users without administrative privileges. Refer to link:https://learn.microsoft.com/en-us/windows/win32/secbp/running-with-special-privileges[Running with Special Privileges] in the Microsoft documentation for details.
kilfoyle marked this conversation as resolved.
Show resolved Hide resolved

|===

[discrete]
[[unprivileged-integrations]]
== Using Elastic integrations

// Add mention of the System integration data streams.

Most Elastic integrations support running {agent} in unprivileged mode. For the exceptions, any integration that requires {agent} to have root privileges has the requirement indicated at the top of the integration page in {kib}:

[role="screenshot"]
image::images/integration-root-requirement.png[Elastic Defend integration page showing root requirement]

As well, a warning is displayed in {kib} if you try to add an integration that requires root privileges to an {agent} policy that has agents enrolled in unprivileged mode.

[role="screenshot"]
image::images/unprivileged-agent-warning.png[Warning indicating that root privileged agent is required for an integration]

Examples of integrations that require {agent} to have administrative privileges are:

* link:https://docs.elastic.co/en/integrations/endpoint[{elastic-defend}]
* link:https://docs.elastic.co/integrations/auditd_manager[Auditd Manager]
* link:https://docs.elastic.co/integrations/fim[File Integrity Monitoring]
* link:https://docs.elastic.co/integrations/network_traffic[Network Packet Capture]
* link:https://docs.elastic.co/integrations/system_audit[System Audit]
* link:https://docs.elastic.co/integrations/profiler_agent[Universal Profiling Agent]

[discrete]
[[unprivileged-view-mode]]
== Viewing an {agent} privilege mode

For any {agent} policy you can view the number of agents that are currently running in privileged or unprivileged mode:

. In {fleet}, open the **Agent policies** tab.

. Click the agent policy to view the policy details.

The number of agents enrolled with the policy is shown. Hover over the link to view the number of privileged and unpriviled agents.

[role="screenshot"]
image::images/privileged-and-unprivileged-agents.png[Agent policy tab showing 1 unprivileged agent and 0 privileged enrolled agents]

In the event that the {agent} policy has integrations installed that require root privileges, but there are agents running without root privileges, this is shown in the tooltip.

[role="screenshot"]
image::images/root-integration-and-unprivileged-agents.png[Agent policy tab showing 1 unprivileged agent and 0 privileged enrolled agents]

[discrete]
[[unprivileged-change-mode]]
== Changing an {agent}'s privilege mode

If an agent doesn't have the right level of privilege to read a data source, you can adjust the agent's privileges by adding `elastic-agent-user` to the user group that has privileges to read the data source.

As background, when you run {agent} in `unprivileged` mode, one user and one group are created on the host. The same names are used for all operating systems:

* `elastic-agent-user`: The user that is created and that the {agent} service runs as.
* `elastic-agent`: The group that is created. Any user in this group has access to control and communicate over the control protocol to the {agent} daemon.

For example:

. When you install {agent} with the `--unprivileged` setting, the `elastic-agent-user` user and the `elastic-agent` group are created automatically.
. If you then want your user `myuser` to be able to run an {agent} command such as `elastic-agent status`, add the `myuser` user to the `elastic-agent` group.
. Then, once added to the group, the `elastic-agent status` command will work. Prior to that, the user `myuser` running the command will result in a permission error that indicates a problem communicating with the control socket.

Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
2 changes: 2 additions & 0 deletions docs/en/ingest-management/index.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,8 @@ include::elastic-agent/ingest-pipeline-kubernetes.asciidoc[leveloffset=+3]

include::elastic-agent/configuration/env/container-envs.asciidoc[leveloffset=+3]

include::elastic-agent/elastic-agent-unprivileged-mode.asciidoc[leveloffset=+2]

include::elastic-agent/install-agent-msi.asciidoc[leveloffset=+2]

include::elastic-agent/installation-layout.asciidoc[leveloffset=+2]
Expand Down
14 changes: 11 additions & 3 deletions docs/en/ingest-management/tab-widgets/download.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,12 @@ endif::[]

ifeval::["{release-state}"!="unreleased"]

IMPORTANT: To simplify upgrading to future versions of {agent}, we recommended
that you use the tarball distribution instead of the DEB distribution.
[IMPORTANT]
====
* To simplify upgrading to future versions of {agent}, we recommended
that you use the tarball distribution instead of the RPM distribution.
* You can install {agent} in an `unprivileged` mode that does not require `root` privileges. Refer to <<elastic-agent-unprivileged>> for details.
====

["source","sh",subs="attributes"]
----
Expand All @@ -28,8 +32,12 @@ endif::[]

ifeval::["{release-state}"!="unreleased"]

IMPORTANT: To simplify upgrading to future versions of {agent}, we recommended
[IMPORTANT]
====
* To simplify upgrading to future versions of {agent}, we recommended
that you use the tarball distribution instead of the RPM distribution.
* You can install {agent} in an `unprivileged` mode that does not require `root` privileges. Refer to <<elastic-agent-unprivileged>> for details.
====

["source","sh",subs="attributes"]
----
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -59,8 +59,7 @@ Find troubleshooting information for {fleet}, {fleet-server}, and {agent} in the
* <<pgp-key-download-fail>>
* <<fleet-server-integration-removed>>
* <<agent-oom-k8s>>


* <<agent-sudo-error>>


[discrete]
Expand Down Expand Up @@ -807,3 +806,20 @@ To detect the problem, run the `kubectl describe pod` command and check the resu
----

To resolve the problem, allocate additional memory to the agent and then restart it.

[discrete]
[[agent-sudo-error]]
== Error when running {agent} commands with `sudo`

On Linux systems, when you install {agent} <<elastic-agent-unprivileged,without administrative privileges>>, that is, using the `--unprivileged` flag,
{agent} commands should not be run with `sudo`. Doing so may result in an error due to the agent not having the required privileges.

For example, when you run {agent} with the `--unprivileged` flag, running the `elastic-agent inspect` command will result in an error like the following:

[source,sh]
----
Error: error loading agent config: error loading raw config: fail to read configuration /Library/Elastic/Agent/fleet.enc for the elastic-agent: fail to decode bytes: cipher: message authentication failed
----

To resolve this, either run {agent} without the `--unprivileged` flag so that it has administrative access, or run the {agent} commands without the `sudo` prefix.