Environment
- Carbon Black Cloud Sensor
- Linux: All Supported Versions
Question
Why does the Linux sensor run as root?
Answer
The sensor needs to run as root so it can:
- Install, start, stop and communicate with its kernel driver
- Read arbitrary files on the file system in order to produce hashes for them
- Be able to upgrade itself (e.g. run the installer that in turn must be root)
- Depending on the specific query may need to access resources available only to root ((Audit and Remediation/Live Response))
- Kill bad processes (Enterprise EDR hashbanning, Endpoint Standard policy actions)
- Running as root affects calculations done by the OOM killer (to reduce the chance of killing a root process) and access to reserved memory.
Related Content