
Carbon Black Cloud: Why Does the Linux Sensor Run as Root?

Environment

  • Carbon Black Cloud Sensor
  • Linux: All Supported Versions

Question

Why does the Linux sensor run as root?

Answer

The sensor needs to run as root so it can:
  • Install, start, stop and communicate with its kernel driver
  • Read arbitrary files on the file system in order to hash them
  • Upgrade itself (e.g. run the installer, which itself must run as root)
  • Access resources available only to root, depending on the query or command issued (Audit and Remediation, Live Response)
  • Kill malicious processes (Enterprise EDR hash banning, Endpoint Standard policy actions)
  • Benefit from the kernel's treatment of root-owned processes: the OOM killer's calculation is less likely to select a root process for termination, and root can draw on memory reserved for privileged processes
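To verify the last two points on a host, the effective UID and OOM standing of a process can be read straight from /proc. The script below is an added example written for this article, not Carbon Black's code; it assumes the sensor's main process is named cbagentd (check the name with ps on your own host) and falls back to inspecting the current shell so it can be tried anywhere.

```shell
#!/bin/sh
# Added example (not Carbon Black's code): report the effective UID and OOM
# standing of a process from /proc. The process name "cbagentd" below is an
# assumption about the sensor; confirm it with `ps` before relying on it.

# Effective UID: the Uid: line in /proc/<pid>/status lists real, effective,
# saved and filesystem UIDs, so the effective UID is the third field.
proc_euid() {
    awk '/^Uid:/ { print $3 }' "/proc/$1/status"
}

# Administrator-set OOM adjustment: -1000 means never killed, 1000 means
# killed first. A sensor that must survive memory pressure should not sit
# at the high end of this range.
proc_oom_score_adj() {
    cat "/proc/$1/oom_score_adj"
}

# Badness score the OOM killer would currently use for this process.
proc_oom_score() {
    cat "/proc/$1/oom_score"
}

# One-line report; a sensor running as root shows euid=0 runs_as=root.
report() {
    pid=$1
    euid=$(proc_euid "$pid")
    printf 'pid=%s euid=%s ' "$pid" "$euid"
    if [ "$euid" = "0" ]; then
        printf 'runs_as=root '
    else
        printf 'runs_as=unprivileged '
    fi
    printf 'oom_score_adj=%s oom_score=%s\n' \
        "$(proc_oom_score_adj "$pid")" "$(proc_oom_score "$pid")"
}

# Report on every cbagentd process (assumed name); if none is running,
# report on this shell so the script still demonstrates the checks.
main() {
    pids=$(pgrep -x cbagentd 2>/dev/null || true)
    [ -n "$pids" ] || pids=$$
    for p in $pids; do
        report "$p"
    done
}

main
```

Run it as root on a host with the sensor installed to confirm that the sensor's processes show euid=0 and that nobody has pushed their oom_score_adj upward; a non-zero euid or a high adjustment would contradict the assumptions the list above relies on.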

Article Information

Creation Date: 10-27-2020