Enable or disable agent self-protection on Linux
Agent self-protection prevents local users from tampering with the agent. When enabled, if a user tries to tamper with the agent, a message such as "Removal or modification of this application is prohibited by its security settings" is displayed.
The agent self-protection is supported on Linux and requires the Deep Security Agent version 20.0.0-5953 or later.
To uninstall Deep Security Agent, the user must first disable agent self-protection.
You can configure agent self-protection by using either Deep Security Manager or the command line on the agent's computer. However, you must configure agent self-protection through Deep Security Manager for the first time.
Before using agent self-protection, you have to enable at least one of the following:
- Anti-Malware
- Application Control
- Integrity Monitoring with Real Time enabled
- Activity Monitoring
Configure self-protection through Deep Security Manager
- Click Settings > General.
- In the Agent Self-Protection section, for Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent, select Yes.
- For Local override requires password, select Yes and type an authentication password.
  An authentication password is highly recommended because it prevents the unauthorized use of the dsa_control command. When a password is required, it must be entered with the dsa_control command using the -p or --passwd= option whenever a command is run on the agent.
- Click Save.
Configure self-protection using the command line
You can enable and disable self-protection using the command line, with one limitation: you cannot specify an authentication password. You need to use Deep Security Manager for that. See Configure self-protection through Deep Security Manager for details.
- Open the command prompt as an Administrator.
- Change the current directory to the Deep Security Agent installation folder. The following shows the default install folder:
  cd /opt/ds_agent
- Enter one of the following commands:
  To enable agent self-protection, enter:
  dsa_control --selfprotect=1
  To disable agent self-protection, enter:
  dsa_control --selfprotect=0 -p <password>
  where -p <password> is the authentication password, if one was specified previously in Deep Security Manager. For details on this password, see Configure self-protection through Deep Security Manager.
Limitations
- The agent service should not be stopped when the system is shutting down or rebooting. Stopping the service may prevent it from working properly after the reboot.
- The status of the agent service may be inconsistent. If you try to stop the agent service by running the stop command, the result is returned as successful; however, the agent service still runs as normal.
- If there is a running process that has the same name as an agent process in the system, it is added to the self-protection list. The protected process is protected from tampering.
- The agent service cannot be killed when Out-Of-Memory (OOM) happens.
- Oracle 6 (32-bit) platform does not support self-protection.
- If you have enabled secure boot and self-protection is not working, check your machine's kernel version. If the kernel version is 5.4 or earlier, upgrade to a kernel version that is later than 5.4.
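A pre-flight check for the two version requirements on this page (agent 20.0.0-5953 or later; a kernel later than 5.4 when secure boot is enabled), added here as an example and not taken from the product or its documentation. The function names are hypothetical, the agent version, kernel release and secure boot state are passed in as arguments, and "later than 5.4" is assumed to be judged on the major.minor pair.

```sh
#!/bin/sh
# Added example: pre-flight check before running "dsa_control --selfprotect=1".
MIN_AGENT_VERSION="20.0.0-5953"   # minimum agent version stated on this page

# to_fields "A.B.C-D" -> prints "A B C D"; fails unless the input starts with
# a digit and contains only digits, '.' and '-'.
to_fields() {
    case "$1" in
        ''|[!0-9]*|*[!0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$1" | tr '.-' '  '
}

# version_ge HAVE WANT -> 0 when HAVE >= WANT, 1 when older, 2 when malformed.
# Fields are compared numerically, so build 10000 is newer than build 5953.
version_ge() {
    have=$(to_fields "$1") || return 2
    want=$(to_fields "$2") || return 2
    set -- $have
    h1=${1:-0} h2=${2:-0} h3=${3:-0} h4=${4:-0}
    set -- $want
    for pair in "$h1:${1:-0}" "$h2:${2:-0}" "$h3:${3:-0}" "$h4:${4:-0}"; do
        h=${pair%%:*}; w=${pair##*:}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}

# kernel_ok RELEASE SECURE_BOOT(yes|no): the page constrains the kernel only
# when secure boot is enabled, in which case it must be later than 5.4.
# Assumption: only MAJOR.MINOR is compared, so every 5.4.x counts as 5.4.
kernel_ok() {
    [ "$2" = "yes" ] || return 0
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    version_ge "$major.$minor" "5.5"
}

# preflight AGENT_VERSION KERNEL_RELEASE SECURE_BOOT -> verdict on stdout.
preflight() {
    version_ge "$1" "$MIN_AGENT_VERSION" ||
        { echo "agent $1 is older than $MIN_AGENT_VERSION: not supported"; return 1; }
    kernel_ok "$2" "$3" ||
        { echo "secure boot on, kernel $2 is 5.4 or earlier: upgrade"; return 1; }
    echo "ok: run 'dsa_control --selfprotect=1' from /opt/ds_agent"
}

preflight "20.0.0-10000" "5.14.0-1-example" yes   # constructed sample values
```

On a real host the kernel release argument can be taken from `uname -r`.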
Troubleshooting
To recover the service status back to normal, follow these steps:
- Stop agent self-protection.
- Restart the agent service.
Agent self-protection resumes after the agent service restarts.