Enable or disable agent self-protection on Linux

The agent self-protection feature is supported by Deep Security Agent version 20.0.0.5953 and later. This feature is available for agents on both Linux and Windows. For more information, see Enable or disable agent self-protection on Windows.

Agent self-protection prevents local users from tampering with the agent. When enabled, the user is prevented from tampering.

To uninstall Deep Security Agent, you must first disable agent self-protection.

You can configure agent self-protection by using either Deep Security Manager or the command line on the agent's computer. However, the first time you configure agent self-protection, you must do so through Deep Security Manager.

Before using agent self-protection, you must enable at least one of the following:

  • Anti-Malware

  • Application Control

  • Integrity Monitoring with Real Time enabled

  • Activity Monitoring

Configure self-protection through Deep Security Manager

  1. Click Settings > General.
  2. In the Agent Self-Protection section, for Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent, select Yes.
  3. For Local override requires password, select Yes and type an authentication password.
    An authentication password is highly recommended because it prevents the unauthorized use of the dsa_control command. When a password is required, it must be entered with the dsa_control command using the -p or --passwd= option whenever a command is run on the agent.
  4. Click Save.

Configure self-protection using the command line

You can enable and disable self-protection using the command line, with one limitation: you cannot specify an authentication password. You need to use Deep Security Manager for that. See Configure self-protection through Deep Security Manager for details.

  1. Open the command prompt as an Administrator.
  2. Change the current directory to the Deep Security Agent installation folder. The following shows the default install folder:

    cd /opt/ds_agent

  3. Enter one of the following commands:

    To enable agent self-protection, enter:

    ./dsa_control --selfprotect=1

    To disable agent self-protection, enter:

    ./dsa_control --selfprotect=0 -p <password>

    where -p <password> is the authentication password, if one was specified previously in Deep Security Manager. For details on this password, see Configure self-protection through Deep Security Manager.

Limitations

  • The agent service cannot be stopped when the system is shutting down or rebooting. Stopping the service may prevent it from working properly after the reboot.

  • The status of the agent service may be inconsistent. If you try to stop the agent service by running the stop command, the result is returned as successful; however, the agent service still runs as normal.

  • If there is a running process that has the same name as an agent process in the system, it is added to the self-protection list. The protected process is protected from tampering.

  • The agent service cannot be killed when Out-Of-Memory (OOM) happens.

  • The Oracle 6 (32-bit) platform does not support self-protection.

  • If you have enabled secure boot and self-protection is not working, check your machine's kernel version. If the kernel version is 5.4 or earlier, upgrade to a kernel version that is later than 5.4.
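
The Secure Boot and kernel version limitation above can be checked before self-protection is enabled. The following is an added example, not part of the product documentation: the function names are hypothetical, only the major.minor part of the kernel release is compared, and the Secure Boot state is read from the output of `mokutil --sb-state`, which is assumed to be installed.

```shell
#!/bin/sh
# Added example: preflight check for the Secure Boot / kernel limitation.
# Function names are hypothetical; only major.minor of the release is compared.

# Return 0 if kernel release $1 is later than 5.4, 1 if it is 5.4 or
# earlier, 2 if the release string cannot be parsed.
kernel_later_than_5_4() {
    release=$1
    major=${release%%.*}
    rest=${release#*.}
    [ "$rest" != "$release" ] || return 2      # no "." in the string
    minor=${rest%%[!0-9]*}                     # leading digits only
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -eq 5 ] && [ "$minor" -gt 4 ]; then return 0; fi
    return 1
}

# Map the text printed by `mokutil --sb-state` ($1) to a single word.
secure_boot_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# $1 = kernel release, $2 = mokutil output. Returns 0 when the limitation
# does not apply, 1 when a kernel upgrade (or a manual check) is needed.
selfprotect_preflight() {
    state=$(secure_boot_state "$2")
    if [ "$state" = disabled ]; then
        echo "ok: Secure Boot is disabled, limitation does not apply"
        return 0
    fi
    if kernel_later_than_5_4 "$1"; then
        echo "ok: Secure Boot $state, kernel $1 is later than 5.4"
        return 0
    fi
    echo "action: Secure Boot $state, kernel $1 is 5.4 or earlier or unparsable"
    return 1
}

# Live use on the agent host (assumes mokutil is installed):
if [ "${1:-}" = "--live" ]; then
    selfprotect_preflight "$(uname -r)" "$(mokutil --sb-state 2>/dev/null)"
fi
```

An unknown Secure Boot state is treated like an enabled one, so the kernel check still runs when `mokutil` is missing or prints nothing.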

Troubleshooting

To return the service status to normal, follow these steps:

  1. Stop agent self-protection.

  2. Restart the agent service.

Agent self-protection resumes after the agent service restarts.