About the accounts used by Endpoint Protection / Endpoint Security on Linux systems
Article ID: 214759
Products
Cloud Workload Protection, Endpoint Protection, Data Center Security Server, Endpoint Security Complete, Endpoint Security
Issue/Introduction
What is the dcscaf account running on Linux instances installed with CWP/SEP/SES/DCS agent?
What other users / groups does Symantec create and use?
Environment
SEP 14.3 RU1 and higher, CWP/SEP/SES/DCS agent installed on a Linux operating system
Resolution
The "dcscaf" user is a service account created by the Common Agent Framework component (cafservice or cafagent for short) of the Linux agent.
It is created during installation of the agent. Note the following points about this account:
Although it is in sudoers, its sudo capabilities are limited to executing /usr/sbin/dmidecode.
It does not have the privileges to run any other sudo command.
It cannot be used to log in to any shell.
This is a service account: cafservice runs in its context, and the component daemons communicate with each other in this account's context. It cannot be removed.
Other user accounts created: sisips, dcscaf
Groups: sisips, dcscaf, avdefs
These Symantec users/groups are unprivileged except for the dcscaf user as noted above. Sisamddaemon and sisipsdaemon run as root to do their jobs.
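One way to check on a host that dcscaf still matches the properties listed above (no login shell, sudo limited to /usr/sbin/dmidecode). This is an added example, not Symantec tooling or part of the original article. The function names are hypothetical, and the passwd entries and `sudo -l -U` listings are constructed samples, including the assumed form of the sudoers rule.

```bash
#!/bin/sh
# Added example: check dcscaf against the properties stated in this article.
# All sample inputs are constructed, not captured from a real agent host.
ALLOWED_SUDO_CMD="/usr/sbin/dmidecode"  # the only sudo command the article lists

# Succeeds if field 7 of a passwd(5) line is a non-interactive shell.
has_nologin_shell() {
    case "$(printf '%s\n' "$1" | cut -d: -f7)" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one command per line from `sudo -l -U <user>` output. Rule lines are
# indented and begin with a "(runas)" spec; tags such as NOPASSWD: are dropped.
# Simplification: assumes no escaped commas inside command arguments.
sudo_commands() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]\{1,\}([^)]*)[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/^\([A-Z_]\{1,\}:[[:space:]]*\)*//; s/[[:space:]]*$//; /^$/d'
}

# Returns 0 only if the shell is non-interactive and no sudo command other
# than the allowed one is listed; prints each deviation.
audit_dcscaf() {
    rc=0
    has_nologin_shell "$1" || { echo "FAIL: interactive or missing login shell"; rc=1; }
    while IFS= read -r cmd; do
        [ -z "$cmd" ] || [ "$cmd" = "$ALLOWED_SUDO_CMD" ] ||
            { echo "FAIL: unexpected sudo command: $cmd"; rc=1; }
    done <<EOF
$(sudo_commands "$2")
EOF
    return "$rc"
}

# Constructed samples: UID, GID, home directory and host name are made up.
GOOD_PASSWD='dcscaf:x:995:993::/home/dcscaf:/sbin/nologin'
GOOD_SUDO='Matching Defaults entries for dcscaf on host1:
    !visiblepw, env_reset

User dcscaf may run the following commands on host1:
    (root) NOPASSWD: /usr/sbin/dmidecode'
DRIFT_PASSWD='dcscaf:x:995:993::/home/dcscaf:/bin/bash'
DRIFT_SUDO='User dcscaf may run the following commands on host1:
    (root) NOPASSWD: /usr/sbin/dmidecode, ALL'

audit_dcscaf "$GOOD_PASSWD" "$GOOD_SUDO" && echo "OK: matches the article"
audit_dcscaf "$DRIFT_PASSWD" "$DRIFT_SUDO" || echo "drift detected"
# On a live host: audit_dcscaf "$(getent passwd dcscaf)" "$(sudo -l -U dcscaf)"
```

Running the live-host form requires root, because `sudo -l -U` lists another user's privileges.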