About the accounts used by Endpoint Protection / Endpoint Security on Linux systems

Article ID: 214759

Updated On:

Products

Cloud Workload Protection, Endpoint Protection, Data Center Security Server, Endpoint Security Complete, Endpoint Security

Issue/Introduction

What is the dcscaf account on Linux instances that have the CWP/SEP/SES/DCS agent installed?

What other users / groups does Symantec create and use?

Environment

SEP 14.3 RU1 and higher, CWP/SEP/SES/DCS agent installed on Linux Operating system

Resolution

The "dcscaf" user is a service account created by the Common Agent Framework component (cafservice, or cafagent for short) of the Linux agent.

It is created during installation of the agent. Note the following points about this account:

  • Although it is in sudoers, its sudo capabilities are limited to executing /usr/sbin/dmidecode.
  • It does not have the privileges to run any other sudo command.
  • It cannot be used to log in to any shell.
  • This is a service account: cafservice runs in this context, and the component daemons communicate with each other in this account's context. It cannot be removed.

Other user accounts created: sisips, dcscaf

Groups: sispips, dcscaf, avdefs

These Symantec users/groups are unprivileged except for the dcscaf user as noted above. Symantec "uses" the root account in that the sisamddaemon and sisipsdaemon run as root to do their jobs.
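To confirm on a given host that dcscaf still matches the restrictions listed above (no login shell, sudo limited to /usr/sbin/dmidecode), the following audit helper can be used. It is an added example, not Symantec's code; the function names, the set of accepted non-login shells and the sample inputs are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not vendor code: checks the two restrictions documented for dcscaf.
ALLOWED_CMD=/usr/sbin/dmidecode   # the only sudo command the article allows

# shell_is_nologin PASSWD_LINE: succeeds if field 7 is a non-interactive shell.
# The accepted shell paths are an assumption; the article does not name one.
shell_is_nologin() {
    case "$(printf '%s\n' "$1" | cut -d: -f7)" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# sudo_extra_cmds SUDO_L_OUTPUT: prints each permitted command other than ALLOWED_CMD.
sudo_extra_cmds() {
    printf '%s\n' "$1" | awk -v ok="$ALLOWED_CMD" '
        /^[ \t]+\(/ {                                  # rule line: "    (root) NOPASSWD: /a, /b"
            sub(/^[ \t]+\([^)]*\)[ \t]*/, "")          # drop the run-as spec
            while (match($0, /^[A-Z_]+:[ \t]*/))       # drop tags such as NOPASSWD:
                $0 = substr($0, RLENGTH + 1)
            n = split($0, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(cmds[i], words, " ")
                if (words[1] != ok) print cmds[i]
            }
        }'
}

# audit PASSWD_LINE SUDO_L_OUTPUT: prints findings; succeeds only if both checks pass.
audit() {
    rc=0
    shell_is_nologin "$1" || { echo "FINDING: dcscaf has an interactive login shell"; rc=1; }
    extra=$(sudo_extra_cmds "$2")
    [ -z "$extra" ] || { echo "FINDING: unexpected sudo command(s): $extra"; rc=1; }
    return "$rc"
}

# Constructed sample inputs (not captured from a real host).
GOOD_PW='dcscaf:x:993:990::/home/dcscaf:/sbin/nologin'
GOOD_SUDO='User dcscaf may run the following commands on host1:
    (root) NOPASSWD: /usr/sbin/dmidecode'
BAD_SUDO='User dcscaf may run the following commands on host1:
    (root) NOPASSWD: /usr/sbin/dmidecode, /bin/bash'

audit "$GOOD_PW" "$GOOD_SUDO" && echo "OK: matches the documented restrictions"
audit "$GOOD_PW" "$BAD_SUDO" || echo "sample drift detected as expected"
```

On a live system, run as root and pass real data instead of the samples: `audit "$(getent passwd dcscaf)" "$(sudo -l -U dcscaf)"`.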