What is the dcscaf account running on Linux instances installed with CWP/SEP/SES/DCS agent?

What other users / groups does Symantec create and use?

SEP 14.3 RU1 and higher, CWP/SEP/SES/DCS agent installed on Linux Operating system

"dcscaf" user is a service account created by Common Agent Framework component (cafservice or cafagent in short) of Linux agent.

It is created during installation of the agent. Following points are to be noted about this account:

• Although it is in sudoers, It's sudo capabilities are limited to executing /usr/sbin/dmidecode.
• It does not have the privileges to run any other sudo command.
• It can not be used to login to any shell.
• This is a service account, cafservice runs in this context, and component daemons communicate with each other in this account's context. It can not be removed.
  
  

Other user accounts created: sisips, dcscaf

Groups: sisips, dcscaf, avdefs

These Symantec users/groups are unprivileged except for the dcscaf user as noted above. Sisamddaemon and sisipsdaemon run as root to do their jobs.

Information about "avdefs" and its GID on the Linux system with Endpoint Client