Run a .NET 8 Linux System Monitor with Non-Root Privileges

This guide outlines the process of running a Linux System Monitor Agent without root privileges.

Prerequisites

There is no .NET Runtime installation required when running a System Monitor Agent with non-root privileges; the agent is self-contained and includes all necessary .NET dependencies.

Run a Linux System Monitor Agent with Non-Root Privileges

  1. Create a non-root service user (for example, “logrhythm”) if one does not already exist. The command below creates a system account with no login shell; give it login privileges only if necessary:

sudo useradd -r -s /bin/false -d /opt/logrhythm/scsm logrhythm
  2. Set ownership of the agent installation directory:

sudo chown -R logrhythm:logrhythm /opt/logrhythm/scsm
  3. Edit the systemd service file at /etc/systemd/system/scsm.service so that the agent runs as the non-root user. Update the User line in the [Service] section (systemd directive names are case-sensitive):

User=logrhythm

Optionally, you can also specify a group:

Group=logrhythm
  4. Ensure the non-root user has execute permissions on the agent binary:

sudo chmod +x /opt/logrhythm/scsm/bin/scsmlsvc
  5. Set the PATH environment variable for the service by adding the following line to the [Service] section of /etc/systemd/system/scsm.service:

Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  6. If the agent needs to bind to privileged ports (< 1024), grant the CAP_NET_BIND_SERVICE capability:

sudo setcap 'cap_net_bind_service=+ep' /opt/logrhythm/scsm/bin/scsmlsvc
  7. Reload systemd and enable the agent service:

sudo systemctl daemon-reload
sudo systemctl enable scsm
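The steps above change the service user, ownership, PATH and capabilities; the script below, added here as an example and not part of the LogRhythm guide or the agent itself, verifies the result after the edits. It checks that the unit file really names the service user in its [Service] section (systemd directive names are case-sensitive, so a lowercase user= line is ignored and the service silently keeps running as root), that a PATH is set, that the install directory is owned by the user, that the binary is executable, and whether it carries cap_net_bind_service. The unit path, install directory, binary and user name are arguments; the /opt/logrhythm/scsm paths in the usage comment follow the guide.

```shell
#!/bin/sh
# Post-install check for the non-root agent setup (added example, not from
# the guide). It only reads state; it changes nothing.
# Usage: sh scsm_check.sh /etc/systemd/system/scsm.service \
#            /opt/logrhythm/scsm /opt/logrhythm/scsm/bin/scsmlsvc logrhythm

# Print the value of KEY= inside the [Service] section of a unit file.
# The match is case-sensitive, exactly as systemd treats directive names.
unit_service_value() {
    awk -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { print substr($0, length(key) + 2) }
    ' "$1"
}

# Verify User= and Environment=PATH= in the unit file. Returns 1 on a problem.
check_unit() {
    unit="$1"; want_user="$2"; rc=0
    user="$(unit_service_value "$unit" User)"
    if [ -z "$user" ]; then
        # A "user=" line looks right but systemd ignores unknown (lowercase) keys.
        if grep -i '^user=' "$unit" | grep -qv '^User='; then
            echo "FAIL: $unit uses a lowercase 'user=' line; systemd keys are case-sensitive, use 'User='"
        else
            echo "FAIL: $unit has no User= in [Service]; the agent would run as root"
        fi
        rc=1
    elif [ "$user" != "$want_user" ]; then
        echo "FAIL: $unit runs as '$user', expected '$want_user'"; rc=1
    else
        echo "ok: unit runs as $user"
    fi
    if unit_service_value "$unit" Environment | grep -q '^PATH='; then
        echo "ok: PATH is set for the service"
    else
        echo "FAIL: no Environment=PATH=... line in [Service]"; rc=1
    fi
    return "$rc"
}

# Verify ownership of the install directory, the execute bit on the binary,
# and report (without failing) whether the binary has cap_net_bind_service.
check_files() {
    dir="$1"; bin="$2"; want_user="$3"; rc=0
    owner="$(stat -c %U "$dir" 2>/dev/null || stat -f %Su "$dir")"
    if [ "$owner" = "$want_user" ]; then
        echo "ok: $dir is owned by $owner"
    else
        echo "FAIL: $dir is owned by '$owner', expected '$want_user' (chown -R)"; rc=1
    fi
    if [ -x "$bin" ]; then
        echo "ok: $bin is executable"
    else
        echo "FAIL: $bin is not executable (chmod +x)"; rc=1
    fi
    if command -v getcap >/dev/null 2>&1; then
        case "$(getcap "$bin" 2>/dev/null)" in
            *cap_net_bind_service*) echo "info: $bin has cap_net_bind_service (may bind ports < 1024)" ;;
            *) echo "info: $bin has no cap_net_bind_service; the syslog port must be >= 1024" ;;
        esac
    else
        echo "info: getcap not installed; skipping the file-capability check"
    fi
    return "$rc"
}

# Run all checks when invoked with the four arguments; exit non-zero on failure.
if [ "$#" -ge 4 ]; then
    status=0
    check_unit "$1" "$4" || status=1
    check_files "$2" "$3" "$4" || status=1
    exit "$status"
fi
```

Run it after step 7 and before starting the service; a non-zero exit means one of the edits above did not take effect. The capability line is informational because the capability is only required when the syslog listener uses a port below 1024.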

Syslog Server Configuration

If running the syslog server component as non-root, you have two options:

Option A

Change the syslog port to a value greater than 1024 in the config/scsm.ini file. Ports below 1024 are privileged and normally require root access.

Option B

Keep the default port (514 UDP/TCP) and grant the CAP_NET_BIND_SERVICE capability to the agent binary (as shown in step 6 above).

If the agent runs as non-root with a port below 1024 and without the proper capability, warnings will be logged indicating the syslog server cannot start unless the port is changed to ≥ 1024 or the capability is granted.

Some devices that send syslog data do not support a configurable destination port. For those senders you must either:

  • Use Option B above (grant CAP_NET_BIND_SERVICE capability), or

  • Configure firewall rules or port forwarding to redirect port 514 to a higher port.
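The port rule above (ports below 1024 need root or CAP_NET_BIND_SERVICE, otherwise the syslog server only logs warnings) can be checked before the service starts. The script below is an added example, not part of the LogRhythm guide or agent: it classifies a configured syslog port for a given user and the getcap output of the agent binary, and when the combination cannot work it prints the two options from this section plus the firewall redirect. It assumes the two getcap output formats libcap has used, "file cap_net_bind_service=ep" and the older "file = cap_net_bind_service+ep"; the iptables REDIRECT line is one common way to implement the port redirection mentioned above, and the high port in it is a placeholder.

```shell
#!/bin/sh
# Pre-flight check for the syslog listener port (added example, not from the
# guide). Usage: sh syslog_port_check.sh <port> /opt/logrhythm/scsm/bin/scsmlsvc

# "yes" if the getcap output for the binary grants cap_net_bind_service in the
# effective set (the "e" flag); "no" otherwise, including for an empty string.
has_net_bind_filecap() {
    flags="$(printf '%s\n' "$1" | sed -n 's/.*cap_net_bind_service[=+]\([a-z]*\).*/\1/p')"
    case "$flags" in
        *e*) echo yes ;;
        *)   echo no ;;
    esac
}

# Classify a listener on PORT run by UID given the binary's getcap output.
# Ports at or above 1024 are unprivileged; below that, root or the capability
# is required. Always returns 0 and prints one of:
#   ok-unprivileged-port | ok-root | ok-capability | privileged-port-without-capability
syslog_port_check() {
    port="$1"; uid="$2"; filecaps="$3"
    if [ "$port" -ge 1024 ]; then echo ok-unprivileged-port; return 0; fi
    if [ "$uid" -eq 0 ]; then echo ok-root; return 0; fi
    if [ "$(has_net_bind_filecap "$filecaps")" = yes ]; then echo ok-capability; return 0; fi
    echo privileged-port-without-capability
}

if [ "$#" -ge 2 ]; then
    port="$1"; bin="$2"
    # getcap prints nothing when the file carries no capabilities.
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        caps="$(getcap "$bin" 2>/dev/null || true)"
    fi
    result="$(syslog_port_check "$port" "$(id -u)" "$caps")"
    echo "syslog port $port as uid $(id -u): $result"
    case "$result" in
        ok-*) exit 0 ;;
    esac
    echo "The syslog server will not start. Either:"
    echo "  Option A: set a port >= 1024 in config/scsm.ini"
    echo "  Option B: sudo setcap 'cap_net_bind_service=+ep' $bin"
    echo "If senders cannot change their destination port, redirect 514 to the"
    echo "higher port in the firewall, for example (HIGH_PORT is a placeholder):"
    echo "  iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports HIGH_PORT"
    exit 1
fi
```

Run it as the service user (for example with sudo -u logrhythm) so that the uid it sees matches the one the agent will run under; a non-zero exit reproduces, before startup, the condition that would otherwise only appear as warnings in the agent log.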