https://community.dynatrace.com/t5/Troubleshooting/Security-Concern-ActiveGate-Service-Account-dtuserag-and/ta-p/286265 <P><LI-TOC indent="15" liststyle="disc" maxheadinglevel="2"></LI-TOC></P> <DIV class="lia-message-template-content-zone"> <P>*<EM>Use a table of contents for longer articles.&nbsp;</EM></P> <H1>Self Service Summary</H1> <P>The <CODE>dtuserag</CODE> account is a local, unprivileged Linux user created by the Dynatrace ActiveGate installer to run its services securely. While it cannot be used for direct login, it has access to specific configuration directories with restricted permissions that typically require root access.</P> <P>Security teams may raise concerns because this account operates outside standard user management workflows and may not be visible in centralized monitoring. Additionally, the operating system must support high resource limits for this user, at least <STRONG>500,000 open files</STRONG> and <STRONG>20,000 processes,&nbsp;</STRONG>to ensure proper functionality. These requirements may trigger alerts or scrutiny during audits or vulnerability scans.<BR /><BR /></P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="25%" height="29px"><STRONG>Issue</STRONG></TD> <TD width="25%" height="29px"><STRONG>Solution</STRONG></TD> <TD width="25%" height="29px"><STRONG>Tasks</STRONG></TD> <TD width="25%" height="29px"><STRONG>Alternatives</STRONG></TD> </TR> <TR> <TD width="25%" height="29px">Security team flagged <CODE>dtuserag</CODE> for elevated permissions or lack of visibility</TD> <TD width="25%" height="29px">Explain that <CODE>dtuserag</CODE> is a dedicated unprivileged local Linux user created by the ActiveGate installer - See below for more information.</TD> <TD width="25%" height="29px">Share official documentation and explain to your Security team.</TD> <TD width="25%" height="29px"><SPAN>Submit a support ticket if you need additional details or you face a different scenario</SPAN></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H1>Explanation</H1> <P>The <CODE>dtuserag</CODE> account is a <STRONG>service account</STRONG> used by Dynatrace ActiveGate on Linux systems. <BR />According to Dynatrace documentation:&nbsp;<EM><A href="https://docs.dynatrace.com/managed/shortlink/activegate-default-settings-linux#service-account" target="_blank" rel="noopener">https://docs.dynatrace.com/managed/shortlink/activegate-default-settings-linux#service-account</A></EM></P> <BLOCKQUOTE> <P>“All ActiveGate services are by default running as dedicated unprivileged user <CODE>dtuserag</CODE>. The only exception is <CODE>dynatraceautoupdater</CODE>, which requires root privileges. If the user <CODE>dtuserag</CODE> does not already exist in the system, the installer will create it.”</P> </BLOCKQUOTE> <P>This account is <STRONG>not intended for interactive login or administrative tasks</STRONG>. It exists solely to run ActiveGate services securely and with minimal privileges.&nbsp;The <STRONG><CODE>dynatraceautoupdater</CODE></STRONG> component may require elevated privileges during installation or updates. You will find all the services related to ActiveGate in this documentation:&nbsp;<A href="https://docs.dynatrace.com/managed/shortlink/activegate-default-settings-linux#services" target="_blank" rel="noopener">https://docs.dynatrace.com/managed/shortlink/activegate-default-settings-linux#services</A></P> <H1>Recommendations</H1> <OL> <LI>Share the official documentation with your security team.</LI> <LI>Confirm that <CODE>dtuserag</CODE> is used only by ActiveGate services and not for manual operations.</LI> <LI>Please reach out to Dynatrace Support for further clarification or other scenarios. <BR />When opening a support ticket, please mention that this article was used and provide the following in the ticket: <DIV class="p-client_container"> <DIV class="p-ia4_client_container"> <DIV class="p-ia4_client p-ia4_client--with-search-in-top-nav p-ia4_client--workspace-switcher-rail-visibletest p-ia4_client--sidebar-wide p-ia4_client--narrow-feature-on"> <DIV class="p-client_workspace_wrapper" role="tabpanel" aria-label="Dynatrace"> <DIV class="p-client_workspace" role="tabpanel" aria-label="DMs"> <DIV class="p-client_workspace__layout"> <DIV class="active-managed-focus-container" role="none"> <DIV class="p-view_contents p-view_contents--primary" tabindex="-1" role="dialog" aria-label="Conversation with Anton Konikov"> <DIV class="tabbed_channel__Abx5r"> <DIV class="tabbed_channel__Abx5r"> <DIV class="channel_tab_panel__zJ5Bt c-tabs__tab_panel c-tabs__tab_panel--active c-tabs__tab_panel--full_height" role="none" data-qa="tabs_content_container"> <DIV class="p-file_drag_drop__container"> <DIV class="p-workspace__primary_view_body"> <DIV class="p-message_pane p-message_pane--classic-nav p-message_pane--scrollbar-float-adjustment p-message_pane--with-bookmarks-bar" data-qa="message_pane"> <DIV role="presentation"> <DIV class="c-virtual_list c-virtual_list--scrollbar c-message_list c-message_list--floating c-message_list--dark c-scrollbar c-scrollbar--fade" role="presentation"> <DIV class="c-scrollbar__hider" role="presentation" data-qa="slack_kit_scrollbar"> <DIV class="c-scrollbar__child" role="presentation"> <DIV class="c-virtual_list__scroll_container" tabindex="-1" role="list" data-qa="slack_kit_list" aria-label="Anton Konikov (direct message, active)"> <DIV id="1734101723.604509" class="c-virtual_list__item" tabindex="0" role="listitem" aria-setsize="-1" data-qa="virtual-list-item" data-item-key="1734101723.604509"> <DIV class="c-message_kit__background p-message_pane_message__message c-message_kit__message p-message_pane_message__message--last" role="presentation" data-qa="message_container" data-qa-unprocessed="false" data-qa-placeholder="false"> <DIV class="c-message_kit__hover" role="document" aria-roledescription="message" data-qa-hover="true"> <DIV class="c-message_kit__actions c-message_kit__actions--above"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <UL class="p-rich_text_list p-rich_text_list__bullet p-rich_text_list--nested" data-stringify-type="unordered-list" data-list-tree="true" data-indent="0" data-border="1" data-border-radius-top-cap="0"> <LI data-stringify-indent="0" data-stringify-border="1">Activegate Support Archive - This will contain the version and operating system information.</LI> </UL> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </LI> </OL> </DIV> Tue, 07 Oct 2025 09:20:20 GMT jonghpark 2025-10-07T09:20:20Z https://community.dynatrace.com/t5/Troubleshooting/Security-Concern-ActiveGate-Service-Account-dtuserag-and/ta-p/286265 <P><LI-TOC indent="15" liststyle="disc" maxheadinglevel="2"></LI-TOC></P> <DIV class="lia-message-template-content-zone"> <P>*<EM>Use a table of contents for longer articles.&nbsp;</EM></P> <H1>Self Service Summary</H1> <P>The <CODE>dtuserag</CODE> account is a local, unprivileged Linux user created by the Dynatrace ActiveGate installer to run its services securely. While it cannot be used for direct login, it has access to specific configuration directories with restricted permissions that typically require root access.</P> <P>Security teams may raise concerns because this account operates outside standard user management workflows and may not be visible in centralized monitoring. Additionally, the operating system must support high resource limits for this user, at least <STRONG>500,000 open files</STRONG> and <STRONG>20,000 processes,&nbsp;</STRONG>to ensure proper functionality. These requirements may trigger alerts or scrutiny during audits or vulnerability scans.<BR /><BR /></P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="25%" height="29px"><STRONG>Issue</STRONG></TD> <TD width="25%" height="29px"><STRONG>Solution</STRONG></TD> <TD width="25%" height="29px"><STRONG>Tasks</STRONG></TD> <TD width="25%" height="29px"><STRONG>Alternatives</STRONG></TD> </TR> <TR> <TD width="25%" height="29px">Security team flagged <CODE>dtuserag</CODE> for elevated permissions or lack of visibility</TD> <TD width="25%" height="29px">Explain that <CODE>dtuserag</CODE> is a dedicated unprivileged local Linux user created by the ActiveGate installer - See below for more information.</TD> <TD width="25%" height="29px">Share official documentation and explain to your Security team.</TD> <TD width="25%" height="29px"><SPAN>Submit a support ticket if you need additional details or you face a different scenario</SPAN></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H1>Explanation</H1> <P>The <CODE>dtuserag</CODE> account is a <STRONG>service account</STRONG> used by Dynatrace ActiveGate on Linux systems. <BR />According to Dynatrace documentation:&nbsp;<EM><A href="https://docs.dynatrace.com/managed/shortlink/activegate-default-settings-linux#service-account" target="_blank" rel="noopener">https://docs.dynatrace.com/managed/shortlink/activegate-default-settings-linux#service-account</A></EM></P> <BLOCKQUOTE> <P>“All ActiveGate services are by default running as dedicated unprivileged user <CODE>dtuserag</CODE>. The only exception is <CODE>dynatraceautoupdater</CODE>, which requires root privileges. If the user <CODE>dtuserag</CODE> does not already exist in the system, the installer will create it.”</P> </BLOCKQUOTE> <P>This account is <STRONG>not intended for interactive login or administrative tasks</STRONG>. It exists solely to run ActiveGate services securely and with minimal privileges.&nbsp;The <STRONG><CODE>dynatraceautoupdater</CODE></STRONG> component may require elevated privileges during installation or updates. You will find all the services related to ActiveGate in this documentation:&nbsp;<A href="https://docs.dynatrace.com/managed/shortlink/activegate-default-settings-linux#services" target="_blank" rel="noopener">https://docs.dynatrace.com/managed/shortlink/activegate-default-settings-linux#services</A></P> <H1>Recommendations</H1> <OL> <LI>Share the official documentation with your security team.</LI> <LI>Confirm that <CODE>dtuserag</CODE> is used only by ActiveGate services and not for manual operations.</LI> <LI>Please reach out to Dynatrace Support for further clarification or other scenarios. <BR />When opening a support ticket, please mention that this article was used and provide the following in the ticket: <DIV class="p-client_container"> <DIV class="p-ia4_client_container"> <DIV class="p-ia4_client p-ia4_client--with-search-in-top-nav p-ia4_client--workspace-switcher-rail-visibletest p-ia4_client--sidebar-wide p-ia4_client--narrow-feature-on"> <DIV class="p-client_workspace_wrapper" role="tabpanel" aria-label="Dynatrace"> <DIV class="p-client_workspace" role="tabpanel" aria-label="DMs"> <DIV class="p-client_workspace__layout"> <DIV class="active-managed-focus-container" role="none"> <DIV class="p-view_contents p-view_contents--primary" tabindex="-1" role="dialog" aria-label="Conversation with Anton Konikov"> <DIV class="tabbed_channel__Abx5r"> <DIV class="tabbed_channel__Abx5r"> <DIV class="channel_tab_panel__zJ5Bt c-tabs__tab_panel c-tabs__tab_panel--active c-tabs__tab_panel--full_height" role="none" data-qa="tabs_content_container"> <DIV class="p-file_drag_drop__container"> <DIV class="p-workspace__primary_view_body"> <DIV class="p-message_pane p-message_pane--classic-nav p-message_pane--scrollbar-float-adjustment p-message_pane--with-bookmarks-bar" data-qa="message_pane"> <DIV role="presentation"> <DIV class="c-virtual_list c-virtual_list--scrollbar c-message_list c-message_list--floating c-message_list--dark c-scrollbar c-scrollbar--fade" role="presentation"> <DIV class="c-scrollbar__hider" role="presentation" data-qa="slack_kit_scrollbar"> <DIV class="c-scrollbar__child" role="presentation"> <DIV class="c-virtual_list__scroll_container" tabindex="-1" role="list" data-qa="slack_kit_list" aria-label="Anton Konikov (direct message, active)"> <DIV id="1734101723.604509" class="c-virtual_list__item" tabindex="0" role="listitem" aria-setsize="-1" data-qa="virtual-list-item" data-item-key="1734101723.604509"> <DIV class="c-message_kit__background p-message_pane_message__message c-message_kit__message p-message_pane_message__message--last" role="presentation" data-qa="message_container" data-qa-unprocessed="false" data-qa-placeholder="false"> <DIV class="c-message_kit__hover" role="document" aria-roledescription="message" data-qa-hover="true"> <DIV class="c-message_kit__actions c-message_kit__actions--above"> <DIV class="c-message_kit__gutter"> <DIV class="c-message_kit__gutter__right" role="presentation" data-qa="message_content"> <DIV class="c-message_kit__blocks c-message_kit__blocks--rich_text"> <DIV class="c-message__message_blocks c-message__message_blocks--rich_text" data-qa="message-text"> <DIV class="p-block_kit_renderer" data-qa="block-kit-renderer"> <DIV class="p-block_kit_renderer__block_wrapper p-block_kit_renderer__block_wrapper--first"> <DIV class="p-rich_text_block" dir="auto"> <UL class="p-rich_text_list p-rich_text_list__bullet p-rich_text_list--nested" data-stringify-type="unordered-list" data-list-tree="true" data-indent="0" data-border="1" data-border-radius-top-cap="0"> <LI data-stringify-indent="0" data-stringify-border="1">Activegate Support Archive - This will contain the version and operating system information.</LI> </UL> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </LI> </OL> </DIV> Tue, 07 Oct 2025 09:20:20 GMT https://community.dynatrace.com/t5/Troubleshooting/Security-Concern-ActiveGate-Service-Account-dtuserag-and/ta-p/286265 jonghpark 2025-10-07T09:20:20Z