Modern Linux security focuses on minimizing privileges wherever possible. Instead of granting applications unrestricted root access, organizations increasingly follow the principle of least privilege, allowing software to run with only the permissions required to perform its intended tasks.
This significantly reduces the potential impact of vulnerabilities, compromised accounts, or configuration mistakes.
The Wazuh Agent Non Root approach follows this security philosophy by configuring the Wazuh agent to run partially or entirely under a non-root user wherever practical.
While some Wazuh components still require elevated privileges to monitor protected operating system resources, many environments can reduce root access by carefully assigning Linux capabilities, file permissions, service configurations, and sudo rules instead of granting full administrative rights.
There are several reasons organizations choose to avoid running agents as root:
- Reduce the impact of a compromised endpoint
- Meet internal security policies
- Satisfy regulatory compliance requirements
- Improve defense-in-depth across Linux servers
- Limit privilege escalation opportunities for attackers
A properly configured least-privilege deployment can provide strong endpoint visibility while reducing unnecessary system permissions. However, administrators must also understand the tradeoffs, since restricting privileges may prevent certain Wazuh modules from collecting specific security data.
In this guide, you’ll learn:
- What Wazuh Agent Non Root actually means
- Which Wazuh components require elevated permissions
- How Linux capabilities affect Wazuh functionality
- Which monitoring features continue working without root
- Common limitations and troubleshooting tips
- Best practices for deploying least-privilege Wazuh agents in production
What Is Wazuh Agent Non Root?
The Wazuh agent is a lightweight endpoint monitoring service installed on Linux, Windows, and macOS systems.
It collects security events, performs integrity monitoring, gathers system inventory information, executes Security Configuration Assessment (SCA) policies, detects vulnerabilities, and forwards collected telemetry to the Wazuh manager.
Internally, the Linux agent consists of several modules that perform different monitoring tasks, including:
- Log collection
- File Integrity Monitoring (FIM)
- Rootcheck
- Security Configuration Assessment (SCA)
- Syscollector
- Vulnerability Detection support
- Active Response
- Command execution
- Secure communication with the manager
By default, the Linux agent runs as root because many of these components require unrestricted access to protected operating system resources.
Examples include:
- Reading privileged log files in
/var/log - Monitoring system directories
- Inspecting kernel information
- Reading
/proc - Executing security commands
- Accessing audit logs
- Performing Active Response actions such as blocking IP addresses
Some administrators assume that every part of the Wazuh agent requires full root access, but that is not entirely accurate.
Certain modules can operate successfully under a dedicated service account with carefully assigned permissions.
Others, however, cannot function correctly without elevated privileges because the Linux kernel protects the resources they monitor.
Running the Wazuh Agent Non Root therefore does not necessarily mean the entire agent executes without any privileged operations.
Instead, it generally refers to reducing root usage wherever technically feasible while selectively granting only the capabilities necessary for specific monitoring tasks.
For example, a least-privilege deployment may:
- Run the main service under a dedicated
wazuhuser - Assign Linux capabilities instead of full root privileges
- Grant read access to selected log files
- Use ACLs for monitored directories
- Restrict sudo access to only approved commands
- Disable modules that require unrestricted root access
This model closely aligns with modern Linux hardening recommendations from organizations such as the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), both of which recommend minimizing privileged processes whenever operationally possible.
Why the Agent Normally Runs as Root
Several Wazuh modules require privileged access because Linux protects security-sensitive resources from ordinary users.
Examples include:
- Monitoring
/etc,/boot, and system binaries - Reading auditd logs
- Executing Rootcheck scans
- Collecting kernel information
- Running Active Response scripts
- Accessing restricted system configuration files
- Performing low-level inventory collection
Without sufficient privileges, these modules may generate permission errors or produce incomplete monitoring data.
Which Agent Components Require Elevated Privileges
Not every Wazuh module has identical permission requirements.
Components that commonly need elevated privileges include:
- Rootcheck
- Active Response
- Security Configuration Assessment (some checks)
- Audit log monitoring
- File Integrity Monitoring on protected directories
- Command modules executing privileged commands
Modules with fewer privilege requirements often include:
- Monitoring application logs with appropriate read permissions
- Collecting user-owned files
- Forwarding logs
- Network communication with the Wazuh manager
The exact requirements depend on your Linux distribution, kernel security policies, SELinux/AppArmor configuration, and the directories or resources being monitored.
What Changes When Running With Non-Root Permissions
Moving to a non-root deployment changes how the agent interacts with the operating system.
Administrators typically must:
- Configure Linux file permissions
- Add ACLs where necessary
- Adjust systemd service definitions
- Assign Linux capabilities
- Review SELinux or AppArmor policies
- Test each enabled module individually
Some monitoring functionality may remain unchanged, while other modules may require additional configuration or become unavailable altogether.
Security engineer Dan Walsh, a long-time SELinux expert and Red Hat Distinguished Engineer, has consistently emphasized that reducing process privileges and using Linux security controls such as capabilities and mandatory access control significantly lowers the potential impact of compromised services.
Applying the same principle to endpoint monitoring agents helps strengthen overall system security by limiting what a successful attacker could do if an agent process were exploited.
Supported Use Cases and Limitations
A non-root Wazuh deployment is generally well suited for environments where:
- Only application logs need monitoring
- File monitoring targets user-owned directories
- Organizations enforce strict least-privilege policies
- Compliance frameworks discourage unnecessary root services
- Containers run with restricted privileges
However, it may be less appropriate when:
- Root-level file monitoring is required
- Active Response must modify firewall rules
- Rootcheck scans are essential
- Full Security Configuration Assessment coverage is required
- Audit subsystem monitoring is mandatory
Before deploying in production, test each enabled Wazuh module to ensure the reduced permission model still provides the visibility your security program requires.
Related Guides:
- How to Configure ossec.conf for Log Monitoring in Wazuh
- How to Configure Wazuh Agent Centralized Configuration
Benefits of Running the Wazuh Agent Without Root Privileges
Reducing unnecessary root access has become one of the most widely accepted security practices across Linux administration, cloud infrastructure, and enterprise cybersecurity.
Running the Wazuh Agent Non Root aligns with this philosophy by minimizing the privileges granted to endpoint monitoring software while maintaining as much functionality as possible.
Although not every Wazuh deployment can completely eliminate root access, reducing privileges wherever feasible offers several important security and operational benefits.
Improved Security
Every process running as root becomes a high-value target for attackers.
If a vulnerability allows arbitrary code execution inside a privileged service, the attacker may immediately gain complete control of the host.
Running the Wazuh agent with restricted permissions helps contain potential damage by limiting what an exploited process can access or modify.
This layered defense complements Linux security mechanisms such as:
- Linux capabilities
- SELinux
- AppArmor
- Namespaces
- Mandatory Access Control (MAC)
Reduced Attack Surface
The principle of least privilege reduces the number of privileged processes running on each endpoint.
Instead of granting unrestricted root access, administrators can provide only the permissions required for specific monitoring tasks, such as:
- Reading selected log files
- Monitoring approved directories
- Communicating with the Wazuh manager
- Executing predefined commands
This significantly decreases opportunities for privilege escalation.
Better Compliance
Many cybersecurity frameworks explicitly recommend minimizing privileged accounts and services.
Deploying Wazuh using non-root permissions can help support organizational compliance efforts by demonstrating that administrative privileges are granted only when operationally necessary.
PCI DSS
The PCI DSS v4.0 standard emphasizes restricting access based on business need and applying least-privilege principles to systems that process payment card data.
HIPAA
The HIPAA Security Rule requires organizations to implement appropriate administrative, technical, and physical safeguards to protect electronic protected health information (ePHI). Restricting privileged access supports these safeguards by reducing unnecessary administrative permissions.
ISO 27001
ISO/IEC 27001 promotes access control policies that ensure users and services receive only the permissions required to perform authorized tasks.
Using a non-root deployment aligns well with these access control objectives.
CIS Benchmarks
The CIS Benchmarks for Linux systems consistently recommend limiting root usage, assigning only necessary permissions, and hardening system services against privilege escalation.
Following these recommendations helps improve the overall security posture of Linux endpoints monitored by Wazuh.
Principle of Least Privilege
The Principle of Least Privilege (PoLP) is one of the most fundamental concepts in cybersecurity.
Rather than asking whether a service can run as root, administrators should ask whether it must.
Applying PoLP to Wazuh means:
- Eliminating unnecessary root permissions
- Assigning only required capabilities
- Reviewing permissions regularly
- Disabling unused modules
- Restricting command execution
These practices reduce both accidental misconfigurations and the impact of successful attacks.
Safer Multi-Tenant Systems
In environments hosting multiple applications, users, or customers, reducing service privileges becomes even more important.
If one application or monitoring process is compromised, privilege separation helps prevent attackers from moving laterally across the system or affecting other tenants.
This approach is particularly valuable for:
- Shared Linux servers
- University environments
- Managed hosting platforms
- Kubernetes worker nodes
- Cloud virtual machines
Easier Security Audits
Least-privilege deployments simplify internal and external security reviews.
Auditors typically verify:
- Which services run as root
- Why elevated privileges are required
- Whether permissions are documented
- Whether privilege escalation paths exist
- Whether administrative access follows organizational policy
A well-documented non-root Wazuh deployment makes these reviews significantly easier by clearly demonstrating that elevated permissions are limited to only those functions that genuinely require them.
Related Guides:
- How to Stop Wazuh File Integrity Monitoring (FIM) From Eating Your CPU
- How to Monitor Linux Event Logs Using Wazuh
Prerequisites
Before configuring the Wazuh Agent Non Root deployment, verify that your Linux system and Wazuh installation meet the necessary requirements.
While the process is straightforward, understanding your environment beforehand helps prevent permission-related issues and avoids breaking existing monitoring capabilities.
Supported Linux Distributions
Running the Wazuh agent with reduced privileges is possible on most modern Linux distributions that support systemd, Linux capabilities, and standard POSIX permissions.
Commonly supported distributions include:
- Ubuntu 20.04, 22.04, and later
- Debian 11 and later
- Red Hat Enterprise Linux (RHEL) 8 and later
- Rocky Linux
- AlmaLinux
- CentOS Stream
- Oracle Linux
- SUSE Linux Enterprise Server (SLES)
- Amazon Linux 2 and Amazon Linux 2023
Although the overall approach is similar across distributions, some permission models differ depending on:
- SELinux policies
- AppArmor profiles
- Default filesystem permissions
- Package locations
- Service management configuration
Always validate your configuration in a non-production environment before deploying to critical systems.
Wazuh Version Requirements
Most modern versions of the Wazuh agent support running under customized service accounts with appropriate permissions.
For best compatibility, use:
- Wazuh 4.x or later
- A fully updated Linux distribution
- Matching agent and manager versions whenever possible
Running mismatched versions may introduce unexpected behavior, unsupported configuration options, or communication issues.
Related Guide: How to Upgrade a Wazuh Agent
Administrative Access for Initial Setup
Even though the goal is to reduce or eliminate continuous root usage, initial configuration still requires administrative privileges.
You’ll typically need root or sudo access to:
- Create users and groups
- Modify file ownership
- Configure systemd services
- Assign Linux capabilities
- Adjust ACLs
- Restart services
- Modify SELinux or AppArmor policies if necessary
After configuration is complete, the agent itself can often operate with significantly fewer privileges.
Understanding Linux Users and Groups
Before modifying the Wazuh service account, it’s important to understand how Linux permissions work.
Key concepts include:
- Users own files and execute processes.
- Groups allow multiple users to share access to resources.
- File permissions determine who can read, write, or execute files.
- ACLs (Access Control Lists) provide more granular permission control than traditional UNIX permissions.
- Linux capabilities allow specific privileged operations without granting full root access.
A successful non-root deployment relies on combining these mechanisms instead of simply removing root privileges.
Existing Wazuh Manager Connection
Your Linux agent should already be enrolled and communicating successfully with the Wazuh manager before changing its execution privileges.
Verify that:
- The agent appears in the Wazuh dashboard.
- The agent status is Active.
- Logs are arriving normally.
- Configuration synchronization is working (if centralized configuration is used).
Making privilege changes before confirming normal operation can complicate troubleshooting.
Related Guides:
- Step-by-Step Guide to Wazuh Agent Auto-Enrollment
- How to Configure Wazuh Agent Centralized Configuration
Required Packages and Tools
Depending on your Linux distribution, you’ll likely use several standard administration tools during the configuration process.
Common utilities include:
systemctluseraddgroupaddusermodchownchmodsetfaclgetfaclsetcapgetcapsudojournalctl
Some distributions may require installing additional packages such as:
acllibcappolicycoreutils(SELinux systems)
These utilities allow you to safely assign only the permissions the Wazuh agent actually requires.
Understanding Which Wazuh Features Require Root
One of the biggest misconceptions about the Wazuh Agent Non Root model is that every agent feature requires unrestricted root access.
In reality, privilege requirements vary considerably depending on the module and the operating system resources it accesses.
Understanding these requirements helps you decide which features can safely run with reduced permissions and which may require elevated privileges.
Log Collection
Log collection often works well under a non-root account, provided the agent has permission to read the monitored log files.
Examples include:
- Application logs
- Web server logs
- User-owned log directories
- Custom application logging
However, system logs such as:
/var/log/auth.log/var/log/secure/var/log/messages/var/log/audit/audit.log
typically require additional permissions or group membership.
Rather than granting root access, many administrators add the Wazuh service account to appropriate log-reading groups or configure ACLs for specific log files.
Related Guide: How to Configure ossec.conf for Log Monitoring in Wazuh
File Integrity Monitoring (FIM)
File Integrity Monitoring can operate without root only if the monitored files are accessible to the Wazuh service account.
Monitoring directories such as:
- User home directories
- Application folders
- Shared storage
usually presents few issues.
However, monitoring sensitive system paths like:
/etc/boot/usr/bin/lib/root
often requires elevated permissions or carefully configured ACLs.
Related Guide: How to Configure File Integrity Monitoring (FIM) in Wazuh
Vulnerability Detection
The agent contributes inventory information used by the Wazuh manager’s vulnerability detection engine.
Collecting complete package inventories may require access to protected system resources depending on the Linux distribution.
In restricted environments, vulnerability detection may still function but produce less complete results if inventory collection is limited.
Related Guide: Wazuh Vulnerability Detection Not Working? Here’s How to Fix It
Syscollector
Syscollector gathers information such as:
- Installed packages
- Running processes
- Network interfaces
- Open ports
- Hardware inventory
- Operating system details
Most of this information can be collected without full root access, although certain kernel and process information may be restricted.
Modern Linux kernels increasingly limit access to sensitive process information for non-privileged users.
Rootcheck
Rootcheck is one of the modules most dependent on elevated privileges.
It performs security checks such as:
- Rootkit detection
- Hidden file discovery
- Suspicious kernel object detection
- System integrity verification
- Privileged configuration inspection
Many of these operations require unrestricted access to protected areas of the operating system.
Running Rootcheck without root may reduce detection coverage.
Related Guide: Fix Wazuh Rootcheck: What to Do When Scheduled Scans Are Ignored
Active Response
Active Response almost always requires elevated privileges.
Examples include:
- Blocking IP addresses
- Updating firewall rules
- Killing malicious processes
- Disabling user accounts
- Executing remediation scripts
Since these actions modify system state, root or carefully delegated sudo permissions are generally required.
Related Guide: How to Configure Wazuh Active Response
Command Monitoring
The command module executes administrator-defined commands and collects their output.
Whether root is required depends entirely on the command itself.
For example:
- Reading user-owned files may require no special privileges.
- Checking kernel parameters may require elevated permissions.
- Querying firewall rules typically requires administrative rights.
When possible, grant access only to specific commands using tightly scoped sudo rules rather than unrestricted root access.
SCA (Security Configuration Assessment)
Security Configuration Assessment (SCA) evaluates a system against security baselines such as CIS Benchmarks.
Many checks inspect:
- System configuration files
- Package settings
- Kernel parameters
- Authentication policies
- File permissions
Some checks function without root, while others require privileged access to protected configuration files.
Limiting permissions may therefore reduce overall benchmark coverage.
Windows Event Collection (Not Applicable)
Windows Event Collection is not relevant to Linux-based Wazuh Agent Non Root deployments.
Also, windows agents use an entirely different permission model based on Windows services, security descriptors, and local privileges rather than Linux users, groups, and capabilities.
Related Guide: How to Monitor Windows Event Logs Using Wazuh
Creating a Dedicated Wazuh User
One of the most important steps in a least-privilege deployment is creating a dedicated service account for the Wazuh agent.
Instead of running under the root account, the agent can execute using a restricted user that has only the permissions required for its assigned monitoring tasks.
This improves security by separating the Wazuh service from other administrative accounts and making permission management easier.
Creating the User
Create a dedicated system user specifically for the Wazuh agent.
Example:
sudo useradd --system wazuhThe --system option creates a service account intended for background processes rather than interactive users.
Verify the account:
id wazuhCreating the Group
For easier permission management, create a dedicated group for the Wazuh service if one does not already exist.
sudo groupadd --system wazuhThen associate the user with the group:
sudo usermod -g wazuh wazuhAdditional group memberships can later be added if the agent requires access to protected log files or application directories.
Assigning Home Directory
Although many service accounts do not require a home directory, assigning one can simplify log storage, temporary files, or custom scripts in certain environments.
Example:
sudo usermod -d /var/ossec wazuhVerify the assigned directory:
getent passwd wazuhEnsure the directory ownership matches the service account:
sudo chown -R wazuh:wazuh /var/ossecPreventing Interactive Login
Since the Wazuh account is intended only for running the agent, interactive logins should be disabled.
Configure a non-login shell:
sudo usermod -s /usr/sbin/nologin wazuhSome distributions instead use:
sudo usermod -s /sbin/nologin wazuhThis prevents users from logging into the account while still allowing systemd to execute the service.
Verifying User Creation
Before modifying the Wazuh service configuration, verify that the account was created correctly.
Useful commands include:
id wazuhgetent passwd wazuhgroups wazuhls -ld /var/ossecConfirm:
- The user exists.
- The group exists.
- The home directory is correct.
- The login shell is disabled.
- Ownership of required directories is properly configured.
Completing these checks provides a solid foundation before assigning capabilities, adjusting file permissions, and configuring the Wazuh service to run with reduced privileges.
Configuring File Ownership and Permissions
One of the most important aspects of a Wazuh Agent Non Root deployment is ensuring that the service account has access only to the files and directories it actually needs.
Instead of granting unrestricted root access, you’ll explicitly assign ownership, permissions, or Access Control Lists (ACLs) to the Wazuh user.
Always review permissions carefully before applying them in production. Granting overly broad access defeats the purpose of a least-privilege deployment.
Wazuh Installation Directory
The Wazuh agent is typically installed under:
/var/ossecIf you’re using a dedicated wazuh user, ensure the installation directory is owned by the appropriate user and group where possible.
Example:
sudo chown -R wazuh:wazuh /var/ossecVerify ownership:
ls -ld /var/ossecBe cautious when recursively changing ownership. Some files may intentionally remain owned by root for security reasons, depending on your deployment and package manager.
Log Files
The Wazuh agent must be able to read any log files you configure in ossec.conf.
Examples include:
/var/log/syslog/var/log/messages/var/log/auth.log- Application-specific log files
Rather than making these files world-readable, consider using:
- Group membership
- ACLs
- Read-only permissions for the Wazuh service account
Example using ACLs:
sudo setfacl -m u:wazuh:r /var/log/auth.logVerify the ACL:
getfacl /var/log/auth.logUsing ACLs provides more granular control than modifying traditional UNIX file permissions.
Queue Directories
The agent stores internal communication data, event queues, and runtime information within its queue directories.
Examples include:
/var/ossec/queueThe Wazuh service account typically requires:
- Read access
- Write access
- Execute permission on directories
Verify permissions after any ownership changes to ensure the agent can continue processing events.
Temporary Files
Some Wazuh modules create temporary working files during scans or data collection.
Temporary directories should:
- Be writable only by the service account.
- Prevent unauthorized modification by other users.
- Be cleaned automatically when appropriate.
Avoid assigning global write permissions unless absolutely necessary.
Certificates and Keys
Secure communication between the Wazuh agent and manager relies on cryptographic certificates and authentication keys.
Examples include:
- Agent keys
- TLS certificates
- Private keys
These files should remain tightly protected.
Recommended permissions include:
Owner: root (or designated administrator)
Group: wazuh (only if required)
Permissions: 600 or 640Private keys should never be readable by unauthorized users.
Configuration Files
Important configuration files include:
/var/ossec/etc/ossec.confand related XML configuration files.
These should generally be:
- Readable by the Wazuh service account
- Writable only by administrators
- Protected from accidental modification
Restrict write permissions to prevent unauthorized configuration changes.
Related Guides:
- How to Configure ossec.conf for Log Monitoring in Wazuh
- How to Configure Wazuh Agent Centralized Configuration
Restricting Sensitive Files
Not every system file should be accessible to the Wazuh service account.
Avoid granting access to:
/etc/shadow- Root SSH keys
- Private administrator credentials
- Database passwords
- Application secrets
- Other users’ home directories
When additional access is required, grant permissions only to the specific files needed for monitoring rather than entire directories.
Security experts at the Open Worldwide Application Security Project (OWASP) recommend minimizing file permissions and limiting service accounts to only the resources required for normal operation, reducing the impact of compromised processes.
Configuring Linux Capabilities Instead of Root
Linux capabilities provide a more granular alternative to full root privileges.
Instead of granting a process unrestricted administrative access, capabilities allow individual privileged operations to be assigned independently.
This approach is central to many Wazuh Agent Non Root deployments because it enables specific monitoring functions while significantly reducing overall system privileges.
What Linux Capabilities Are
Traditionally, Linux processes either ran as:
- Root (full privileges)
- Non-root (limited privileges)
Linux capabilities divide root privileges into individual permissions that can be granted separately.
Examples include:
- Reading protected files
- Opening raw network sockets
- Inspecting processes
- Loading kernel modules
- Changing network settings
Rather than giving the Wazuh agent unrestricted administrative access, you can assign only the capabilities required for your monitoring requirements.
The Linux kernel documentation describes capabilities as a mechanism for breaking down the traditional all-powerful root privilege into distinct units that can be independently enabled or disabled.
Using setcap
The setcap utility assigns capabilities directly to executable files.
Example syntax:
sudo setcap capability_name=ep /path/to/executableFor example:
sudo setcap cap_dac_read_search=ep /var/ossec/bin/wazuh-agentdThe exact executable and capability set depend on your deployment and should be thoroughly tested before use.
After assigning capabilities, verify that the agent continues to collect the expected security data.
Common Capabilities Used
Different Wazuh modules may benefit from different Linux capabilities depending on the resources being monitored.
Only assign capabilities that are absolutely necessary.
CAP_DAC_READ_SEARCH
CAP_DAC_READ_SEARCH allows a process to bypass certain file read permission checks.
This capability is often useful for:
- Reading protected log files
- Monitoring restricted directories
- Accessing configuration files without full root privileges
It is one of the most commonly considered capabilities for least-privilege monitoring agents.
CAP_NET_RAW
CAP_NET_RAW allows processes to create raw network sockets.
Although many Wazuh deployments do not require it, certain network-related monitoring or integrations may depend on this capability.
If unused, leave it disabled.
CAP_SYS_PTRACE
CAP_SYS_PTRACE permits a process to inspect or trace other processes.
Some advanced monitoring or forensic workflows may require it, but it significantly increases the process’s visibility into the operating system.
Grant this capability only after evaluating the associated security implications.
CAP_SYSLOG (where applicable)
On some Linux systems, CAP_SYSLOG allows access to privileged kernel logging interfaces.
Modern distributions often restrict or replace this behavior, and availability varies by kernel version.
Many deployments do not require this capability.
Verifying Assigned Capabilities
After assigning capabilities, verify them using:
getcap /var/ossec/bin/wazuh-agentdYou can also inspect all Wazuh binaries:
getcap -r /var/ossecReview the output to ensure that only the intended capabilities are assigned.
Removing Unnecessary Capabilities
If capabilities are no longer required, remove them immediately.
Example:
sudo setcap -r /var/ossec/bin/wazuh-agentdRegularly auditing assigned capabilities is an important security practice.
As security researcher and Linux kernel developer Andrew G. Morgan, who helped design Linux capabilities, has noted, capabilities are most effective when administrators grant only the minimum privileges necessary rather than attempting to replicate full root access through numerous capability assignments.
Configuring the Wazuh Agent to Run as a Non-Root User
Once file permissions and Linux capabilities have been configured, the next step is modifying the Wazuh service so that it executes using the dedicated service account instead of the root user.
Because package layouts may vary between Linux distributions and Wazuh versions, always verify service file locations before making changes.
Updating the Service Configuration
Most Linux distributions manage the Wazuh agent using systemd.
Locate the service definition:
/etc/systemd/system/or
/usr/lib/systemd/system/Some distributions place package-managed service files in different locations.
Avoid modifying vendor-supplied files directly whenever possible. Instead, use a systemd override file so your changes survive package upgrades.
Editing systemd Service Files
Create an override configuration:
sudo systemctl edit wazuh-agentThis opens a drop-in configuration file that supplements the original service definition.
Using overrides follows systemd best practices and reduces maintenance during future Wazuh updates.
Setting User and Group
Within the override file, configure the service account:
[Service]
User=wazuh
Group=wazuhDepending on your deployment, additional directives such as:
SupplementaryGroups=
ReadWritePaths=
ReadOnlyPaths=may also be appropriate to further restrict filesystem access.
Carefully test these settings, as overly restrictive configurations can prevent the agent from accessing required resources.
Reloading systemd
After saving the override file, reload the systemd configuration:
sudo systemctl daemon-reloadThis instructs systemd to recognize the updated service configuration.
Restarting the Agent
Restart the Wazuh agent:
sudo systemctl restart wazuh-agentThen verify that the service starts successfully:
sudo systemctl status wazuh-agentAlso review the agent logs for any permission-related errors.
Related Guide: Wazuh Agent Not Connecting to Manager? 12 Proven Fixes
Confirming the Running User
Finally, verify that the agent is running under the dedicated service account rather than root.
Useful commands include:
ps -o user,group,comm -C wazuh-agentdor
ps aux | grep wazuhYou can also inspect the systemd process information:
systemctl status wazuh-agentConfirm that:
- The process owner is the
wazuhuser. - The correct group is assigned.
- Required monitoring features continue functioning.
- No permission-denied errors appear in the logs.
Successfully completing these checks confirms that your Wazuh Agent Non Root deployment is operating with a reduced privilege model while maintaining the monitoring capabilities your environment requires.
Allowing Access to Required Log Files
For a Wazuh Agent Non Root deployment to function correctly, the service account must be able to read every log file configured in ossec.conf.
The safest approach is to grant access only to the specific files or directories that require monitoring instead of providing unrestricted root privileges.
Depending on your Linux distribution, this can be accomplished using:
- Linux groups
- Access Control Lists (ACLs)
- Read-only bind mounts
- Carefully scoped file permissions
Avoid making sensitive log files world-readable, as this introduces unnecessary security risks.
Linux Authentication Logs
Authentication logs often contain valuable security events, including:
- SSH login attempts
- Failed authentication
- Privilege escalation
- sudo usage
- PAM events
Common log locations include:
/var/log/auth.logor
/var/log/secureBecause these logs are typically readable only by root or privileged groups, consider using ACLs instead of changing global permissions.
Example:
sudo setfacl -m u:wazuh:r /var/log/auth.logVerify access:
sudo -u wazuh cat /var/log/auth.logRelated Guide: How to Monitor Failed SSH Login Attempts Using Wazuh
Syslog Files
General system logs may reside in:
/var/log/syslog/var/log/messages/var/log/kern.log
The required permissions depend on the Linux distribution and logging service (rsyslog, syslog-ng, journald, etc.).
Whenever possible:
- Use read-only permissions.
- Assign the Wazuh user to an appropriate log-reading group.
- Avoid modifying default system permissions.
Application Logs
Many business applications generate logs in locations such as:
/opt/application/logsor
/var/log/applicationThese directories are often easier to monitor because they are owned by the application rather than the operating system.
Grant the Wazuh service account read access only to the required application log directories.
Web Server Logs
Common web server log locations include:
Apache:
/var/log/apache2/Nginx:
/var/log/nginx/Typical monitored files include:
- access.log
- error.log
Many Linux distributions already assign these logs to dedicated groups, allowing administrators to grant read access without requiring root.
Related Guide: How to Monitor Apache Logs with Wazuh
Docker Logs
Docker containers commonly store logs under:
/var/lib/docker/containers/These directories are usually accessible only by root.
Possible approaches include:
- Adding the Wazuh user to the
dockergroup (only after evaluating the security implications) - Using ACLs
- Forwarding container logs to syslog
- Using centralized logging
Be aware that membership in the Docker group effectively grants elevated privileges on many systems, so it should be used cautiously.
Kubernetes Logs
In Kubernetes environments, logs are commonly located in:
/var/log/containers/and
/var/log/pods/Permissions vary depending on:
- Container runtime
- Distribution
- Security policies
Many organizations choose to collect Kubernetes logs through centralized logging solutions rather than granting extensive filesystem access to individual agents.
Related Guide: How to Monitor Kubernetes Using Wazuh
Custom Log Directories
Many organizations maintain custom logging locations for internally developed applications.
Examples include:
/opt/company/logs/data/application/logsWhen monitoring these directories:
- Grant only read access.
- Avoid recursive write permissions.
- Regularly audit permissions.
- Remove access to retired applications.
Handling File Integrity Monitoring Permissions
File Integrity Monitoring (FIM) is one of Wazuh’s most valuable security capabilities, but it also has some of the highest permission requirements.
Successfully implementing Wazuh Agent Non Root often involves carefully selecting which files and directories the agent can monitor.
Monitoring System Files
System directories frequently monitored by Wazuh include:
/etc/boot/usr/bin/usr/sbin/lib/bin
These locations are protected because they contain critical operating system files.
Instead of granting unrestricted root access, administrators can use ACLs to provide read-only access where appropriate.
Some highly sensitive files may still require root privileges and cannot be monitored effectively under a fully non-root configuration.
Monitoring Application Directories
Application directories are generally easier to monitor because organizations control their ownership and permissions.
Examples include:
- Web applications
- Internal software
- Configuration repositories
- Shared application storage
These directories often require only:
- Read permission
- Directory traversal (
x) permission
This makes them ideal candidates for least-privilege monitoring.
Read-Only Access Requirements
In most cases, File Integrity Monitoring only needs to read files and calculate hashes.
Typical requirements include:
- Read permission on monitored files
- Execute permission on parent directories
- Access to file metadata
Write access is generally unnecessary and should not be granted unless specifically required.
Permission Best Practices
To maintain strong security while enabling FIM:
- Monitor only necessary directories.
- Use ACLs instead of broad permission changes.
- Avoid world-readable system files.
- Regularly review monitored paths.
- Remove obsolete monitoring rules.
- Test FIM after permission changes.
Related Guides:
- How to Configure File Integrity Monitoring (FIM) in Wazuh
- How to Stop Wazuh File Integrity Monitoring (FIM) From Eating Your CPU
Managing Active Response with Non-Root Agents
Active Response presents one of the biggest challenges for Wazuh Agent Non Root deployments because it performs actions that intentionally modify the operating system.
Unlike passive monitoring modules, Active Response may need to:
- Block malicious IP addresses
- Kill running processes
- Disable user accounts
- Update firewall rules
- Execute remediation scripts
These operations generally require elevated privileges.
Why Active Response Is Different
Most Wazuh modules simply observe system activity.
Active Response, however, changes system state.
As a result, running it under a fully non-root account is usually impractical without carefully delegated administrative permissions.
Using sudo Securely
Rather than granting unrestricted root access, many administrators allow the Wazuh service account to execute only approved commands through sudo.
For example:
- Restart a specific service
- Update firewall rules
- Execute a predefined remediation script
Avoid allowing unrestricted sudo access or shell execution.
Restricting Allowed Commands
Limit executable commands to exactly those required.
For example:
/usr/sbin/iptables/usr/bin/firewall-cmd/usr/bin/systemctl restart nginx- Approved internal response scripts
Do not allow wildcard command execution.
The narrower the rule, the smaller the attack surface.
Creating Minimal sudoers Rules
A carefully scoped sudoers entry might resemble:
wazuh ALL=(root) NOPASSWD: /usr/bin/firewall-cmdor
wazuh ALL=(root) NOPASSWD: /opt/security/scripts/block_ip.shAlways edit sudoers using:
sudo visudoThis performs syntax validation before saving changes and reduces the risk of configuration errors.
Sudo documentation: https://www.sudo.ws/docs/man/1.9.17/visudo.man/
Security Considerations
When delegating administrative commands:
- Allow only absolute paths.
- Never use wildcards unless absolutely necessary.
- Review sudo rules regularly.
- Log every privileged command.
- Remove unused rules promptly.
- Test each permitted command individually.
Security experts, including those behind the CIS Linux Benchmarks, consistently recommend restricting sudo privileges to the smallest possible set of administrative actions rather than granting unrestricted root access.
Related Guide: How to Configure Wazuh Active Response
Example Configuration
The following examples illustrate how the various pieces of a non-root deployment fit together.
Your exact configuration will vary depending on your Linux distribution, security policies, and the Wazuh modules you enable.
Example Directory Permissions
sudo chown -R wazuh:wazuh /var/ossec
sudo chmod 750 /var/ossec
sudo setfacl -m u:wazuh:r /var/log/auth.log
sudo setfacl -m u:wazuh:rx /etcThese commands demonstrate the principle of granting only the permissions necessary for monitoring.
Example systemd Override
[Service]
User=wazuh
Group=wazuhDepending on your environment, you may also define:
SupplementaryGroups=ReadOnlyPaths=ReadWritePaths=NoNewPrivileges=yesProtectSystem=
These additional hardening options can further reduce the service’s attack surface.
Example sudoers Configuration
wazuh ALL=(root) NOPASSWD: /usr/bin/firewall-cmdThis allows only the specified command to execute with elevated privileges.
Avoid broad rules such as:
wazuh ALL=(ALL) NOPASSWD: ALLas they effectively eliminate the benefits of a least-privilege deployment.
Example Capability Assignment
sudo setcap cap_dac_read_search=ep /var/ossec/bin/wazuh-agentdAlways verify that assigned capabilities are limited to operational requirements.
Example Verification Commands
Useful validation commands include:
id wazuhps -o user,group,comm -C wazuh-agentdsystemctl status wazuh-agentgetcap -r /var/ossecjournalctl -u wazuh-agentRunning these commands after configuration changes helps confirm that the service is operating correctly under the intended security model.
Verifying the Configuration
After completing the configuration, verify that every major Wazuh component still functions correctly.
A successful Wazuh Agent Non Root deployment should reduce privileges without sacrificing the monitoring capabilities your environment depends on.
Check Running User
Confirm that the Wazuh processes are no longer running as root.
Example:
ps -o user,group,comm -C wazuh-agentdThe output should show the dedicated service account (for example, wazuh) as the process owner.
Verify Manager Connectivity
Ensure the agent continues communicating with the Wazuh manager.
Check:
- Agent status in the Wazuh dashboard
- Recent heartbeat activity
- Registration status
- Connection logs
If the agent disappears from the manager after privilege changes, review file permissions and service logs.
Related Guide: Wazuh Agent Not Connecting to Manager? 12 Proven Fixes
Confirm Log Collection
Generate a test log entry in one of the monitored log files and verify that it appears in the Wazuh dashboard.
If events do not arrive:
- Check file permissions.
- Review ACLs.
- Confirm the configured log path in
ossec.conf. - Inspect agent logs for permission errors.
Verify FIM Events
Modify a monitored file and confirm that Wazuh detects the change.
Typical tests include:
- Editing a configuration file
- Creating a temporary file
- Changing file permissions
If no alert is generated, verify that the service account has sufficient read and directory traversal permissions.
Test Syscollector
Trigger a new Syscollector inventory scan and verify that inventory data such as installed packages, processes, and network interfaces continues to appear in the Wazuh dashboard.
If inventory is incomplete, compare the missing data with the permissions available to the non-root service account.
Test Active Response
If Active Response is enabled:
- Trigger a test rule.
- Verify that the expected remediation command executes.
- Confirm that the command is permitted by your
sudoersconfiguration. - Review both the Wazuh agent log and system logs for any permission-denied messages.
Related Guide: How to Configure Wazuh Active Response
Review Agent Logs
Finally, inspect the Wazuh agent logs for warnings or permission-related failures.
Common locations include:
/var/ossec/logs/ossec.logLook for messages indicating:
Permission deniedOperation not permittedUnable to read fileAccess deniedCapability missing
Addressing these messages early helps ensure that your least-privilege deployment remains both secure and fully operational over time.
Common Problems and Solutions
Configuring a Wazuh Agent Non Root deployment requires careful permission management.
Most issues occur because the agent no longer has unrestricted access to system resources that it previously accessed as root.
The key to troubleshooting is identifying which Wazuh module is failing, determining which resource it needs access to, and granting the smallest possible permission required.
Permission Denied Errors
Permission errors are the most common issue after switching the Wazuh agent from root to a dedicated service account.
Common messages include:
Permission denied
Operation not permitted
Unable to open file
Cannot access directoryTypical causes include:
- Incorrect file ownership
- Missing ACL permissions
- Missing group membership
- Incorrect systemd user configuration
- Missing Linux capabilities
Start troubleshooting by identifying the affected file or directory:
ls -l /path/to/fileCheck whether the Wazuh user can access the resource:
sudo -u wazuh ls -l /path/to/fileIf access fails, grant only the required permission:
sudo setfacl -m u:wazuh:r /path/to/fileAvoid solving permission problems by using:
chmod 777This creates unnecessary security risks and defeats the purpose of a least-privilege deployment.
Agent Cannot Read Log Files
If Wazuh stops collecting logs after switching to a non-root user, the agent likely lacks permission to read the configured log sources.
Common affected files include:
/var/log/auth.log
/var/log/secure
/var/log/syslog
/var/log/messagesVerify access:
sudo -u wazuh cat /var/log/auth.logIf access fails, solutions include:
Using ACLs
sudo setfacl -m u:wazuh:r /var/log/auth.logAdding the User to a Log Group
Some Linux distributions provide groups such as:
adm
systemd-journalExample:
sudo usermod -aG adm wazuhRestart the agent afterward:
sudo systemctl restart wazuh-agentRelated Guide: How to Monitor Linux Event Logs Using Wazuh
Active Response Fails
Active Response commonly fails in non-root deployments because it performs privileged actions.
Examples:
- Blocking firewall rules
- Killing processes
- Restarting services
- Modifying system configuration
Typical errors:
Permission denied executing command
Operation not permitted
sudo: command not allowedThe solution is not to restore full root privileges.
Instead:
- Identify the exact command required.
- Create a restricted sudo rule.
- Allow only that command.
Example:
wazuh ALL=(root) NOPASSWD: /usr/bin/firewall-cmdVerify:
sudo -u wazuh sudo firewall-cmd --list-allRelated Guide: How to Configure Wazuh Active Response
Missing Inventory Data
Syscollector may report incomplete information after removing root privileges.
Symptoms include:
- Missing installed packages
- Missing processes
- Missing network information
- Incomplete hardware inventory
Possible causes:
- Restricted
/procaccess - Missing permissions on package databases
- Protected system files
Check whether the Wazuh user can access required system information:
sudo -u wazuh ls /procIf only specific inventory information is missing, determine whether that information is worth granting additional permissions.
A least-privilege deployment may intentionally collect less data in exchange for stronger security isolation.
FIM Stops Working
File Integrity Monitoring failures usually occur because the Wazuh user cannot access monitored paths.
Common examples:
/etc
/root
/usr/bin
/bootVerify directory access:
sudo -u wazuh ls /etcIf necessary, provide read and traversal permissions:
sudo setfacl -m u:wazuh:rx /etcFor highly sensitive files, consider whether monitoring them requires a privileged agent or whether another collection method is more appropriate.
Related Guide: How to Configure File Integrity Monitoring (FIM) in Wazuh
Linux Capabilities Not Applied
If assigned capabilities do not appear, verify:
getcap /var/ossec/bin/wazuh-agentdCommon causes include:
- Capability assigned to the wrong binary
- Package upgrade replaced the executable
- Filesystem does not support extended attributes
- Incorrect capability syntax
Example:
sudo setcap cap_dac_read_search=ep /var/ossec/bin/wazuh-agentdThen verify again:
getcap /var/ossec/bin/wazuh-agentdsystemd Ignores User Setting
Sometimes administrators modify the systemd service file but the agent continues running as root.
Common causes:
- Incorrect override location
- Missing daemon reload
- Package service file overriding changes
- Multiple service definitions
Check the effective configuration:
systemctl cat wazuh-agentReload systemd:
sudo systemctl daemon-reloadRestart:
sudo systemctl restart wazuh-agentVerify:
systemctl status wazuh-agentSELinux or AppArmor Restrictions
Mandatory Access Control systems may block the Wazuh agent even when traditional permissions are correct.
SELinux
Check status:
getenforceReview denied actions:
ausearch -m avc -ts recentAppArmor
Check profiles:
aa-statusIf restrictions exist, create a dedicated policy instead of disabling the security framework.
Agent Fails After Upgrade
A Wazuh upgrade may replace:
- Binary files
- systemd service files
- Permissions
- Capabilities
After upgrades, verify:
getcap -r /var/ossecCheck ownership:
ls -ld /var/ossecVerify the service:
systemctl cat wazuh-agentReapply required permissions and capabilities if necessary.
Related Guide: How to Upgrade a Wazuh Agent
Security Best Practices
A successful Wazuh Agent Non Root deployment requires continuous permission management.
Reducing privileges once is not enough; organizations should regularly review access, capabilities, and administrative permissions.
Grant Only Required Permissions
Avoid granting broad permissions simply because they solve immediate problems.
Follow these principles:
- Monitor only required directories.
- Allow access only to required logs.
- Avoid unnecessary group memberships.
- Remove unused permissions.
Every additional permission increases the potential impact of compromise.
Use Linux Capabilities Instead of Full Root
Linux capabilities provide a more precise security model than unrestricted root privileges.
Instead of:
wazuh → rootprefer:
wazuh → required capability onlyExamples:
- File reading capability
- Network capability
- Specific sudo commands
Regularly review assigned capabilities:
getcap -r /var/ossecProtect Configuration Files
Wazuh configuration files contain important security settings.
Protect:
/var/ossec/etc/ossec.conf
/var/ossec/etc/client.keysRecommended practices:
- Restrict write access.
- Monitor configuration changes.
- Use centralized configuration carefully.
- Maintain backups.
Related Guide: How to Configure Wazuh Agent Centralized Configuration
Secure Agent Credentials
Agent authentication files and certificates should be protected.
Important files include:
- Agent keys
- Certificates
- Private keys
Recommended permissions:
600or:
640depending on your deployment model.
Never expose credentials through shared directories or backups.
Review File Permissions Regularly
Permissions can drift over time because of:
- Software updates
- Configuration changes
- Administrator actions
Create regular reviews:
find /var/ossec -perm -o+wAudit sensitive locations and remove unnecessary access.
Audit sudo Rules
Review delegated commands regularly:
sudo cat /etc/sudoersand:
sudo ls /etc/sudoers.d/Remove:
- Old rules
- Unused scripts
- Wildcard permissions
Monitor Agent Activity
A non-root deployment should still be monitored.
Review:
- Agent logs
- Authentication events
- sudo activity
- File changes
Related Guide: How to Test Wazuh Rules
Keep Wazuh Updated
Security vulnerabilities are discovered in all software, including monitoring agents.
Maintain:
- Updated Wazuh agents
- Updated managers
- Updated operating systems
- Current security policies
Real-World Example
Scenario
A financial services company wants to deploy Wazuh agents across hundreds of Linux servers while meeting internal security policies that prohibit long-running services from operating as the root user.
The company operates:
- Production application servers
- Database servers
- Web servers
- Internal infrastructure systems
Their security team requires endpoint monitoring but does not allow permanently running privileged services unless absolutely necessary.
Challenge
The organization must maintain:
- Log collection
- File Integrity Monitoring
- System inventory
- Security Configuration Assessment
without granting unnecessary privileges.
Additional challenges include:
- Different Linux distributions
- Standardized deployment requirements
- Compliance auditing
- Operational scalability
Solution
The security team implements a least-privilege Wazuh deployment.
The process includes:
- Creating a dedicated
wazuhservice account. - Assigning ownership and permissions only where required.
- Granting Linux capabilities instead of full root access.
- Configuring ACLs for monitored log files.
- Restricting Active Response operations through sudoers rules.
- Updating the systemd service to run under the non-root account.
- Testing all enabled monitoring modules.
Validation includes:
- Log collection tests
- FIM modification tests
- Syscollector inventory checks
- Manager connectivity verification
- Active Response testing
The final configuration is documented and automated through configuration management tools.
Outcome
The organization successfully operates Wazuh agents with significantly reduced privileges while maintaining essential security visibility.
Benefits include:
- Reduced attack surface
- Improved compliance alignment
- Easier security audits
- Lower privilege escalation risk
- Standardized endpoint deployment
The organization also creates a repeatable deployment model that can be automated across hundreds of Linux systems.
Related Guide: How to Automate Bulk Wazuh Agent Deployment with Ansible and SCCM
Frequently Asked Questions (FAQ)
Question: Can Wazuh Agent Run Completely Without Root Privileges?
In some environments, yes. However, a completely rootless deployment may limit certain features.
Modules such as:
- Rootcheck
- Active Response
- Some FIM scenarios
- Certain SCA checks
may require elevated permissions.
A more practical approach is reducing privileges as much as possible while preserving required monitoring functionality.
Question: Which Wazuh Modules Require Elevated Permissions?
Modules commonly requiring elevated access include:
- Rootcheck
- Active Response
- Some File Integrity Monitoring paths
- Some Security Configuration Assessment checks
Other features may work with carefully configured permissions.
Question: Can Linux Capabilities Replace Root Access?
Yes, in many situations.
Capabilities allow administrators to grant specific privileged operations without granting complete root access.
However, capabilities cannot replace every root function.
Question: Does File Integrity Monitoring Work Without Root?
Yes, if the Wazuh user can access the monitored files.
Monitoring user-owned applications is usually straightforward, while protected system directories may require additional permissions.
Question: Can Active Response Be Used With a Non-Root Agent?
Yes, but it requires careful configuration.
The recommended approach is:
- Dedicated sudo rules
- Specific allowed commands
- No unrestricted sudo access
Question: How Do I Verify Which User the Wazuh Agent Is Running As?
Use:
ps -o user,group,comm -C wazuh-agentdor:
systemctl status wazuh-agentQuestion: Will Running as Non-Root Affect Performance?
Normally, no.
Performance differences are usually negligible.
The main impact is reduced access to certain system resources, which may affect data collection rather than performance.
Question: Does Wazuh Officially Support Non-Root Deployments?
Wazuh agents are commonly deployed with elevated privileges because many security monitoring features require them.
A customized non-root deployment should be tested carefully to ensure required functionality remains available.
Question: How Do I Troubleshoot Permission Errors?
Start by checking:
- Agent logs.
- File permissions.
- ACL settings.
- Linux capabilities.
- SELinux/AppArmor policies.
- systemd configuration.
Question: What Is the Most Secure Way to Deploy Wazuh Agents on Linux?
The most secure approach is:
- Use least privilege.
- Avoid unnecessary root access.
- Grant only required permissions.
- Protect credentials.
- Audit changes regularly.
- Keep Wazuh updated.
- Test every enabled module.
Conclusion
Running the Wazuh Agent Non Root provides organizations with a stronger security posture by reducing unnecessary privileged access while maintaining valuable endpoint monitoring capabilities.
A properly designed deployment can:
- Reduce attack surface
- Limit privilege escalation opportunities
- Improve compliance readiness
- Simplify security audits
- Support least-privilege security models
However, security teams must balance privilege reduction with operational requirements.
Some Wazuh features, especially Active Response, Rootcheck, and certain compliance checks, may require additional permissions.
The most effective approach is not simply removing root access, but carefully designing a permission model that provides the minimum privileges required for each monitoring function.
Before deploying broadly:
- Test every enabled Wazuh module.
- Validate log collection.
- Confirm FIM coverage.
- Verify Syscollector results.
- Review Active Response behavior.
- Document permissions.
By combining Linux capabilities, ACLs, restricted sudo rules, and systemd hardening, organizations can build secure and scalable Wazuh deployments across Linux environments.
Related guides:

Be First to Comment