topic Re: linux agent change or remove without password - bug ?? in Cortex XDR Discussions

linux agent change or remove without password - bug ??

tlmarques — Tue, 30 Dec 2025 17:36:03 GMT

Hi,

i've uninstall password setup for all devices on tenant, but on linux machines, it's possible stop services or uninstall agent without password.

anyone knows why??

Re: linux agent change or remove without password - bug ??

ssingh32 — Tue, 06 Jan 2026 12:05:02 GMT

Hi,

Linux is not having anti-tampering protection as a result uninstall password is not available for linux endpoints.

Please mark the solution as accepted ,if it helps.

Re: linux agent change or remove without password - bug ??

susekar — Tue, 06 Jan 2026 15:14:29 GMT

Hello @tlmarques ,

Greetings for the day!

The reason you can stop services or uninstall the Cortex XDR agent on Linux machines without a password is that the uninstall password and tamper protection features are not currently supported for the Linux platform. These features are currently implemented only for Windows and macOS operating systems.
As correctly said by @ssingh32 .

Additionally, sharing a few details:

Key details regarding this limitation include:

OS-Specific Design: On Linux, the Cortex XDR agent relies on the operating system's inherent security controls. Since uninstallation and service management (such as cytool runtime stop) require superuser (root or sudo) privileges, the agent is designed to allow these actions once those elevated permissions are met, without prompting for an additional XDR-specific password.
Profile Limitations: The Agent Security section, which contains the tamper protection and uninstall password settings in the management console, is not available for Linux Agent Settings profiles.
Feature Request: This is a known product limitation and is currently tracked under feature request CXDR-I-267 (Linux XDR agent security settings for tampering protection).

Recommended Workarounds:

Restrict Administrative Access: Ensure that root or sudo access is limited strictly to authorized personnel only.
Monitoring and Alerts: Configure notification forwarding or Audit Log filters in the Cortex XDR console to alert administrators when the agent service is stopped (TYPE = AGENT SERVICE, SUB-TYPE = STOP).
External Logging: Use local utilities such as rsyslog to forward logs from /var/log/traps/ to an external log management system to ensure audit trails are preserved if the agent is removed.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New Year!!

Thanks & Regards,
S. Subashkar Sekar

Re: linux agent change or remove without password - bug ??

tlmarques — Wed, 07 Jan 2026 10:33:29 GMT

Hi,
Happy new year for all.
And thanks for your responses @susekar and @ssingh32

i'll try configure notification forwarding or Audit Log filters in the Cortex XDR console to alert administrators when the agent service is stopped (TYPE = AGENT SERVICE, SUB-TYPE = STOP)...because sometimes someone with priv users can stop agent and i dont have alerts.

Re: linux agent change or remove without password - bug ??

tlmarques — Wed, 07 Jan 2026 10:40:22 GMT

but every time, machine is shutdown, agent stop...with this configuration, i'll get alot of false/positive.