01-06-2026 04:05 AM
Hi,
Linux does not have anti-tampering protection; as a result, the uninstall password is not available for Linux endpoints.
Please mark the solution as accepted if it helps.
01-06-2026 07:14 AM
Hello @tlmarques ,
Greetings for the day!
The reason you can stop services or uninstall the Cortex XDR agent on Linux machines without a password is that the uninstall password and tamper protection features are not currently supported for the Linux platform. These features are currently implemented only for Windows and macOS operating systems.
As correctly said by @ssingh32 .
Additionally, sharing a few details:
Key details regarding this limitation include:
- OS-Specific Design: On Linux, the Cortex XDR agent relies on the operating system's inherent security controls. Since uninstallation and service management (such as cytool runtime stop) require superuser (root or sudo) privileges, the agent is designed to allow these actions once those elevated permissions are met, without prompting for an additional XDR-specific password.
- Profile Limitations: The Agent Security section, which contains the tamper protection and uninstall password settings in the management console, is not available for Linux Agent Settings profiles.
- Feature Request: This is a known product limitation and is currently tracked under feature request CXDR-I-267 (Linux XDR agent security settings for tampering protection).

Recommended Workarounds:
- Restrict Administrative Access: Ensure that root or sudo access is limited strictly to authorized personnel only.
- Monitoring and Alerts: Configure notification forwarding or Audit Log filters in the Cortex XDR console to alert administrators when the agent service is stopped (TYPE = AGENT SERVICE, SUB-TYPE = STOP).
- External Logging: Use local utilities such as rsyslog to forward logs from /var/log/traps/ to an external log management system to ensure audit trails are preserved if the agent is removed.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New Year!!
Thanks & Regards,
S. Subashkar Sekar
01-07-2026 02:33 AM
Hi,
Happy New Year to all.
And thanks for your responses, @susekar and @ssingh32.
I'll try to configure notification forwarding or Audit Log filters in the Cortex XDR console to alert administrators when the agent service is stopped (TYPE = AGENT SERVICE, SUB-TYPE = STOP), because sometimes someone with privileged users can stop the agent and I don't have alerts.
01-07-2026 02:40 AM
But every time a machine is shut down, the agent stops... with this configuration, I'll get a lot of false positives.
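One way to triage the shutdown noise raised in the last post, as an added example that is not part of the original thread and not Palo Alto Networks code: keep only agent-stop events that have no host shutdown on the same host close by in time. The event records, their field names, and the HOST / SHUTDOWN event (taken here to come from a separate source such as forwarded OS logs) are assumptions; only TYPE = AGENT SERVICE, SUB-TYPE = STOP comes from the thread.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real Cortex XDR output. Field names are
# assumptions; HOST/SHUTDOWN stands in for whatever shutdown record you collect.
EVENTS = [
    {"ts": "2026-01-07T02:10:00", "host": "web01", "type": "AGENT SERVICE", "subtype": "STOP"},
    {"ts": "2026-01-07T02:10:20", "host": "web01", "type": "HOST", "subtype": "SHUTDOWN"},
    {"ts": "2026-01-07T03:15:00", "host": "db02", "type": "AGENT SERVICE", "subtype": "STOP"},
    {"ts": "2026-01-07T09:00:00", "host": "db02", "type": "HOST", "subtype": "SHUTDOWN"},
    {"ts": "2026-01-07T04:00:00", "host": "app03", "type": "AGENT SERVICE", "subtype": "STOP"},
]


def suspicious_stops(events, window=timedelta(seconds=120)):
    """Return agent-stop events with no shutdown of the same host within `window`."""
    # Index shutdown times per host so a reboot of one machine never
    # excuses an agent stop on another.
    shutdowns = {}
    for e in events:
        if (e["type"], e["subtype"]) == ("HOST", "SHUTDOWN"):
            shutdowns.setdefault(e["host"], []).append(datetime.fromisoformat(e["ts"]))

    flagged = []
    for e in events:
        if (e["type"], e["subtype"]) != ("AGENT SERVICE", "STOP"):
            continue
        stopped = datetime.fromisoformat(e["ts"])
        # The shutdown record may be logged slightly before or after the stop,
        # so compare on absolute distance in time.
        near_shutdown = any(
            abs(s - stopped) <= window for s in shutdowns.get(e["host"], [])
        )
        if not near_shutdown:
            flagged.append(e)  # agent stopped while the host stayed up
    return flagged


if __name__ == "__main__":
    for event in suspicious_stops(EVENTS):
        print(f'{event["ts"]} {event["host"]}: agent stopped without a host shutdown')
```

The 120-second window is a starting value to tune against how long shutdown takes on your hosts.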

