Grsecurity kernel support

Depending on how it was compiled, the GRS or GRSecurity kernel can restrict file access to certain users. This can potentially prevent the sd-agent user from opening certain files required to gather metrics - Specifically Network, Disk IO and Top Process/Process Count metrics. Due to the nature of custom kernels we cannot offer a universal guide, however we've put together the following which might help.

Reading from /proc/*

Certain metrics require the ability to read from /proc/*. If the kernel was compiled with 


then the sd-agent will be unable to read /proc/* to gather certain metrics unless the sd-agent is run as the root user - This is not recommended.

However, if the kernel was compiled with


Then you can add the sd-agent to group 1001 to allow access to read /proc/*.

groupadd -g 1001 grs 
usermod -a -G grs sd-agent

Once you restart the agent you will begin to see metrics for Network and Disk IO. For Top Process & Process Count you will see an increase in metrics data collected.

Finding your compile options

In some environments you can find your GRS kernel options using the following command: 

 grep 'CONFIG_GRKERNSEC_*' /boot/config-$(uname -r)
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Monday  —  Friday.

10am  —  6pm UK.

Dedicated Support.