Remediation Fix : 33851 - Network daemons not managed by the package system

Question

Hi All,

We have 2 Nessus scanners which are CentOS 7 based. We have observed a vulnerability on them which is 33851 - Network daemons not managed by the package system and the details are below.

Plugin Output:

The following running daemon is not managed by RPM :

/opt/microsoft/omsagent/plugin/npmd_agent

Synopsis:

Some daemon processes on the remote host are associated with programs that have been installed manually.

Description:

Some daemon processes on the remote host are associated with programs that have been installed manually.

System administration best practice dictates that an operating system's native package management tools be used to manage software installation, updates, and removal whenever possible.

Solution:

Use packages supplied by the operating system vendor whenever possible.

And make sure that manual software installation agrees with your organization's acceptable use and security policies.

Could you please help us on mitigating it. Because it is related to "microsoft/omsagent" on CentOS platform.

we would like to know is there any dependency with this package? What if we uninstall it from the path, any consequesnces we face after that? If we can uninstall it from the path, Please share us the process.

Do let me know if any.

Thanks in advance.

Regards,

Tara

Answer 1

The plugin output indicates that the daemon process "/opt/microsoft/omsagent/plugin/npmd_agent" is not managed by RPM, and it is associated with the "microsoft/omsagent" package. This package is part of the Operations Management Suite (OMS) Agent, which is used for monitoring and management of systems and services.

If you uninstall the OMS Agent package or manually remove the npmd_agent process, you may lose the monitoring and management capabilities provided by the package. Additionally, you may not receive any updates or security patches for the package.

If you want to continue using the OMS Agent package, you can try to configure it to use the RPM package management tools instead of manually installing the npmd_agent process. You can refer to the OMS Agent documentation or contact Microsoft support for guidance on how to do this.

Alternatively, if you no longer need the monitoring and management capabilities provided by the OMS Agent package, you can uninstall the package using the RPM package management tools. You can use the following command to uninstall the package:

sudo yum remove omsagent

Answer 2

@Taradevi Purini , thank you for posting this question here on Microsoft Q&A.

The daemon in question - npmd_agent, is part of the Network Performance Monitor solution in Azure. It is installed as an extension to the OMS agent, when you enable this solution in Log analytics workspace and create network monitoring rule.

Note that this solution is not in legacy/deprecated mode and Starting 1 July 2021, it is not possible to add new tests in an existing workspace or enable a new workspace in Network Performance Monitor. It is recommeded to move away from this solution and hence the npmd agent as well. To migrate away from it, here are the steps:

1. As it seems that NPM was already enabled in your environment, you should evaluate the current monitoring being performed by this solution. You may check by going to "Network watcher" in portal --> "Network Performance Monitor" and observe if there are rules available in here. Once you have reviewed the existing deployments, Migrate from Network Performance Monitor to Connection Monitor which is the newer and recommended service to be used.
2. Once you have migrated from NPM to connection monitor, you should also plan/perform migration from OMS agent to Azure Monitor agent. Note that the Log Analytics agent (also known as OMS agent) will be **retired on August 31, 2024 **Please see the following link for guidelines of migration - Migrate to Azure Monitor Agent from Log Analytics agent.

Hope this helps.

If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.