Out of the box, the Panopta agent comes with a handful of standard CounterMeasure actions to use. You can view them using the following command: 

python /usr/bin/panopta-agent/ list_plugins

Available Countermeasures


Name Author Description


Reboot Server Reboot the server

dmesg Gather the latest lines from dmesg

netstat Gather most recent netstat output

top Gather most recent top output

vmstat Gather vmstat output

All of these will run without requiring further configuration, except for Reboot Server. Instructions on configuring the reboot server are detailed in the following section.

Configuring Reboot Server privileges

CounterMeasure actions are executed by the panopta-agent user, which is created at the time of agent installation. The panopta-agent user itself does not have elevated privileges and does not require them to perform it's normal monitoring tasks. However, one out-of-the-box CounterMeasure action requires elevated permissions reboot server. If you attempt to run this CounterMeasure before you've configured permissions, it will fail.


  • Open /etc/passwd. At the end of the panopta-agent line, remove /usr/sbin/nologin and replace it with /bin/bash
  • Save the file
Make sure the following steps are taken using the visudo command, which validates file integrity when saving.
  • Open /etc/sudoers. Under User privilege specification, add panopta-agent ALL=(ALL) NOPASSWD: /sbin/shutdown under the existing declaration.
  • Save the file

On a stock Ubuntu image, the sudoers file would now look like this:

Defaults        env_reset 
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
panopta-agent ALL=(ALL) NOPASSWD: /sbin/shutdown

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d