Linux packages that require root to execute should be marked accordingly. An example can be found here

This includes:

• system_audit (auditbeat)
• fim (auditbeat)
• auditd_manager (auditbeat)
• network_traffic (packetbeat)
• and maybe cloud_defend (I am not sure if we need root once the appropriate capabilities are exposed)