[Bro-Dev] Script reorg proposal
Matthias Vallentin
vallentin at icir.org
Mon Aug 1 12:36:38 PDT 2011
> Does this make an implicit assumption that only one user is
> configuring the Bro policy for a site or system?
No, I did not mean to imply a single "Bro admin" per system, although
this is probably common practice.
> Or does bro run as root and hence this would almost always be in
> /root/.bro ?
On many UNIX flavors [1], Bro will probably need to run as root in order to
access the network interfaces. But supporting ~/.bro has also benefits
for users who simply want to do trace analysis (i.e., no root
privileges required) and customize "their" Bro. Another plus is that
rolling Bro updates system-wide or uninstalling Bro is independent of a
user's configuration.
Matthias
[1] Some BSDs support access control via groups, and IIRC Robin wrote a
patch for Linux.
More information about the bro-dev
mailing list