[Bro] Problems Building Bro

Christian Kreibich christian at whoop.org
Sat Jun 24 10:25:26 PDT 2006

On Sat, 2006-06-24 at 17:45 +0100, Dominic Steinitz wrote: 
> >> 2. "make install" installed everything as root so I'm having to run bro 
> >> as root.
> > 
> > I don't understand -- who owns the installed files is determined by who
> > runs make install. I'd normally hope that everything is installed as
> > root. How does that prevent you from running bro non-root?
> I quote from the Bro Quick Start Guide:
> "The Bro-Lite configuration script can be used to automatically 
> configure Bro for you. It checks your system's BPF settings, creates a 
> 'bro' user account, installs a script to start bro at boot time, and 
> installs a number of cron jobs to checkpoint bro every night, run 
> perioidic reports, and manage log files."
> and
> "     User id to install and run Bro under [bro]
>          bro_config will create a new user account with this username if 
> the user does not exist."

Sorry but I don't see what this has to do with your earlier claim of
having to run Bro as root. You only have to run Bro as root if your
kernel requires it for the tasks your putting Bro to, packet capture
being the most likely candidate.

Maybe you could tell us what kind of setup you're aiming at. What user
*do* you want to run Bro under? If you want to run Bro to get a feel for
policy configuration, you don't even need to make install, not to
mention touch the Bro-Lite configuration stuff.

> I did make install as root and then make install-brolite. Should I not 
> have done make install but make install-brolite only?

No, it's okay to run both -- 'make install' installs the Bro executable,
Broccoli, policy files, etc, while 'make install-brolite' is responsible
for setting up an install script, configure report styles, etc.

> > If you want to do packet capture you'll likely be running it as root
> > anyway, if you want to process traces you don't need root, and if you
> > want to run a Bro-Bro communications node you can use high ports to
> > avoid root.
> Ok but I'm confused in that case. What is the point of creating the user 
> bro?

I believe on Linux you're not actually supposed to be presented with
"bro" as user account but "root" instead since it's more likely to work,
though I might be wrong. Try setting the suggested user to root unless
you know that your Linux kernel provides non-root capability to do
packet capture.

The point of a different user is simply one of least privilege -- if
your OS allows you to select capabilities selectively, then you might
not need root even if you do packet capture. Also there are the issues
of log maintenance & archival, and you might prefer a user different
from root for access to those.

Getting all of this set up smoothly has seen more exposure on the BSDs
than Linux, so sorry for the bumpy ride. Others can comment better than
I on the state of Bro-Lite and Linux.


More information about the Bro mailing list