[Bro] Problems Building Bro
dominic.steinitz at blueyonder.co.uk
Sun Jun 25 07:26:56 PDT 2006
Christian Kreibich wrote:
> On Sat, 2006-06-24 at 17:45 +0100, Dominic Steinitz wrote:
>>>> 2. "make install" installed everything as root so I'm having to run bro
>>>> as root.
>>> I don't understand -- who owns the installed files is determined by who
>>> runs make install. I'd normally hope that everything is installed as
>>> root. How does that prevent you from running bro non-root?
>> I quote from the Bro Quick Start Guide:
>> "The Bro-Lite configuration script can be used to automatically
>> configure Bro for you. It checks your system's BPF settings, creates a
>> 'bro' user account, installs a script to start bro at boot time, and
>> installs a number of cron jobs to checkpoint bro every night, run
>> periodic reports, and manage log files."
>> " User id to install and run Bro under [bro]
>> bro_config will create a new user account with this username if
>> the user does not exist."
> Sorry but I don't see what this has to do with your earlier claim of
> having to run Bro as root. You only have to run Bro as root if your
> kernel requires it for the tasks you're putting Bro to, packet capture
> being the most likely candidate.
Ok I'm capturing packets and so running Bro as root. I misunderstood the
documentation (and / or the question in the brolite script) which
seemed to imply that files would be installed as bro / wheel and Bro
would run as bro.
> Maybe you could tell us what kind of setup you're aiming at. What user
> *do* you want to run Bro under? If you want to run Bro to get a feel for
> policy configuration, you don't even need to make install, not to
> mention touch the Bro-Lite configuration stuff.
>> I did make install as root and then make install-brolite. Should I not
>> have done make install but make install-brolite only?
> No, it's okay to run both -- 'make install' installs the Bro executable,
> Broccoli, policy files, etc, while 'make install-brolite' is responsible
> for setting up an install script, configure report styles, etc.
>>> If you want to do packet capture you'll likely be running it as root
>>> anyway, if you want to process traces you don't need root, and if you
>>> want to run a Bro-Bro communications node you can use high ports to
>>> avoid root.
>> Ok but I'm confused in that case. What is the point of creating the user
> I believe on Linux you're not actually supposed to be presented with
> "bro" as user account but "root" instead since it's more likely to work,
You are right. I was presented with root but I must have misunderstood
> though I might be wrong. Try setting the suggested user to root unless
> you know that your Linux kernel provides non-root capability to do
> packet capture.
Done. I've used pcap directly and know I have to be root to run the
> The point of a different user is simply one of least privilege -- if
> your OS allows you to select capabilities selectively, then you might
> not need root even if you do packet capture. Also there are the issues
> of log maintenance & archival, and you might prefer a user different
> from root for access to those.
This was why I was worrying. But let's finish off this thread. I'll
post my remaining questions under a different title.
> Getting all of this set up smoothly has seen more exposure on the BSDs
> than Linux, so sorry for the bumpy ride. Others can comment better than
> I on the state of Bro-Lite and Linux.
I'd like to say a big thank you to you in particular and Vern and
everyone else that responded.
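
The least-privilege point in the quoted reply above (packet capture without root where the OS grants capabilities selectively), as an added example that is not part of the original thread or of Bro: on Linux, opening a packet socket requires CAP_NET_RAW, and this sketch decodes the `Uid:` and `CapEff:` lines of `/proc/<pid>/status` to tell whether a sensor process can capture and whether it holds more privilege than capture needs. The function names, the classification labels and the sample status text are constructed for illustration.

```python
"""Classify a Linux process's packet-capture privilege from /proc/<pid>/status text.

Assumption: the Linux status format, with "Uid:" and "CapEff:" lines.
"""
import re

# Capability bit numbers from linux/capability.h
CAP_NET_ADMIN = 12  # interface configuration, e.g. promiscuous mode
CAP_NET_RAW = 13    # raw and packet sockets, which libpcap opens

CAPTURE_CAPS = (1 << CAP_NET_RAW) | (1 << CAP_NET_ADMIN)

# Constructed samples (not taken from a real host).
ROOT_STATUS = "Name:\tbro\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
BRO_CAPS_STATUS = "Name:\tbro\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000003000\n"
BRO_PLAIN_STATUS = "Name:\tbro\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n"


def parse_status(text):
    """Return (effective_uid, effective_capability_mask)."""
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M)    # 2nd field = effective uid
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("status text lacks a Uid or CapEff line")
    return int(uid.group(1)), int(cap.group(1), 16)


def capture_posture(text):
    """Return 'cannot-capture', 'over-privileged' or 'least-privilege'."""
    euid, mask = parse_status(text)
    if not mask & (1 << CAP_NET_RAW):
        return "cannot-capture"
    # Anything beyond the two network capabilities, or uid 0 itself (which
    # also owns root's files), is more than packet capture requires.
    if euid == 0 or mask & ~CAPTURE_CAPS:
        return "over-privileged"
    return "least-privilege"


if __name__ == "__main__":
    for label, sample in (("root", ROOT_STATUS),
                          ("bro with net caps", BRO_CAPS_STATUS),
                          ("bro, no caps", BRO_PLAIN_STATUS)):
        print(label, "->", capture_posture(sample))
```
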