[Bro] [Not] Running Bro as root?
Samuel Oehlert
soehlert at es.net
Wed Jun 13 09:46:56 PDT 2018
Drew,
We run bro as the 'bro' user. It wasn't that much work really to get it to
happen. Our bro clusters are also all deployed using ansible. The relevant
snippets (just snippets, this obviously isn't all of the role here) are in
here, but I can work on publishing the necessary info to ansible-galaxy if
that would be useful to you as well.
- Sam
# Create the unprivileged account and give it an SSH key pair
- name: Create Bro user
  user:
    name: "{{ bro_user }}"
    comment: "Bro User"
    state: present
    generate_ssh_key: true
    ssh_key_file: .ssh/id_rsa

# Pull the manager's public key back to the control host
- name: Fetch Bro user's ssh key
  fetch:
    src: "/home/{{ bro_user }}/.ssh/id_rsa.pub"
    dest: /tmp/id_rsa.pub
    flat: yes
  when: "'bro_manager' in group_names"

# Install that key on every node so the manager can reach the workers
- name: Push out Bro user's key
  authorized_key:
    user: "{{ bro_user }}"
    key: "{{ lookup('file', '/tmp/id_rsa.pub') }}"
    state: present
    exclusive: yes

- name: Fix permissions on bro directory for bro user
  file:
    path: "{{ bro_path }}"
    state: directory
    mode: 0755
    owner: "{{ bro_user }}"
    group: "{{ bro_user }}"
    recurse: yes

# File capabilities live in an xattr on the binary, so they are checked and
# re-applied whenever the install task replaced it
- name: Check if permissions exist for {{ bro_user }} to capture packets
  shell: "getcap {{ bro_path }}/bin/bro"
  register: bro_cap_perms
  when: bro_install.changed

- name: Set permissions for {{ bro_user }} to capture packets
  shell: "setcap cap_net_raw,cap_net_admin=eip {{ bro_path }}/bin/bro"
  when: (bro_install.changed) and
        (bro_cap_perms.stdout.find('/usr/local/bro/bin/bro = cap_net_admin,cap_net_raw+eip') != 0)
On Wed, Jun 13, 2018 at 11:16 AM Drew Dixon <dwdixon at umich.edu> wrote:
> Hello,
>
> So from what I understand it is not at all a trivial task to get bro to
> properly run/function under a user account other than root (Linux
> [RHEL/CentOS]).
>
> Just mostly out of curiosity, I was wondering if anyone had taken on this
> task and is successfully running bro in production under a non-root user
> account? Further, has anyone perhaps automated/scripted some/all of the
> changes required in order to move bro to run as a non-root user account
> without issue?
>
> Thank you,
>
> -Drew
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
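The getcap/setcap pair from the role above, reworked as an idempotent shell script. This is an added example, not Sam's ansible role and not Bro's own code; BRO_BIN, BRO_USER and the --apply flag are assumptions of mine. Two things a practitioner will want that a literal string match on the getcap output does not give: newer libcap releases print the line as "/path/bro cap_net_admin,cap_net_raw=eip" rather than "/path/bro = cap_net_admin,cap_net_raw+eip", so the check below normalises both spellings and ignores capability ordering; and a binary that carries CAP_NET_RAW/CAP_NET_ADMIN should not be writable by the account that runs it, so the script warns when the capture user owns it.

```shell
#!/bin/sh
# Idempotent file-capability check for a Bro binary run as a non-root user.
# Added example, not the poster's ansible role or Bro's own code.
# Assumptions (hypothetical defaults): the binary lives at BRO_BIN and the
# capture account is BRO_USER; override both via the environment.
BRO_BIN="${BRO_BIN:-/usr/local/bro/bin/bro}"
BRO_USER="${BRO_USER:-bro}"
SETCAP_SPEC="cap_net_raw,cap_net_admin=eip"   # what setcap(8) is given
WANTED="cap_net_admin,cap_net_raw+eip"        # how getcap(8) reports it

# Normalise one getcap output line to "cap_a,cap_b+flags".
# Both spellings seen across libcap releases are accepted:
#   old:  /usr/local/bro/bin/bro = cap_net_admin,cap_net_raw+eip
#   new:  /usr/local/bro/bin/bro cap_net_admin,cap_net_raw=eip
# An empty line (no capabilities set) normalises to an empty string.
normalize_caps() {
    line=$1
    rest=${line#* }        # drop the path (assumed to contain no spaces)
    rest=${rest#= }        # drop the old-style " = " separator
    case $rest in
        *=*) rest="${rest%%=*}+${rest#*=}" ;;   # caps=flags -> caps+flags
    esac
    printf '%s\n' "$rest"
}

# Sort a comma-separated capability list so ordering differences between
# what was passed to setcap and what getcap prints do not matter.
sorted_caps() {
    out=$(printf '%s' "$1" | tr ',' '\n' | sort | tr '\n' ',')
    printf '%s\n' "${out%,}"
}

# caps_ok LINE: succeed only if the getcap line carries exactly WANTED
# (same capability set, same e/i/p flags).
caps_ok() {
    got=$(normalize_caps "$1")
    [ -n "$got" ] || return 1
    [ "$(sorted_caps "${got%+*}")" = "$(sorted_caps "${WANTED%+*}")" ] &&
        [ "${got#*+}" = "${WANTED#*+}" ]
}

# ensure_caps: apply the capabilities only when missing or wrong.
# Needs root (or CAP_SETFCAP). Re-run after every upgrade of the binary,
# because replacing the file discards its xattr-stored capabilities.
ensure_caps() {
    if [ -n "$(find "$BRO_BIN" -prune -user "$BRO_USER" 2>/dev/null)" ]; then
        echo "warning: $BRO_BIN is owned by $BRO_USER; that account could rewrite a capability-bearing binary" >&2
    fi
    if caps_ok "$(getcap "$BRO_BIN" 2>/dev/null)"; then
        echo "capabilities already correct on $BRO_BIN"
        return 0
    fi
    setcap "$SETCAP_SPEC" "$BRO_BIN" || return 1
    caps_ok "$(getcap "$BRO_BIN" 2>/dev/null)"
}

# Only touch the system when asked explicitly; sourcing the file just
# defines the functions so they can be tested against constructed input.
if [ "${1:-}" = "--apply" ]; then
    ensure_caps
fi
```

Run it as root with `--apply` after each install of the binary. If parsing getcap output is undesirable, `setcap -v cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro` asks libcap to verify the file against the spec directly and exits non-zero on mismatch, which is the same test without any string handling.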