[Bro] [Not] Running Bro as root?

Samuel Oehlert soehlert at es.net
Wed Jun 13 09:46:56 PDT 2018


Drew,

We run bro as the 'bro' user. It wasn't that much work really to get it to
happen. Our bro clusters are also all deployed using ansible. The relevant
snippets (just snippets, this obviously isn't all of the role here) are in
here, but I can work on publishing the necessary info to ansible-galaxy if
that would be useful to you as well.

- Sam


  - name: Create Bro user
    user:
      name: "{{ bro_user }}"
      comment: "Bro User"
      state: present
      generate_ssh_key: true
      ssh_key_file: .ssh/id_rsa

  - name: Fetch Bro user's ssh key
    fetch:
      src: "/home/{{ bro_user }}/.ssh/id_rsa.pub"
      dest: /tmp/id_rsa.pub
      flat: yes
    when: "'bro_manager' in group_names"

  - name: Push out Bro user's key
    authorized_key:
      user: "{{ bro_user }}"
      key: "{{ lookup('file', '/tmp/id_rsa.pub') }}"
      state: present
      exclusive: yes

  - name: Fix permissions on bro directory for bro user
    file:
      path: "{{ bro_path }}"
      state: directory
      mode: 0755
      owner: "{{ bro_user }}"
      group: "{{ bro_user }}"
      recurse: yes

  - name: Check if permissions exist for {{ bro_user }} to capture packets
    shell: "getcap {{ bro_path }}/bin/bro"
    register: bro_cap_perms
    when: bro_install.changed

  - name: Set permissions for {{ bro_user }} to capture packets
    shell: "setcap cap_net_raw,cap_net_admin=eip {{ bro_path }}/bin/bro"
    # Only re-run setcap when getcap did not report the expected capability set.
    # The expected string hard-codes /usr/local/bro and the "path = caps+eip"
    # getcap output format, so it only matches when bro_path is that directory.
    when: >-
      (bro_install.changed) and
      (bro_cap_perms.stdout.find('/usr/local/bro/bin/bro = cap_net_admin,cap_net_raw+eip') != 0)




On Wed, Jun 13, 2018 at 11:16 AM Drew Dixon <dwdixon at umich.edu> wrote:

> Hello,
>
> So from what I understand it is not at all a trivial task to get bro to
> properly run/function under a user account other than root (Linux
> [RHEL/CentOS]).
>
> Just mostly out of curiosity, I was wondering if anyone had taken on this
> task and is successfully running bro in production under a non-root user
> account?  Further, has anyone perhaps automated/scripted some/all of the
> changes required in order to move bro to run as a non-root user account
> without issue?
>
> Thank you,
>
> -Drew
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
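The idempotency test in Sam's playbook (run setcap only when getcap does not already show the capabilities) depends on an exact string match. The check below is an added example, not code from the mail or from the Bro project: it parses getcap output for the two capabilities the snippet grants, accepting both the pre-2.41 and the current libcap output formats, and adds a check that no `bro` process is still running as root. `BRO_BIN` is an assumed default path.

```shell
#!/bin/sh
# Added example, not code from the mail or the Bro project: a check that the
# Bro binary carries the file capabilities the playbook grants, usable as the
# "only run setcap when missing" test. BRO_BIN is an assumed default path.
BRO_BIN="${BRO_BIN:-/usr/local/bro/bin/bro}"

# has_capture_caps LINE: parse one line of getcap output and succeed only when
# cap_net_raw and cap_net_admin are present with the e, i and p flags.
# Both getcap output styles are accepted:
#   libcap < 2.41:   /path = cap_net_admin,cap_net_raw+eip
#   libcap >= 2.41:  /path cap_net_admin,cap_net_raw=eip
has_capture_caps() {
    line="$1"
    caps="${line#* }"      # drop the path
    caps="${caps#= }"      # drop the old-style "= " separator, if any
    for want in cap_net_raw cap_net_admin; do
        case "$caps" in
            *"$want"*) ;;
            *) return 1 ;;
        esac
    done
    flags="${caps##*[+=]}" # flag letters follow the last "+" or "="
    for f in e i p; do
        case "$flags" in
            *"$f"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_bro_binary: live check against the installed binary. Exit status 0
# means the capabilities are already in place and setcap can be skipped.
check_bro_binary() {
    out="$(getcap "$BRO_BIN" 2>/dev/null)" || return 1
    has_capture_caps "$out"
}

# bro_running_as_root: succeed if any process named "bro" runs as root,
# which is the condition the thread is trying to get rid of.
bro_running_as_root() {
    ps -eo user=,comm= | awk '$2 == "bro" && $1 == "root" { found = 1 } END { exit !found }'
}
```

`check_bro_binary` can replace the `find(...) != 0` test in the playbook's `when:` clause, since it no longer cares which directory Bro was installed to or which libcap version wrote the output.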