[Bro] [Not] Running Bro as root?

Michał Purzyński michalpurzynski1 at gmail.com
Wed Jun 13 10:17:53 PDT 2018


It’s actually easy to run Bro as a generic user, that’s how our cluster has been working from day one.

For af_packet, CAP_NET_RAW is required.

CAP_NET_ADMIN is not, and is strongly discouraged.

Bro needs to write its own directories; we have them owned by the Bro user.

> On Jun 13, 2018, at 9:46 AM, Samuel Oehlert <soehlert at es.net> wrote:
> 
> Drew,
> 
> We run bro as the 'bro' user. It wasn't that much work really to get it to happen. Our bro clusters are also all deployed using ansible. The relevant snippets (just snippets, this obviously isn't all of the role here) are in here, but I can work on publishing the necessary info to ansible-galaxy if that would be useful to you as well.
> 
> - Sam
> 
> 
>   - name: Create Bro user
>     user:
>       name: "{{ bro_user }}"
>       comment: "Bro User"
>       state: present
>       generate_ssh_key: true
>       ssh_key_file: .ssh/id_rsa
> 
>   - name: Fetch Bro user's ssh key
>     fetch:
>       src: "/home/{{ bro_user }}/.ssh/id_rsa.pub"
>       dest: /tmp/id_rsa.pub
>       flat: yes
>     when: "'bro_manager' in group_names"
> 
>   - name: Push out Bro user's key
>     authorized_key:
>       user: "{{ bro_user }}"
>       key: "{{ lookup('file', '/tmp/id_rsa.pub') }}"
>       state: present
>       exclusive: yes
> 
>   - name: Fix permissions on bro directory for bro user
>     file:
>       path: "{{ bro_path }}"
>       state: directory
>       mode: "0755"
>       owner: "{{ bro_user }}"
>       group: "{{ bro_user }}"
>       recurse: yes
> 
>   - name: Check if permissions exist for {{ bro_user }} to capture packets
>     shell: "getcap {{ bro_path }}/bin/bro"
>     register: bro_cap_perms
>     when: bro_install.changed
> 
>   # getcap prints e.g. "<path> = cap_net_admin,cap_net_raw+eip"; only run
>   # setcap when that capability set is absent, whatever bro_path is.
>   - name: Set permissions for {{ bro_user }} to capture packets
>     shell: "setcap cap_net_raw,cap_net_admin=eip {{ bro_path }}/bin/bro"
>     when: (bro_install.changed) and (bro_cap_perms.stdout.find('cap_net_admin,cap_net_raw+eip') == -1)
> 
>> On Wed, Jun 13, 2018 at 11:16 AM Drew Dixon <dwdixon at umich.edu> wrote:
>> Hello,
>> 
>> So from what I understand it is not at all a trivial task to get bro to properly run/function under a user account other than root (Linux [RHEL/CentOS]).
>> 
>> Just mostly out of curiosity, I was wondering if anyone had taken on this task and is successfully running bro in production under a non-root user account? Further, has anyone perhaps automated/scripted some/all of the changes required in order to move bro to run as a non-root user account without issue?
>> 
>> Thank you,
>> 
>> -Drew 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
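A small audit script, added here as an example and not part of this thread or of Bro itself, that checks getcap(8) output for a Bro binary against the policy Michał states at the top of this message (cap_net_raw present and effective, cap_net_admin absent). The function names audit_cap_line and audit_binary, and the sample getcap lines, are constructed for the example.

```shell
#!/bin/sh
# Audit the file capabilities on a Bro binary for a non-root deployment.
# Policy: cap_net_raw must be present and effective, cap_net_admin must be
# absent. Constructed example, not project code.
#
# Both getcap(8) output styles are handled:
#   older libcap: /usr/local/bro/bin/bro = cap_net_admin,cap_net_raw+eip
#   newer libcap: /usr/local/bro/bin/bro cap_net_admin,cap_net_raw=eip
#
# audit_cap_line LINE  (hypothetical helper name)
#   returns 0 = OK, 1 = cap_net_admin granted, 2 = cap_net_raw missing,
#           3 = cap_net_raw present but not in the effective set
audit_cap_line() {
    line=$1
    [ -n "$line" ] || { echo "FAIL: no file capabilities set"; return 2; }
    # Strip the path (and the " = " of the older format) to get "caps+flags".
    caps=${line#* = }
    [ "$caps" = "$line" ] && caps=${line#* }
    caplist=${caps%%[+=]*}      # bare comma-separated capability names
    flags=${caps#"$caplist"}    # "+eip" or "=eip"
    case ",$caplist," in
        *,cap_net_admin,*)
            echo "FAIL: cap_net_admin granted ($caps); drop it, Bro does not need it"
            return 1 ;;
    esac
    case ",$caplist," in
        *,cap_net_raw,*) ;;
        *)  echo "FAIL: cap_net_raw missing ($caps); unprivileged af_packet capture will not work"
            return 2 ;;
    esac
    case $flags in
        *e*) ;;
        *)  echo "FAIL: cap_net_raw not effective ($flags); use setcap cap_net_raw=eip"
            return 3 ;;
    esac
    echo "OK: $caps"
    return 0
}

# Run the audit against a real binary (assumes getcap from libcap is installed).
audit_binary() {
    audit_cap_line "$(getcap "$1" 2>/dev/null)"
}

# Usage: sh audit_bro_caps.sh /usr/local/bro/bin/bro
if [ $# -gt 0 ]; then
    audit_binary "$1"
fi
```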