[Bro] [Not] Running Bro as root?

Michał Purzyński michalpurzynski1 at gmail.com
Wed Jun 13 12:59:40 PDT 2018


egrep -R CAP_NET_ADMIN linux-4.17 | egrep capable | wc -l

     379

egrep -R CAP_NET_RAW linux-4.17 | egrep capable | wc -l

      25

It’s basically about how many more privileges are granted by the net admin cap. None of them are necessary for Bro or Suricata to work. I do not want the Bro user to be able to manage every network setting. This is especially important to people with containers.

The above is true unless your capture technology decides otherwise, of course. AF_PACKET is OK with just net raw. Myricom SNF needs nothing (and that’s pretty scary).

M.

> On Jun 13, 2018, at 10:28 AM, Samuel Oehlert <soehlert at es.net> wrote:
> 
> Michal,
> 
> Can you expand on "Cap net admin is not and is strongly discouraged."
> 
> I set that as it's in the bro documentation as necessary. It'd be great to get that documentation updated if it's not actually required.
> 
> Thanks,
> Sam
> 
>> On Wed, Jun 13, 2018 at 12:17 PM Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
>> It’s actually easy to run Bro as a generic user; that’s how our cluster has been working from day one.
>> 
>> For AF_PACKET, cap net raw is required.
>> 
>> Cap net admin is not and is strongly discouraged.
>> 
>> Bro needs to write its own directories; we have them owned by the Bro user.
>> 
>>> On Jun 13, 2018, at 9:46 AM, Samuel Oehlert <soehlert at es.net> wrote:
>>> 
>>> Drew,
>>> 
>>> We run bro as the 'bro' user. It wasn't that much work really to get it to happen. Our bro clusters are also all deployed using ansible. The relevant snippets (just snippets, this obviously isn't all of the role here) are in here, but I can work on publishing the necessary info to ansible-galaxy if that would be useful to you as well.
>>> 
>>> - Sam
>>> 
>>> 
>>>   - name: Create Bro user
>>>     user:
>>>       name: "{{ bro_user }}"
>>>       comment: "Bro User"
>>>       state: present
>>>       generate_ssh_key: true
>>>       ssh_key_file: .ssh/id_rsa
>>> 
>>>   # The manager's key is fetched to the controller and then pushed to every node
>>>   - name: Fetch Bro user's ssh key
>>>     fetch:
>>>       src: "/home/{{ bro_user }}/.ssh/id_rsa.pub"
>>>       dest: /tmp/id_rsa.pub
>>>       flat: yes
>>>     when: "'bro_manager' in group_names"
>>> 
>>>   - name: Push out Bro user's key
>>>     authorized_key:
>>>       user: "{{ bro_user }}"
>>>       key: "{{ lookup('file', '/tmp/id_rsa.pub') }}"
>>>       state: present
>>>       exclusive: yes
>>> 
>>>   - name: Fix permissions on bro directory for bro user
>>>     file:
>>>       path: "{{ bro_path }}"
>>>       state: directory
>>>       mode: "0755"
>>>       owner: "{{ bro_user }}"
>>>       group: "{{ bro_user }}"
>>>       recurse: yes
>>> 
>>>   # File capabilities are lost when the binary is replaced, so re-check after each install
>>>   - name: Check if permissions exist for {{ bro_user }} to capture packets
>>>     command: "getcap {{ bro_path }}/bin/bro"
>>>     register: bro_cap_perms
>>>     when: bro_install.changed
>>> 
>>>   # Only run setcap when getcap does not already report the wanted capability set
>>>   - name: Set permissions for {{ bro_user }} to capture packets
>>>     command: "setcap cap_net_raw,cap_net_admin=eip {{ bro_path }}/bin/bro"
>>>     when: bro_install.changed and ('cap_net_admin,cap_net_raw' not in bro_cap_perms.stdout)
>>> 
>>> 
>>> 
>>> 
>>>> On Wed, Jun 13, 2018 at 11:16 AM Drew Dixon <dwdixon at umich.edu> wrote:
>>>> Hello,
>>>> 
>>>> So from what I understand it is not at all a trivial task to get bro to properly run/function under a user account other than root (Linux [RHEL/CentOS]).
>>>> 
>>>> Just mostly out of curiosity, I was wondering if anyone had taken on this task and is successfully running bro in production under a non-root user account?  Further, has anyone perhaps automated/scripted some/all of the changes required in order to move bro to run as a non-root user account without issue?
>>>> 
>>>> Thank you,
>>>> 
>>>> -Drew 
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
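The least-privilege setup Michał describes at the top of the thread (cap_net_raw only, no cap_net_admin) as an added shell example; this is not code from the thread or from the Bro project. It applies the single capability with setcap and then verifies it by parsing getcap output in both the older "path = caps+eip" and the newer "path caps=eip" formats, so the check does not break across libcap versions. The binary path, the BRO_BIN variable and the sample getcap lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the Bro project): give a capture
# binary cap_net_raw only and verify that cap_net_admin is absent.
# BRO_BIN is an assumed install path; override it for your own layout.
BRO_BIN="${BRO_BIN:-/usr/local/bro/bin/bro}"

# Reduce one line of getcap output to a comma-separated capability list.
# Handles "path = cap_a,cap_b+eip" (older libcap) and "path cap_a,cap_b=eip"
# (newer libcap); an empty line (no file caps) yields an empty list.
caps_from_getcap() {
    printf '%s\n' "$1" | sed -e 's/^[^ ]*[ =]*//' -e 's/[+=][a-z]*$//'
}

# True when the comma-separated list in $1 contains the capability named in $2.
has_cap() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Least privilege for AF_PACKET capture: cap_net_raw present, cap_net_admin absent.
capture_caps_ok() {
    has_cap "$1" cap_net_raw && ! has_cap "$1" cap_net_admin
}

# Apply cap_net_raw only (needs root) and re-read the file caps to confirm.
set_capture_caps() {
    setcap cap_net_raw=eip "$1" || return 1
    capture_caps_ok "$(caps_from_getcap "$(getcap "$1")")"
}

# Touch the real binary only when asked; otherwise run the check over two
# constructed getcap lines, one per output format.
if [ "${1:-}" = "--apply" ]; then
    set_capture_caps "$BRO_BIN" && echo "ok: $BRO_BIN carries cap_net_raw only"
else
    for line in \
        "/usr/local/bro/bin/bro = cap_net_admin,cap_net_raw+eip" \
        "/usr/local/bro/bin/bro cap_net_raw=eip"; do
        caps=$(caps_from_getcap "$line")
        if capture_caps_ok "$caps"; then
            echo "OK   $caps"
        else
            echo "FAIL $caps (cap_net_admin present or cap_net_raw missing)"
        fi
    done
fi
```

Run it without arguments to see the parser flag the first constructed line (it carries cap_net_admin) and accept the second; run it as root with `--apply` to set the capability on the real binary. Because file capabilities live in an extended attribute on the binary, they disappear whenever the binary is replaced, which is why an install or upgrade step should re-run the check, as Sam's Ansible tasks do on `bro_install.changed`. Per Michał's caveat, this is the right set for AF_PACKET; a capture library that bypasses the kernel socket path (he names Myricom SNF) needs none of it.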