[Zeek] Install Bro as a non-root user

Michał Purzyński michalpurzynski1 at gmail.com
Thu Jun 20 10:26:12 PDT 2019


There are a couple of things you should do. To keep Zeek LSB compliant, I use
something like this when building an RPM (yeah, I rolled out my own
packages):

%cmake .. -DCMAKE_INSTALL_PREFIX=/usr -DBRO_ROOT_DIR=/usr \
    -DBRO_ETC_INSTALL_DIR=/etc -DINSTALL_BROCTL=true -DBRO_LOCAL_STATE_DIR=/var \
    -DBRO_SPOOL_DIR=/var/spool/bro -DBRO_LOG_DIR=/var/log/nsm/bro

You could also give the zeek user rights to write to state directories
with Linux ACLs; just don't change the owner of the entire directory, that's
not necessary.

The net_admin capability is not necessary and is dangerous; all that's needed
is CAP_NET_RAW.

setcap cap_net_raw=eip <path to zeek>


What's the distribution you're trying to use? Where did you get those
packages? Did you build it yourself?


On Wed, Jun 19, 2019 at 4:59 AM Merril Mathew <merril.mathew at baby2body.com>
wrote:

> Hi all,
>
> Is there a way to install Bro as a non-root user? Everything works fine if
> it's installed as root but I had problems sending Bro logs to logstash as a
> non-root user.
>
> When I tried to install as a regular user with sudo privilege, I noticed
> two errors mainly.
>
> 1) Error: unable to open database file: /usr/local/bro/spool/state.db
> 2) fatal error: /opt/bro/bin/bro: problem with interface eth0 -
> pcap_open_live: eth0: You don't have permission to capture on that device
> (socket: Operation not permitted)
>
> Any idea where to go next for me?
>
> Kind regards,
> Merril.
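The two checks discussed in this thread (CAP_NET_RAW only on the binary, write access to state directories through an ACL rather than a changed owner), as an added example that is not part of the original messages. The function names, the service user name "zeek" and the sample inputs are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a non-root Zeek/Bro install from getcap/getfacl output.
# Assumptions: the binary path has no spaces; the service user name is passed in.

# List capability names from one line of `getcap` output. Handles both
# "path = cap_net_raw+eip" (older libcap) and "path cap_net_raw=eip" (newer).
cap_names() {
    local caps=${1#* }      # drop the path
    caps=${caps#= }         # drop the "= " that older libcap prints
    printf '%s\n' "$caps" | tr ', ' '\n\n' | sed -n 's/^\(cap_[a-z_]*\).*/\1/p'
}

# Verdict on the binary: cap_net_raw must be present and nothing else.
audit_caps() {
    local names excess
    names=$(cap_names "$1")
    excess=$(printf '%s\n' "$names" | sed -e '/^cap_net_raw$/d' -e '/^$/d' | paste -sd, -)
    if [ -n "$excess" ]; then echo "EXCESS:$excess"; return 1; fi
    printf '%s\n' "$names" | grep -qx cap_net_raw || { echo "MISSING:cap_net_raw"; return 2; }
    echo "OK"
}

# Verdict on a state directory from `getfacl` output: the service user should
# hold rwx through a named ACL entry while the directory owner stays unchanged.
audit_acl() {   # $1 = getfacl output, $2 = service user
    local owner entry perms
    owner=$(printf '%s\n' "$1" | sed -n 's/^# owner: //p')
    entry=$(printf '%s\n' "$1" | sed -n "/^user:$2:/{p;q;}")
    perms=${entry##*:}      # picks up the "#effective:" value when the mask limits it
    if [ "$owner" = "$2" ]; then echo "OWNER-CHANGED"; return 1; fi
    if [ "$perms" != "rwx" ]; then echo "NO-WRITE-ACL"; return 2; fi
    echo "OK"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_GOOD_CAP='/usr/bin/zeek cap_net_raw=eip'
SAMPLE_BAD_CAP='/usr/bin/bro = cap_net_admin,cap_net_raw+eip'
SAMPLE_ACL='# file: var/spool/bro
# owner: root
user::rwx
user:zeek:rwx
group::r-x
other::r-x'

# Live use: ./audit.sh <path to zeek> <state dir> <service user>
if [ "$#" -eq 3 ]; then
    audit_caps "$(getcap "$1")"
    audit_acl "$(getfacl "$2" 2>/dev/null)" "$3"
fi
```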