Tuesday, June 04, 2019

Re: add rcscript for dumpcap to tshark

On 2019/06/04 10:21, Sebastian Reitenbach wrote:
> Hi,
>
> I'm experimenting with Suricata, but don't want to let suricata listen on a network interface, as it has to run as root. Suricata has user/group options, but they require libcap-ng.

I'm not sure what libcap-ng is for, but with the standard config
in the port, Suricata starts as root and then drops to _suricata after
initialising.

$ ps axu|grep suric
_suricat 90110 3.4 21.9 429924 427220 ?? Ssp 9:32AM 1:07.16 /usr/local/bin/suricata -D -i em1

> Looking around, what we have, I came across dumpcap.
>
> So, put the _suricata user into the _wireshark group, and:
>
> rcctl enable dumpcap
> rcctl set dumpcap flags .....
> rcctl set dumpcap user _suricata
>
> dumpcap then happily runs as _suricata, and Suricata picks up and runs happily as _suricata user as well.
>
> that lets me feel much more comfortable.
> If someone has better ideas, I'm all ears.
>
> Therefore I added an rcscript to tshark package for dumpcap.
> Any concerns, comments, or even OK?

I don't like adding this to net/wireshark. It seems odd to add an rc script
for something which isn't a daemon (we don't have an rc.d script for tcpdump
either), and users will see the "The following new rcscripts were installed:
/etc/rc.d/dumpcap" and might think they need to use it.
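The security point of the thread is that neither the capture process nor Suricata should keep running as root. The following is an added example, not code from the thread or from the tshark/suricata ports: a small POSIX sh check that reads a `ps -axo user,pid,command` style listing and flags any dumpcap or suricata process not running as the expected unprivileged user. The user name `_suricata`, the process names and the sample listing are assumptions constructed for the example; the dumpcap flags are elided in the thread and are not supplied here.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the capture pipeline
# runs unprivileged. On a live OpenBSD host you would feed it real output:
#   ps -axo user,pid,command | check_unprivileged "_suricata" "dumpcap suricata"
# The listing below is constructed so the script can run offline.

# check_unprivileged USER NAMES
# Reads "user pid command" lines on stdin. Returns 0 if every process whose
# command contains one of the words in NAMES runs as USER, 1 otherwise.
# Offending lines are reported on stderr.
check_unprivileged() {
    want_user=$1
    names=$2
    rc=0
    while read -r user pid cmd; do
        for n in $names; do
            case "$cmd" in
                *"$n"*) ;;
                *) continue ;;
            esac
            ok=0
            if [ "$user" = "$want_user" ]; then
                ok=1
            # ps truncates long user names to 8 characters (the thread's
            # listing shows "_suricat"); accept such a prefix of USER.
            elif [ ${#user} -eq 8 ] && [ "${want_user#"$user"}" != "$want_user" ]; then
                ok=1
            fi
            if [ $ok -eq 0 ]; then
                echo "WARN: pid $pid ($cmd) runs as $user, expected $want_user" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample listing (assumption, not a real host): suricata reading
# from a pipe fed by dumpcap, both as _suricata, plus an unrelated root process.
sample_listing() {
    printf '%s\n' \
        "root 1 /sbin/init" \
        "_suricat 90110 /usr/local/bin/suricata -D -r /var/run/suricata.pipe" \
        "_suricat 90200 /usr/local/bin/dumpcap -i em1 -w /var/run/suricata.pipe"
}

sample_listing | check_unprivileged "_suricata" "dumpcap suricata" && echo "capture pipeline is unprivileged"
```

Because the check matches on the command string, a stray `dumpcap` started by hand as root (for example from an interactive shell while testing) is reported as well, which is exactly the case the rc.d approach in the thread is meant to avoid.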
