Tuesday, June 04, 2019

Re: add rcscript for dumpcap to tshark

On Tuesday, June 04, 2019 10:37 CEST, Stuart Henderson <stu@spacehopper.org> wrote:

> On 2019/06/04 10:21, Sebastian Reitenbach wrote:
> > Hi,
> >
> > I'm experimenting with Suricata, but don't want to let suricata listen on network interface, as it has to run as root. Suricata has a user/group options, but they require libcap-ng.
>
> I'm not sure what the libcap-ng is for, but with the standard config
That libcap-ng makes use of Linux capabilities to drop privileges.

> in the port, Suricata starts as root and then drops to _suricata after
> initialising.

Indeed, it seems I spoiled myself reading the manpage. I found the --user and --group options; when I run it with these, I get:
suricata -c /etc/suricata/suricata.yaml -i alc0 --user=_suricata --group=_suricata
4/6/2019 -- 10:49:25 - <Error> - [ERRCODE: SC_ERR_LIBCAP_NG_REQUIRED(158)] - libcap-ng is required to drop privileges, but it was not compiled into Suricata.

Omitting the parameters and properly configuring the run-as in suricata.yaml, Suricata indeed drops to the user.

Thanks for making me look at it again.

cheers,
Sebastian

>
> $ ps axu|grep suric
> _suricat 90110 3.4 21.9 429924 427220 ?? Ssp 9:32AM 1:07.16 /usr/local/bin/suricata -D -i em1
>
> > Looking around, what we have, I came across dumpcap.
> >
> > So, put the _suricata user into the _wireshark group, and:
> >
> > rcctl enable dumpcap
> > rcctl set dumpcap flags .....
> > rcctl set dumpcap user _suricata
> >
> > dumpcap then happily runs as _suricata, and Suricata picks up and runs happily as _suricata user as well.
> >
> > That lets me feel much more comfortable.
> > If someone has better ideas, I'm all ears.
> >
> > Therefore I added an rcscript to tshark package for dumpcap.
> > Any concerns, comments, or even OK?
>
> I don't like adding this to net/wireshark. It seems odd to add an rc script
> for something which isn't a daemon (we don't have an rc.d script for tcpdump
> either), and users will see the "The following new rcscripts were installed:
> /etc/rc.d/dumpcap" and might think they need to use it.
>
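The thread settles the privilege question by looking at `ps` output to confirm that suricata (and dumpcap, when used as the capture front end) actually run as `_suricata` rather than root. The script below is an added example, not code from the thread or from the Suricata or Wireshark projects: a small POSIX sh check that scans `ps`-style output and fails if any suricata or dumpcap process is running under a uid other than the expected one. It compares uids rather than names because `ps axu` truncates the user column (the thread shows `_suricat`). The sample process lines, uid 1001, the second dumpcap process and its paths are constructed for the example and are not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original thread): verify from ps output that
# packet-capture processes run as the expected unprivileged uid.
#
# Live use on the host would be:
#   check_capture_uid "$(ps -axo uid=,pid=,command=)" "$(id -u _suricata)"

# Constructed sample output in the shape of `ps -axo uid=,pid=,command=`.
# uid 1001 stands in for _suricata; the third line is a deliberately bad case
# where a second dumpcap instance was started as root.
SAMPLE_PS_BAD='1001 90110 /usr/local/bin/suricata -D -i em1
1001 90200 /usr/local/bin/dumpcap -i em1 -w /var/run/dumpcap.pcap
0 90300 /usr/local/bin/dumpcap -i em2 -w /tmp/x.pcap
0 1 /sbin/init'

# Same shape, but every capture process is running as uid 1001.
SAMPLE_PS_OK='1001 90110 /usr/local/bin/suricata -D -i em1
1001 90200 /usr/local/bin/dumpcap -i em1 -w /var/run/dumpcap.pcap
0 1 /sbin/init'

# Print "uid pid command" for every suricata/dumpcap process whose uid is
# not $2. Prints nothing when all capture processes have the expected uid.
list_wrong_uid_capture() {
    ps_output=$1
    want=$2
    printf '%s\n' "$ps_output" | awk -v want="$want" '
        $3 ~ /(^|\/)(suricata|dumpcap)$/ && $1 != want { print $1, $2, $3 }'
}

# Return 0 if all capture processes run as uid $2, 1 otherwise (offenders
# are reported on stderr so the check is usable from cron or an rc script).
check_capture_uid() {
    bad=$(list_wrong_uid_capture "$1" "$2")
    if [ -n "$bad" ]; then
        printf 'capture process(es) not running as uid %s:\n%s\n' "$2" "$bad" >&2
        return 1
    fi
    return 0
}
```

Running `check_capture_uid "$SAMPLE_PS_BAD" 1001` reports the root-owned dumpcap and returns 1; the `SAMPLE_PS_OK` input returns 0. Unrelated root processes such as `/sbin/init` are ignored because only commands ending in `suricata` or `dumpcap` are inspected.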
