Install Bro as a non-root user

Hi all,

Is there a way to install Bro as a non-root user? Everything works fine if it's installed as root, but I had problems sending Bro logs to Logstash as a non-root user.

When I tried to install as a regular user with sudo privilege, I noticed two errors mainly.

  1. Error: unable to open database file: /usr/local/bro/spool/state.db
  2. fatal error: /opt/bro/bin/bro: problem with interface eth0 - pcap_open_live: eth0: You don’t have permission to capture on that device (socket: Operation not permitted)

Any idea where to go next for me?

Kind regards,
Merril.

Hi Merril,

To address the first issue, maybe you need to ensure that the user executing the bro process can read and write to /usr/local/bro/logs and /usr/local/bro/spool/.

For the second issue, if you are running a newer version of Linux, you can get around the packet capture permission issue by giving the bro binary the capability to perform a raw packet capture with a command like:

sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/zeek

Good luck,
Nick

There’s a couple of things you should do. To keep Zeek LSB compliant, I use something like this when building an RPM (yeah, I rolled out my own packages):

%cmake … -DCMAKE_INSTALL_PREFIX=/usr -DBRO_ROOT_DIR=/usr -DBRO_ETC_INSTALL_DIR=/etc -DINSTALL_BROCTL=true -DBRO_LOCAL_STATE_DIR=/var -DBRO_SPOOL_DIR=/var/spool/bro -DBRO_LOG_DIR=/var/log/nsm/bro

You could also give the zeek user rights to write to the state directories with Linux ACLs; just don’t change the owner of the entire directory, that’s not necessary.

The net_admin capability is not necessary and dangerous, all that’s needed is CAP_NET_RAW.

setcap cap_net_raw=eip <path-to-zeek-binary>

What’s the distribution you’re trying to use? Where did you get those packages? Did you build it yourself?
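
An added example, not part of any post in this thread: a shell check of the two conditions discussed above, namely that the capture binary carries cap_net_raw and nothing more, and that the log and spool directories are writable by the user running it. The function names `audit_caps` and `unwritable_dirs` are hypothetical, and the parser assumes the binary's path contains no spaces.

```bash
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# audit_caps LINE
# Inspect one line of `getcap` output for a capture binary and print a verdict:
#   ok               only cap_net_raw is set
#   missing-net-raw  cap_net_raw is absent (capture will fail for non-root)
#   excess:<list>    extra capabilities such as cap_net_admin are set
# Accepts both output styles: "file = caps+eip" (older libcap) and
# "file caps=eip" (newer libcap). Assumes the path contains no spaces.
audit_caps() {
    local line="$1" path rest clause cap has_raw=0 excess=""
    path=${line%% *}
    rest=${line#"$path"}     # text after the file name
    rest=${rest# }
    rest=${rest#= }          # drop the "= " separator of the older style
    for clause in $rest; do
        # Strip the flag suffix (+eip or =eip), then split the names on commas.
        for cap in $(printf '%s\n' "${clause%%[+=]*}" | tr ',' ' '); do
            case $cap in
                cap_net_raw) has_raw=1 ;;
                *) excess="${excess:+$excess,}$cap" ;;
            esac
        done
    done
    if [ -n "$excess" ]; then echo "excess:$excess"; return 2; fi
    if [ "$has_raw" -eq 0 ]; then echo "missing-net-raw"; return 1; fi
    echo "ok"
}

# unwritable_dirs DIR...
# Print each directory the current user cannot write to (or that does not
# exist); return 0 only when every directory is writable.
unwritable_dirs() {
    local d bad=0
    for d in "$@"; do
        if [ ! -d "$d" ] || [ ! -w "$d" ]; then echo "$d"; bad=1; fi
    done
    return "$bad"
}

# Live use, run as the unprivileged Zeek user (paths taken from the thread):
#   audit_caps "$(getcap /usr/local/bro/bin/zeek)"
#   unwritable_dirs /usr/local/bro/logs /usr/local/bro/spool
```

An empty `getcap` result (no file capabilities at all) is reported as `missing-net-raw`, which matches the "Operation not permitted" capture error in the first post.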