Hi, Gary,
>> Hi, Gary,
>>
>>>>> Snort does far more than just read files.  It links to libpcap and can
>>>>> snoop on network interfaces in real time.  To do *that*, it will
>>>>> require elevated privileges.
>>>>>
>>>> Right.
>>>>
>>>     What are those elevated privileges?
>>>
>> For "privileges", I think you mean the auths of RBAC.
>>
>
>       No, I mean privileges(5).  If it is a service then it also
>       requires authorizations that follow the policy:
>       http://opensolaris.org/os/community/arc/policies/SMF-policy/
>
>       And a further question if run as a service is what is the
>       method context?
>
>   
1. For privileges(5), PRIV_NET_RAWACCESS is the minimum required, since snort
depends on libpcap, which sets the NIC to RAW mode in order to monitor the
flow of the box. And the "Network Management" profile is necessary. From the
definition of "net_observability" in priv_names in /etc/security, it says
#################################################
net_observability
Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
while not requiring them to need PRIV_NET_RAWACCESS.
#################################################

But libpcap needs to set the NIC to raw, so I think net_rawaccess is
required, not net_observability.
One note however: snort only reads data packets from libpcap, and it
doesn't try to encapsulate an IP/TCP/UDP/* packet to send, because libpcap
doesn't support it.


2. About the method context, I think user "root" and group "root" are
necessary, as follows:
##################################################
<exec_method
    type='method'
    name='start'
    exec='/lib/svc/method/snortd start'
    timeout_seconds='60'>
    <method_context>
        <method_credential user='root' group='root' />
    </method_context>
</exec_method>

<exec_method
    type='method'
    name='stop'
    exec=':kill -9'
    timeout_seconds='3'>
    <method_context>
        <method_credential user='root' group='root' />
    </method_context>
</exec_method>
##################################################
>>>     What will be delivered into what Rights Profile?
>>>
>> It is very similar to "wireshark", which has been delivered, since
>> both of the utilities take advantage of libpcap to read data and handle
>> it after setting the NIC to raw mode. For snort, it doesn't read data directly
>> from kernel memory; raw I/O from the NIC is the way it works.
>>
>> And I believe the "Network Management" profile is enough.
>>
>> The project will deliver SUNWsnortr and SUNWsnortu. On SUNWsnortr,
>> it will deliver profiles in /etc/security/exec_attr (added snort):
>>
>> Network Management:solaris:cmd:::/usr/bin/snort:privs=net_rawaccess
>>
>
>       Why isn't net_observability sufficient?
>
Please see the section above for the reason, and tell me if I misunderstand it.
Thank you in advance.
> >        <property_group name='general' type='framework'>
> >                <!-- to start stop snortd -->
> >                <propval name='action_authorization' type='astring'
> >                        value='solaris.smf.manage.snort' />
> >        </property_group>
>   

>       Don't you also want a value authorization?  See the SMF policy:
>       http://opensolaris.org/os/community/arc/policies/SMF-policy/


Sorry, I was not quite familiar with the SMF, and in my understanding of
the SMF-policy after reading it, it should be like the following:

##################################################
<property_group name='general' type='framework'>
    <propval name='action_authorization' type='astring'
        value='solaris.smf.manage.snort' />
    <propval name='value_authorization' type='astring'
        value='solaris.smf.manage.snort' />
</property_group>
##################################################

In this way, one item should be inserted into auth_attr:
##################################################
solaris.smf.manage.snort:::Manage Snort Service States::help=ManageSnort.html
##################################################

In exec_attr, 1 item should be added.
The related exec_attr, auth_attr and snort.xml are in the attachment.
##################################################
Network Management:solaris:cmd:::/usr/bin/snort:privs=net_rawaccess
##################################################

The snort.xml in the attachment has been modified according to the above
questions.

Great thanks,
Jason
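As an added example (not the manifest from this thread or from the SUNWsnortr package), here is a manifest fragment that combines the authorizations above with a method credential that grants only net_rawaccess on top of the basic set instead of full root credentials; the 'snort' user and group, the service name network/snort and the dependency on milestone/network are assumptions.

```xml
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='SUNWsnortr:snort'>
  <!-- Assumed service name; adjust to the project's FMRI. -->
  <service name='network/snort' type='service' version='1'>
    <create_default_instance enabled='false' />
    <single_instance />
    <dependency name='network' grouping='require_all' restart_on='none'
        type='service'>
      <service_fmri value='svc:/milestone/network:default' />
    </dependency>
    <exec_method type='method' name='start'
        exec='/lib/svc/method/snortd start' timeout_seconds='60'>
      <method_context>
        <!-- Assumed: a dedicated, unprivileged 'snort' user and group
             exist and own the log directory.  Only net_rawaccess is
             added to the basic privilege set, so the sniffer can open
             the NIC in raw mode but does not otherwise run as root. -->
        <method_credential user='snort' group='snort'
            privileges='basic,net_rawaccess' />
      </method_context>
    </exec_method>
    <!-- ':kill' sends SIGTERM by default so snort can flush its logs. -->
    <exec_method type='method' name='stop' exec=':kill'
        timeout_seconds='60' />
    <property_group name='general' type='framework'>
      <!-- Both authorizations, as required by the SMF policy. -->
      <propval name='action_authorization' type='astring'
          value='solaris.smf.manage.snort' />
      <propval name='value_authorization' type='astring'
          value='solaris.smf.manage.snort' />
    </property_group>
    <stability value='Unstable' />
  </service>
</service_bundle>
```

Run `svccfg validate snort.xml` against the file before importing it; if snort writes under /var/log/snort, that directory must be owned by the assumed snort user for the reduced credential to work.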
