> Explicitly copied Seb since he was case owner for libpcap.
>
>> 1. For privileges(5), PRIV_NET_RAWACCESS is least required since snort
>> depends on
>> libpcap which sets NIC to RAW mode in order to monitor the flow of the box.
>> And the "Network Management" profile is necessary. From definition of
>> "net_observability"
>> in priv_names in /etc/security, it says
>> #################################################
>> net_observability
>> Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
>> while not requiring them to need PRIV_NET_RAWACCESS.
>> #################################################
>>
>> But libpcap needs to set NIC to raw, so I think net_rawaccess is
>> required, not net_observability.
>> One note however: snort only reads data packets from libpcap, and it
>> doesn't try to encapsulate
>> an IP/TCP/UDP/* packet to send because libpcap doesn't support it.
>>
>
> Not to belabor things here: Should libpcap be fixed so that
> it only needs net_observability when reading packets?

Thanks Seb for his answer.

>
>> 2. About the method context, I think user "root" and group "root" is
>> necessary. As follows, please:
>>
>
> Why is that? Why isn't noaccess:noaccess,
> privileges=net_raw_access (or net_observability -- based on Seb's
> reply) sufficient?

It fully depends on the device operation from libpcap (open NIC device and set it to promisc mode). I am trying it with noaccess:noaccess after giving it certain auths.

> P.S. I don't see a reason for your stop method to have a method
> context. It appears to only be doing a :kill.

Thanks, I will remove it.

>
>>>> Network Management:solaris:cmd:::/usr/bin/snort:privs=net_rawaccess
>>>>
>>>> <property_group name='general' type='framework'>
>>>> <!-- to start stop snortd -->
>>>> <propval name='action_authorization' type='astring'
>>>> value='solaris.smf.manage.snort' />
>>>> </property_group>
>>>>
>>>
>>>
>>> Don't you also want a value authorization?
>>> See the SMF policy:
>>> http://opensolaris.org/os/community/arc/policies/SMF-policy/
>>>
>> Sorry, I was not quite familiar with the SMF, and in my understanding
>> of the SMF-policy after reading it, it should be like the following:
>>
>
> Thus the policy. Project teams are responsible for following
> applicable policies -;)

Thanks.

>
>> ##################################################
>> <property_group name='general' type='framework'>
>> <propval name='action_authorization' type='astring'
>> value='solaris.smf.manage.snort' />
>> <propval name='value_authorization' type='astring'
>> value='solaris.smf.manage.snort' />
>> </property_group>
>> ##################################################
>>
>> In this way, one item should be inserted into auth_attr:
>> ##################################################
>> solaris.smf.manage.snort:::Manage Snort Service
>> States::help=ManageSnort.html
>> ##################################################
>>
>> In exec_attr, 1 item should be added.
>> The related exec_attr, auth_attr, snort.xml are in the attachment.
>> ##################################################
>> Network Management:solaris:cmd:::/usr/bin/snort:privs=net_rawaccess
>> ##################################################
>>
>
> Seems fine modulo the libpcap question.

Thank you very much for your help. :)

Thanks Jason
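The pieces discussed in this thread (a non-root method credential carrying only the privilege libpcap needs, a stop method that is a bare `:kill` with no method context, and a `general` property group with both action and value authorizations) fit together in one manifest. The fragment below is an added illustration written for this page; it is not the snort.xml attached to the thread. The service name `network/snort`, the `basic` privilege set (added so the daemon can still fork and exec after the privilege set is replaced; the thread only discusses `net_rawaccess`), the timeouts and the omitted snort command-line options are all assumptions.

```xml
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!-- Added example manifest; service name 'network/snort' is assumed. -->
<service_bundle type='manifest' name='snort'>
  <service name='network/snort' type='service' version='1'>

    <!-- Start disabled; an administrator with the authorization enables it. -->
    <create_default_instance enabled='false' />
    <single_instance />

    <!-- Start method: run as noaccess:noaccess instead of root:root.
         'privileges' replaces the inherited set, so 'basic' is listed
         alongside net_rawaccess (the privilege libpcap needs to put the
         NIC into raw/promiscuous mode, per the thread). If libpcap were
         changed to read with net_observability only, this is the one
         place that would change. Command-line options are omitted. -->
    <exec_method type='method' name='start'
                 exec='/usr/bin/snort'
                 timeout_seconds='60'>
      <method_context>
        <method_credential user='noaccess' group='noaccess'
                           privileges='basic,net_rawaccess' />
      </method_context>
    </exec_method>

    <!-- Stop method is a plain :kill, so it carries no method context,
         as noted in the review. -->
    <exec_method type='method' name='stop' exec=':kill'
                 timeout_seconds='60' />

    <!-- Both authorizations from the thread, per the SMF policy:
         action_authorization covers enable/disable/restart,
         value_authorization covers editing the service's properties.
         The auth name matches the auth_attr entry quoted above. -->
    <property_group name='general' type='framework'>
      <propval name='action_authorization' type='astring'
               value='solaris.smf.manage.snort' />
      <propval name='value_authorization' type='astring'
               value='solaris.smf.manage.snort' />
    </property_group>

  </service>
</service_bundle>
```

Because the whole privilege set is given in `method_credential`, the exec_attr entry `Network Management:solaris:cmd:::/usr/bin/snort:privs=net_rawaccess` only matters when snort is launched directly through a profile shell; under SMF the manifest's credential is what the daemon actually runs with, so the two should be kept consistent.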