>       Explicitly copied Seb since he was case owner for libpcap.
>
>   
>> 1. For privileges(5), PRIV_NET_RAWACCESS is the least that is required, since snort
>> depends on libpcap, which sets the NIC to RAW mode in order to monitor the traffic of the box.
>> And the "Network Management" profile is necessary. The definition of
>> "net_observability" in priv_names in /etc/security says:
>> #################################################
>> net_observability
>> Allows a process to access /dev/lo0 and the devices in /dev/ipnet/
>> while not requiring them to need PRIV_NET_RAWACCESS.
>> #################################################
>>
>> But libpcap needs to set the NIC to raw, so I think net_rawaccess is
>> required, not net_observability.
>> One note however: snort only reads data packets from libpcap; it
>> doesn't try to encapsulate an IP/TCP/UDP/* packet to send, because libpcap doesn't support it.
>>     
>
>       Not to belabor things here:  Should libpcap be fixed so that
>       it only needs net_observability when reading packets?
>
>   
>> 2. About the method context, I think user "root" and group "root" are
>> necessary, as follows:
>>     
>       
>       Why is that?  Why isn't noaccess:noaccess,
>       privileges=net_rawaccess (or net_observability -- based on Seb's
>       reply) sufficient?
>   
Yes, a noaccess:noaccess method_context could work. But it needs another
privilege (basic); I think that is because it tries to write its log.
So after this, the snort.xml start method is as follows:
####################################
<exec_method
    type='method'
    name='start'
    exec='/lib/svc/method/snortd start'
    timeout_seconds='60'>
    <method_context>
        <method_credential
            user='noaccess'
            group='noaccess'
            privileges='basic,net_rawaccess' />
    </method_context>
</exec_method>
####################################
[root at beigai:/etc]# svccfg import /var/svc/manifest/network/snort.xml

[root at beigai:/etc]# svcadm disable snort
[root at beigai:/etc]# svcadm enable snort

[root at beigai:/etc]# ps -ef | grep snort
noaccess 28653 1 0 14:31:05 ? 0:00 /usr/bin/snort -d -D


Thanks
Jason
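One defender-side check implied by this exchange, as an added example that is not from the thread or the snort package: parse a manifest's method_credential and flag any method that still runs as root, declares no privilege set, or carries privileges beyond the agreed ones. The service_bundle/service wrapper around the thread's exec_method is assumed so the fragment parses as a document.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the start method from the thread, wrapped in a minimal
# (assumed) service_bundle/service so it parses as a whole manifest.
SNORT_MANIFEST = """<service_bundle type='manifest' name='snort'>
<service name='network/snort' type='service' version='1'>
<exec_method type='method' name='start'
    exec='/lib/svc/method/snortd start' timeout_seconds='60'>
  <method_context>
    <method_credential user='noaccess' group='noaccess'
        privileges='basic,net_rawaccess' />
  </method_context>
</exec_method>
</service>
</service_bundle>
"""

def method_credentials(manifest_xml):
    """Return {method name: (user, group, privilege set or None)} per exec_method.

    None for the privilege set means the manifest declares no privileges=
    attribute, so the set is not constrained by the manifest itself.
    """
    root = ET.fromstring(manifest_xml)
    creds = {}
    for method in root.iter('exec_method'):
        cred = method.find('./method_context/method_credential')
        if cred is None:
            # No credential at all: smf_method(5) runs the method as root.
            creds[method.get('name')] = ('root', 'root', None)
            continue
        privs = cred.get('privileges')
        priv_set = frozenset(p.strip() for p in privs.split(',')) if privs else None
        creds[method.get('name')] = (cred.get('user'), cred.get('group'), priv_set)
    return creds

def least_privilege_findings(creds, expected_privs):
    """List deviations from the agreed profile: non-root identity, only expected privs."""
    findings = []
    for name, (user, group, privs) in creds.items():
        if user == 'root' or group == 'root':
            findings.append(f"{name}: runs as {user}:{group}")
        if privs is None:
            findings.append(f"{name}: no privileges= attribute, set is not constrained")
            continue
        extra = privs - expected_privs
        if extra:
            findings.append(f"{name}: unexpected privileges {sorted(extra)}")
    return findings
```

Run it against a real /var/svc/manifest file after `svccfg import` to confirm the credential that was actually loaded; the `ps -ef` check above shows the user but not the privilege set, which `ppriv <pid>` would.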
