Hi, I'm experimenting with Suricata, but don't want to let suricata listen on network interface, as it has to run as root. Suricata has a user/group options, but they require libcap-ng. Looking around, what we have, I came across dumpcap.
So, put the _suricata user into the _wireshark group, and:
rcctl enable dumpcap
rcctl set dumpcap flags .....
rcctl set dumpcap user _suricata
dumpcap then happily runs as _suricata, and Suricata picks up and runs happily
as _suricata user as well.
that let's me feel much more comfortable.
If someone has better ideas, I'm all ears.
Therefore I added an rcscript to tshark package for dumpcap.
Any concerns, comments, or even OK?
cheers,
Sebastian
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/wireshark/Makefile,v
retrieving revision 1.91
diff -u -r1.91 Makefile
--- Makefile 23 May 2019 13:17:13 -0000 1.91
+++ Makefile 4 Jun 2019 08:05:39 -0000
@@ -10,6 +10,7 @@
DISTNAME = wireshark-$V
PKGNAME-main = wireshark-$V
PKGNAME-text = tshark-$V
+REVISION-text = 0
SHARED_LIBS += wscodecs 1.0
SHARED_LIBS += wsutil 4.0
Index: pkg/PLIST-text
===================================================================
RCS file: /cvs/ports/net/wireshark/pkg/PLIST-text,v
retrieving revision 1.10
diff -u -r1.10 PLIST-text
--- pkg/PLIST-text 1 Mar 2019 18:06:46 -0000 1.10
+++ pkg/PLIST-text 4 Jun 2019 08:05:39 -0000
@@ -1,5 +1,6 @@
@comment $OpenBSD: PLIST-text,v 1.10 2019/03/01 18:06:46 sthen Exp $
@newgroup _wireshark:735
+@rcscript ${RCDIR}/dumpcap
@bin bin/capinfos
@bin bin/captype
@mode 4550
Index: pkg/dumpcap.rc
===================================================================
RCS file: pkg/dumpcap.rc
diff -N pkg/dumpcap.rc
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ pkg/dumpcap.rc 4 Jun 2019 08:05:39 -0000
@@ -0,0 +1,10 @@
+#!/bin/ksh
+#
+# $OpenBSD$
+
+daemon="/usr/local/bin/dumpcap"
+rc_bg=YES
+
+. /etc/rc.d/rc.subr
+
+rc_cmd $1
wireshark-dumpcap-rcscript
Description: Binary data
