Support #1334
closedsudo suricata introduces vulnerabiltiy
Description
I am running Suricata on a SIFT Workstation 3.0 VM for an application security class assignment. According to the basic setup, to test suricata run as:
sudo suricata -c /etc/suricata/suricata.yaml -i wlan0 --init-errors-fatal
If you can own the suricata process, you immediately have root access to the system and can do anything the root user can do. This can be considered a misconfiguration bug.
I tried running without the sudo, and it aborts.
sansforensics@siftworkstation:~$ suricata c /etc/suricata/suricata.yaml -i eth0 04:26:19 - <Notice> - This is Suricata version 2.0.4 RELEASE
9/12/2014 -
9/12/2014 -- 04:26:19 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - fopen error opening file "/var/log/suricata//stats.log". Resorting to using the standard output for output
9/12/2014 -- 04:26:25 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata//threshold.config": No such file or directory
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//fast.log": Permission denied
9/12/2014 -- 04:26:25 - <Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Eve-log support not compiled in. Reconfigure/recompile with libjansson and its development files installed to add eve-log support.
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - failed to open /var/log/suricata//unified2.alert.1418099185: Permission denied
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//http.log": Permission denied
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_PCAP_ACTIVATE_HANDLE(27)] - Couldn't activate the pcap handler, error socket: Operation not permitted
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_UNIMPLEMENTED(88)] - Unix socket is not compiled
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RxPcapeth01" closed on initialization.
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...
Updated by Eric Leblond over 9 years ago
- Tracker changed from Bug to Support
A software need the CAP_NET_ADMIN to be able to capture traffic on an interface. So you could succesfully run suricata with a user who has only this capability. But this capability is quite large so this is a bit the same as being root.
So the common and easy case is to run as root, and that's why the documentation says sudo can be used.
But as you are concerned with securiy, a more secure option would be to use Suricata capability if switching user once it has done the operation requiring the CAP_NET_ADMIN. To do so simply create a user, setup the suricata.yaml as follow:
# Run suricata as user and group.
run-as:
user: suri
group: suri
And restart suricata.
Updated by Victor Julien over 9 years ago
- Status changed from New to Rejected
Suri doesn't require sudo for all it's operations. For example reading a pcap file works fine w/o sudo/root.
Some ops do require elevated permissions though, that is inherent to what we do. Closing this bug.