Project

General

Profile

Actions

Support #1334

closed

sudo suricata introduces vulnerabiltiy

Added by Laura Brodie about 10 years ago. Updated about 10 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Affected Versions:
Label:

Description

I am running Suricata on a SIFT Workstation 3.0 VM for an application security class assignment. According to the basic setup, to test suricata run as:
sudo suricata -c /etc/suricata/suricata.yaml -i wlan0 --init-errors-fatal

If you can own the suricata process, you immediately have root access to the system and can do anything the root user can do. This can be considered a misconfiguration bug.

I tried running without the sudo, and it aborts.

sansforensics@siftworkstation:~$ suricata c /etc/suricata/suricata.yaml -i eth0
9/12/2014 -
04:26:19 - <Notice> - This is Suricata version 2.0.4 RELEASE
9/12/2014 -- 04:26:19 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - fopen error opening file "/var/log/suricata//stats.log". Resorting to using the standard output for output
9/12/2014 -- 04:26:25 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata//threshold.config": No such file or directory
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//fast.log": Permission denied
9/12/2014 -- 04:26:25 - <Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Eve-log support not compiled in. Reconfigure/recompile with libjansson and its development files installed to add eve-log support.
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - failed to open /var/log/suricata//unified2.alert.1418099185: Permission denied
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//http.log": Permission denied
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_PCAP_ACTIVATE_HANDLE(27)] - Couldn't activate the pcap handler, error socket: Operation not permitted
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_UNIMPLEMENTED(88)] - Unix socket is not compiled
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RxPcapeth01" closed on initialization.
9/12/2014 -- 04:26:25 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

Actions #1

Updated by Eric Leblond about 10 years ago

  • Tracker changed from Bug to Support

A software need the CAP_NET_ADMIN to be able to capture traffic on an interface. So you could succesfully run suricata with a user who has only this capability. But this capability is quite large so this is a bit the same as being root.

So the common and easy case is to run as root, and that's why the documentation says sudo can be used.

But as you are concerned with securiy, a more secure option would be to use Suricata capability if switching user once it has done the operation requiring the CAP_NET_ADMIN. To do so simply create a user, setup the suricata.yaml as follow:

  # Run suricata as user and group.
  run-as:
    user: suri
    group: suri

And restart suricata.

Actions #2

Updated by Victor Julien about 10 years ago

  • Status changed from New to Rejected

Suri doesn't require sudo for all it's operations. For example reading a pcap file works fine w/o sudo/root.

Some ops do require elevated permissions though, that is inherent to what we do. Closing this bug.

Actions

Also available in: Atom PDF