snort [PSARC/2009/256 FastTrack timeout 05/04/2009]

Gary Winiger gww at sac.sfbay.sun.com
Tue May 5 15:06:47 PDT 2009


> Hi, Gary,
> >>> Snort does far more than just read files.  It links to libpcap and can
> >>> snoop on network interfaces in real time.  To do *that*, it will
> >>> require elevated privileges.
> >>>   
> >>>       
> >> Right.
> >>     
> >
> > 	What are those elevated privileges?
> >   
> For "privileges", I think you mean the auths of RBAC.

	No, I mean privileges(5).  If it is a service then it also
	requires authorizations that follow the policy:
	http://opensolaris.org/os/community/arc/policies/SMF-policy/

	And a further question if run as a service is what is the
	method context?

> > 	What will be delivered into what Rights Profile?
> >   
> It is very similar to "wireshark" which has been delivered, since
> both of the utilities take advantage of libpcap to read data and handle
> them after setting the NIC to raw mode. For snort, it doesn't read data directly
> from kernel memory, raw I/O from NIC is the way it works.
> 
> And I believe "Network Management" profile is enough.
> 
> The project will deliver SUNWsnortr and SUNWsnortu. On SUNWsnortr,
> it will deliver profiles in /etc/security/exec_attr (added snort):
> 
> Network Management:solaris:cmd:::/usr/bin/snort:privs=net_rawaccess

	Why isn't net_observability sufficient?

Gary..
