Run Zeek as user zeek on FreeBSD
Introduction
This is the second blog post in a series of posts about running Zeek on FreeBSD. In the first post I covered a base implementation of Zeek on FreeBSD:
In this second blog post we configure Zeek to run as a normal user zeek instead of the user root.
Technical prerequisites
The following technical prerequisites have to be in place to be able to implement what is described in this post:
- have Zeek implemented as described in Implement Zeek on FreeBSD
Requirements
Zeek runs as the user root by default when it is implemented on FreeBSD using the package system.
But we want a more secure setup than this and run Zeek as a normal user. Fortunately this is possible on our favorite Operating System!
Configure Zeek to run as user zeek
Only a couple of commands are needed to configure Zeek to run as the normal user zeek instead of root (1):
First we stop the Zeek processes:
$ sudo service zeek stop
Then we add some lines to the /etc/devfs.conf file:
$ sudo tee -a /etc/devfs.conf > /dev/null <<EOT
own bpf root:bpf
perm bpf 0660
EOT
Now we create a new group called bpf and add the zeek user to it:
$ sudo pw groupadd -n bpf -g 81
$ sudo pw group mod bpf -m zeek
and then we restart the devfs service:
$ sudo service devfs restart
Next we tell the rc system to run Zeek as the user zeek:
$ sudo sysrc zeek_user="zeek"
and check it:
$ grep zeek /etc/rc.conf
zeek_enable="YES"
zeek_user="zeek"
Now we change the Zeek maintenance cron entry from user root to user zeek. First we remove the existing entry:
$ sudo sed -i '' '/zeekctl/d' /etc/crontab
And then we create a new one for the user zeek:
$ echo "zeek" | sudo tee -a /var/cron/allow > /dev/null
$ echo "*/5 * * * * /usr/local/bin/zeekctl cron" | sudo tee /var/cron/tabs/zeek > /dev/null
And we restart the cron daemon:
$ sudo service cron restart
We are almost ready! The last item is to change the owner of the Zeek log directories:
$ sudo chown -R zeek:zeek /var/zeek/
And we can start the Zeek processes again:
$ sudo service zeek deploy
(1): the user zeek is created when the Zeek package is installed.
Important: Although you can start and stop zeek through the zeekctl command, my experience is that with Zeek running as the zeek user it is best to start, stop and deploy Zeek through the service command, as this will use the sysrc variables set in the system rc.conf configuration file!
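As an added example (not part of the original post), the following POSIX sh script checks the outcome of the steps above: rc.conf names the zeek user, devfs.conf restricts the bpf devices to group bpf with mode 0660, the zeekctl cron entry has moved from /etc/crontab to the zeek tab, and every running zeek process belongs to user zeek. The stat and ps invocations in run_all are my assumptions about how to collect the live data; the paths are the ones the post uses.

```shell
#!/bin/sh
# Verification of the "Zeek as user zeek" setup (added example, not from the post).
# Each check reads a file path or stdin, so it runs against the live FreeBSD files
# or against constructed samples; run_all wires it to the post's paths (use --live).

# rc.conf must carry zeek_user="zeek" (what `sysrc zeek_user="zeek"` writes).
check_rc_user() {            # $1 = path to rc.conf
    grep -Eq '^zeek_user="?zeek"?$' "$1"
}

# devfs.conf must hand the bpf devices to group bpf with mode 0660.
check_devfs_rules() {        # $1 = path to devfs.conf
    grep -Eq '^[[:space:]]*own[[:space:]]+bpf[[:space:]]+root:bpf' "$1" &&
        grep -Eq '^[[:space:]]*perm[[:space:]]+bpf[[:space:]]+0660' "$1"
}

# Each /dev/bpf* node must be group bpf, mode 660: no world-readable capture device.
# stdin: lines of "<group> <octal mode> <path>", e.g. stat -f '%Sg %OLp %N' /dev/bpf*
check_bpf_devices() {
    awk '$1 != "bpf" || $2 !~ /^0?660$/ { bad++ } END { exit bad ? 1 : 0 }'
}

# The zeekctl entry must be gone from /etc/crontab and present in zeek's own tab.
check_cron() {               # $1 = /etc/crontab, $2 = /var/cron/tabs/zeek
    ! grep -q zeekctl "$1" &&
        grep -Eq '^\*/5 \* \* \* \* /usr/local/bin/zeekctl cron' "$2"
}

# Every running zeek process must belong to the zeek user.
# stdin: lines of "<user> <command>", e.g. ps -axo user,command | grep '[z]eek'
check_zeek_processes() {
    awk '$1 != "zeek" { bad++ } END { exit bad ? 1 : 0 }'
}

# Run all checks against the live system; needs root to read /var/cron/tabs/zeek.
run_all() {
    rc=0
    check_rc_user /etc/rc.conf || { echo "FAIL: zeek_user not set in /etc/rc.conf"; rc=1; }
    check_devfs_rules /etc/devfs.conf || { echo "FAIL: bpf rules missing in /etc/devfs.conf"; rc=1; }
    stat -f '%Sg %OLp %N' /dev/bpf* | check_bpf_devices \
        || { echo "FAIL: a /dev/bpf* node is not bpf:660"; rc=1; }
    check_cron /etc/crontab /var/cron/tabs/zeek \
        || { echo "FAIL: zeekctl cron entry not moved to user zeek"; rc=1; }
    ps -axo user,command | grep '[z]eek' | check_zeek_processes \
        || { echo "FAIL: a zeek process runs as another user"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: Zeek runs as zeek with bpf access restricted to group bpf"
    return "$rc"
}
if [ "${1:-}" = "--live" ]; then run_all; fi
```

Run it as `sudo sh check_zeek_user.sh --live` after `service zeek deploy`; any FAIL line points at the step that did not take effect.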
Wrap up
This blog post covered setting up the FreeBSD system to run Zeek as a normal user instead of the root user.
This is the second blog post in a series of posts about Zeek on FreeBSD. In the next, third, blog post of this series we will discuss some basic queries on the Zeek logs.
Resources
Some (other) resources about this subject: