doc/userguide: start on a security chapter #9027
Conversation
This is the start of a security consideration chapter, starting with directions on how to run Suricata as a non-root user.
cbba47d to ea9a092
Codecov Report
@@            Coverage Diff             @@
##           master    #9027      +/-   ##
==========================================
+ Coverage   82.23%   82.24%   +0.01%
==========================================
  Files         969      969
  Lines      273684   273684
==========================================
+ Hits       225054   225100      +46
+ Misses      48630    48584      -46
@@ -0,0 +1,137 @@ | |||
Security Considerations | |||
======================= | |||
Should we have a quick intro explaining why it matters to do so?
I think I can get into that under running as root, but will add a small blurb.
For now...
Suricata is a security tool that processes untrusted network data, as
well as requiring elevated system privileges to acquire that
data. This combination deserves extra security precautions that we
discuss below.
Additionally, supply chain attacks, particularly around rule
distribution, could potentially target Suricata installations.
itself. | ||
.. note:: Currently the ability to drop root privileges after startup | ||
is only available on Linux systems. |
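Review bot: the note states that privilege dropping is Linux-only but not why; since the discussion below points out that it depends on libcap-ng, naming that dependency in the note (for example "requires libcap-ng and is currently only available on Linux") would tell readers on other platforms what is actually missing instead of leaving a bare restriction.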
Not even on FreeBSD?
Never tried, I don't see libcap-ng in the ports, and our privilege dropping is dependent on that. We have an open ticket with some work for generic support, but it needs to be revisited: https://redmine.openinfosecfoundation.org/issues/2931
+------------------+-----------+ | ||
|/var/log/suricata |Read, Write| | ||
+------------------+-----------+ | ||
|/var/lib/suricata |Read,Write | |
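Review bot: the /var/lib/suricata row uses `Read,Write` while the /var/log/suricata row above it uses `Read, Write`; with the space added the cell reads `|Read, Write|`, which still fills the 11-character column that the `+-----------+` border defines, so the grid table stays aligned.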
Add a space between Read,Write for consistency.
Replaced by #9030.
Rendered sample: https://jasonish-suricata.readthedocs.io/en/security-guide-v1/security.html
Ticket: https://redmine.openinfosecfoundation.org/issues/6124
Cleanly cherry-picks into master-6.0.x.
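As an added example (not code from this PR or the Suricata project), a small checker that evaluates what access a non-root service account gets, from plain POSIX mode bits, to the directories the chapter's table lists; `Entry`, `audit` and the uid/gid values are constructed for illustration, and the check goes slightly beyond the table by also requiring the directory search (execute) bit.

```python
from dataclasses import dataclass

# Access the chapter's table documents per directory (taken from the two rows
# visible in the review); other rows of the real table are not reproduced.
REQUIRED_ACCESS = {
    "/var/log/suricata": {"read", "write"},
    "/var/lib/suricata": {"read", "write"},
}

@dataclass(frozen=True)
class Entry:
    """Ownership and mode of a directory, as os.stat would report them."""
    uid: int
    gid: int
    mode: int  # full st_mode, e.g. 0o40750 for drwxr-x---

def effective_access(entry, uid, gids):
    """Access an account gets from plain POSIX mode bits (no ACLs modelled)."""
    if uid == 0:
        return {"read", "write", "execute"}  # root bypasses DAC checks
    if uid == entry.uid:
        bits = (entry.mode >> 6) & 0o7
    elif entry.gid in gids:
        bits = (entry.mode >> 3) & 0o7
    else:
        bits = entry.mode & 0o7
    names = (("read", 4), ("write", 2), ("execute", 1))
    return {name for name, bit in names if bits & bit}

def audit(entries, uid, gids, required=REQUIRED_ACCESS):
    """Map each directory the account cannot use as documented to the missing
    access; {} means the layout matches. Execute (search) is always needed."""
    problems = {}
    for path, needed in required.items():
        entry = entries.get(path)
        if entry is None:
            problems[path] = {"missing directory"}
            continue
        missing = (needed | {"execute"}) - effective_access(entry, uid, gids)
        if missing:
            problems[path] = missing
    return problems

# Constructed sample: service account uid/gid 990; /var/lib/suricata was left
# root-owned with mode 0750, so the group gets only read and search.
SAMPLE = {
    "/var/log/suricata": Entry(uid=990, gid=990, mode=0o40750),
    "/var/lib/suricata": Entry(uid=0, gid=990, mode=0o40750),
}
```

Feeding `audit` real `os.stat` results for the same paths turns it into a post-install check that the service account can actually write where the chapter says it must.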