doc/userguide: start on a security chapter #9027
Conversation
This is the start of a security consideration chapter, starting with directions on how to run Suricata as a non-root user.
jasonish
force-pushed
the
security-guide/v1
branch
from
cbba47d
to
ea9a092
Compare
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9027 +/- ##
==========================================
+ Coverage 82.23% 82.24% +0.01%
==========================================
Files 969 969
Lines 273684 273684
==========================================
+ Hits 225054 225100 +46
+ Misses 48630 48584 -46
Flags with carried forward coverage won't be shown. Click here to find out more. |
| @@ -0,0 +1,137 @@ | |||
| Security Considerations | |||
| ======================= | |||
|
|
|||
There was a problem hiding this comment.
should we have a quick intro explaining why it matters to do so?
There was a problem hiding this comment.
I think I can into that under running as root, but will add a small blurb.
There was a problem hiding this comment.
For now...
Suricata is a security tool that processes untrusted network data, as
well as requiring elevated system privileges to acquire that
data. This combination deserves extra security pre-cautions that we
discuss below.
Additionally, supply chain attacks, particularly around rule
distribution could potentially target Suricata installations.
| itself. | ||
|
|
||
| .. note:: Currently the ability to drop root privileges after startup | ||
| is only available on Linux systems. |
There was a problem hiding this comment.
Never tried, I don't see libcap-ng in the ports, and our privilege dropping is dependent on that. We have an open ticket with some work for generic support, but it needs to be revisited: https://redmine.openinfosecfoundation.org/issues/2931
| +------------------+-----------+ | ||
| |/var/log/suricata |Read, Write| | ||
| +------------------+-----------+ | ||
| |/var/lib/suricata |Read,Write | |
There was a problem hiding this comment.
add space between Read,Write for consistancy
|
Replaced by #9030. |
This is the start of a security consideration chapter, starting with directions on how to run Suricata as a non-root user.
Rendered sample: https://jasonish-suricata.readthedocs.io/en/security-guide-v1/security.html
Ticket: https://redmine.openinfosecfoundation.org/issues/6124
Cleanly cherry-picks into
master-6.0.x.