On large sensors with lots of Bro logs, chown takes more than 5 minutes and the 5-minute cron jobs are piling up:
What is this script for? To just load in changes from securityonion.conf and pass them on to broctl? I'm assuming the chown was there to make sure that /nsm/bro has the appropriate permissions at every run?
/etc/cron.d/bro runs every 5 minutes and calls so-bro-cron. so-bro-cron runs /opt/bro/bin/broctl cron, which is a cron job required by Bro.
When we transitioned from running Bro as root to running Bro as a non-root user, so-bro-cron needed to chown the Bro files so that the sguil user could access them properly. If that chown takes more than 5 minutes, then the cron jobs pile up.
At this point, all users should have their Bro files owned by sguil, so I think we can safely remove this. The chown will still happen on initial Bro startup via /usr/sbin/nsm_sensor_ps-start, it just won't happen every 5 minutes anymore to avoid disk thrashing and process pileups.
Thanks for the clarification, Doug!
submitted for testing: