NSM: remove chown from /usr/sbin/so-bro-cron #1030

Closed
dougburks opened this issue Dec 7, 2016 · 6 comments

@dougburks dougburks commented Dec 7, 2016

On large sensors with lots of Bro logs, chown takes more than 5 minutes and the 5-minute cron jobs are piling up:
https://groups.google.com/d/topic/security-onion/V8hjVrKARss/discussion

@dougburks dougburks commented Dec 7, 2016

@weslambert weslambert commented Dec 7, 2016

What is this script for? To just load in changes from securityonion.conf and pass them on to broctl? I'm assuming the chown was there to make sure that /nsm/bro has the appropriate permissions at every run?

@dougburks dougburks commented Dec 7, 2016

/etc/cron.d/bro runs every 5 minutes and calls so-bro-cron. so-bro-cron runs /opt/bro/bin/broctl cron, which is a cron job required by Bro.

When we transitioned from running Bro as root to running Bro as a non-root user, so-bro-cron needed to chown the Bro files so that the sguil user could access them properly. If that chown takes more than 5 minutes, then the cron jobs pile up.

At this point, all users should have their Bro files owned by sguil, so I think we can safely remove this. The chown will still happen on initial Bro startup via /usr/sbin/nsm_sensor_ps-start, it just won't happen every 5 minutes anymore to avoid disk thrashing and process pileups.
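
The following is an added example, not part of the comment above and not Security Onion's code. The issue resolves the pile-up by removing the chown; for a periodic job that must keep an ownership fix, this shell example shows two general guards: touching only entries with the wrong owner, and skipping a tick while the previous run is still active. The function names and the lock path are hypothetical; `/nsm/bro` and `sguil` come from the thread.

```shell
#!/bin/sh
# Added example, not Security Onion code. Function names and the lock path
# in the usage comment are hypothetical.

# fix_ownership DIR USER
# Chown only the entries under DIR that USER does not already own. On a
# tree that is already correct this is a metadata walk with no ownership
# writes. Prints the number of entries that needed changing.
fix_ownership() {
    dir=$1
    user=$2
    # -h changes a symlink itself instead of its target, so a link planted
    # in the log tree cannot redirect a root-run chown elsewhere.
    find "$dir" ! -user "$user" -print -exec chown -h "$user" {} + |
        wc -l | tr -d ' '
}

# run_exclusive LOCKDIR CMD [ARGS...]
# mkdir is atomic: if LOCKDIR exists, the previous run is still active and
# this tick is skipped (exit 75) instead of queueing behind it.
# Caveat: a killed run leaves LOCKDIR behind; on Linux, flock(1) avoids
# that because the kernel drops the lock when the process exits.
run_exclusive() {
    lock=$1
    shift
    mkdir "$lock" 2>/dev/null || return 75
    rc=0
    "$@" || rc=$?
    rmdir "$lock"
    return "$rc"
}

# Hypothetical cron usage, with the path and user from the thread:
#   run_exclusive /var/run/so-bro-chown.lock fix_ownership /nsm/bro sguil
```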

@weslambert weslambert commented Dec 7, 2016

Thanks for the clarification, Doug!

@dougburks dougburks commented Dec 7, 2016

@dougburks dougburks commented Dec 12, 2016
