NSM: remove chown from /usr/sbin/so-bro-cron #1030

dougburks opened this Issue Dec 7, 2016 · 6 comments




On large sensors with lots of Bro logs, chown takes more than 5 minutes and the 5-minute cron jobs are piling up:


What is this script for? To just load in changes from securityonion.conf and pass them on to broctl? I'm assuming the chown was there to make sure that /nsm/bro has the appropriate permissions at every run?


/etc/cron.d/bro runs every 5 minutes and calls so-bro-cron. so-bro-cron runs /opt/bro/bin/broctl cron, which is a cron job required by Bro.

When we transitioned from running Bro as root to running Bro as a non-root user, so-bro-cron needed to chown the Bro files so that the sguil user could access them properly. If that chown takes more than 5 minutes, then the cron jobs pile up.

At this point, all users should have their Bro files owned by sguil, so I think we can safely remove this. The chown will still happen on initial Bro startup via /usr/sbin/nsm_sensor_ps-start; it just won't happen every 5 minutes anymore, to avoid disk thrashing and process pileups.
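
An added example, not part of the issue thread or Security Onion's code: a cron wrapper that skips a run while the previous one still holds a lock, and that changes ownership only on entries not already owned by the expected user. The function names and the lock path are hypothetical; `/nsm/bro`, `sguil` and `broctl cron` are taken from the thread, and GNU find and util-linux `flock` are assumed.

```shell
#!/bin/sh
# Added example (not Security Onion code). Function names and the lock
# path are hypothetical; GNU find and util-linux flock are assumed.

# count_foreign DIR UID: print how many entries under DIR are NOT owned by UID.
# NUL-separated output keeps the count right for names containing newlines.
count_foreign() {
    find "$1" -xdev ! -uid "$2" -print0 | tr -cd '\0' | wc -c | tr -d ' '
}

# fix_foreign DIR USER: chown only the entries whose owner is wrong.
# The tree is still walked, but correctly owned files are never rewritten,
# and -h changes a symlink itself instead of following it.
fix_foreign() {
    uid=$(id -u "$2") || return 1
    find "$1" -xdev ! -uid "$uid" -exec chown -h "$2" {} +
}

# run_exclusive LOCKFILE CMD...: run CMD unless an earlier run still holds
# LOCKFILE. Returns 75 immediately instead of queueing behind it, so slow
# runs cannot pile up the way the 5-minute cron jobs in the issue did.
run_exclusive() {
    lock=$1
    shift
    (
        flock -n 9 || exit 75
        "$@"
    ) 9>"$lock"
}

# Possible cron entry point (constructed, shown for illustration only):
#   run_exclusive /var/lock/so-bro-cron.lock fix_foreign /nsm/bro sguil
#   run_exclusive /var/lock/so-bro-cron.lock /opt/bro/bin/broctl cron
```

A non-zero result from `count_foreign /nsm/bro "$(id -u sguil)"` is also a cheap audit signal that something is writing Bro files as the wrong user.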


Thanks for the clarification, Doug!

@dougburks dougburks closed this Dec 12, 2016