NSM: remove chown from /usr/sbin/so-bro-cron #1030

Closed
dougburks opened this Issue Dec 7, 2016 · 6 comments


@dougburks
Contributor

On large sensors with lots of Bro logs, chown takes more than 5 minutes and the 5-minute cron jobs are piling up:
https://groups.google.com/d/topic/security-onion/V8hjVrKARss/discussion

@weslambert

What is this script for? To just load in changes from securityonion.conf and pass them on to broctl? I'm assuming the chown was there to make sure that /nsm/bro has the appropriate permissions at every run?

@dougburks
Contributor

/etc/cron.d/bro runs every 5 minutes and calls so-bro-cron. so-bro-cron runs /opt/bro/bin/broctl cron, which is a cron job required by Bro.

When we transitioned from running Bro as root to running Bro as a non-root user, so-bro-cron needed to chown the Bro files so that the sguil user could access them properly. If that chown takes more than 5 minutes, then the cron jobs pile up.

At this point, all users should have their Bro files owned by sguil, so I think we can safely remove this. The chown will still happen on initial Bro startup via /usr/sbin/nsm_sensor_ps-start; it just won't happen every 5 minutes anymore to avoid disk thrashing and process pileups.
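
The pile-up described above comes from a recursive ownership fix that outlasts the 5-minute cron interval. The sketch below is an added example, not part of this thread and not the so-bro-cron script: it shows a non-overlapping job wrapper and an ownership pass that touches only mismatched entries. The function names and the lock path are hypothetical; `/nsm/bro` and `sguil` are taken from the comment above.

```shell
#!/bin/sh
# Added example, not Security Onion code. Function names and the lock
# path in the usage comment are hypothetical.

# run_exclusive LOCKDIR CMD [ARGS...]
# Runs CMD only if no earlier invocation still holds LOCKDIR.
# mkdir is atomic, so two overlapping cron runs cannot both acquire it.
# Returns 75 (EX_TEMPFAIL) when the run is skipped, else CMD's status.
# Caveat: a job killed mid-run leaves LOCKDIR behind; clear it at boot.
run_exclusive() {
    lockdir=$1
    shift
    if ! mkdir "$lockdir" 2>/dev/null; then
        return 75
    fi
    status=0
    "$@" || status=$?
    rmdir "$lockdir"
    return "$status"
}

# fix_owner DIR OWNER
# Changes ownership only on entries NOT already owned by OWNER, so a
# tree that is already correct costs a metadata walk and no writes.
# chown -h acts on a symlink itself instead of following it, so a link
# planted in the log tree cannot redirect the change to its target.
# Prints the number of entries that were changed.
fix_owner() {
    dir=$1
    owner=$2
    find "$dir" ! -user "$owner" -print -exec chown -h "$owner" {} + |
        wc -l | tr -d ' '
}

# Usage from a cron-driven script (lock path is a placeholder):
#   run_exclusive /var/run/example-bro-cron.lock fix_owner /nsm/bro sguil
```
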

@weslambert

Thanks for the clarification, Doug!

@dougburks dougburks closed this Dec 12, 2016