NSM: remove chown from /usr/sbin/so-bro-cron #1030

Closed
dougburks opened this Issue Dec 7, 2016 · 6 comments

Contributor

dougburks commented Dec 7, 2016

On large sensors with lots of Bro logs, chown takes more than 5 minutes and the 5-minute cron jobs are piling up:
https://groups.google.com/d/topic/security-onion/V8hjVrKARss/discussion

Collaborator

weslambert commented Dec 7, 2016

What is this script for? To just load in changes from securityonion.conf and pass them on to broctl? I'm assuming the chown was there to make sure that /nsm/bro has the appropriate permissions at every run?

Contributor

dougburks commented Dec 7, 2016

/etc/cron.d/bro runs every 5 minutes and calls so-bro-cron. so-bro-cron runs /opt/bro/bin/broctl cron, which is a cron job required by Bro.

When we transitioned from running Bro as root to running Bro as a non-root user, so-bro-cron needed to chown the Bro files so that the sguil user could access them properly. If that chown takes more than 5 minutes, then the cron jobs pile up.

At this point, all users should have their Bro files owned by sguil, so I think we can safely remove this. The chown will still happen on initial Bro startup via /usr/sbin/nsm_sensor_ps-start, it just won't happen every 5 minutes anymore to avoid disk thrashing and process pileups.
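
An added example, not part of the issue thread and not the project's so-bro-cron script: a cron wrapper that skips a run while the previous one is still active, and an ownership fix that touches only entries not already owned by the target user instead of a full recursive chown. The function names, `LOCK_DIR` and the `sguil` group are assumptions made for illustration.

```shell
#!/bin/sh
# Illustration only: guards a periodic job against overlapping runs and
# limits chown to the files that actually need it.
# LOCK_DIR and all function names are hypothetical.

LOCK_DIR="${LOCK_DIR:-/tmp/so-bro-cron.example.lock}"

# run_once CMD [ARGS...]
# Runs CMD unless an earlier invocation still holds the lock.
# mkdir is atomic, so only one caller can create LOCK_DIR.
# Returns 75 (EX_TEMPFAIL) when skipped, otherwise CMD's exit status.
# A lock left behind by a killed process must be removed by hand;
# flock(1) from util-linux avoids that by releasing the lock on exit.
run_once() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "previous run still active, skipping" >&2
        return 75
    fi
    status=0
    "$@" || status=$?
    rmdir "$LOCK_DIR"
    return "$status"
}

# count_misowned DIR USER
# Prints how many entries under DIR (DIR included) are not owned by USER.
count_misowned() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# fix_ownership DIR USER GROUP
# Changes owner and group only on entries where either is wrong, so a tree
# that is already correct costs one metadata walk and no writes.
fix_ownership() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -exec chown "$2:$3" {} +
}

# Example cron-side call (group name is an assumption):
#   run_once fix_ownership /nsm/bro sguil sguil
```
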

Collaborator

weslambert commented Dec 7, 2016

Thanks for the clarification, Doug!
