[Oisf-devel] Feature request 240

Victor Julien victor at inliniac.net
Thu Jun 30 09:13:15 UTC 2011


On 06/30/2011 03:42 AM, James McQuaid wrote:
> Hello,
> 
> I am interested in a quick take from Victor and/or Will as to whether any of
> these might prove useful as a starting point for implementing feature
> request 240:
> 
> "Feature 240
> Explore options for dropping privs to a non-root user on FreeBSD and OSX
> We currently use libcap-ng to drop privs to a non-root user but this is only
> supported on Linux. We had a feature request to the team mailing-list for
> supporting similar functionality on OSX and FreeBSD."
> 
> 
> Possibility 1: Configure security/sudo to allow Suricata to execute as
> needed as root.
> sudo 1.8.1_5 security
> http://www.freshports.org/security/sudo
>     "Sudo is a program designed to allow a sysadmin to give limited root
>     privileges to users and log root activity.  The basic philosophy is to
>     give as few privileges as possible but still allow people to get their
>     work done."

This wouldn't help much. The key here is that we try to make sure the
Suricata process runs with as few privileges as possible. It needs
certain privs during setup, but after that can drop them. Sudo would
just be another way of giving it all privs.

> 
> 
> Possibility 2: The FreeBSD jail subsystem was significantly updated for
> FreeBSD 7.2, and includes the ability to establish multiple IPv4 and IPv6
> addresses per jail.

This I think would be more useful. Should an attacker get control of
Suricata, then at least he is "jailed". But still with "root" privs I
think, though I'm not sure how that can be used inside a jail.

> 
> Possibility 3: "The tool is called httpd-guardian and can be used to defend
> against Denial of Service attacks. It uses the blacklist tool (from the same
> project) to interact with an iptables-based (Linux) or pf-based (*BSD)
> firewall, dynamically blacklisting the offending IP addresses. It can also
> interact with SnortSam (http://www.snortsam.net)."
> http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/07-logging.html

I don't think this solves the issue and in fact it broadens the attack
surface to more tools. A bug in Suricata could still lead to an attacker
getting root access to your sensor.

I still think we need a way to drop privs on other OSes, but in addition
to that, supporting chroot/jail setups would be very useful I think.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
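As an added illustration of the "drop privs after setup" approach discussed above (example code, not Suricata's own and not from the thread): the plain POSIX setgroups/setgid/setuid sequence works unchanged on Linux, FreeBSD and OS X, though unlike libcap-ng it keeps no capabilities at all, so any raw sockets or capture devices must be opened before the drop. The "nobody" default and the command-line user argument are assumptions.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: clear supplementary groups
 * and set the gid while still root, because once the uid is non-zero
 * neither setgroups() nor setgid() is allowed. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    int was_root = (geteuid() == 0);

    /* Only root may change the supplementary group list; an unprivileged
     * process has nothing elevated to shed there. */
    if (was_root && setgroups(0, NULL) != 0) {
        perror("setgroups");
        return -1;
    }
    if (setgid(gid) != 0) { perror("setgid"); return -1; }
    /* setuid() from root sets real, effective and saved uid on Linux,
     * FreeBSD and OS X alike, so there is no saved uid to climb back to. */
    if (setuid(uid) != 0) { perror("setuid"); return -1; }

    /* Never trust the calls alone: confirm the ids and that root is gone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        fprintf(stderr, "uid/gid mismatch after drop\n");
        return -1;
    }
    if (was_root && uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "root privileges could be regained\n");
        return -1;
    }
    return 0;
}

/* Usage: ./drop [user] -- user defaults to "nobody" (an assumption). */
int main(int argc, char **argv)
{
    struct passwd *pw = getpwnam(argc > 1 ? argv[1] : "nobody");
    if (pw == NULL) { fprintf(stderr, "unknown user\n"); return 1; }
    /* Open the capture sockets/devices that need root here, then drop. */
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) return 1;
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```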