aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a8c63992fb'
${ noResults }
suricata/doc/userguide/security.rst

147 lines
4.6 KiB
ReStructuredText
Raw Blame History

Security Considerations
=======================
Suricata is a security tool that processes untrusted network data, as
well as requiring elevated system privileges to acquire that
data. This combination deserves extra security precautions that we
discuss below.
Additionally, supply chain attacks, particularly around rule
distribution, could potentially target Suricata installations.
Running as a User Other Than Root
---------------------------------
.. note:: If using the Suricata RPMs, either from the OISF COPR repo,
or the EPEL repo, the following is already configured for
you. The only thing you might want to do is add your
management user to the ``suricata`` group.
Many Suricata examples and guides will show Suricata running as the
*root* user, particularly when running on live traffic. As Suricata
generally needs low level read (and in IPS write) access to network
traffic, it is required that Suricata starts as root, however Suricata
does have the ability to drop down to a non-root user after startup,
which could limit the impact of a security vulnerability in Suricata
itself.
.. note:: Currently the ability to drop root privileges after startup
is only available on Linux systems.
Create User
~~~~~~~~~~~
Before running as a non-root user, you need to choose and possibly
create the user and group that will Suricata will run as. Typically
this user would be a sytem user with the name ``suricata``. Such a
user can be created with the following command::
useradd --no-create-home --system --shell /sbin/nologin suricata
This will create a user and group with the name ``suricata``.
File System Permissions
~~~~~~~~~~~~~~~~~~~~~~~
Before running Suricata as the user ``suricata``, some directory
permissions will need to be updated to allow the ``suricata`` read and
write access.
Assuming your Suricata was installed from source using the recommended
configuration of::
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
the following directories will need their permissions updated:
+------------------+-----------+
|Directory |Permissions|
+==================+===========+
|/etc/suricata |Read |
+------------------+-----------+
|/var/log/suricata |Read, Write|
+------------------+-----------+
|/var/lib/suricata |Read, Write|
+------------------+-----------+
|/var/run/suricata |Read, Write|
+------------------+-----------+
The following commands will setup the correct permissions:
* ``/etc/suricata``::
chgrp -R suricata /etc/suricata
chmod -R g+r /etc/suricata
* ``/var/log/suricata``::
chgrp -R suricata /var/log/suricata
chmod -R g+rw /var/log/suricata
* ``/var/lib/suricata``::
chgrp -R suricata /var/lib/suricata
chmod -R g+srw /var/lib/suricata
* ``/var/lib/suricata``::
chgrp -R suricata /var/run/suricata
chmod -R g+srw /var/run/suricata
Configure Suricata to Run as ``Suricata``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Suricata can be configured to run as an alternate user by updating the
configuration file or using command line arguments.
* Using the configuration file, update the ``run-as`` section to look like::
run-as:
user: suricata
group: suricata
* Or if using command line arguments, add the following to your command::
--user suricata --group suricata
Starting Suricata
~~~~~~~~~~~~~~~~~
It is important to note that Suricata still needs to be started with
**root** permissions in most cases. Starting as *root* allows Suricata
to get access to the network interfaces and set the *capabilities*
required during runtime before it switches down to the configured
user.
Other Commands: Suricata-Update, SuricataSC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
With the previous permissions setup, ``suricata-update`` and
``suricatasc`` can also be run without root or sudo. To allow a user
to access these commands, add them to the ``suricata`` group.
Containers
----------
Containers such as Docker and Podman are other methods to provide
isolation between Suricata and the host machine running Suricata.
However, we still recommend running as a non-root user, even in
containers.
Capabilities
~~~~~~~~~~~~
For both Docker and Podman the following capabilities should be
provided to the container running Suricata for proper operation::
--cap-add=net_admin --cap-add=net_raw --cap-add=sys_nice
Podman
~~~~~~
Unfortunately Suricata will not work with *rootless* Podman, this is
due to Suricata's requirement to start with root privileges to gain
access to the network interfaces. However, if started with the above
capabilities, and configured to run as a non-root user, it will drop
root privileges before processing network data.
Reference in New Issue View Git Blame Copy Permalink