Hi, Gary,

>>> Snort does far more than just read files. It links to libpcap and can
>>> snoop on network interfaces in real time. To do *that*, it will
>>> require elevated privileges.
>>
>> Right.
>
> What are those elevated privileges?

For "privileges", I think you mean the auths of RBAC.
I believe "Network Management" is enough for snort. "solaris.smf.*" if it needs to deliver an SMF manifest; "solaris.network.*" for network read or write.

>>> Do those come from RBAC, or is the user expected to use "sudo"?
>>
>> "sudo" could work.
>
> What will be delivered into what Rights Profile?

It is very similar to "wireshark", which has been delivered, since both of the utilities take advantage of libpcap to read data and handle it after setting the NIC to raw mode. For snort, it doesn't read data directly from kernel memory; raw I/O from the NIC is the way it works. And I believe the "Network Management" profile is enough.

The project will deliver SUNWsnortr and SUNWsnortu. On SUNWsnortr, it will deliver profiles in /etc/security/exec_attr (added snort):

    Network Management:solaris:cmd:::/usr/bin/snort:privs=net_rawaccess

Hope I answered your question.

Thanks
Jason
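
Added example, not part of the original message or of the project's deliverables: a small Python check that parses exec_attr(4) lines such as the one quoted above and flags any entry that gives a command more than an expected privilege set. The baseline table and the two "Constructed ..." sample entries are assumptions made up for illustration; backslash line continuations are not handled.

```python
# Added example: audit exec_attr(4) entries against a least-privilege baseline.
# Format: name:policy:type:res1:res2:id:attr  (attr = ';'-separated key=value)

# Assumption: the only privilege snort should receive is the one in the message.
BASELINE = {"/usr/bin/snort": {"net_rawaccess"}}

# Constructed sample. Line 1 is the entry quoted in the message; the two
# "Constructed ..." profiles are made up to show what the check flags.
SAMPLE = """\
Network Management:solaris:cmd:::/usr/bin/snort:privs=net_rawaccess
Constructed Wide:solaris:cmd:::/usr/bin/snort:privs=net_rawaccess,file_dac_read
Constructed Root:suser:cmd:::/usr/bin/snort:euid=0
"""

def parse_exec_attr(text):
    """Return one dict per entry; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, policy, kind, _res1, _res2, path, attr = fields
        # partition("=")[::2] keeps (key, value) and drops the separator
        attrs = dict(kv.partition("=")[::2] for kv in attr.split(";") if kv)
        privs = {p for p in attrs.get("privs", "").split(",") if p}
        entries.append({"profile": name, "policy": policy, "type": kind,
                        "path": path, "attrs": attrs, "privs": privs})
    return entries

def audit(text, baseline=BASELINE):
    """Return (profile, path, reason) for entries exceeding the baseline."""
    findings = []
    for e in parse_exec_attr(text):
        allowed = baseline.get(e["path"])
        if allowed is None:
            continue  # no baseline recorded for this command
        extra = e["privs"] - allowed
        if extra:
            findings.append((e["profile"], e["path"],
                             "extra privs: " + ",".join(sorted(extra))))
        for key in ("uid", "euid"):
            if e["attrs"].get(key) in ("0", "root"):
                findings.append((e["profile"], e["path"],
                                 f"runs with {key}={e['attrs'][key]}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```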