
I'm trying to set up a Zeek IDS cluster (v.3.2.0-dev.271) on 3 Ubuntu 18.04 LTS hosts, to no avail: running the zeek deploy command fails with the following output:

fatal error: problem with interface ens3 (pcap_error: socket: Operation not permitted (pcap_activate))

I have followed the official documentation (which is pretty generic at best) and set up passwordless SSH authentication between the zeek nodes.

I also preemptively created the /usr/local/zeek path on all hosts and gave the zeek user full permissions on that directory. The documentation says: "The Zeek user must be able to either create this directory or, where it already exists, must have write permission inside this directory on all hosts."

The documentation also says that on the worker nodes this user must have access to the target network interface in promiscuous mode.

My zeek user is a sudoer AND a member of the netdev group on all 3 nodes. Yet the cluster deployment fails. Apparently, when zeekctl establishes the SSH connection to the workers it cannot get hold of the network interfaces and set caps.

Eventually I was able to successfully run the cluster by following this article - however it requires you to set up the entire cluster as root, which I would like to avoid if at all possible.

So my question is: is there anything blatantly obvious that I am missing? To the best of my knowledge this setup should work; otherwise I don't know how to force zeekctl to run 'sudo' in front of every SSH command it is supposed to run on the workers, or how else to satisfy this requirement.

Any guidance will be greatly appreciated, thanks!

piscesgeek

2 Answers


I was experiencing the same error for my standalone setup. I found this question by googling it. Googling the error further brought me to a few blogs, including one in which the comments mentioned the same error. The author mentioned giving the binaries permissions using setcap:

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/zeek/bin/zeek

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/zeek/bin/zeekctl

After running them both, my instance of zeek is now running successfully.

Source: https://www.ericooi.com/zeekurity-zen-part-i-how-to-install-zeek-on-centos-8/#comment-1586

c0yn3_0p
  • For a cluster deployment, in theory you should only 'groom' the zeek manager server; `zeekctl` command is responsible for copying all the configurations over to the workers and, somehow, without being root, the zeek user couldn't accomplish that. – piscesgeek Apr 22 '20 at 07:29
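A preflight check for the permission pieces the question and this answer touch on: the capability bits on the zeek binaries (what the setcap commands above grant), the zeek user's membership in the group that owns the capture interface, and write access to the install prefix. This is an added example, not code from the original answer or from the Zeek project. The prefix /usr/local/zeek, the user name zeek and the group name netdev are taken from the question; the two getcap output styles it parses are the pre-2.41 and post-2.41 libcap formats, and the script is meant to be run on each worker host as the zeek user.

```shell
#!/bin/sh
# Preflight check for a non-root Zeek worker (added example, not from the answer).
# Run on each worker as the zeek user: sh zeek-preflight.sh --run

ZEEK_PREFIX="${ZEEK_PREFIX:-/usr/local/zeek}"   # path from the question
ZEEK_USER="${ZEEK_USER:-zeek}"                   # user name from the question
NETDEV_GROUP="${NETDEV_GROUP:-netdev}"           # group name from the question

# caps_ok LINE: return 0 if a getcap output line grants cap_net_raw and
# cap_net_admin in both the effective (e) and permitted (p) sets.
# Handles both libcap output styles:
#   "/path = cap_net_admin,cap_net_raw+eip"   (libcap before 2.41)
#   "/path cap_net_admin,cap_net_raw=eip"     (libcap 2.41 and later)
caps_ok() {
    line="$1"
    # Drop the path (and the old-style " = " separator) to keep the clause.
    clause="${line#* }"
    clause="${clause#= }"
    # Split the clause into the capability list and the flag letters.
    case "$clause" in
        *+*) caps="${clause%%+*}"; flags="${clause##*+}" ;;
        *=*) caps="${clause%%=*}"; flags="${clause##*=}" ;;
        *)   return 1 ;;                       # no capabilities at all
    esac
    case ",$caps," in *,cap_net_raw,*)   ;; *) return 1 ;; esac
    case ",$caps," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    case "$flags"   in *e*)              ;; *) return 1 ;; esac
    case "$flags"   in *p*)              ;; *) return 1 ;; esac
    return 0
}

# in_group GROUPLIST GROUP: return 0 if GROUP appears in the space-separated
# list that `id -nG USER` prints.
in_group() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# preflight: run the live checks and print one line per finding.
# Returns 1 if a capability is missing, since that is what produces the
# "socket: Operation not permitted (pcap_activate)" error from the question.
preflight() {
    rc=0
    for bin in zeek zeekctl; do
        if caps_ok "$(getcap "$ZEEK_PREFIX/bin/$bin" 2>/dev/null)"; then
            echo "ok      : $bin has cap_net_raw,cap_net_admin in e and p sets"
        else
            echo "MISSING : $bin lacks capabilities; fix with:"
            echo "          sudo setcap cap_net_raw,cap_net_admin=eip $ZEEK_PREFIX/bin/$bin"
            rc=1
        fi
    done
    if in_group "$(id -nG "$ZEEK_USER" 2>/dev/null)" "$NETDEV_GROUP"; then
        echo "ok      : $ZEEK_USER is a member of $NETDEV_GROUP"
    else
        echo "WARN    : $ZEEK_USER is not a member of $NETDEV_GROUP"
    fi
    # -w is evaluated for the invoking user, hence "run as the zeek user".
    if [ -w "$ZEEK_PREFIX" ]; then
        echo "ok      : $ZEEK_PREFIX is writable by $(id -un)"
    else
        echo "WARN    : $ZEEK_PREFIX is not writable by $(id -un)"
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

The capability check is the one that matters for the error in the question: the zeek binary is the process that opens the interface, so the capability bits must be present on the copy of the binary installed on each worker, not only on the manager. The group and prefix checks cover the two other requirements the documentation states.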

So, just in case someone else stumbles upon the same issue: I figured out what was happening. I streamlined the cluster deployment with Ansible (using the 'become' directive at task level) and did not elevate when running the handlers responsible for issuing the zeekctl deploy command. Once I did, the Zeek cluster deployment succeeded.

piscesgeek