This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

NSM: remove chown from /usr/sbin/so-bro-cron #1030

Closed
dougburks opened this issue Dec 7, 2016 · 6 comments

Comments

@dougburks
Contributor

On large sensors with lots of Bro logs, chown takes more than 5 minutes and the 5-minute cron jobs are piling up:
https://groups.google.com/d/topic/security-onion/V8hjVrKARss/discussion

@weslambert
Collaborator

What is this script for? To just load in changes from securityonion.conf and pass them on to broctl? I'm assuming the chown was there to make sure that /nsm/bro has the appropriate permissions at every run?

@dougburks
Contributor Author

/etc/cron.d/bro runs every 5 minutes and calls so-bro-cron. so-bro-cron runs /opt/bro/bin/broctl cron, which is a cron job required by Bro.

When we transitioned from running Bro as root to running Bro as a non-root user, so-bro-cron needed to chown the Bro files so that the sguil user could access them properly. If that chown takes more than 5 minutes, then the cron jobs pile up.

At this point, all users should have their Bro files owned by sguil, so I think we can safely remove this. The chown will still happen on initial Bro startup via /usr/sbin/nsm_sensor_ps-start, it just won't happen every 5 minutes anymore to avoid disk thrashing and process pileups.
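
The pileup described above can also be contained in the wrapper itself. The following is an added example, not Security Onion's so-bro-cron or the change made for this issue: it takes a non-blocking lock so overlapping cron runs exit instead of queueing, and it changes ownership only on entries that have drifted. The lock path and the function names are assumptions; `/opt/bro/bin/broctl cron`, `/nsm/bro` and the `sguil` owner come from the thread.

```shell
#!/usr/bin/env bash
# Added example, not Security Onion's so-bro-cron.
# LOCK is a hypothetical path; BROCTL, /nsm/bro and sguil come from the thread.
LOCK=/var/lock/so-bro-cron.lock
BROCTL=/opt/bro/bin/broctl

# Run "$@" only if no earlier invocation still holds the lock.
# Returns 75 (EX_TEMPFAIL) immediately when the lock is busy, so a slow run
# makes later cron invocations exit instead of stacking up behind it.
run_exclusive() {
  local lockfile=$1
  shift
  (
    flock -n 9 || exit 75
    "$@"
  ) 9>"$lockfile"
}

# chown only the entries under DIR that are not already owned by OWNER
# (user name or numeric uid) and print how many entries had drifted.
# -h changes a symlink itself rather than its target; -xdev stays on one
# filesystem. When nothing has drifted, chown is never executed.
fix_ownership() {
  local dir=$1 owner=$2
  find "$dir" -xdev ! -user "$owner" -print0 -exec chown -h "$owner" {} + |
    tr -cd '\0' | wc -c
}

# The work one cron invocation performs while holding the lock.
cron_job() {
  fix_ownership /nsm/bro sguil >/dev/null
  "$BROCTL" cron
}

# Only act when called as: script --cron (e.g. from /etc/cron.d/bro).
if [ "${1:-}" = "--cron" ]; then
  run_exclusive "$LOCK" cron_job
fi
```

`fix_ownership` still walks the whole tree, so on very large sensors it is the lock, not the filter, that stops the jobs from piling up.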

@weslambert
Collaborator

Thanks for the clarification, Doug!
