Zeekctl plugin for automatically executing 'setcap' on each node after an install
- Drop the setcap.py plugin into /opt/zeek/lib/zeekctl/plugins/, or starting with version 4 of zeek /opt/zeek/lib/zeek/python/zeekctl/plugins
- Add the following lines to zeekctl.cfg (adjust accordingly for your installation)
setcap.enabled=1
setcap.command=sudo /sbin/setcap cap_net_raw,cap_net_admin=eip /opt/zeek/bin/zeek && sudo /sbin/setcap cap_net_raw,cap_net_admin=eip /opt/zeek/bin/capstats
Edit the sudoers file (use visudo) and add the following lines to allow sudo execution (w/o password or tty) of setcap. If you're running Zeek as a different user, or from a different directory, adjust as necessary:
Cmnd_Alias ZEEK_SETCAP = /sbin/setcap cap_net_raw\,cap_net_admin=eip /opt/zeek/bin/zeek
Cmnd_Alias CAPSTATS_SETCAP = /sbin/setcap cap_net_raw\,cap_net_admin=eip /opt/zeek/bin/capstats
zeek ALL=NOPASSWD: ZEEK_SETCAP, CAPSTATS_SETCAP
Defaults!/sbin/setcap !requiretty
[ZeekControl] > install
removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/site ... done.
removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/auto ... done.
creating policy directories ... done.
installing site policies ... done.
generating cluster-layout.zeek ... done.
generating local-networks.zeek ... done.
generating zeekctl-config.zeek ... done.
updating nodes ... done.
setcap plugin: executing setcap on each node:
10.1.2.141 - Executing setcap: SUCCESS
10.1.2.142 - Executing setcap: SUCCESS
10.1.2.143 - Executing setcap: SUCCESS