From: Jason Ish Date: Tue, 20 Jun 2023 16:22:26 +0000 (-0600) Subject: userguide/security: grammar fixes X-Git-Tag: suricata-7.0.0~108 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=90bb73046c3ba5b90d6fcb1ba688e93dfa8194a3;p=thirdparty%2Fsuricata.git userguide/security: grammar fixes Apply grammer fixes brought up in GitHub review comments by Juliana. --- diff --git a/doc/userguide/security.rst b/doc/userguide/security.rst index 381e6f23be..415a5b38ea 100644 --- a/doc/userguide/security.rst +++ b/doc/userguide/security.rst @@ -7,13 +7,13 @@ data. This combination deserves extra security precautions that we discuss below. Additionally, supply chain attacks, particularly around rule -distribution could potentially target Suricata installations. +distribution, could potentially target Suricata installations. Running as a User Other Than Root --------------------------------- .. note:: If using the Suricata RPMs, either from the OISF COPR repo, - or the EPEL repo the following is already configured for + or the EPEL repo, the following is already configured for you. The only thing you might want to do is add your management user to the ``suricata`` group. @@ -21,7 +21,7 @@ Many Suricata examples and guides will show Suricata running as the *root* user, particularly when running on live traffic. As Suricata generally needs low level read (and in IPS write) access to network traffic, it is required that Suricata starts as root, however Suricata -does have the ability to drop down to a non-root user after startup +does have the ability to drop down to a non-root user after startup, which could limit the impact of a security vulnerability in Suricata itself. @@ -31,7 +31,7 @@ itself. Create User ~~~~~~~~~~~ -Before running as a non-root user you have to choose, and possibly +Before running as a non-root user, you need to choose and possibly create the user and group that will Suricata will run as. Typically this user would be a sytem user with the name ``suricata``. Such a user can be created with the following command:: @@ -124,8 +124,9 @@ Containers ---------- Containers such as Docker and Podman are other methods to provide -isolation between Suricata and host machine running Suricata, however -we still recommend running as a non-root user even in containers. +isolation between Suricata and the host machine running Suricata. +However, we still recommend running as a non-root user, even in +containers. Capabilities ~~~~~~~~~~~~ @@ -141,5 +142,5 @@ Podman Unfortunately Suricata will not work with *rootless* Podman, this is due to Suricata's requirement to start with root privileges to gain access to the network interfaces. However, if started with the above -capabilities, and configured to run as a non-root user it will drop +capabilities, and configured to run as a non-root user, it will drop root privileges before processing network data.