I really dislike running any service as root. But Edge needs to access files all over my system. Is there a way to address both requirements?
Solved
Is there a way to run Edge as non-root while still being able to monitor all files?
Best answer by Jon Rust
You can set the CAP_DAC_READ_SEARCH ability as with allowing sub 1024 port numbers. Run systemctl edit cribl-edgeand add the CAP_DAC_READ_SEARCH capability. Save the file and restart Cribl Edge:
[Service]
AmbientCapabilities=CAP_DAC_READ_SEARCH
You could create facl rules to allow the user running Edge to various parts of the file system. There's really nothing stopping you from having that user access every location on disk, but it would be a fairly challenging facl to write.
To do this for the /var/log directory, you can run the following:
setfacl -m user<user>:rx /var/log
You can set the CAP_DAC_READ_SEARCH ability as with allowing sub 1024 port numbers. Run systemctl edit cribl-edgeand add the CAP_DAC_READ_SEARCH capability. Save the file and restart Cribl Edge:
[Service]
AmbientCapabilities=CAP_DAC_READ_SEARCH
We have the method @Wayne Gillo is describing documented here: https://docs.cribl.io/edge/usecase-edge-acls
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.