Run Zeek as user zeek on FreeBSD
Introduction
This is the second blog post in a series of posts about running Zeek on FreeBSD. In the first post I covered a base implementation of Zeek on FreeBSD:
In this second blog post we configure Zeek to run as a normal user zeek instead of the user root.
Technical prerequisites
The following technical prerequisites have to be in place to be able to implement what is described in this post:
- have Zeek implemented as described in Implement Zeek on FreeBSD
Requirements
Zeek runs as the user root by default when it is implemented on FreeBSD using the package system.
But we want a more secure setup than this and run Zeek as a normal user. Fortunately this is possible on our favorite operating system!
Configure Zeek to run as user zeek
Only a couple of commands are needed to configure Zeek to run as the normal user zeek instead of root (1):
First we stop the Zeek processes:
$ sudo service zeek stop
Then we add some lines to the /etc/devfs.conf file:
$ sudo tee -a /etc/devfs.conf > /dev/null <<EOT
own bpf root:bpf
perm bpf 0660
EOT
Now we create a new group called bpf and add the zeek user to it:
$ sudo pw groupadd -n bpf -g 81
$ sudo pw group mod bpf -m zeek
and then we restart the devfs service:
$ sudo service devfs restart
Next we tell the rc system to run Zeek as the user zeek:
$ sudo sysrc zeek_user="zeek"
and check it:
$ cat /etc/rc.conf | grep zeek
zeek_enable="YES"
zeek_user="zeek"
Now we change the Zeek maintenance cron entry from user root to user zeek. First we remove the existing entry (FreeBSD's sed needs an explicit, empty backup suffix to edit in place):
$ sudo sed -i '' '/zeekctl/d' /etc/crontab
And then we create a new one for the user zeek (the redirection must run with root privileges as well, so we pipe through crontab instead of redirecting the output of sudo echo):
$ echo "zeek" | sudo tee -a /var/cron/allow > /dev/null
$ echo "*/5 * * * * /usr/local/bin/zeekctl cron" | sudo crontab -u zeek -
And we restart the cron daemon:
$ sudo service cron restart
We are almost ready! Last item to do is change the owner on the Zeek log directories:
$ sudo chown -R zeek:zeek /var/zeek/
And we can start the Zeek processes again:
$ sudo service zeek deploy
(1): the user zeek is created when the Zeek package is installed.
Important: Although you can start and stop zeek through the zeekctl command, my experience is that with Zeek running as the zeek user it is best to start, stop and deploy Zeek through the service command, as this will use the sysrc variables set in the system rc.conf configuration file!
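After the steps above it is worth verifying that the privilege drop actually took effect: that the bpf device rules are in devfs.conf, that rc.conf names the right user, that no zeek process is still running as root, and that the log tree is owned by zeek. The script below is an added example written for this post, not code from the original post or from the Zeek project. The function names, the report helper and the sample files (a devfs.conf, an rc.conf, two ps listings with a made-up interface em0, and a tiny log tree) are all constructed here so the checks can run offline; on the FreeBSD host you would point the same functions at /etc/devfs.conf, /etc/rc.conf, the output of ps axo user,command and /var/zeek.

```shell
#!/bin/sh
# Added verification helpers (not from the original post). Each check reads a
# file so it can be exercised on constructed samples; on the real host feed it
# /etc/devfs.conf, /etc/rc.conf, /var/zeek and `ps axo user,command` output.

# 0 when devfs.conf carries both bpf rules the post appends.
check_devfs_rules() {
    grep -Eq '^[[:space:]]*own[[:space:]]+bpf[[:space:]]+root:bpf' "$1" &&
    grep -Eq '^[[:space:]]*perm[[:space:]]+bpf[[:space:]]+0660' "$1"
}

# 0 when rc.conf ($1) sets zeek_user to the expected account ($2).
check_rc_user() {
    grep -Eq "^zeek_user=\"?$2\"?\$" "$1"
}

# 0 when every zeek process in a `ps axo user,command` listing ($1) runs as
# user $2; otherwise print the offending lines on stderr and return 1.
check_zeek_procs() {
    offenders=$(awk -v want="$2" '$2 ~ /(^|\/)zeek$/ && $1 != want' "$1")
    if [ -n "$offenders" ]; then
        printf 'zeek processes not running as %s:\n%s\n' "$2" "$offenders" >&2
        return 1
    fi
    return 0
}

# 0 when nothing under the log tree $1 is owned by a user other than $2
# (name or numeric uid, as accepted by find -user).
check_log_owner() {
    [ -z "$(find "$1" ! -user "$2" -print 2>/dev/null | head -n 1)" ]
}

# Print ok/FAIL for one check without aborting the script.
report() {
    if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi
}

# Constructed samples standing in for the real files (hypothetical content).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/devfs.conf" <<'EOF'
own bpf root:bpf
perm bpf 0660
EOF
cat > "$SAMPLES/rc.conf" <<'EOF'
zeek_enable="YES"
zeek_user="zeek"
EOF
cat > "$SAMPLES/ps_good.txt" <<'EOF'
USER COMMAND
root /sbin/init
zeek /usr/local/bin/zeek -i em0 local
zeek /usr/local/bin/zeek -i em0 local
EOF
cat > "$SAMPLES/ps_bad.txt" <<'EOF'
USER COMMAND
root /usr/local/bin/zeek -i em0 local
EOF
mkdir -p "$SAMPLES/logs/current"
: > "$SAMPLES/logs/current/conn.log"

# Run every check against the samples; the ps_bad listing is expected to FAIL,
# which is exactly the leftover-root-process case the check exists to catch.
run_demo() {
    report check_devfs_rules "$SAMPLES/devfs.conf"
    report check_rc_user "$SAMPLES/rc.conf" zeek
    report check_zeek_procs "$SAMPLES/ps_good.txt" zeek
    report check_zeek_procs "$SAMPLES/ps_bad.txt" zeek
    report check_log_owner "$SAMPLES/logs" "$(id -u)"
}
run_demo 2>/dev/null
```

On the host, `check_zeek_procs` is the one to run after `service zeek deploy`: `ps axo user,command > /tmp/ps.txt; check_zeek_procs /tmp/ps.txt zeek` flags any worker or manager that is still running as root, which is the symptom you get when zeekctl rather than the service command started Zeek and the rc.conf user was ignored.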
Wrap up
This blog post covered setting up the FreeBSD system to run Zeek as a normal user instead of the root user.
This is the second blog post in a series of posts about Zeek on FreeBSD. In the next, third, blog post of this series we will discuss some basic queries on the Zeek logs.
Resources
Some (other) resources about this subject: