NetWitness Community

OmarGarciaGilio · ‎2017-07-25

Hello,

I always work with sasftpagent.sh v2.7.10 when I need send logs from linux host, so I always create a user "sftp" with root privileges:

$ sudo useradd -ou 0 -g 0 -c "Usuario SIEM sftp" sftp

That way works fine, but I need to know if is possible to work with a user with less privileges (of course, that You previously tested and worked). I also heard that the version 3 don't need an user with root privileges. Anyway, I would like to know wich version of "sasftpagent.sh" and what command (for create user) let me work without root privileges.

NaushadKasu1 · ‎2017-07-25

You don't need elevated rights to run the script. However, the script requires the user it is run as to have read access to the logs it needs to process so it can:

1. Read the logs

2. Create temp files stored in a persistence directory (that you configure in the script)

3. Track position files also in the persistence directory

So, the script can be run as any user that has rights to read logs locally where ever they are stored on the file system and a "home" to store the files as they are processed from Steps 2 & 3 above. The user can be newly created OR an existing user you leverage to run the script (via Cron).

<https://community.rsa.com/welcome>

NetWitness Community

Privileges for local user to run "sasftpagent.sh" on linux host.