From d52abcbcbdfcd29b0d29ce2bbe39a3bdef26cdaf Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 25 Feb 2021 09:58:07 -0500
Subject: [PATCH] ensure zeekctl is run as user zeek https://github.com/Security-Onion-Solutions/securityonion/issues/3130
---
 salt/common/tools/sbin/so-zeek-stats | 4 ++--
 salt/zeek/cron/packetloss.sh | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats
index ff89c6506..9ebef1217 100755
--- a/salt/common/tools/sbin/so-zeek-stats
+++ b/salt/common/tools/sbin/so-zeek-stats
@@ -24,11 +24,11 @@ show_stats() {
 echo
 echo "Average throughput:"
 echo
- docker exec -it so-zeek /opt/zeek/bin/zeekctl capstats
+ docker exec -it so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl capstats'"
 echo
 echo "Average packet loss:"
 echo
- docker exec -it so-zeek /opt/zeek/bin/zeekctl netstats
+ docker exec -it so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl netstats'"
 echo
 }
 
diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh
index c8750dd92..a083895d7 100755
--- a/salt/zeek/cron/packetloss.sh
+++ b/salt/zeek/cron/packetloss.sh
@@ -1,2 +1,2 @@
 #!/bin/bash
-/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1
+/usr/bin/docker exec so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1
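Review bot: Both new `docker exec` lines in show_stats pass the whole `runuser` invocation as one double-quoted word, so docker receives a single argv entry and will try to execute a program whose name is that entire string rather than running `runuser`. The inner command also has no `-c`, so even with the words split the login shell would treat the quoted text as a script path. Pass the arguments separately, e.g. `docker exec -it so-zeek runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'`, and likewise for `netstats`; the same quoting appears in the `packetloss.sh` hunk. Until then zeekctl most likely does not run at all, so the commit's goal of running it as the unprivileged zeek user is not actually reached. show_stats begins outside this hunk.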
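Review bot: A failing `docker exec` stage is invisible on the new pipeline line: the script sets no `pipefail` and the trailing `2>&1` covers only the last `awk`, so when the exec fails the END block still runs on empty input and appends a line with blank counters to `/nsm/zeek/logs/packetloss.log`. Capture and check the collector output first, e.g. `out=$(/usr/bin/docker exec so-zeek runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats') || exit 1`, then feed `"$out"` into the existing awk stages. That keeps a broken collector from being read as an absence of packet loss by whatever consumes the log. A short header comment stating that the script runs from cron and appends one summary line per run would also help.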