guide to snare for linux-4.0

Upload: pamungkas-sigit

Post on 02-Jun-2018

8/11/2019 Guide to Snare for Linux-4.0 (1/28)

Guide to Snare for Linux v4.0


1999-2014 Intersect Alliance Pty Ltd. All rights reserved worldwide.

Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance Pty Ltd. This does not include those documents and software developed under the terms of the open source General Public Licence which covers the Snare agents and some other software.

The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance Pty Ltd. Other trademarks and trade names are marks and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice.

InterSect Alliance June 2014 Page 2 of 28 Version 4.0


About this guide

This guide introduces you to the functionality of the Snare Agent for the Linux operating system. Snare for Linux provides an event auditing subsystem for the Linux operating system and facilitates objective-based filtering and remote audit event delivery. Snare for Linux will also allow a security administrator to fully remote control the application through a standard web browser if so desired. Snare has been designed in such a way as to allow the remote control functions to be easily effected manually or by an automated process.

Other guides that may be useful to read include:

Snare Overview - https://www.intersectalliance.com/wp-content/uploads/2014/03/Snare-Overview-Brochure.pdf

The Snare Toolset - A White Paper at https://www.intersectalliance.com/wp-content/uploads/2016/04/Snare_Toolset_White_Paper-2.8.pdf

Table of contents:

1 Introduction ... 4
2 Overview of Snare for Linux ... 5
3 Installing and running Snare ... 6
3.1 Snare installation ... 6
3.2 Audit configuration ... 7
4 The Remote Control Interface ... 8
4.1 Network Configuration ... 10
4.2 Remote Control Configuration ... 12
4.3 Objectives configuration ... 14
4.4


1 Introduction

The team at InterSect Alliance have experience with auditing and intrusion detection on a wide range of platforms - Solaris, Windows, Android, AIX, even MVS (ACF2/RACF), and within a wide range of IT security in businesses such as National Security and


2 Overview of Snare for Linux

Snare operates through the actions of three complementary components:

The native Linux audit subsystem
The user-space audit daemon (auditd)
The Snare "dispatcher" applications.

The audit daemon and kernel component act in concert to configure the underlying audit subsystem and extract events of interest from the operating system. Snare for Linux operates as an "audit dispatcher" application that receives the audit log data, with Snare directing auditd what events to selectively filter out that you are not interested in, formats the resulting data into something that is more suited to follow-on processing, and delivers it to one or more remote systems over the network.

Snare formats the audit log data into a series of "tokens". Two different field separators are used in order to facilitate follow-on processing - TABS separate "tokens" and COMMAS separate data within each token. This format is further discussed in Appendix B - Event Output Format. The result is that a raw event as processed by Snare may appear as follows:

localhost.localdomain LinuxKAudit 2 event,open,Jun 20 06:00:16 sequence,30430 uid,4294967295,unknown euid,0,root gid,0,root egid,0,root process,,/opt/VBoxGuestAdditions-4.2.1/sbin/VBoxService return,4,Yes name,/var/run/utmp exe,/opt/VBoxGuestAdditions-4.2.1/sbin/VBoxService success,Yes return,4 syscall,5,open uid,unknown euid,root gid,root egid,root arch, name,/var/run/utmp a0,b7ea7003 a1,2 a2,0 a3,b7ea700 items,1 ppid,1 pid,233 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none comm,VBoxService key,ob-1-1 cwd,/ item,0 inode,67 dev,03:02 mode,0100664 ouid,0 ogid,5 rdev,00:00

Snare also incorporates a tiny embedded web server, the Remote Control Interface, which allows administrators to remotely control which events are collected and reported. The Remote Control Interface also provides information on users, groups and group membership on the local machine which can be used to satisfy various regulatory security requirements.

Snare for Linux is known to work on Red Hat Enterprise 5/6, CentOS 5/6, Fedora Core X, SUSE 10/11, Ubuntu 12/13/14.


3 Installing and running Snare

3.1 Snare installation

Install the appropriate Linux package:

>rpm -Uvh snarelinux-supp-4.0.0-SLED-10.i686.rpm

Or

>dpkg -i filename.deb

E.g. >dpkg -i snarelinux-supp-4.0.0-Debian-7.3.x86_64.deb

4. This will install Snare for Linux and restart the audit daemon (auditd).

Remove Snare for Linux binary RPM package (if required):

1. Query the RPM database to ensure Snare for Linux is installed:

>rpm -q snarelinux-supp

2. Remove the Snare for Linux package:

>rpm -e snarelinux-supp

Remove Snare for Linux binary Debian package:

>dpkg -r snarelinux-supp


3.2 Audit configuration

The Snare configuration is stored as /etc/audit/snare.conf (note: for some SuSE versions the location of snare.conf is /etc/snare.conf). This file contains all the details required by Snare to configure the audit subsystem to successfully execute.

The configuration of /etc/audit/snare.conf can be changed either directly ...

Care should be taken if manually editing the snare.conf configuration file to ensure that it conforms to the required format for the audit daemon. Also, any use of the Remote Control Interface to modify security objectives or selected events may result in manual configuration file changes being overwritten.

/etc/init.d/auditd restart

Note for administrators: the system log files will be updated whenever settings are applied to the snare.conf, for example /var/log/messages. This information may assist you when you require it.


4 The Remote Control Interface

The Remote Control Interface is accessible by entering http://localhost:6161 in the web browser, as shown in Figure 1. The Remote Control Interface is turned on by default and also password protected for security reasons. The default username and password are:

Username: snare

Password: snare

NOTE: The password is not encrypted at this time. Ensure you change the default Snare password immediately after installation so that it is encrypted for security purposes. It is recommended you use a strong complex password of at least 12 characters.

Figure 1: The Remote Control Interface - View Status

The Remote Control Interface provides a number of capabilities, including:

Network Configuration
Remote Control Configuration
Objectives Configuration
Viewing Recent Events


4.1 Network Configuration

To set the audit configuration parameters, select the "Network Configuration" link.

Figure 2: Configure the network settings

The configuration parameters available are as follows, as displayed in Figure 2:

Override detected hostname with: Can be used to override the name that is given to the host. Unless a different name is required to be sent in the processed event log record, leave this field blank. The default is to use the fully qualified name for the machine.

Destination: Snare can send audit events to one or more network destinations. Snare can send data either to a Snare-compatible server or a SYSLOG compatible destination. Please be aware that most SYSLOG servers are incompatible with the extremely high volumes of data Snare is capable of generating.

Server Details: Enter a


formatted so it is accepted by a Syslog or a Snare server. Note: The agent will override the specified format in some cases. Specifying port 6161 will force the use of Snare format. Specifying a port of 514 will force the use of the Syslog format.

FileName: Log the output to disk as well as the network.

Click Change Configuration to allow another destination to be added. Likewise, to remove a destination, delete the entry in the Server Details and click Change Configuration.

Allow SNARE to automatically set audit configuration: By default Snare will take control and manage your audit event settings for you. Normally on a Unix system you will need to modify the file /etc/audit/audit.rules in order to establish a new monitored event. Snare has the capability to "turn on" event auditing in response to the objectives you set within the Remote Control Interface. It is recommended that this parameter is enabled.

Cache size: Allow Snare to store messages that could not be sent. Combined with TCP or TLS, this option will allow the agent to cache messages if there is a network failure or the Snare Server is otherwise unavailable. Any cached message is kept until it is sent or the size of the cache exceeds the specified allotment, in which case the oldest message is removed. If the agent is restarted, any cached messages are lost.

SYSLOG Facility (optional): If you are sending your data to a SYSLOG server, specifies the subsystem that produced the message. The list displays default facility levels.

SYSLOG Priority (optional): If you are sending your data to a SYSLOG server, the agent can be configured to use a static or dynamic priority level.

Use UTC time reporting: Enables UTC (Coordinated Universal Time) timestamp format for events instead of local machine time zone format.

To save and set changes to these settings, and to ensure the audit daemon has received the new configuration, perform the following:

1. Click on Change Configuration to save any changes.

2. Click on the Apply the Latest Audit Configuration menu item. There will be a quick notice that Snare is restarting, as displayed below.


4.2 Remote Control Configuration

The Snare for Linux agent can be controlled remotely by administrators if required. Remote control is enabled by default. The remote control page is displayed in Figure 3.

Figure 3: Configure the Remote Control

The parameters which may be set for remote control operation include:

Restrict remote control of SNARE agent to certain hosts: By default Snare allows any IP address to connect to the remote control interface. Enabling this option restricts connections to the remote control interface to the IP given in the following option.

IP Address allowed to remote control SNARE: Remote control actions may be limited to a given host. This host, entered as an IP address, will only allow remote connections to be effected from the stated IP address. Application-level firewall capabilities are also available which block users from accessing the Remote Control Interface from any IP address other than the one specified.

Require a password for remote control?: Indicate whether a password will be set so that only authorised individuals may access the remote control functions. Highly recommended.

Password to allow remote control of SNARE: If the above checkbox is checked, a password must be set. A password of appropriate strength should be set for the remote control facility.


Web Server Port: An optional port that the Remote Control Interface listens on can be specified. Users of the Snare Server should generally leave this as 6161 in order to take advantage of the Snare Server's user and group audit capabilities.

To save and set changes to these settings, and to ensure the audit daemon has received the new configuration, perform the following:

1. Click on Change Configuration to save any changes.

2. Click on the Apply the Latest Audit Configuration menu item.


4.3 Objectives configuration

Snare's ability to filter events is accomplished via the auditing "objectives" capability. The term "objective" is used within Snare Agents to describe an auditing goal. It is generally made up of events that Snare should watch for, a filter term containing a "token", and a criticality level. See Figure 4.

The objective configuration page supplied as part of the web based remote control is intended as a way to enable users to commence audit functions reasonably quickly. For power users, a far more powerful and functional way is to manually control the /etc/audit/snare.conf file. This is described in more detail in Appendix A - Configuration File.


Event Objectives

Select "Add" to insert an objective or "Modify" to edit an objective. Generally, the order of objectives is not important.

Figure 5: Adding/Modifying a Syscall Objective

The following parameters may be set, as displayed in Figure 5:

Identify the high level event: Each of the objectives provides a high level of control over which events are selected and reported. Events are selected from a group of high level requirements and further refined using selected filters. Events are generally grouped into the following:

Start or stop program execution: execve, fork, exit, kill, tkill, tgkill
Open a file/dir for reading or writing: open, close
Change a file or directory attribute: fchmod, chmod, fchmodat, chown, lchown, fchown, fchownat
Remove a file or directory: rmdir, unlink
Mount a new filesystem: mount, umount2


Change user or group identity: setfsuid, setuid, setreuid, setfsgid, setregid, setgid, setresgid
Administration Related Events: reboot, settimeofday, clock_settime, setdomainname, sethostname
Login/Logout events: login_start, login_auth, logout

In addition, any event that can be generated by the audit subsystem can be specified (comma separated) by using the "Any Event(s)" high level group.

Tip: Turning on file-related events can produce a very high volume of audit events on some systems and therefore result in a considerable amount of CPU time being used by Snare and the audit subsystem.

Syscall List: If "Any Event(s)" is selected as the high level event, then add a comma separated list of audit events to search for.

Audit Filter Term(s): A filter term containing a "token" which appears within the events of interest and the search criteria that Snare should use to include or exclude the event. For example, a search term of /etc/.* would match any event which mentions any file in /etc. Another example:

localhost.localdomain LinuxKAudit Criticality,2 event,execve,(timestamp not legible in this copy) sequence,52 uid,500,george gid,500,george euid,500,george egid,500,george process,,"/bin/uname" return,0,Yes name,"/bin/uname" (audit message id not legible in this copy) arch,x86_64 syscall,59,execve success,Yes return,0 a0,30f70 a1,300 a2,28d0 a3,8 items,2 ppid,32 pid,3236 auid,500,george uid,500,george gid,500,george euid,500,george suid,500,george fsuid,500,george egid,500,george sgid,500,george fsgid,500,george tty,pts1 ses,1 comm,"uname" exe,"/bin/uname" key,"ob3-2-0" argc,1 a0,"uname" cwd,"/home/george" item,0 name,"/bin/uname" inode,230336 dev,fd00 mode,0100755 ouid,0,root ogid,0,root rdev,0000 item,1

The token highlighted in red (auid,500,george in the example above) could be used to only select events where the “auid” (the "audit" ID


File Watches

File watches are somewhat different to event filters. Rather than asking the kernel to report on all file activity, a "file watch" will cause Snare to ask the kernel to "tag" certain files or directories, and only generate file-related events when activity associated with those particular files or directories occur. This generally results in a spectacular drop in resource usage by the Snare and audit processes, as potentially thousands of file-related events-per-second no longer have to be discarded when they do not match a Snare agent objective. This method does not require that each targeted file or directory exist prior to Snare starting up. Where a directory is specified, Snare will also watch for the creation of new files and directories.

See Figure 6 for configuring a Snare file watch.

Figure 6: Adding/Modifying a File Watch Objective

The following parameters may be set:

File watch path: Any file or directory, currently existing or not, can be specified. In order not to generate too many events, it is strongly recommended that file watches be set on the exact directory(ies) of choice with as few permissions as possible. It is far more desirable to use file watches to monitor accesses to files and directories than to use syscall/event filters.


Permissions to trigger an event: A file watch is associated with monitoring four types of permissions, namely rwxa. These are read (r), write (w), execute (x) or attributes (a). A file MUST be specified with a minimum of 1 and a maximum of 4 permissions.

Regex String Match: A filter term the objective should match. For example, .*root.* would cause the objective to match the word "root" in the whole string.

Select the Alert Level: The criticality levels are Critical, Priority, Warning, Information and Clear. These security levels are provided to enable the Snare user to map audit events to their most pressing business security objectives.

Note:


4.4 Display of Latest Events / Destination Status

A small rotating cache of audit events is kept by the Snare for Linux web server. Clicking on the Latest Events menu item will display twenty of the most recent events, as displayed in Figure 7.

Figure 7


INITIAL - The remote log location is about to begin setup

RESOLVING -


5 Snare Server

The Snare Server is a log collection, analysis, reporting, forensics and storage appliance that helps you meet departmental, organisational, industry and national security requirements and regulations. It integrates closely with the industry standard Snare agents to provide a cohesive end-to-end solution for your log-related security requirements.

The Snare Server, as shown in Figure 8, collects events and logs from a variety of operating systems, applications and appliances including, but not limited to: Windows (NT through 2012), Solaris, AIX, OSX, Irix, Linux, Tru64, ACF2, RACF, CISCO Routers, CISCO PIX Firewall, CyberGuard Firewall, Checkpoint Firewall1, Gauntlet Firewall, Netgear Firewall, IPTables Firewall, Microsoft ISA Server, Microsoft IIS Server, Lotus Notes, Microsoft Proxy Server, Apache, Squid, Snort Network Intrusion


Some of the key features of the Snare Server include:

Ability to collect any arbitrary log data, either via


About InterSect Alliance

Intersect Alliance, part of the Prophecy International Holdings Group, is a team of leading information technology security specialists. In particular, Intersect Alliance are noted leaders in key aspects of IT Security, including host intrusion detection. Our solutions have, and continue to be, used in the most sensitive areas of Government and business sectors.

Intersect Alliance intend to continue releasing tools that enable users, administrators and clients worldwide to achieve a greater level of productivity and effectiveness in the area of IT Security, by simplifying, abstracting and/or solving complex security problems.

Intersect Alliance welcomes and values your support, comments and contributions.

For more information on the Enterprise Agents, Snare Server and other Snare products and licensing options, please contact us as follows:

The Americas: (telephone numbers not legible in this copy)


Appendix A Configuration File Description

The purpose of this section is to discuss the parameter settings of the configuration file. The Snare configuration file is located at /etc/audit/snare.conf and this location may not be changed. If the configuration file does not exist, the audit daemon will not actively audit events until a correctly formatted configuration file is present.

Snare can be configured in several different ways, namely:

a. Via the embedded web server (recommended for novice users), or

b. By manually editing the configuration file (recommended for advanced users).

The format of the audit configuration file is discussed below. Any line beginning with “#” will be treated as a comment line and ignored. Any number of tabs or spaces can be used. Major tokens such as [Config] must be surrounded by the square brackets.

[Config]
    This section allows you to specify settings relating to the operation of the Snare agent.

clientname=override
    The hostname of the client. If no hostname is set, the value of “hostname --fqdn” will be used.

set_audit=[1|0]
    This value determines if Snare should set the auditing configuration for the local machine.

syslog_facility=facility
    The SYSLOG facility used when sending to a SYSLOG server.

syslog_priority=priority
    The SYSLOG priority used when sending to a SYSLOG server.

cache_size=[0 - 100000]
    This value determines the size of the event cache, i.e. the number of events that Snare should keep if it cannot reach at least one of the hosts. The value must be between 0 and 100000. This feature only appears in Enterprise Agents.

use_utc=1
    Enable UTC (Universal Coordinated Time). This feature only appears in Enterprise Agents.

version=4
    Future inclusion: Snare version for informational purposes.


[Remote]
    This section allows you to specify settings relating to the Remote Control Interface used to control Snare.

allow=[1|0]
    Turn the Remote Control Interface on or off.

listen_port=6161
    Set a port that the Snare for Linux agent should listen on.

accesskey_enabled=on
    Password is required to be set.

accesskey=md5password
    MD5 checksum of the password used to protect the embedded web server.

restrict_ip_enabled=0
    Restrict the Remote Control Interface to an IP.

restrict_ip=<IP address>
    IP address of a system that is used to remotely control the agent. All requests from other systems will be dropped.

[Output]
    By default, if no output section exists within the configuration file, the audit daemon will not send any data to anywhere. Otherwise, audit events will be sent to all valid destinations specified in the Output section. As such, events can be sent to one or all of a file or to a remote network destination.

file=/fully/qualified/file/name
    The audit daemon will send data to the fully qualified filename. The directory must exist. The file will be created if it doesn't exist. E.g. file=/var/log/filewatch.log

network=hostname:port:protocol:format


[Objectives]
    This section describes the format of the objectives. Objectives are composed of:

    1. Criticality - an integer between 0 and 4 that indicates the severity of the event. 0 is "clear", 4 is "critical". Any integer less than 0 will cause the line to be rejected.

    2. The event - this must either correspond to a valid syscall event or a series of events separated by commas, and may be surrounded with round brackets (). Note that the embedded web server will convert the generic "groups" in the Audit Configuration window to the required events. For example, the abstracted group "Administrative Events" will result in the event entry "event=(reboot,settimeofday,clock_settime,setdomainname,sethostname)" being written.

    3. Return: either Success, Failure, or * to indicate both Success and Failure.

    4. User: The user(s) to watch. This can be a single user, a list of users separated with commas, or * to indicate all users.

    5. match: An optional string to match. This can be either a string literal, a regular expression, or .* to indicate all events.

    Note that whitespace will be trimmed from the start and end of items.

criticality=1 event=execve return=Success user=maria match=/sbin
    Report at criticality level 1 whenever the user "maria" attempts to execute a binary within /sbin.

    criticality=0 for Clear (ordinary security level), 1 for Information, 2 for Warning, 3 for Priority, 4 for Critical.


Shown below is an example /etc/audit/snare.conf file. It is an example file only and should NOT be used for operational purposes. It has been included to demonstrate the key concepts of formulating a snare.conf file as discussed above.

Example Version 4.0 snare.conf file

# This is a comment line with no leading spaces
[Config]
clientname=
set_audit=1
cache_size=10000
use_utc=0
syslog_facility=1
syslog_priority=5
[Linux]
audit_buffersize=0
# UTC and multiple network entries only allowed by the Enterprise agent
[Output]
network=10.1.1.0... (remainder of line not legible in this copy)
network=10.1.1.5... (remainder of line not legible in this copy)
[Objectives]
criticality=<level> event=setgroups,setpgrp,setuid,setgid,seteuid,setegid,setauid,setreuid,setregid,setuid,osetpgrp return=Success user=.* match=.*
criticality=<level> event=chmod,fchmod,chown,fchown,mctl,fcntl,lchown,aclset,faclset return=Success user=.* match=.*
criticality=<level> event=login,logout,telnet,rlogin,su,rexecd,passwd,rexd,ftpd,admin_authenticate,ssh return=Success user=.* match=.*
[Watch]
criticality=1 match=".*user01.*" path=/etc/test perms=waxr
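As an added illustration (not code from the guide or the Snare agent), the following Python parses a snare.conf in the layout Appendix A describes and flags the settings the guide itself warns about: remote control enabled without a password or still protected by the default password (stored as an MD5 accesskey per the [Remote] section), no IP restriction, cache_size outside 0..100000, no [Output] destination, and an objective criticality outside 0..4. The sample file and the colon-separated network= value are constructed assumptions.

```python
"""Parse a snare.conf and flag the settings this guide warns about.  Added
example, not the guide's or the Snare agent's own code.  It assumes the
Appendix A layout ([Section] headers, '#' comments, key=value lines,
repeatable keys) and that accesskey holds the MD5 hex digest of the
remote-control password; the network= value format and the sample file
below are constructed."""
import hashlib
from collections import defaultdict

DEFAULT_PASSWORD = "snare"   # documented factory default, to be changed
DEFAULT_KEY = hashlib.md5(DEFAULT_PASSWORD.encode()).hexdigest()

SAMPLE_CONF = f"""
# constructed sample, not an operational configuration
[Config]
clientname=
set_audit=1
cache_size=250000
[Remote]
allow=1
listen_port=6161
accesskey_enabled=on
accesskey={DEFAULT_KEY}
restrict_ip_enabled=0
restrict_ip=
[Output]
network=10.1.1.5:6161:udp:snare
[Objectives]
criticality=1 event=execve return=Success user=maria match=/sbin
criticality=7 event=open return=* user=* match=/etc/.*
"""


def parse_snare_conf(text):
    """Return {section: {key: [values...]}}; a key may repeat (network=)."""
    conf = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()            # any number of tabs or spaces allowed
        if not line or line.startswith("#"):
            continue                  # '#' lines are comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section]             # remember even an empty section
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        conf[section][key.strip()].append(value.strip())
    return {s: dict(kv) for s, kv in conf.items()}


def first(conf, section, key, default=""):
    """First value of key in section, or default when absent."""
    return conf.get(section, {}).get(key, [default])[0]


def audit_snare_conf(text):
    """Findings as strings; an empty list means nothing was flagged."""
    conf = parse_snare_conf(text)
    findings = []
    if first(conf, "Remote", "allow", "0") == "1":
        if first(conf, "Remote", "accesskey_enabled", "off").lower() != "on":
            findings.append("Remote: remote control enabled without a password")
        elif first(conf, "Remote", "accesskey") == DEFAULT_KEY:
            findings.append("Remote: accesskey is still the default password")
        if (first(conf, "Remote", "restrict_ip_enabled", "0") != "1"
                or not first(conf, "Remote", "restrict_ip")):
            findings.append("Remote: any IP address may reach the interface")
    size = int(first(conf, "Config", "cache_size", "0"))
    if not 0 <= size <= 100000:
        findings.append(f"Config: cache_size {size} outside 0..100000")
    out = conf.get("Output", {})
    if not (out.get("file") or out.get("network")):
        findings.append("Output: no file= or network= destination, nothing is sent")
    for line in conf.get("Objectives", {}).get("criticality", []):
        level = int(line.split()[0])   # 'criticality=N event=...' keeps N first
        if not 0 <= level <= 4:
            findings.append(f"Objectives: criticality {level} outside 0..4")
    return findings
```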


Appendix B Event Output Format

The Snare dispatcher receives data from the native Linux audit subsystem.

The native audit daemon reports data in such a way that:

It is "programmatically" difficult to determine how many "lines" make up an audit event. Some lines can be repeated with slightly different values.
You can have multiple identical tokens for an event (e.g. two “path=” tokens).
Event lines may be interleaved (i.e. you might get two lines from event # 1000, then one line from event # 1001, then another line from event # 1000).
Some filename characters are translated into their HEX equivalents, which will make matching filenames difficult.

Snare for Linux uses an internal cache to amalgamate all lines relating to an individual event into “one line per event” format once appropriate filtering/event selection has taken place. An event will look like this once processed by Snare:

localhost.localdomain LinuxKAudit 2 event,execve,Jun 20 06:10:03 sequence,3451 uid,4294967295,unknown euid,0,root gid,0,root egid,0,root process,,/sbin/auditctl return,0,Yes name,null exe,/sbin/auditctl success,Yes return,0 syscall,11,execve uid,unknown euid,root gid,root egid,root arch, name,null a0,0ca7 a1,0ca0 a2,0caa a3,0 items,2 ppid,24047 pid,24051 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none comm,auditctl key,ob-0-0 a0,/sbin/auditctl a1,-v cwd,/ item,0 inode,37751 dev,03:02 mode,0100750 ouid,0 ogid,0 rdev,00:00 item,1 inode,17644 dev,03:02 mode,0100755 ouid,0 ogid,0 rdev,00:00

Snare for Linux presents the information in a series of token/data groups. Three different field separators are used in order to facilitate follow-on processing - TABS separate "tokens", COMMAS separate data within each token. A "token" is a group of related data comprising a "header" and a series of comma separated fields which make up data that relates to the header. Examples of tokens from the above event include:

syscall,11,execve
/sbin/auditctl
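As an added example (not the guide's or the agent's own code), here is a Python tokeniser for the one-line-per-event format this appendix describes, combined with an evaluator for the [Objectives] lines of Appendix A and the whole-record filter-term semantics of section 4.3. The records and objectives it runs on are constructed in the documented layout, and reading the event name, return status and user from the syscall, success and uid/auid tokens is an assumption.

```python
"""Tokenise Snare for Linux "one line per event" records and evaluate
[Objectives] lines against them.  Added example, not the guide's or the
Snare agent's own code; record layout and objective grammar follow the
guide, the records and objectives below are constructed."""
import re

# Constructed records: host TAB LinuxKAudit TAB criticality TAB token...
SAMPLE_EVENTS = [
    "localhost.localdomain\tLinuxKAudit\t2\tevent,execve,Jun 20 06:10:03\t"
    "sequence,3451\tuid,500,maria\teuid,0,root\tprocess,,/sbin/auditctl\t"
    "return,0,Yes\tsuccess,Yes\tsyscall,11,execve\texe,/sbin/auditctl\t"
    "item,0\tname,/sbin/auditctl\titem,1\tname,/lib/ld-linux.so.2",
    "localhost.localdomain\tLinuxKAudit\t1\tevent,execve,Jun 20 06:10:05\t"
    "sequence,3452\tuid,0,root\tprocess,,/bin/uname\treturn,0,Yes\t"
    "success,Yes\tsyscall,11,execve\texe,/bin/uname\tname,/bin/uname",
    "localhost.localdomain\tLinuxKAudit\t3\tevent,open,Jun 20 06:10:09\t"
    "sequence,3453\tuid,500,maria\tprocess,,/bin/cat\treturn,-13,No\t"
    "success,No\tsyscall,5,open\tname,/etc/shadow",
]
OBJECTIVES = [
    "criticality=1 event=execve return=Success user=maria match=/sbin",
    "criticality=3 event=(open,openat) return=Failure user=* match=/etc/.*",
]
KEYWORD = re.compile(r"\b(criticality|event|return|user|match)=")


def tokenise(record):
    """Return (host, criticality, [(header, [fields]), ...]).  Tokens keep
    order and duplicates (two 'name' and two 'item' tokens in the first
    record), as the guide says an event may carry identical tokens."""
    parts = record.rstrip("\n").split("\t")
    if len(parts) < 4 or parts[1] != "LinuxKAudit":
        raise ValueError("not a Snare for Linux record")
    tokens = []
    for raw in parts[3:]:
        header, *fields = raw.split(",")
        tokens.append((header, fields))
    return parts[0], int(parts[2]), tokens


def field(tokens, header, index):
    """Field `index` of the first token called `header`, or ''."""
    for name, fields in tokens:
        if name == header and len(fields) > index:
            return fields[index]
    return ""


def parse_objective(line):
    """Parse 'criticality=N event=(a,b) return=R user=U match=M'.  Values run
    to the next keyword and are trimmed; out-of-range criticality or an
    unknown return value rejects the line, as Appendix A specifies."""
    hits = list(KEYWORD.finditer(line))
    raw = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        raw[m.group(1)] = line[m.end():end].strip()
    crit = int(raw.get("criticality", "-1"))
    if not 0 <= crit <= 4:
        raise ValueError(f"criticality {crit} outside 0..4, line rejected")
    ret = raw.get("return", "*")
    if ret not in ("Success", "Failure", "*"):
        raise ValueError(f"return must be Success, Failure or *: {ret!r}")
    user = raw.get("user", "*")
    return {
        "criticality": crit,
        "event": {e.strip() for e in raw.get("event", "").strip("()").split(",")},
        "return": ret,
        "user": None if user in ("*", ".*") else {u.strip() for u in user.split(",")},
        "match": re.compile(raw.get("match", ".*")),
    }


def matches(obj, record):
    """True when the record satisfies every clause of a parsed objective."""
    _, _, tokens = tokenise(record)
    syscall = field(tokens, "syscall", 1) or field(tokens, "event", 0)
    if syscall not in obj["event"]:
        return False
    outcome = "Success" if field(tokens, "success", 0) == "Yes" else "Failure"
    if obj["return"] not in ("*", outcome):
        return False
    user = field(tokens, "auid", 1) or field(tokens, "uid", 1)
    if obj["user"] is not None and user not in obj["user"]:
        return False
    # The filter term is searched in the whole record, so '/etc/.*' selects
    # any event mentioning a file under /etc, as section 4.3 describes.
    return obj["match"].search(record) is not None


def apply_objectives(objectives, records):
    """(objective index, sequence number) for each record an objective selects."""
    parsed = [parse_objective(o) for o in objectives]
    selected = []
    for rec in records:
        seq = int(field(tokenise(rec)[2], "sequence", 0))
        selected += [(i, seq) for i, o in enumerate(parsed) if matches(o, rec)]
    return selected
```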