8/11/2019 Guide to Snare for Linux-4.0
Guide to Snare for Linux v4.0
1999-2014 Intersect Alliance Pty Ltd. All rights reserved worldwide.
Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance Pty Ltd. This does not include those documents and software developed under the terms of the open source General Public Licence which covers the Snare agents and some other software.
The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance Pty Ltd. Other trademarks and trade names are marks and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice.
InterSect Alliance June 2014 Page 2 of 28 Version 4.0
About this guide
This guide introduces you to the functionality of the Snare Agent for the Linux operating system. Snare for Linux provides an event auditing subsystem for the Linux operating system and facilitates objective-based filtering and remote audit event delivery. Snare for Linux will also allow a security administrator to fully remote control the application through a standard web browser if so desired. Snare has been designed in such a way as to allow the remote control functions to be easily effected manually or by an automated process.
Other guides that may be useful to read include:
Snare Overview - https://www.intersectalliance.com/wp-content/uploads/2014/05/Snare-Overview-Brochure.pdf
The Snare Toolset - A White Paper at https://www.intersectalliance.com/wp-content/uploads/2013/04/Snare_Toolset_White_Paper-2.6.pdf
Table of contents:
1 Introduction ... 4
2 Overview of Snare for Linux ... 5
3 Installing and running Snare ... 6
3.1 Snare installation ... 6
3.2 Audit configuration ... 7
4 The Remote Control Interface ... 8
4.1 Network Configuration ... 10
4.2 Remote Control Configuration ... 12
4.3 Objectives configuration ... 14
4.4
1 Introduction
The team at InterSect Alliance have experience with auditing and intrusion detection on a wide range of platforms - Solaris, Windows, Android, AIX, even MVS (ACF2/RACF), and within a wide range of IT security in businesses such as National Security and
2 Overview of Snare for Linux
Snare operates through the actions of three complementary components:
The native Linux audit subsystem
The user-space audit daemon (auditd)
The Snare 'dispatcher' applications.
The audit daemon and kernel component act in concert to configure the underlying audit subsystem and extract events of interest from the operating system.
Snare for Linux operates as an 'audit dispatcher' application that receives the audit log data, with Snare directing auditd what events to selectively filter out that you are not interested in, formats the resulting data into something that is more suited to follow-on processing, and delivers it to one or more remote systems over the network.
Snare formats the audit log data into a series of 'tokens'. Two different field separators are used in order to facilitate follow-on processing - TABS separate 'tokens' and COMMAS separate data within each token. This format is further discussed in Appendix B - Event Output Format. The result is that a raw event as processed by Snare may appear as follows:
localhost.localdomain LinuxKAudit 2 event,open,Jun 20 06:00:16sequence,30430 uid,4246!2",un#no$n euid,0,%oot &id,0,%oot e&id,0,%oot
p%ocess,,'opt'()ox*uestAdditions+4.2.1's-in'()oxe%vice %etu%n,4,/es
name,'va%'%un'utmp exe,'opt'()ox*uestAdditions+4.2.1's-in'()oxe%vicesuccess,/es %etu%n,4 s/scall,",open uid,un#no$n euid,%oot &id,%oot
e&id,%oot a%ch, name,'va%'%un'utmp a0,-!ea!003 a1,2 a2,0 a3,-!ea!00items,1 ppid,1 pid,233 uid,0 suid,0 suid,0 s&id,0 s&id,0 tt/,none
comm,()oxe%vice #e/,o-+1+1 c$d,' item,0 inode,6! dev,03:02 mode,0100664
ouid,0 o&id," %dev,00:00
Snare also incorporates a tiny embedded web server, the Remote Control Interface, which allows administrators to remotely control which events are collected and reported. The Remote Control Interface also provides information on users, groups and group membership on the local machine, which can be used to satisfy various regulatory security requirements.
Snare for Linux is known to work on Red Hat Enterprise 5/6, CentOS 5/6, Fedora Core X, SUSE 10/11, Ubuntu 12/13/14.
3 Installing and running Snare
3.1 Snare installation
An appropriate Linux
rpm -Uvh snarelinux-supp-4.0.0-SLED-10.i686.rpm
Or
>dpkg -i filename.deb
E.g. >dpkg -i snarelinux-supp-4.0.0-Debian-7.3.x86_64.deb
4. This will install Snare for Linux and restart the audit daemon (auditd).
Remove Snare for Linux binary RPM package (if required).
1. Query the RPM database to ensure Snare for Linux is installed:
>rpm -q snarelinux-supp
2. Remove the Snare for Linux package:
>rpm -e snarelinux-supp
Remove Snare for Linux binary
dpkg -r snarelinux-supp
3.2 Audit configuration
The Snare configuration is stored as /etc/audit/snare.conf (note, for SuSE ! and users, the location of snare.conf is /etc/snare.conf). This file contains all the details required by Snare to configure the audit subsystem to successfully execute.
The configuration of /etc/audit/snare.conf can be changed either
directly
Care should be taken if manually editing the snare.conf configuration file to ensure that it conforms to the required format for the audit daemon. Also, any use of the Remote Control Interface to modify security objectives or selected events may result in manual configuration file changes being overwritten.
/etc/init.d/auditd restart
Note: For administrators, the system log files will be updated whenever settings are applied to the snare.conf, for example /var/log/messages. This information may assist you when you require it.
4 The Remote Control Interface
The Remote Control Interface is accessible by entering http://localhost:6161 in the web browser, as shown in Figure 1. The Remote Control Interface is turned on by default and also password protected for security reasons. The default username and password are:
Username: snare
Password: snare
NOTE: The password is not encrypted at this time. Ensure you change the default Snare password immediately after installation so that it is encrypted for security purposes. It is recommended you use a strong, complex password of at least 12 characters.
Figure 1: The Remote Control Interface - View Status
The Remote Control Interface provides a number of capabilities, including:
Network Configuration
Remote Control Configuration
Objectives Configuration
Viewing Recent Events
4.1 Network Configuration
To set the audit configuration parameters, select the 'Network Configuration' link.
Figure 2: Configure the network settings
The configuration parameters available are as follows, as displayed in Figure 2:
Override detected hostname with: Can be used to override the name that is given to the host. Unless a different name is required to be sent in the processed event log record, leave this field blank. The default is to use the fully qualified name for the machine.
Destination: Snare can send audit events to one or more network destinations. Snare can send data either to a Snare-compatible server or a SYSLOG compatible destination. Please be aware that most SYSLOG servers are incompatible with the extremely high volumes of data Snare is capable of generating.
Server Details: Enter a
formatted so it is accepted by a Syslog or a Snare server. Note: The agent will override the specified format in some cases. Specifying port 6161 will force the use of Snare format. Specifying a port of 514 will force the use of the Syslog format.
FileName: Log the output to disk as well as the network.
Click Change Configuration to allow another destination to be added. Likewise, to remove a destination, delete the entry in the Server Details and click Change Configuration.
Allow SNARE to automatically set audit configuration: By default, Snare will take control and manage your audit event settings for you. Normally on a Unix system you will need to modify the file /etc/audit/audit.rules in order to establish a new monitored event. Snare has the capability to 'turn on' event auditing in response to the objectives you set within the Remote Control Interface. It is recommended that this parameter is enabled.
Cache size: Allow Snare to store messages that could not be sent. Combined with the TCP or TLS, this option will allow the agent to cache messages if there is a network failure or the Snare Server is otherwise unavailable. Any cached message is kept until it is sent or the size of the cache exceeds the specified allotment, in which case the oldest message is removed. If the agent is restarted, any cached messages are lost.
SYSLOG Facility (optional): If you are sending your data to a SYSLOG server, specifies the subsystem that produced the message. The list displays default facility levels.
SYSLOG Priority (optional): If you are sending your data to a SYSLOG server, the agent can be configured to use a static or dynamic priority level.
Use UTC time reporting: Enables UTC (Coordinated Universal Time) timestamp format for events instead of local machine time zone format.
To save and set changes to these settings, and to ensure the audit daemon has received the new configuration, perform the following:
1. Click on Change Configuration to save any changes.
2. Click on the Apply the Latest Audit Configuration menu item. There will be a quick notice that Snare is restarting, as displayed below.
4.2 Remote Control Configuration
The Snare for Linux agent can be controlled remotely by administrators if required. Remote control is enabled by default. The remote control page is displayed in Figure 3.
Figure 3: Configure the Remote Control
The parameters which may be set for remote control operation include:
Restrict remote control of SNARE agent to certain hosts: By default, Snare allows any IP address to connect to the remote control interface. Enabling this option restricts connections to the remote control interface to the IP given in the following option.
IP Address allowed to remote control SNARE: Remote control actions may be limited to a given host. This host, entered as an IP address, will only allow remote connections to be effected from the stated IP address. Application-level firewall capabilities are also available which block users from accessing the Remote Control Interface from any IP address other than the one specified.
Require a password for remote control?: Indicate whether a password will be set so that only authorised individuals may access the remote control functions. Highly recommended.
Password to allow remote control of SNARE: If the above checkbox is checked, a password must be set. A password of appropriate strength should be set for the remote control facility.
Web Server Port: An optional port that the Remote Control Interface listens on can be specified. Users of the Snare Server should generally leave this as 6161 in order to take advantage of the Snare Server's user and group audit capabilities.
To save and set changes to these settings, and to ensure the audit daemon has received the new configuration, perform the following:
1. Click on Change Configuration to save any changes.
2. Click on the Apply the Latest Audit Configuration menu item.
4.3 Objectives configuration
Snare's ability to filter events is accomplished via the auditing 'objectives' capability. The term 'objective' is used within Snare Agents to describe an auditing goal. It is generally made up of events that Snare should watch for, a filter term containing a 'token', and a criticality level. See Figure 4.
The objective configuration page supplied as part of the web based remote control is intended as a way to enable users to commence audit functions reasonably quickly. For power users, a far more powerful and functional way is to manually control the /etc/audit/snare.conf file. This is described in more detail in Appendix A - Configuration File.
Event Objectives
Select 'Add' to insert an objective or 'Modify' to edit an objective. Generally the order of objectives is not important.
Figure 5: Adding/Modifying a Syscall Objective
The following parameters may be set as displayed in Figure 5:
Identify the high level event: Each of the objectives provides a high level of control over which events are selected and reported. Events are selected from a group of high level requirements and further refined using selected filters. Events are generally grouped into the following:
Start or stop program execution: execve, fork, exit, kill, tkill, tgkill
Open a file/dir for reading or writing: open, close
Change a file or directory attribute: fchmod, chmod, fchmodat, chown, lchown, fchown, fchownat
Remove a file or directory: rmdir, unlink
Mount a new filesystem: mount, umount2
Change user or group identity: setfsuid, setuid, setreuid, setfsgid, setregid, setgid, setresgid
Administration Related Events: reboot, settimeofday, clock_settime, setdomainname, sethostname
Login/Logout events: login_start, login_auth, logout
In addition, any event that can be generated by the audit subsystem can be specified (comma separated) by using the 'Any Event(s)' high level group.
Tip: Turning on file-related events can produce a very high volume of audit events on some systems, and therefore result in a considerable amount of CPU time being used by Snare and the audit subsystem.
Syscall List: If 'Any Event(s)' is selected as the high level event, then add a comma separated list of audit events to search for.
Audit Filter Term(s): A filter term containing a 'token' which appears within the events of interest, and the search criteria that Snare should use to include or exclude the event. For example, a search term of /etc/.* would match any event which mentions any file in /etc. Another example:
"oca"host."oca"domain &inux'Audit Critica"it,) event,execve,)!*!+)5 !*)
seuence,5) uid,5!!,$eor$e $id,5!!,$eor$e euid,5!!,$eor$e e$id,5!!,$eor$e
process,,0/1in/uname0 return,!,es name,0/1in/uname0 *++)!.25)#
arch,x2343 ssca"",5,execve success,es return,! a!,*!f+! a,*!!
a),*2d1! a*,2 items,) ppid,*) pid,*)*3 auid/011/george uid,5!!,$eor$e
$id,5!!,$eor$e euid,5!!,$eor$e suid,5!!,$eor$e fsuid,5!!,$eor$e e$id,5!!,$eor$e
s$id,5!!,$eor$e fs$id,5!!,$eor$e tt,pts ses, comm,0uname0 exe,0/1in/uname0
e,0o16-)-!0 ar$c, a!,0uname0 c7d,0/home/$eor$e0 item,! name,0/1in/uname0
inode,)*!**3 dev,fd!! mode,!!!+55 ouid,!,root o$id,!,root rdev,!!!! item,
The token highlighted in red could be used to only select events where the “auid” (the 'audit' I
File Watches
File watches are somewhat different to event filters. Rather than asking the kernel to report on all file activity, a 'file watch' will cause Snare to ask the kernel to 'tag' certain files or directories, and only generate file-related events when activity associated with those particular files or directories occurs. This generally results in a spectacular drop in resource usage by the Snare and audit processes, as potentially thousands of file-related events-per-second no longer have to be discarded when they do not match a Snare agent objective. This method does not require that each targeted file or directory exist prior to Snare starting up. Where a directory is specified, Snare will also watch for the creation of new files and directories.
See Figure 6 for configuring a Snare file watch.
Figure 6: Adding/Modifying a File Watch Objective
The following parameters may be set:
File watch path: Any file or directory, currently existing or not, can be specified. In order not to generate too many events, it is strongly recommended that file watches be set on the exact directory(ies) of choice with as few permissions as possible. It is far more desirable to use file watches to monitor accesses to files and directories than to use syscall/event filters.
Permissions to trigger an event: A file watch is associated with monitoring four types of permissions, namely rwxa. These are read (r), write (w), execute (x) or attributes (a). A file MUST be specified with a minimum of 1 and a maximum of 4 permissions.
Regex String Match: A filter term the objective should match. For example, .*root.* would cause the objective to match the word 'root' in the whole string.
Select the Alert Level: The criticality levels are Critical, Priority, Warning, Information and Clear. These security levels are provided to enable the Snare user to map audit events to their most pressing business security objectives.
Note
4.4 Display of Latest Events / Destination Status
A small rotating cache of audit events is kept by the Snare for Linux web server. Clicking on the Latest Events menu item will display twenty of the most recent events, as displayed in Figure 7.
Figure 7
INITIAL - The remote log location is about to begin setup
RESOLVING -
5 Snare Server
The Snare Server is a log collection, analysis, reporting, forensics and storage appliance that helps you meet departmental, organisational, industry and national security requirements and regulations. It integrates closely with the industry standard Snare agents to provide a cohesive end-to-end solution for your log-related security requirements.
The Snare Server, as shown in Figure , collects events and logs from a variety of operating systems, applications and appliances, including but not limited to Windows (NT through 2012), Solaris, AIX, OSX, Irix, Linux, Tru64, ACF2, RACF, CISCO Routers, CISCO PIX Firewall, CyberGuard Firewall, Checkpoint Firewall-1, Gauntlet Firewall, Netgear Firewall, IPTables Firewall, Microsoft ISA Server, Microsoft IIS Server, Lotus Notes, Microsoft Proxy Server, Apache, Squid, Snort Network Intrusion
Some of the key features of the Snare Server include:
Ability to collect any arbitrary log data, either via
About InterSect Alliance
Intersect Alliance, part of the Prophecy International Holdings Group, is a team of leading information technology security specialists. In particular, Intersect Alliance are noted leaders in key aspects of IT Security, including host intrusion detection. Our solutions have and continue to be used in the most sensitive areas of Government and business sectors.
Intersect Alliance intend to continue releasing tools that enable users, administrators and clients worldwide to achieve a greater level of productivity and effectiveness in the area of IT Security, by simplifying, abstracting and/or solving complex security problems.
Intersect Alliance welcomes and values your support, comments and contributions.
For more information on the Enterprise Agents, Snare Server and other Snare products and licensing options, please contact us as follows:
The Americas +1 (00) 64 1080 Toll Free | +1 (606) 1 2888
Appendix A Configuration File Description
The purpose of this section is to discuss the parameter settings of the configuration file. The Snare configuration file is located at /etc/audit/snare.conf and this location may not be changed. If the configuration file does not exist, the audit daemon will not actively audit events until a correctly formatted configuration file is present.
Snare can be configured in several different ways, namely:
a. Via the embedded web server (recommended for novice users), or
b. By manually editing the configuration file (recommended for advanced users).
The format of the audit configuration file is discussed below. Any line beginning with “#” will be treated as a comment line and ignored. Any number of tabs or spaces can be used. Major tokens such as [Config] must be surrounded by the square brackets.
[Config]
This section allows you to specify settings relating to the operation of the Snare agent.
clientname=override
The hostname of the client. If no hostname is set, the value of “hostname --fqdn” will be used.
set_audit=[1|0]
This value determines if Snare should set the auditing configuration for the local machine.
syslog_facility=facility
The SYSLOG facility used when sending to a SYSLOG server.
syslog_priority=priority
The SYSLOG priority used when sending to a SYSLOG server.
cache_size=[0 - 100000]
This value determines the size of the event cache, i.e. the number of events that Snare should keep if it cannot reach at least one of the hosts. The value must be between 0 and 100000. This feature only appears in Enterprise Agents.
use_utc=1
Enable UTC (Universal Coordinated Time). This feature only appears in Enterprise Agents.
version=4
Future inclusion, Snare version for informational purposes.
[Remote]
This section allows you to specify settings relating to the Remote Control Interface used to control Snare.
allow=[1|0]
Turn the Remote Control Interface on or off.
listen_port=6161
Set a port that the Snare for Linux agent should listen on.
accesskey_enabled=on
Password is required to be set.
accesskey=md5(password)
Md5 checksum of the password used to protect the embedded web server.
restrict_ip_enabled=0
Restrict the Remote Control Interface to an IP.
restrict_ip=<IP address>
IP address of a system that is used to remotely control the agent. All requests from other systems will be dropped.
[Output]
By default, if no output section exists within the configuration file, the audit daemon will not send any data to anywhere. Otherwise, audit events will be sent to all valid destinations specified in the Output section. As such, events can be sent to one or all of a file, or to a remote network destination.
file=/fully/qualified/file/name
The audit daemon will send data to the fully qualified filename. The directory must exist. The file will be created if it doesn't exist. E.g. file=/var/log/filewatch.log
network=hostname:port:protocol:format
[Objectives]
This section describes the format of the objectives. Objectives are composed of:
1. Criticality - an integer between 0 and 4 that indicates the severity of the event. 0 is 'clear', 4 is 'critical'. Any integer less than 0 will cause the line to be rejected.
2. The event - this must either correspond to a valid syscall event, or a series of events separated by commas, and may be surrounded with round brackets (). Note that the embedded web server will convert the generic 'groups' in the Audit Configuration window to the required events. For example, the abstracted group 'Administrative Events' will result in the event entry 'event=(reboot,settimeofday,clock_settime,setdomainname,sethostname)' being written.
3. Return - either Success, Failure or * to indicate both Success and Failure.
4. User - The user(s) to watch. This can be a single user, a list of users separated with commas, or * to indicate all users.
5. match - An optional string to match. This can be either a string literal, a regular expression, or .* to indicate all events.
Note that whitespace will be trimmed from the start and end of items.
criticality=1 event=execve return=Success user=maria match=/sbin
Report at criticality level 1 whenever the user 'maria' attempts to execute a binary within /sbin.
criticality=0 for Clear (ordinary security level), 1 for Information, 2 for Warning, 3 for Priority, 4 for Critical.
Shown below is an example /etc/audit/snare.conf file. It is an example file only and should NOT be used for operational purposes. It has been included to demonstrate the key concepts of formulating a snare.conf file as discussed above.
Example version 4.0 snare.conf file
# This is a comment line with no leading spaces
[Config]
clientname=
set_audit=1
cache_size=10000
use_utc=0
syslog_facility=1
syslog_priority=5
[Linux]
audit_buffersize=0
# 54 and multiple network entries only allowed by the Enterprise agent
[Output]
networkutput0=10.1.1.01154678R9
networkutput1=10.1.1.+12346:6;
criticality= event=setgroups,setpgrp,setuid,setgid,seteuid,setegid,setauid,setreuid,setregid,setuid,osetpgrp return=Success user=.* match=.*
criticality= event=chmod,fchmod,chown,fchown,mctl,fcntl,lchown,aclset,faclset return=Success user=.* match=.*
criticality= event=login,logout,telnet,rlogin,su,rexecd,passwd,rexd,ftpd,admin_authenticate,ssh return=Success user=.* match=.*
[Watch]
criticality=1 match=".*user01.*" path=/etc/test perms=waxr
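The snare.conf layout described in Appendix A (comment lines, bracketed section headers, trimmed whitespace, and the five objective fields), as an added example that is not Snare's own code: a small parser for that layout plus a check of the [Remote] settings against the guide's recommendations. The sample configuration is constructed for this example; key names follow Appendix A, and rejecting criticality values above 4 is an assumption beyond the page's stated "less than 0" rule.

```python
import re

# Criticality levels 0..4 as named in Appendix A.
CRITICALITY_NAMES = {0: "Clear", 1: "Information", 2: "Warning", 3: "Priority", 4: "Critical"}

# Constructed sample in the Appendix A layout; key names follow the appendix,
# values are made up for this example (not the page's own example file).
SAMPLE_SNARE_CONF = """\
# This is a comment line with no leading spaces
[Config]
clientname=
set_audit=1
[Remote]
allow=1
listen_port=6161
accesskey_enabled=on
restrict_ip_enabled=0
[Output]
file=/var/log/filewatch.log
network=10.1.1.1:6161:udp:snare
[Objectives]
criticality=1 event=execve return=Success user=maria match=/sbin
criticality=4 event=(reboot,settimeofday,clock_settime,setdomainname,sethostname) return=* user=* match=.*
   criticality=-1 event=open return=Failure user=* match=/etc/.*
"""

KEY_VALUE = re.compile(r"(\w+)=(\S*)")


def parse_objective(line):
    """Parse one [Objectives] line; return None when the line is rejected.
    Below 0 rejects per Appendix A; above 4 rejects too (assumption)."""
    fields = dict(KEY_VALUE.findall(line))
    try:
        crit = int(fields.get("criticality", ""))
    except ValueError:
        return None
    if crit < 0 or crit > 4:
        return None
    events = fields.get("event", "").strip("()")   # event list may be bracketed
    return {
        "criticality": crit,
        "level": CRITICALITY_NAMES[crit],
        "events": [e for e in events.split(",") if e],
        "return": fields.get("return", "*"),
        "users": [u for u in fields.get("user", "*").split(",") if u],
        "match": fields.get("match", ".*"),
    }


def parse_snare_conf(text):
    """Return {section: content}: dicts for key=value sections, parsed objectives
    for [Objectives], field dicts for [Watch], (key, value) pairs for [Output]."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()                 # whitespace is trimmed, per Appendix A
        if not line or line.startswith("#"):
            continue                       # comment lines are ignored
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = [] if section in ("Objectives", "Watch", "Output") else {}
            continue
        if section is None:
            raise ValueError("setting before any [Section] header: %r" % raw)
        if section == "Objectives":
            obj = parse_objective(line)
            if obj is not None:
                conf[section].append(obj)
        elif section == "Watch":
            conf[section].append(dict(KEY_VALUE.findall(line)))
        elif section == "Output":          # several destinations may coexist
            key, _, value = line.partition("=")
            conf[section].append((key.strip(), value.strip()))
        else:
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.strip()
    return conf


def remote_control_findings(conf):
    """Flag [Remote] settings weaker than the guide recommends (password required,
    connections restricted to one IP) while the interface is enabled."""
    remote = conf.get("Remote", {})
    findings = []
    if remote.get("allow", "1") == "1":    # the guide says remote control is on by default
        if remote.get("accesskey_enabled", "") != "on":
            findings.append("accesskey_enabled is not 'on': remote control has no password")
        if remote.get("restrict_ip_enabled", "0") != "1":
            findings.append("restrict_ip_enabled is not '1': any IP address may connect")
    return findings
```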
Appendix B Event Output Format
The Snare dispatcher receives data from the native Linux audit subsystem.
The native audit daemon reports data in such a way that:
It is 'programmatically' difficult to determine how many 'lines' make up an audit event. Some lines can be repeated with slightly different values.
You can have multiple identical tokens for an event (e.g. two “path=” tokens).
Event lines may be interleaved (i.e. you might get two lines from event # 1000, then one line from event # 1001, then another line from event # 1000).
Some filename characters are translated into their HEX equivalents, which will make matching filenames difficult.
Snare for Linux uses an internal cache to amalgamate all lines relating to an individual event into “one line per event” format, once appropriate filtering/event selection has taken place. An event will look like this once processed by Snare:
localhost.localdomain LinuxKAudit 2 event,execve,Jun 20 06:10:03
sequence,34"1 uid,4246!2",un#no$n euid,0,%oot &id,0,%oot
e&id,0,%oot p%ocess,,'s-in'auditctl %etu%n,0,/es name,null
exe,'s-in'auditctl success,/es %etu%n,0 s/scall,11,execve uid,un#no$n
euid,%oot &id,%oot e&id,%oot a%ch, name,null a0,0ca! a1,0ca0
a2,0caa a3,0 items,2 ppid,2404! pid,240"1 uid,0 suid,0 suid,0
s&id,0 s&id,0 tt/,none comm,auditctl #e/,o-+0+0 a0,'s-in'auditctla1,+v c$d,' item,0 inode,3!!"1 dev,03:02 mode,0100!"0 ouid,0 o&id,0
%dev,00:00 item,1 inode,1!644 dev,03:02 mode,0100!"" ouid,0 o&id,0
%dev,00:00
Snare for Linux presents the information in a series of token/data groups. Three different field separators are used in order to facilitate follow-on processing - TABS separate 'tokens', COMMAS separate data within each token. A 'token' is a group of related data comprising a 'header' and a series of comma separated fields which make up data that relates to the header. Examples of tokens from the above event include syscall,11,execve and /sbin/auditctl.
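The “one line per event” layout described in Appendix B and in section 2 (TAB-separated tokens, comma-separated fields inside each token), as an added example that is not Snare's own code: a parser that keeps repeated token names in order (the second return token and the per-item name/inode/dev/mode runs) and pulls out the fields a follow-on filter would key on. The sample event, its host name and all its values are constructed for this example.

```python
# Constructed Snare for Linux event in the Appendix B layout: TAB-separated
# tokens, comma-separated fields within each token. Not the page's own sample;
# host name, sequence number and every other value are made up.
SAMPLE_EVENT = (
    "host1.example.com\tLinuxKAudit\t2\tevent,execve,Jun 20 06:10:03\t"
    "sequence,3491\tuid,500,maria\teuid,0,root\tgid,0,root\tegid,0,root\t"
    "process,,/sbin/auditctl\treturn,0,yes\tname,null\texe,/sbin/auditctl\t"
    "success,yes\treturn,0\tsyscall,11,execve\tppid,24048\tpid,24091\t"
    "comm,auditctl\tcwd,/\titem,0\tname,/sbin/auditctl\tinode,38891\tdev,03:02\t"
    "mode,0100750\titem,1\tname,/lib/ld-linux.so.2\tinode,16442\tdev,03:02\tmode,0100755"
)


def parse_snare_event(line):
    """Split one processed event into ((hostname, source, criticality), tokens).

    tokens is an ordered list of (name, [fields]) rather than a dict because
    Appendix B warns that a token name can repeat within one event (two
    'return' tokens and one name/inode/dev/mode run per item here)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 4:
        raise ValueError("expected at least 4 TAB-separated columns")
    header = (parts[0], parts[1], int(parts[2]))
    tokens = []
    for raw in parts[3:]:
        fields = raw.split(",")            # first field is the token header
        tokens.append((fields[0], fields[1:]))
    return header, tokens


def first_field(tokens, name, index=0, default=""):
    """Field `index` of the first token called `name`, or default if absent."""
    for token, fields in tokens:
        if token == name:
            return fields[index] if index < len(fields) else default
    return default


def path_items(tokens):
    """Regroup the flat item,N name inode dev mode ... runs into one dict per item."""
    items = []
    for token, fields in tokens:
        if token == "item":
            items.append({"item": fields[0]})
        elif items and token in ("name", "inode", "dev", "mode", "ouid", "ogid", "rdev"):
            items[-1][token] = fields[0] if fields else ""
    return items


def summarize(line):
    """Pull out the fields a follow-on filter or SIEM rule would key on."""
    header, tokens = parse_snare_event(line)
    return {
        "host": header[0],
        "criticality": header[2],
        "syscall": first_field(tokens, "event"),
        "time": first_field(tokens, "event", 1),
        "user": first_field(tokens, "uid", 1),        # uid,<number>,<name>
        "exe": first_field(tokens, "exe"),
        "success": first_field(tokens, "success") == "yes",
        "returns": [f[0] for t, f in tokens if t == "return"],  # repeated token kept
        "items": path_items(tokens),
    }
```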