Guide to Snare for Linux v4.
Guide to Snare for Linux © 1999-2014 Intersect Alliance Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct, or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance Pty Ltd.
About this guide

This guide introduces you to the functionality of the Snare Agent for the Linux operating system. Snare for Linux provides an event auditing subsystem for the Linux operating system, and facilitates objective-based filtering and remote audit event delivery. Snare for Linux also allows a security administrator to fully control the application remotely through a standard web browser, if so desired.
1 Introduction

The team at InterSect Alliance have experience with auditing and intrusion detection on a wide range of platforms - Solaris, Windows, Android, AIX, even MVS (ACF2/RACF) - and across a wide range of IT security environments, such as National Security and Defence Agencies, Financial Service firms, Government Departments and Service Providers.
2 Overview of Snare for Linux

Snare operates through the actions of three complementary components:
• The native Linux audit subsystem
• The user-space audit daemon (auditd)
• The Snare 'dispatcher' applications.
The audit daemon and kernel component act in concert to configure the underlying audit subsystem and extract events of interest from the operating system.
3 Installing and running Snare

3.1 Snare installation

• An appropriate Linux Distribution
• The snarelinux package, available for Enterprise customers from the Snare Secure Area at https://www.intersectalliance.com.
Install the Snare for Linux binary RPM package. To install the Snare package perform the following:
1. Download the required RPM or DEB.
2. Logon as root user, i.e. at the command prompt enter the command /bin/su and enter the root password when prompted.
3.2 Audit configuration

The Snare configuration is stored as /etc/audit/snare.conf (for SuSE 10 and 11 users the location is /etc/snare.conf). This file contains all the details Snare requires to configure the audit subsystem and execute successfully. The configuration in /etc/audit/snare.conf can be changed either:
• directly
Care should be taken if manually editing the snare.conf configuration file to ensure that it conforms to the format required by the audit daemon.
4 The Remote Control Interface

The Remote Control Interface is accessible by entering http://localhost:6161 in the web browser, as shown in Figure 1. The Remote Control Interface is turned on by default, and is also password protected for security reasons. The default username and password are:
Username: snare
Password: snare
Figure 1: The Remote Control Interface - View Status
Note: The password is not encrypted at this time.
Note: Red Hat users will need to ensure the following in order to access the remote control interface:
• the firewall rule allows access to the agent;
• SELinux is disabled or set to permissive mode.
The Remote Control Interface provides a number of capabilities including:
● Network Configuration
● Remote Control Configuration
● Objectives Configuration
● Viewing Recent Events
● Displaying User and Group metadata.
4.1 Network Configuration

To set the audit configuration parameters, select the 'Network Configuration' link.
Figure 2: Configure the network settings
The configuration parameters available are as follows, as displayed in Figure 2:
• Override detected hostname with: Can be used to override the name that is given to the host. Unless a different name is required to be sent in the processed event log record, leave this field blank.
• Format: Select this option if the event records need to be in a specific format. This feature allows the event log record to be formatted so that it is accepted by a Syslog or a Snare server. Note: The agent will override the specified format in some cases. Specifying port 6161 will force the use of the Snare format. Specifying port 514 will force the use of the Syslog format.
• FileName: Log the output to disk as well as the network.
4.2 Remote Control Configuration

The Snare for Linux agent can be controlled remotely by administrators, if required. Remote control is enabled by default. The remote control page is displayed in Figure 3.
Figure 3: Configure the Remote Control
The parameters which may be set for remote control operation include:
• Restrict remote control of SNARE agent to certain hosts: By default Snare allows any IP address to connect to the remote control interface.
• Web Server Port: An optional port that the Remote Control Interface listens on can be specified. Users of the Snare Server should generally leave this as 6161, in order to take advantage of the Snare Server's user and group audit capabilities.
To save and set changes to these settings, and to ensure the audit daemon has received the new configuration, perform the following:
1. Click on Change Configuration to save any changes.
2.
4.3 Objectives configuration

Snare's ability to filter events is accomplished via the auditing 'objectives' capability. The term 'objective' is used within Snare Agents to describe an auditing goal. It is generally made up of the events that Snare should watch for, a filter term containing a 'token', and a criticality level. See Figure 4.
Event Objectives

Select 'Add' to insert an objective or 'Modify' to edit an objective. Generally the order of objectives is not important.
Figure 5: Adding/Modifying a Syscall Objective
The following parameters may be set, as displayed in Figure 5:
• Identify the high level event: Each of the objectives provides a high level of control over which events are selected and reported.
• Administration Related Events: reboot,settimeofday,clock_settime,setdomainname,sethostname
• Login/Logout events: login_start,login_auth,logout
In addition, any event that can be generated by the audit subsystem can be specified (comma separated) by using the 'Any Event(s)' high level group.
• Select the REGEX Match Type: Select to either include the regex match in the search or exclude the regex match set below.
• Regex Match: A filter term the objective should match. For example .*data.* would cause the objective to match the word 'data' anywhere in the whole string. To use multiple matches, use the vertical bar symbol (|), which acts as the OR operator. Complex matches such as the following are possible.
File Watches

File watches are somewhat different to event filters. Rather than asking the kernel to report on all file activity, a 'file watch' causes Snare to ask the kernel to 'tag' certain files or directories, and only generate file-related events when activity associated with those particular files or directories occurs.
• Select the REGEX Match Type: Select to either include the regex match in the search or exclude the regex match set below.
• Regex String Match: A filter term the objective should match. For example .*root.* would cause the objective to match the word 'root' anywhere in the whole string. The regex format is the same basic format as discussed in the objective section above.
• Select the Alert Level: The criticality levels are Critical, Priority, Warning, Information and Clear.
4.4 Display of Latest Events / Destination Status

A small rotating cache of audit events is kept by the Snare for Linux web server. Clicking on the Latest Events menu item will display twenty of the most recent events, as displayed in Figure 7.
Figure 7: Display the latest events
Additionally this page shows the status of each Destination that was configured for logging. An example of this destination status is: 10.1.1.
◦ INITIAL - The remote log location is about to begin setup
◦ RESOLVING - DNS resolution for a hostname is occurring
◦ RESOLVE_DELAY(x) - DNS resolution failed; a retry will occur in X seconds
◦ CONNECTING - Snare is trying to connect to the destination
◦ CONNECT_FAILED - The connection to the destination failed
◦ CONNECT_DELAY(x) - Connecting to the remote end failed; it will be retried in X seconds
◦ CONNECTED - Snare has an active connection to the destination
4.5 List Displays

A list of Users, Groups, Group Members, Logins and Reboots may be displayed by selecting the appropriate link in the menu.
© InterSect Alliance, September 2014 Page 22 of 30 Version 4.
5 Snare Server

The Snare Server is a log collection, analysis, reporting, forensics, and storage appliance that helps you meet departmental, organisational, industry, and national security requirements and regulations. It integrates closely with the industry standard Snare agents to provide a cohesive, end-to-end solution for your log-related security requirements.
Some of the key features of the Snare Server include:
• Ability to collect any arbitrary log data, either via UDP or TCP
• Secure, encrypted channel for log data using TLS/SSL
• Proven technology that works seamlessly with the Snare agents
• Snare reflector technology that allows for all collected events to be sent, in real time, to a standby/backup Snare Server, or a third party collection system
• Ability to continuously collect large numbers of events.
6 About InterSect Alliance

Intersect Alliance, part of the Prophecy International Holdings Group, is a team of leading information technology security specialists. In particular, Intersect Alliance are noted leaders in key aspects of IT Security, including host intrusion detection. Our solutions have been, and continue to be, used in the most sensitive areas of Government and business sectors.
Appendix A - Configuration File Description

The purpose of this section is to discuss the parameter settings of the configuration file. The Snare configuration file is located at /etc/audit/snare.conf, and this location may not be changed. If the configuration file does not exist, the audit daemon will not actively audit events until a correctly formatted configuration file is present. Snare can be configured in several different ways, namely:
a.
[Remote]
This section allows you to specify settings relating to the Remote Control Interface used to control Snare.
allow=[1|0]  Turn the Remote Control Interface on or off.
listen_port=6161  Set the port that the Snare for Linux agent should listen on.
accesskey_enabled=on  A password is required to be set.
accesskey=md5password  MD5 checksum of the password used to protect the embedded web server.
restrict_ip_enabled=0  Restrict the Remote Control Interface to an IP.
[Objectives]
This section describes the format of the objectives. Objectives are composed of:
1. Criticality - an integer between 0 and 4 that indicates the severity of the event. 0 is 'clear', 4 is 'critical'. Any integer less than 0 will cause the line to be rejected.
2. The match function, which is either an include match (match="") or an exclude match (match!=""). The value follows standard regular expression format.
3.
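As an added example (not code from this guide and not Snare's own parser), the following Python script reads a constructed snare.conf, validates [Objectives] entries against the criticality and match/match!= rules described above, evaluates an include and an exclude regex (including the vertical bar OR operator from section 4.3) against sample event text, and lints the [Remote] keys for weak settings. The one-line objective layout criticality=N match="regex" and the assumption that accesskey holds the lowercase hex MD5 of the password are made for illustration only and are not the documented snare.conf syntax.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample configuration, not a real snare.conf. The [Remote] keys are
# the ones the guide documents; the one-line objective layout
# (criticality=N match="regex" or match!="regex") is assumed for this example.
SAMPLE_CONF = f"""
[Remote]
allow=1
listen_port=6161
accesskey_enabled=on
accesskey={hashlib.md5(b"snare").hexdigest()}
restrict_ip_enabled=0

[Objectives]
criticality=4 match=".*(passwd|shadow).*"
criticality=1 match!=".*/var/log/.*"
criticality=-1 match=".*"
criticality=2 match="[unclosed"
"""

OBJECTIVE_RE = re.compile(r'^criticality=(-?\d+)\s+match(!?)="(.*)"$')


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split an INI-style file into {section name: [non-empty lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_objectives(lines: List[str]) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Return (accepted objectives, rejected (line, reason) pairs).

    A criticality outside 0..4 or a regex that does not compile rejects the
    line, mirroring the guide's rule that a bad criticality rejects the line.
    """
    accepted, rejected = [], []
    for line in lines:
        m = OBJECTIVE_RE.match(line)
        if not m:
            rejected.append((line, "unrecognised objective layout"))
            continue
        crit, exclude, pattern = int(m.group(1)), m.group(2) == "!", m.group(3)
        if not 0 <= crit <= 4:
            rejected.append((line, "criticality must be between 0 and 4"))
            continue
        try:
            regex = re.compile(pattern)
        except re.error as err:
            rejected.append((line, f"invalid regex: {err}"))
            continue
        accepted.append({"criticality": crit, "exclude": exclude, "regex": regex})
    return accepted, rejected


def objective_matches(obj: dict, event_text: str) -> bool:
    """An include objective fires when its regex matches; an exclude
    objective (match!=) fires when its regex does not match."""
    hit = obj["regex"].search(event_text) is not None
    return (not hit) if obj["exclude"] else hit


def lint_remote(lines: List[str]) -> List[str]:
    """Flag weak Remote Control Interface settings using the [Remote] keys."""
    kv = dict(line.split("=", 1) for line in lines if "=" in line)
    findings: List[str] = []
    if kv.get("allow") != "1":
        return findings  # interface is off, nothing exposed
    if kv.get("accesskey_enabled", "").lower() not in ("on", "1"):
        findings.append("remote control enabled without a password")
    if kv.get("restrict_ip_enabled", "0") != "1":
        findings.append("remote control reachable from any IP address")
    # Assumption: accesskey stores the lowercase hex MD5 of the password, so the
    # guide's default password 'snare' can be detected without keeping it in clear.
    if kv.get("accesskey") == hashlib.md5(b"snare").hexdigest():
        findings.append("default password 'snare' still in use")
    return findings


if __name__ == "__main__":
    sections = parse_sections(SAMPLE_CONF)
    ok, bad = parse_objectives(sections.get("Objectives", []))
    for line, reason in bad:
        print(f"rejected: {line!r} ({reason})")
    for finding in lint_remote(sections.get("Remote", [])):
        print(f"finding: {finding}")
```

Run the script directly to print the rejected objectives and the lint findings for the embedded sample; point parse_sections at the contents of a real /etc/audit/snare.conf to lint the [Remote] section of a deployed agent.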
Shown below is an example /etc/audit/snare.conf file. It is an example file only, and should NOT be used for operational purposes. It has been included to demonstrate the key concepts of formulating a snare.conf file, as discussed above.
Example Version 4.1 snare.
Appendix B - Event Output Format

The Snare dispatcher receives data from the native Linux audit subsystem. The native audit daemon reports data in such a way that:
● It is 'programmatically' difficult to determine how many 'lines' make up an audit event. Some lines can be repeated, with slightly different values.
● You can have multiple, identical tokens for an event (e.g. two "path=" tokens).
● Event lines may be interleaved (i.e.
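As an added example (not part of this guide and not Snare's own dispatcher code), the following Python reassembles multi-line audit daemon output into events. It keys records on the msg=audit(timestamp:serial) stamp, so interleaved lines from different events are kept apart, and it collects every value of a repeated token into a list instead of overwriting it (the guide's two "path=" tokens; the constructed sample uses the name= token that auditd PATH records carry). The sample lines are constructed, and the assumption that each event is closed by an EOE record is made for illustration; anything still pending at the end is returned separately so a caller can flush it on a timeout.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

MSG_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample of raw audit daemon lines (not captured from a real host).
# Event 101 spans SYSCALL, CWD and two PATH records, its lines are interleaved
# with event 102, and it carries the name= token twice.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1411000000.123:101): arch=c000003e syscall=2 success=yes exit=3 uid=0 auid=1000 comm="cat" exe="/bin/cat" key="etc-watch"',
    'type=CWD msg=audit(1411000000.123:101): cwd="/root"',
    'type=PATH msg=audit(1411000000.123:101): item=0 name="/etc/" inode=2 mode=040755',
    'type=SYSCALL msg=audit(1411000000.124:102): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="id" exe="/usr/bin/id"',
    'type=PATH msg=audit(1411000000.123:101): item=1 name="/etc/shadow" inode=1234 mode=0100640',
    'type=EOE msg=audit(1411000000.123:101): ',
    'type=EXECVE msg=audit(1411000000.124:102): argc=1 a0="id"',
    'type=EOE msg=audit(1411000000.124:102): ',
]


def parse_record(line: str) -> Optional[Tuple[str, str, int, Dict[str, List[str]]]]:
    """Split one raw line into (record type, timestamp, serial, {token: [values]}).
    Repeated tokens are appended, never overwritten."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    tokens: Dict[str, List[str]] = {}
    for key, value in TOKEN_RE.findall(rest):
        tokens.setdefault(key, []).append(value.strip('"'))
    return rtype, ts, int(serial), tokens


def assemble_events(lines: List[str]) -> Tuple[List[dict], List[dict]]:
    """Group records into events keyed by (timestamp, serial).

    An event is moved to the completed list when its EOE record arrives
    (assumption for this example); records that never see an EOE remain
    pending so the caller can flush them after a timeout.
    """
    pending: "OrderedDict[Tuple[str, int], dict]" = OrderedDict()
    completed: List[dict] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # not an audit record; a real dispatcher would log it
        rtype, ts, serial, tokens = rec
        key = (ts, serial)
        event = pending.setdefault(
            key, {"timestamp": ts, "serial": serial, "types": [], "tokens": {}})
        if rtype == "EOE":
            completed.append(pending.pop(key))
            continue
        event["types"].append(rtype)
        for name, values in tokens.items():
            event["tokens"].setdefault(name, []).extend(values)
    return completed, list(pending.values())


def summarise(event: dict) -> str:
    """One-line view of an assembled event: who ran what against which paths."""
    t = event["tokens"]
    return "serial=%d auid=%s exe=%s names=%s" % (
        event["serial"],
        ",".join(t.get("auid", ["?"])),
        ",".join(t.get("exe", ["?"])),
        "|".join(t.get("name", [])),
    )


if __name__ == "__main__":
    done, left = assemble_events(SAMPLE_LINES)
    for ev in done:
        print(summarise(ev))
    print(f"{len(left)} event(s) still pending")
```

Feeding the script the raw lines from the audit daemon's log shows the grouping directly: event 101 comes out with four record types and both of its name= values, even though event 102 was reported in the middle of it.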