Specifications

Guide to Snare for Linux
4.3 Objectives configuration
Snare's ability to filter events is accomplished via the auditing 'objectives' capability. The term
'objective' is used within Snare Agents to describe an auditing goal. It is generally made up of events
that Snare should watch for, a filter term containing a 'token' and a criticality level. See Figure 4.
The objective configuration page supplied as part of the web-based remote control is intended as a
way to enable users to commence audit functions reasonably quickly. For power users, a far more
powerful and functional way is to manually control the /etc/audit/snare.conf file. This is described
in more detail in Appendix A (Configuration File Description), and is intended for users who have a
very detailed knowledge of Linux administration and security. It is NOT recommended for novice
users.
Figure 4: Display the Set objectives
Snare for Linux has two ways of auditing file-related events: event (syscall) objectives and/or file
watches. Either or both can be employed depending on your requirements.
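To make the two concepts above concrete, the following is an added illustrative model, written for this page and not taken from Snare or its snare.conf format: an "objective" is modelled as a set of syscalls to watch, a filter token matched against the event path, and a criticality label; a "file watch" is modelled as a path prefix that reports any access regardless of syscall. The class names, the criticality labels and the sample audit events are all constructed for the example; Snare's real objective syntax is documented in Appendix A.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Objective:
    """Illustrative model of an auditing objective (not Snare's format):
    the syscalls to watch, a filter token that must appear in the event
    path, and a criticality label attached to matching events."""
    name: str
    syscalls: FrozenSet[str]
    token: str
    criticality: str


@dataclass(frozen=True)
class FileWatch:
    """Illustrative model of a file watch: any syscall touching a path
    under the prefix is reported, so no syscall list is needed."""
    path_prefix: str
    criticality: str


@dataclass(frozen=True)
class AuditEvent:
    """Minimal constructed audit record: syscall name, target path,
    acting uid and whether the call succeeded."""
    syscall: str
    path: str
    uid: int
    success: bool


def matches_objective(obj: Objective, ev: AuditEvent) -> bool:
    # Both conditions must hold: the syscall is one we watch AND the
    # filter token appears in the path. The token is what keeps a broad
    # syscall like openat from flooding the log.
    return ev.syscall in obj.syscalls and obj.token in ev.path


def matches_watch(watch: FileWatch, ev: AuditEvent) -> bool:
    # A file watch ignores the syscall and keys purely on location.
    return ev.path.startswith(watch.path_prefix)


def evaluate(events: List[AuditEvent],
             objectives: List[Objective],
             watches: List[FileWatch]) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, criticality) for every hit.
    An event may hit several rules; each hit is reported separately."""
    hits: List[Tuple[int, str, str]] = []
    for idx, ev in enumerate(events):
        for obj in objectives:
            if matches_objective(obj, ev):
                hits.append((idx, obj.name, obj.criticality))
        for watch in watches:
            if matches_watch(watch, ev):
                hits.append((idx, "watch:" + watch.path_prefix, watch.criticality))
    return hits


def summarise(hits: List[Tuple[int, str, str]]) -> dict:
    """Count hits per criticality label, the view an analyst triages from."""
    counts: dict = {}
    for _, _, crit in hits:
        counts[crit] = counts.get(crit, 0) + 1
    return counts


# Constructed rules for the example. Labels "critical"/"warning" are
# chosen here for illustration only.
OBJECTIVES = [
    Objective("passwd-changes", frozenset({"open", "openat", "write"}), "/etc/passwd", "critical"),
    Objective("shadow-reads", frozenset({"open", "openat"}), "/etc/shadow", "critical"),
    Objective("tmp-execs", frozenset({"execve"}), "/tmp/", "warning"),
]
WATCHES = [FileWatch("/etc/ssh/", "warning")]

# Constructed sample events (not real system output).
EVENTS = [
    AuditEvent("openat", "/etc/passwd", 0, True),             # objective hit
    AuditEvent("openat", "/home/alice/notes.txt", 1000, True),  # no rule
    AuditEvent("execve", "/tmp/build.sh", 1000, True),         # objective hit
    AuditEvent("openat", "/etc/ssh/sshd_config", 0, True),     # file watch hit
    AuditEvent("read", "/etc/shadow", 0, False),               # syscall not watched
]

if __name__ == "__main__":
    for idx, rule, crit in evaluate(EVENTS, OBJECTIVES, WATCHES):
        ev = EVENTS[idx]
        print(f"[{crit}] {rule}: uid={ev.uid} {ev.syscall} {ev.path}")
    print(summarise(evaluate(EVENTS, OBJECTIVES, WATCHES)))
```

The last event shows why the distinction matters: a read of /etc/shadow slips past an objective whose syscall list only names open and openat, whereas a file watch on the same path would have caught it. Choosing between the two (or combining them, as the text allows) is a trade-off between precision and coverage.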
© InterSect Alliance, September 2014 Page 14 of 30 Version 4.1