Specifications
Guide to Snare for Linux
• Administration Related Events: reboot,settimeofday,clock_settime,setdomainname,sethostname
• Login/Logout events: login_start,login_auth,logout
In addition, any event that can be generated by the audit subsystem can be specified
(comma separated) by using the 'Any Event(s)' high level group.
Tip: Turning on file-related events can produce a very high volume of audit events on some
systems, and therefore result in a considerable amount of CPU time being used by Snare and
the audit subsystem.
• Syscall List: If 'Any Event(s)' is selected as the high level event, then add a comma separated
list of audit events to search for.
• Audit Filter Term(s): A filter term containing a 'token' which appears within the events of
interest, and the search criteria that Snare should use to include or exclude the event. For
example, a search term of: /etc/.* would match any event which mentions any file in
/etc. Another example:
localhost.localdomain LinuxKAudit Criticality,2 event,execve,20130725 11:03:29
sequence,524 uid,500,george gid,500,george euid,500,george egid,500,george
process,,"/bin/uname" return,0,yes name,"/bin/uname" 1374714209.448:524):
arch,x86_64 syscall,59,execve success,yes return,0 a0,3190f70 a1,3191040
a2,318d4b0 a3,8 items,2 ppid,3214 pid,3236 auid,500,george uid,500,george
gid,500,george euid,500,george suid,500,george fsuid,500,george egid,500,george
sgid,500,george fsgid,500,george tty,pts1 ses,1 comm,"uname" exe,"/bin/uname"
key,"obj-2-0" argc,1 a0,"uname" cwd,"/home/george" item,0 name,"/bin/uname"
inode,21430336 dev,fd:00 mode,0100755 ouid,0,root ogid,0,root rdev,00:00 item,1
The “auid” token in the event above could be used to select only events where the “auid” (the 'audit'
ID) is a certain value, in this case “auid,500,george”, or a more general term, such as
“george”.
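The following added example (not code from the Snare product or this guide) illustrates how include/exclude filter terms behave when applied as regular expressions to raw event text of the layout shown above, and why the specific “auid,500,george” token is safer than the loose term “george”, which also hits any event that merely mentions george's home directory. The sample events are constructed and the function names are the author's own.

```python
import re

# Constructed sample events laid out like the Snare LinuxKAudit record above
# (whitespace-separated "key,value[,value]" tokens); not real captured data.
SAMPLE_EVENTS = [
    'localhost.localdomain LinuxKAudit Criticality,2 event,execve,20130725 11:03:29 '
    'sequence,524 auid,500,george uid,500,george comm,"uname" exe,"/bin/uname" '
    'name,"/bin/uname" cwd,"/home/george"',
    'localhost.localdomain LinuxKAudit Criticality,2 event,open,20130725 11:04:02 '
    'sequence,525 auid,0,root uid,0,root comm,"vi" exe,"/usr/bin/vi" '
    'name,"/etc/passwd" cwd,"/home/george"',
    'localhost.localdomain LinuxKAudit Criticality,2 event,open,20130725 11:04:10 '
    'sequence,526 auid,500,george uid,500,george comm,"cat" exe,"/bin/cat" '
    'name,"/etc/hosts" cwd,"/home/george"',
]


def term_matches(event, term):
    """A filter term is treated as a regular expression searched anywhere in
    the raw event text, e.g. '/etc/.*' or 'auid,500,george'."""
    return re.search(term, event) is not None


def select_events(events, include=(), exclude=()):
    """Keep events matching at least one include term (all events if none are
    given), then drop any that also match an exclude term."""
    kept = []
    for ev in events:
        if include and not any(term_matches(ev, t) for t in include):
            continue
        if any(term_matches(ev, t) for t in exclude):
            continue
        kept.append(ev)
    return kept


def field(event, key):
    """Values of the first 'key,...' token, e.g. field(ev, 'auid') -> ['500', 'george']."""
    m = re.search(r'(?:^|\s)' + re.escape(key) + r',(\S+)', event)
    return [v.strip('"') for v in m.group(1).split(',')] if m else None


def sequences(events):
    """Sequence numbers of the given events, handy for checking what a filter kept."""
    return [field(ev, 'sequence')[0] for ev in events]


if __name__ == '__main__':
    # The loose term 'george' also hits root's event via cwd,"/home/george";
    # the auid token pins the match to actions performed under george's audit ID.
    print(sequences(select_events(SAMPLE_EVENTS, include=['george'])))
    print(sequences(select_events(SAMPLE_EVENTS, include=['auid,500,george'])))
    print(sequences(select_events(SAMPLE_EVENTS, include=['/etc/.*'], exclude=['auid,0,root'])))
```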
© InterSect Alliance, September 2014 Page 16 of 30 Version 4.1