The Remote Control Interface is accessible by entering http://localhost:6161 in the web browser as shown in Figure 1. The Remote Control Interface is turned on by default, and also password protected for security reasons. The default username and password are:
Username: snare
Password: snare

Figure 1: The Remote Control Interface - View Status

Note: The password is not encrypted at this time. Ensure you change the default Snare password immediately after installation so that it is encrypted, for security purposes. It is recommended you use a strong, complex password of at least 12 characters. To update the password, go to the Remote Control Configuration page and update the password.

Note: For Red Hat users to access the remote control interface, they will need to ensure:

...

Please note that some options on these pages are only available to users with the purchased Enterprise version. The OpenSource agents will not include any features that are new to this version of the Snare for Linux agent.

Network Configuration

To set the audit configuration parameters, select the 'Network Configuration' link.

Figure 2: Configure the network settings
The configuration parameters available are as follows, as displayed in Figure 2:

...

  1. Click on Change Configuration to save any changes.
  2. Click on the Apply the Latest Audit Configuration menu item. There will be a quick notice that Snare is restarting as displayed below.

Remote Control Configuration

The Snare for Linux agent can be controlled remotely by administrators, if required. Remote control is enabled by default. The remote control page is displayed in Figure 3.

Figure 3: Configure the Remote Control
The parameters which may be set for remote control operation include:

...

  1. Click on Change Configuration to save any changes.
  2. Click on the Apply the Latest Audit Configuration menu item.

Objectives configuration

Snare's ability to filter events is accomplished via the auditing 'objectives' capability. The term 'objective' is used within Snare Agents to describe an auditing goal. It is generally made up of events that Snare should watch for, a filter term containing a 'token' and a criticality level. See Figure 4.
The objective configuration page supplied as part of the web-based remote control is intended as a way to enable users to commence audit functions reasonably quickly. For power users, a far more powerful and functional way is to manually control the /etc/audit/snare.conf file. This is described in more detail in Appendix A - Configuration File Description, and is intended for users who have a very detailed knowledge of Linux administration and security. It is NOT recommended for novice users.

Figure 4: Display the Set objectives
Snare for Linux has two ways of auditing file-related events: event (syscall) objectives and file watches. Either or both can be employed, depending on your requirements.

Event Objectives

Select 'Add' to insert an objective or 'Modify' to edit an objective. Generally the order of objectives is not important.

Figure 5: Adding/Modifying a Syscall Objective
The following parameters may be set as displayed in Figure 5:

...

  • Syscall List: If 'Any Event(s)' is selected as the high level event, then add a comma separated list of audit events to search for.
  • Audit Filter Term(s): A filter term containing a 'token' which appears within the events of interest, and the search criteria that Snare should use to include or exclude the event. For example, a search term of: /etc/.* would match any event which mentions any file in /etc. Another example:

localhost.localdomain LinuxKAudit Criticality,2 event,execve,20130725 11:03:29 sequence,524 uid,500,george gid,500,george euid,500,george egid,500,george process,,"/bin/uname" return,0,yes name,"/bin/uname" 1374714209.448:524): arch,x86_64 syscall,59,execve success,yes return,0 a0,3190f70 a1,3191040 a2,318d4b0 a3,8 items,2 ppid,3214 pid,3236 auid,500,george uid,500,george gid,500,george euid,500,george suid,500,george fsuid,500,george egid,500,george sgid,500,george fsgid,500,george tty,pts1 ses,1 comm,"uname" exe,"/bin/uname" key,"obj-2-0" argc,1 a0,"uname" cwd,"/home/george" item,0 name,"/bin/uname" inode,21430336 dev,fd:00 mode,0100755 ouid,0,root ogid,0,root rdev,00:00 item,1
The token highlighted in red (auid,500,george) could be used to select only events where the "auid" (the audit ID) is a certain value, in this case "auid,500,george", or a more general term, such as "george".

  • Select the REGEX Match Type: Select to either include the regex match in the search or exclude the regex match set below.
  • Regex Match: A filter term the objective should match. For example, .data. would cause the objective to match the word 'data' anywhere in the whole string. To use multiple matches, separate them with the vertical bar symbol (|), which acts as the OR operator.

...

  1. Click on Change Configuration to save any changes.
  2. Click on the Apply the Latest Audit Configuration menu item.
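To show how the Audit Filter Term and Regex Match settings described under Event Objectives behave, here is an added Python example (not Snare's own code) that applies an objective's regex, with the include/exclude match type, to constructed sample events in the LinuxKAudit format shown above; the token_value, objective_matches and select_sequences helpers are assumed names.

```python
import re

# Constructed sample events in the Snare for Linux LinuxKAudit format shown
# above (not the page's own log line), trimmed to a few tokens each.
SAMPLE_EVENTS = [
    'localhost.localdomain LinuxKAudit Criticality,2 event,execve,20130725 11:03:29 '
    'sequence,524 auid,500,george uid,500,george exe,"/bin/uname" name,"/bin/uname"',
    'localhost.localdomain LinuxKAudit Criticality,2 event,execve,20130725 11:04:02 '
    'sequence,525 auid,0,root uid,0,root exe,"/bin/cat" name,"/etc/shadow"',
    'localhost.localdomain LinuxKAudit Criticality,2 event,open,20130725 11:05:11 '
    'sequence,526 auid,500,george uid,500,george exe,"/usr/bin/vim" name,"/home/george/notes.txt"',
]


def token_value(event, name):
    """Return the value following a 'name,' token in a Snare event, e.g.
    token_value(e, 'auid') -> '500,george'. Tokens are space separated."""
    m = re.search(r'(?:^|\s)' + re.escape(name) + r',(\S+)', event)
    return m.group(1) if m else None


def objective_matches(event, regex, match_type="include"):
    """Apply one objective's regex filter term to an event string.
    'include' keeps events where the regex is found anywhere in the event;
    'exclude' keeps events where it is not. A vertical bar inside the regex
    acts as OR, as in the Regex Match field."""
    found = re.search(regex, event) is not None
    if match_type == "include":
        return found
    if match_type == "exclude":
        return not found
    raise ValueError("match_type must be 'include' or 'exclude'")


def select_sequences(events, regex, match_type="include"):
    """Return the sequence numbers of the events an objective would pass."""
    return [token_value(e, "sequence") for e in events
            if objective_matches(e, regex, match_type)]


if __name__ == "__main__":
    print(select_sequences(SAMPLE_EVENTS, r"/etc/.*"))           # ['525']
    print(select_sequences(SAMPLE_EVENTS, r"auid,500,george"))   # ['524', '526']
    print(select_sequences(SAMPLE_EVENTS, r"uname|vim"))         # ['524', '526']
    print(select_sequences(SAMPLE_EVENTS, r"george", "exclude")) # ['525']
```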

File Watches

File watches are somewhat different from event filters. Rather than asking the kernel to report on all file activity, a 'file watch' will cause Snare to ask the kernel to 'tag' certain files or directories, and only generate file-related events when activity associated with those particular files or directories occurs. This generally results in a spectacular drop in resource usage by the Snare and audit processes, as potentially thousands of file-related events per second no longer have to be discarded when they do not match a Snare agent objective. This method does not require that each targeted file or directory exist prior to Snare starting up. Where a directory is specified, Snare will also watch for the creation of new files and directories.
See Figure 6 for configuring a Snare file watch.

Figure 6: Adding/Modifying a File Watch Objective
The following parameters may be set:

...

Note: Depending on your Linux kernel, there may be an issue with the creation/deletion of file watches. This kernel bug occurs if you create a file watch, do not apply the audit configuration, and then delete the file watch, with the result that your operating system locks up. To prevent this issue, ensure you apply the audit configuration after creating a file watch.

Display of Latest Events / Destination Status

A small rotating cache of audit events is kept by the Snare for Linux web server. Clicking on the Latest Events menu item will display twenty of the most recent events as displayed in Figure 7.

Figure 7: Display the latest events
Additionally, this page shows the status for each Destination that was configured for logging. An example of this destination status is: 10.1.1.30:6161 (TCP), status: CONNECTED. This information can be used to help debug potential logging issues. The status can be explained as follows:

...

  • Available
    • Indicates if Snare can use the destination to send logs. A value of 1 indicates that logs can be sent. A value of 0 indicates logs can't be sent.
  • ReadyToSend
    • Indicates if the destination is set up in a state where logs can be sent. For instance, if Snare is already sending to the destination, ReadyToSend will be 0.

4.5 List Displays

A list of Users, Groups, Group Members, Logins and Reboots may be displayed by selecting the appropriate link in the menu.

...