Audit Policy Configuration

Owned by Andrew Madge
Last updated: May 18, 2021 by Svetlana Sheptiy
6 min read

A major function of the Snare system is to filter events.  This is accomplished via the advanced auditing 'audit policies' capability also known as 'objectives' capability in earlier releases.  Any number of audit policies may be specified and are displayed on the Audit Policy Configuration page.  By default a set of audit policies is available with the Snare Enterprise Agent for Windows installation.

Audit Policy

To create a new audit policy click Add, or to view/edit an existing audit policy select Modify.  The following parameters may be set:


  • Identify the high level event: Each of the audit policies provides a high level of control over which events are selected and reported. Events are selected from a group of high level requirements, and further refined using selected filters. Events are generally grouped into the following:

    High Level EventCommands
    Start or stop program executionexecve,fork,exit,kill,tkill,tgkill
    Open a file/dir for reading or writingopen,close
    Change a file or directory attributefchmod,chmod,fchmodat,chown,lchown, fchown,fchownat
    Remove a file or directoryrmdir, unlink
    Mount a new filesystemmount, umount2
    Change user or group identitysetfsuid,setuid,setreuid,setfsgid,setregid,setgid,setresgid
    Administration Related Eventsreboot,settimeofday,clock_settime,setdomainname, sethostname
    Login/Logout eventslogin_start,login_auth,logout

    Login/Logout & Authentication events rely on userspace programs sending events to the audit subsystem. Not all distributions are configured to do this.

The above groups are provided to service the most common security audit policies that are likely to be encountered.  If Any Event is selected as the high level event, then add a comma separated list of audit events to search for.

The following filters can be applied to incoming audit events:

  • Event Source. If the high level event Any event is selected, then the user is able to filter by specifying the source that caused the event to occur. If multiple event sources are required, the user may enter the event source name as a comma separated string. For example: swapon, swapoff.
    Using the wildcard character '*' will select all events. Use the wildcard with caution since ALL events will be collected and passed to the remote host. For all other high level events, this field is ignored and automatically managed by the agent.

  • Audit Filter Term. A filter term containing a 'token' which appears within the events of interest, and the search criteria that Snare should use to include or exclude the event. For example, a search term of: /etc/.* would match any event which mentions any file in /etc. Another example:

    localhost.localdomain LinuxKAudit Criticality,2 event,execve,20130725 11:03:29 sequence,524 uid,500,maria gid,500,maria euid,500,maria egid,500,maria process,,"/bin/uname" return,0,yes name,"/bin/uname" 1374714209.448:524): arch,x86_64 syscall,59,execve success,yes return,0 a0,3190f70 a1,3191040 a2,318d4b0 a3,8 items,2 ppid,3214 pid,3236 auid,500,maria uid,500,maria gid,500,maria euid,500,maria suid,500,maria fsuid,500,maria egid,500,maria sgid,500,maria fsgid,500,maria tty,pts1 ses,1 comm,"uname" exe,"/bin/uname" key,"obj-2-0" argc,1 a0,"uname" cwd,"/home/maria" item,0 name,"/bin/uname" inode,21430336 dev,fd:00 mode,0100755 ouid,0,root ogid,0,root rdev,00:00 item,1

    The token highlighted in red could be used to only select events where the "auid" (the 'audit' ID) is a certain value, in this case "audit,500,maria" or a more general term, such as "maria".

  • Regular Expression Match Type: The user may select whether to include or exclude events that match this audit policy by selecting the Include or Exclude radio buttons. If an audit policy is set to 'Exclude', matching event logs will be immediately discarded.
  • Regular Expression Match: A filter term the audit policy should match. For example .data. would cause the audit policy to match the word 'data' in the whole string. To use multiple matches use the virtual bar symbol which will act as the OR operator. 
    Complex matches are possible. For example to include/exclude various commands from the log output use the following syntax: ./bin/grep.|./bin/bash.|./bin/sleep.|./usr/bin/wc.|./usr/bin/cut.|./usr/bin/expr.|./usr/bin/bc.|./usr/bin/du.|./usr/bin/tail.|./usr/bin/head.|./usr/bin/sum.|./usr/bin/who.
    It is recommended to perform all the excludes for a particular high level event in one audit policy 
  • Select the Alert Level.  A criticality level may be assigned to enable the Snare user to designate audit events to their most pressing business security objectives, and to quickly identify the level of importance via the criticality options in the drop down list.  The Latest Events page will highlight the event in the selected Snare criticality color assigned to your audit policy . User can choose the criticality level depending on the destination the event is being sent. There are options to assign criticality for each destination based on the format Snare, Syslog, CEF or LEEF. Each of these criticalites is then assigned to the event. While sending to the destination, specific criticality is assigned to the final event string depending on the destination type ie Snare, Syslog, CEF or LEEF.
    • Snare - Critical, Priority, Warning, Information, Clear
    • Syslog - Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
    • CEF - 0 - 10, 0 is least severe and 10 is most severe.
    • LEEF - 1 - 10, 1 is least severe and 10 is most severe.

Filters

Audit Policy filters support negative values. This is useful when you are only interested in events from system calls with specific return values. For example, an audit policy to collect unauthorised file accesses for all users and root could set the Audit Filter Term to:

exit=-EPERM,auid>=500,auid!=4294967295

To save and set the changes to the above settings, and to ensure the audit daemon has received the new configuration perform the following:

  1. Click on Change Configuration to save any changes to the registry.
  2. Click on the Apply Configuration & Restart Service menu item.


Tip

Audit Policies will be processed by the agent in the order they appear, that is, top to bottom. Use the up and down arrows in the Order column to reorganize your audit policies into the appropriate order.

Place any Exclude audit policies (where you are excluding an Event ID) at the top of the list to ensure unwanted events are discarded.

File Watches

File watches are somewhat different to event filters. Rather than asking the kernel to report on all file activity, a 'file watch' will cause Snare to ask the kernel to 'tag' certain files, or directories, and only generate file-related events when activity associated with those particular files or directories, occur. This generally results in a spectacular drop in resource usage by the Snare and audit processes, as potentially thousands of file-related events-per-second no longer have to be discarded when they do not match a Snare agent audit policy. This method does not require that each targeted file or directory exist prior to Snare starting up. Where a directory is specified, Snare will also watch for the creation of new files and directories.


Parameters to set are as follows:

  • File watch path: Any file or directory, currently existing or not, can be specified. In order not to generate too many events, it is strongly recommended that file watches be set on the exact directory(ies) of choice, with as few permissions as possible. It is far more desirable to use file watches to monitor accesses to files and directories, than to use syscall/event filters.
  • Permissions to trigger an event: A file watch is associated with monitoring four types of permissions, namely rwxa. These are read (r), write (w), execute (x) or attributes (a). A file MUST be specified with a minimum of 1 and a maximum of 4 permissions.
  • Regular Expression Match: A filter term the audit policy should match. For example .root. would cause the audit policy to match the word 'root' in the whole string. The Regex format uses the same basic format as discussed in the audit policy section above.
  • Select the Alert Level.   A criticality level may be assigned to enable the Snare user to designate audit events to their most pressing business security audit policies, and to quickly identify the level of importance via the criticality options in the drop down list.  The Latest Events page will highlight the event in the selected Snare criticality color assigned to your audit policy. User can choose the criticality level depending on the destination the event is being sent. There are options to assign criticality for each destination based on the format Snare, Syslog, CEF or LEEF. Each of these criticalites is then assigned to the event. While sending to the destination, specific criticality is assigned to the final event string depending on the destination type ie Snare, Syslog, CEF or LEEF.
    • Snare - Critical, Priority, Warning, Information, Clear
    • Syslog - Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
    • CEF - 0 - 10, 0 is least severe and 10 is most severe.
    • LEEF - 1 - 10, 1 is least severe and 10 is most severe.

To save and set the changes to the above settings, and to ensure the audit daemon has received the new configuration perform the following:

  1. Click on Change Configuration to save any changes to the registry.
  2. Click on the Apply Configuration & Restart Service menu item.