Overview of Snare for OSX
Snare operates through the actions of three complementary components:
- The native OSX audit subsystem
- The user-space audit daemon (auditd)
- The Snare 'dispatcher' applications.
The audit daemon and the kernel audit subsystem act in concert to configure auditing and to extract events of interest from the operating system.
Snare for OSX runs as an 'audit dispatcher' application: auditd hands it the raw audit records, Snare directs auditd to filter out the events you are not interested in, reformats the events that remain into a form better suited to follow-on processing, and delivers the result to one or more remote systems over the network.
Snare formats the audit log data into a series of 'tokens'. Two different field separators are used in order to facilitate follow-on processing: TABS separate tokens, and COMMAS separate the fields within each token. This format is further discussed in the section on the Snare output format. The result is that a raw event, as processed by Snare, may appear as follows (in the printed example the TAB separators between tokens are rendered as ordinary spaces):
snares-MacBook-Air.local AppleBSM 1 header,283,11,open(2) - write,0,Wed Mar 19 10:44:32 2014, + 857 msec argument,2,0x1,flags path,/Users/snare/Library/Saved Application State/com.apple.Safari.savedState/data.data path,/Users/snare/Library/Saved Application State/com.apple.Safari.savedState/data.data attribute,100600,snare,staff,16777218,713775,0 subject,snare,snare,staff,snare,staff,231,100003,50331650,0.0.0.0 return,success,25 trailer,283 snareseq,11076
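The following parser is an added example and is not Snare's own code. It reconstructs the event above with real TAB characters between tokens (a constructed sample, since the printed copy has lost the tabs), splits each token on commas, and pulls out the fields a downstream consumer usually wants: the event name from the header token, the path tokens, the subject token and the return token. The leading 'AppleBSM' and '1' fields, the position of the event name inside the header token, and the field layout of the subject token are taken from the sample and from the BSM audit record format rather than from this page, and the functions that rely on them are marked as assumptions. The sequence-gap check at the end uses the snareseq token to spot dropped events between two consecutive records; the second record is constructed for that purpose.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample, modelled on the page's example event, with the TAB
# separators restored. Tokens are TAB separated, fields inside a token are
# COMMA separated; note that header fields may legitimately contain spaces.
SAMPLE_EVENT = "\t".join([
    "snares-MacBook-Air.local",
    "AppleBSM",
    "1",
    "header,283,11,open(2) - write,0,Wed Mar 19 10:44:32 2014, + 857 msec",
    "argument,2,0x1,flags",
    "path,/Users/snare/Library/Saved Application State/com.apple.Safari.savedState/data.data",
    "path,/Users/snare/Library/Saved Application State/com.apple.Safari.savedState/data.data",
    "attribute,100600,snare,staff,16777218,713775,0",
    "subject,snare,snare,staff,snare,staff,231,100003,50331650,0.0.0.0",
    "return,success,25",
    "trailer,283",
    "snareseq,11076",
])

# Second constructed record: same shape, sequence number 11078, so that 11077
# is missing and the gap check below has something to find.
SAMPLE_EVENT_NEXT = SAMPLE_EVENT.replace("snareseq,11076", "snareseq,11078")


@dataclass
class SnareEvent:
    host: str
    source: str          # "AppleBSM" in the sample
    third_field: str     # "1" in the sample; its meaning is not stated on this page
    # token name -> list of field lists; a list because tokens such as
    # 'path' can occur more than once in a single event
    tokens: Dict[str, List[List[str]]] = field(default_factory=dict)


def parse_snare_event(line: str) -> SnareEvent:
    """Split a Snare for OSX event: TABs between tokens, COMMAs within."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 4:
        raise ValueError("expected host, source, third field and at least one token")
    host, source, third, *token_fields = fields
    ev = SnareEvent(host, source, third)
    for tf in token_fields:
        name, *values = tf.split(",")   # first comma field names the token
        ev.tokens.setdefault(name, []).append(values)
    return ev


def event_name(ev: SnareEvent) -> str:
    # Assumption from the sample: the event name is the third header field.
    return ev.tokens["header"][0][2]


def paths(ev: SnareEvent) -> List[str]:
    return [v[0] for v in ev.tokens.get("path", [])]


def subject(ev: SnareEvent) -> Dict[str, str]:
    # Assumption: BSM subject token layout (audit user, euid, egid, ruid, rgid,
    # pid, session id, terminal port, terminal address). Not stated on this page.
    keys = ["audit_user", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid_port", "tid_addr"]
    return dict(zip(keys, ev.tokens["subject"][0]))


def outcome(ev: SnareEvent) -> Tuple[str, str]:
    status, value = ev.tokens["return"][0][:2]
    return status, value


def sequence(ev: SnareEvent) -> int:
    return int(ev.tokens["snareseq"][0][0])


def is_successful_write(ev: SnareEvent) -> bool:
    """A simple follow-on filter: successful open-for-write events."""
    return "write" in event_name(ev) and outcome(ev)[0] == "success"


def missing_sequences(events: List[SnareEvent]) -> List[int]:
    """Sequence numbers absent between consecutive events (dropped records)."""
    seqs = sorted(sequence(e) for e in events)
    return [n for a, b in zip(seqs, seqs[1:]) for n in range(a + 1, b)]


if __name__ == "__main__":
    ev = parse_snare_event(SAMPLE_EVENT)
    print(event_name(ev), subject(ev)["audit_user"], paths(ev)[0], outcome(ev))
    print("missing:", missing_sequences([ev, parse_snare_event(SAMPLE_EVENT_NEXT)]))
```

Because tokens are separated by TABs and not by whitespace in general, the parser must split on the literal tab character; splitting on whitespace would break the header token apart at 'open(2) - write' and at the timestamp.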
Snare also incorporates a tiny embedded web server, the Remote Control Interface, which allows administrators to remotely control which events are collected and reported. The Remote Control Interface also provides information on users, groups, and group membership on the local machine, which can be used to satisfy various regulatory security requirements.