About InterSect Alliance Linux

Intersect Alliance, part of the Prophecy International Holdings Group, is a team of leading information technology security specialists. In particular, Intersect Alliance are noted leaders in key aspects of IT Security, including host intrusion detection. Our solutions have been, and continue to be, used in the most sensitive areas of government and business.
Intersect Alliance intend to continue releasing tools that enable users, administrators and clients worldwide to achieve a greater level of productivity and effectiveness in the area of IT Security, by simplifying, abstracting and/or solving complex security problems.
Intersect Alliance welcomes and values your support, comments, and contributions.
For more information on the Enterprise Agents, Snare Server and other Snare products and licensing options, please contact us as follows:
The Americas +1 (800) 834 1060 Toll Free | +1 (303) 771 2666 Denver
Asia Pacific +61 8 8213 1200 Adelaide Australia
Europe and the UK +44 (797) 090 5011
Email intersect@intersectalliance.com
Visit www.intersectalliance.com

Configuration File Description

The purpose of this section is to discuss the parameter settings of the configuration file. The Snare configuration file is located at /etc/audit/snare.conf, and this location cannot be changed. If the configuration file does not exist, the audit daemon will not actively audit events until a correctly formatted configuration file is present.
Snare can be configured in several different ways, namely:
a. Via the embedded web server (recommended for novice users), or
b. By manually editing the configuration file (recommended for advanced users).
The format of the audit configuration file is discussed below. Any line beginning with "#" is treated as a comment and ignored. Any number of tabs or spaces may be used around settings. Section headers such as [Config] must be enclosed in square brackets.

[Config]

This section allows you to specify settings relating to the operation of the Snare agent.

clientname=override

The hostname of the client. If no hostname is set, the value of "hostname --fqdn" will be used.

set_audit=[1|0]

This value determines if Snare should set the auditing configuration for the local machine.

syslog_facility=facility

The SYSLOG facility used when sending to a SYSLOG server.

syslog_priority=priority

The SYSLOG priority used when sending to a SYSLOG server.

cache_size=(0 - 100000)

This value determines the size of the event cache, i.e. the number of events that Snare will keep if it cannot reach at least one of the destination hosts. The value must be between 0 and 100000. This feature is only available in the Enterprise Agent.

use_utc=1

Enable UTC (Coordinated Universal Time) for event timestamps. This feature is only available in the Enterprise Agent.

version=4

Future inclusion: Snare version for informational purposes.



[Remote]

This section allows you to specify settings relating to the Remote Control Interface used to control Snare.

allow=[1|0]

Turn the Remote Control Interface on or off.

listen_port=6161

The TCP port on which the Snare for Linux agent's Remote Control Interface listens.

accesskey_enabled=on

When set to on, a password (the access key below) is required to reach the embedded web server.

accesskey=md5password

MD5 digest of the password used to protect the embedded web server. Treat snare.conf as sensitive: anyone who can read the digest can attack it offline.

restrict_ip_enabled=0

Restrict the Remote Control Interface to the single IP address given in restrict_ip (1 = on, 0 = off).

restrict_ip=1.2.3.4

IP address of a system that is used to remotely control the agent. All requests from other systems will be dropped.


[Output]

By default, if no [Output] section exists within the configuration file, the audit daemon will not send any data anywhere. Otherwise, audit events will be sent to every valid destination specified in the Output section, so events can be written to a file, sent to one or more remote network destinations, or both.

file=/fully/qualified/file/name

The audit daemon will write data to the fully qualified filename. The directory must exist; the file will be created if it does not exist. E.g. file=/var/log/filewatch.log

network=hostname:port:protocol:format

Data will be sent to the remote host and network port specified here. Audit data can be sent to a remote system using the UDP or TCP protocol; SSL may also be specified to indicate an encrypted TCP connection. Format may be either SNARE or SYSLOG. Note that in the example snare.conf below the keys are numbered, i.e. networkOutput0, networkOutput1 and fileOutput0. E.g. networkOutput0=10.1.1.30:6161:TCP:SNARE


[Linux]


audit_buffersize=360

Adjusts the size of the kernel audit buffers, if required, to avoid placing too heavy an audit load on the system. To be added to the Remote Control Interface as a setting in the future release of version 5.0 of the Snare for Linux agent.


[Objectives]

This section describes the format of the objectives. Each objective line is composed of:

  1. Criticality - an integer between 0 and 4 that indicates the severity of the event. 0 is 'clear', 4 is 'critical'. Any integer less than 0 will cause the line to be rejected.
  2. The match function - either an include match, match="<value>", or an exclude match, match!="<value>". The value is a standard regular expression.
  3. The event - this must either correspond to a valid syscall event, or a series of events separated by commas, and may be surrounded with round brackets (). Note that the embedded web server will convert the generic "groups" in the Audit Configuration window to the required events. For example, the abstracted group 'Administrative Events' will result in the event entry 'event=(reboot,settimeofday,clock_settime,setdomainname,sethostname)' being written.
  4. Audit Filter Term - the filter expressions to apply to the audit rule. They must match the filter expressions documented in the auditctl man page, e.g. uid=root, success=1.
  5. Return - either Success, Failure or * to indicate both Success and Failure.
  6. Regex Match - an optional string to match. This can be a regular expression, or .* to indicate all events, e.g. ./bin.

Note that whitespace will be trimmed from the start and end of items.

criticality=1 match="./bin." event=execve uid=maria,success=1
criticality=1 match!="./bin." event=execve uid=maria,success=1

The first line reports, at criticality level 1, whenever the user 'maria' successfully executes a binary and the event matches the regular expression ./bin. (i.e. it contains /bin with a character on either side, such as /usr/bin/id; note that /sbin/auditctl does not contain the literal /bin and so would not match).
The second line, using match!="./bin.", is an exclude rule: events containing that match are not sent.

criticality=0 for Clear (ordinary security level), 1 for Information, 2 for Warning, 3 for Priority, 4 for Critical.


Shown below is an example /etc/audit/snare.conf file. It is an example file only, and should NOT be used for operational purposes. It has been included to demonstrate the key concepts of formulating a snare.conf file, as discussed above.
Example Version 4.1 snare.conf file
#This is a comment line with no leading spaces
# Snare configuration file
# Note: This file may be automatically updated by the Snare agent
# This file was generated by at: Mon Sep 22 15:22:26 2014
[Config]
use_criticality=1
encrypt_msg=0
clientname=
set_audit=1
cache_size=10000
use_utc=1
syslog_facility=1
syslog_priority=5
[Linux]
audit_buffersize=360
#TCP and multiple network entries only allowed by the Enterprise agent
[Output]
networkOutput0=10.1.1.30:514:UDP:SYSLOG
networkOutput1=10.1.1.46:6161:TCP:SNARE
fileOutput0=/tmp/41logging.txt
[Remote]
allow=1
accesskey_enabled=on
restrict_ip=
listen_port=6161
accesskey=snare
restrict_ip_enabled=0
[Objectives]
criticality=1 match="" event=execve,fork,exit,kill,tkill,tgkill
criticality=3 match="" event=fchmod,chmod,fchmodat,chown,lchown,fchown,fchownat
criticality=2 match="" event=link,linkat,mknod,unlink,unlinkat,symlink,symlinkat
criticality=3 match="" event=mount,umount2
criticality=3 match="" event=setfsuid,setuid,setreuid,setfsgid,setregid,setgid,setresgid
criticality=4 match="" event=reboot,settimeofday,clock_settime,setdomainname,sethostname
criticality=1 match="" event=login_start,login_auth,logout
[Watch]
criticality=1 match=".usesr01." path=/etc perms=waxr
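The following is an added example, not Snare code, that reads a snare.conf in the format described in this section ("#" comments, [Section] headers, key=value settings, one rule per line under [Objectives] and [Watch]) and reports the checks an administrator would want before deploying it: cache_size within 0-100000, criticality within 0-4, every network destination well-formed as hostname:port:protocol:format with a known protocol and format, and the Remote Control Interface settings. The sample input is trimmed from the example file above. The checks that a non-SSL destination sends events in cleartext and that accesskey should look like a 32-hex-digit MD5 digest are this example's own interpretation of the text above, not behaviour the agent enforces.

```python
"""Parse and sanity-check a Snare for Linux snare.conf (added example, not Snare code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample, trimmed from the example snare.conf on this page.
SAMPLE_CONF = """\
# Snare configuration file
[Config]
clientname=
set_audit=1
cache_size=10000
use_utc=1
# TCP and multiple network entries only allowed by the Enterprise agent
[Output]
networkOutput0=10.1.1.30:514:UDP:SYSLOG
networkOutput1=10.1.1.46:6161:TCP:SNARE
fileOutput0=/tmp/41logging.txt
[Remote]
allow=1
accesskey_enabled=on
restrict_ip=
listen_port=6161
accesskey=snare
restrict_ip_enabled=0
[Objectives]
criticality=1 match="" event=execve,fork,exit,kill,tkill,tgkill
criticality=4 match="" event=reboot,settimeofday,clock_settime,setdomainname,sethostname
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")
RULE_SECTIONS = ("Objectives", "Watch")   # one rule per line, no key=value split
PROTOCOLS = ("UDP", "TCP", "SSL")
FORMATS = ("SNARE", "SYSLOG")

Section = List[Tuple[str, str]]


def parse_snare_conf(text: str) -> Dict[str, Section]:
    """Map section name -> ordered (key, value) pairs; rule lines are kept whole."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()                 # any amount of surrounding whitespace is allowed
        if not line or line.startswith("#"):
            continue                       # blank or comment line
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"setting before any [Section]: {line!r}")
        if current in RULE_SECTIONS:
            sections[current].append(("rule", line))
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def parse_destination(spec: str) -> Tuple[str, int, str, str]:
    """Parse hostname:port:protocol:format, raising ValueError on anything off-spec."""
    parts = spec.split(":")
    if len(parts) != 4:
        raise ValueError(f"expected host:port:protocol:format, got {spec!r}")
    host, port, proto, fmt = parts
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad host or port in {spec!r}")
    if proto.upper() not in PROTOCOLS or fmt.upper() not in FORMATS:
        raise ValueError(f"protocol must be one of {PROTOCOLS} and format one of {FORMATS}: {spec!r}")
    return host, int(port), proto.upper(), fmt.upper()


def check_snare_conf(sections: Dict[str, Section]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    cfg = dict(sections.get("Config", []))
    size = cfg.get("cache_size")
    if size is not None and not (size.isdigit() and 0 <= int(size) <= 100000):
        findings.append(f"Config: cache_size must be 0-100000, got {size!r}")
    if "Output" not in sections:
        findings.append("no [Output] section: the agent will not send events anywhere")
    for key, value in sections.get("Output", []):
        if key.startswith("network"):
            try:
                _, _, proto, _ = parse_destination(value)
            except ValueError as err:
                findings.append(f"Output {key}: {err}")
                continue
            if proto != "SSL":             # only SSL is described as encrypted
                findings.append(f"Output {key}: {proto} sends events in cleartext")
    remote = dict(sections.get("Remote", []))
    if remote.get("allow") == "1":         # web interface is enabled
        if remote.get("accesskey_enabled", "").lower() != "on":
            findings.append("Remote: web interface enabled without an access key")
        if remote.get("restrict_ip_enabled") != "1" or not remote.get("restrict_ip"):
            findings.append("Remote: web interface not restricted to a management IP")
        if not re.fullmatch(r"[0-9a-fA-F]{32}", remote.get("accesskey", "")):
            findings.append("Remote: accesskey is not a 32-hex-digit MD5 digest")
    for _, rule in sections.get("Objectives", []):
        m = re.match(r"criticality=(-?\d+)\s", rule)
        if not m or not 0 <= int(m.group(1)) <= 4:
            findings.append(f"Objectives: criticality must be 0-4: {rule!r}")
    return findings


if __name__ == "__main__":
    for finding in check_snare_conf(parse_snare_conf(SAMPLE_CONF)):
        print(finding)
```

Run against the sample it reports the two cleartext destinations, the unrestricted web interface and the non-digest access key; run against a file with no [Output] section it reports only that the agent will send nothing, which matches the behaviour described above.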
Event Output Format

The Snare dispatcher receives data from the native Linux audit subsystem.
The native audit daemon reports data in such a way that:

  • It is 'programmatically' difficult to determine how many 'lines' make up an audit event. Some lines can be repeated, with slightly different values.
  • You can have multiple, identical tokens for an event (e.g. two "path=" tokens)
  • Event lines may be interleaved (i.e. you might get two lines from event # 1000, then one line from event # 1001, then another line from event # 1000).
  • Some filename characters are translated into their HEX equivalents which will make matching filenames difficult.

Snare for Linux uses an internal cache to amalgamate all lines relating to an individual event into a "one line per event" format, once appropriate filtering/event selection has taken place. An event will look like this once processed by Snare (the TAB separators described below are rendered as spaces here):
localhost.localdomain LinuxKAudit 2 event,execve,Jun 20 06:10:03 sequence,345199 uid,4294967295,unknown euid,0,root gid,0,root egid,0,root process,,/sbin/auditctl return,0,yes name,null exe,/sbin/auditctl success,yes return,0 syscall,11,execve uid,unknown euid,root gid,root egid,root arch, name,null a0,80ca7f8 a1,80ca980 a2,80ca8a8 a3,0 items,2 ppid,24047 pid,24051 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none comm,auditctl key,obj-0-0 a0,/sbin/auditctl a1,-v cwd,/ item,0 inode,37751 dev,03:02 mode,0100750 ouid,0 ogid,0 rdev,00:00 item,1 inode,17644 dev,03:02 mode,0100755 ouid,0 ogid,0 rdev,00:00
Snare for Linux presents the information in a series of token/data groups. Distinct field separators are used in order to facilitate follow-on processing: TABS separate 'tokens', and COMMAS separate the data within each token. A 'token' is a group of related data, comprising a 'header' and a series of comma-separated fields that make up the data relating to that header. Note that the same header can appear more than once in an event (uid, a0 and item above), so a consumer must not assume a token is unique. Examples of tokens from the above event include:

  • syscall,11,execve
  • exe,/sbin/auditctl
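As an added example (not Snare code) of consuming this format, the parser below splits a Snare for Linux event line on TABs into the three header fields and the tokens, splits each token on COMMAs into header and data, keeps repeated headers in order rather than collapsing them, and then runs a small check over two lines: successful execve events run as root of a binary under an administrative path. The first sample line is the auditctl event shown above with the tabs restored; the second, an unprivileged user running /usr/bin/id, is constructed for the example. The assumption that execve arguments appear twice (raw pointer first, resolved string second) is taken from the a0/a1 tokens in the example above.

```python
"""Parse Snare for Linux one-line events and run a simple check over them (added example)."""
from typing import Dict, List, Tuple

Token = Tuple[str, List[str]]


def _line(*tokens: str) -> str:
    """Join header fields and tokens with TABs, as the agent emits them."""
    return "\t".join(tokens)


# Constructed: the page's example event, TAB separators restored.
EVENT_AUDITCTL = _line(
    "localhost.localdomain", "LinuxKAudit", "2",
    "event,execve,Jun 20 06:10:03", "sequence,345199",
    "uid,4294967295,unknown", "euid,0,root", "gid,0,root", "egid,0,root",
    "process,,/sbin/auditctl", "return,0,yes", "name,null", "exe,/sbin/auditctl",
    "success,yes", "return,0", "syscall,11,execve",
    "uid,unknown", "euid,root", "gid,root", "egid,root", "arch,", "name,null",
    "a0,80ca7f8", "a1,80ca980", "a2,80ca8a8", "a3,0", "items,2",
    "ppid,24047", "pid,24051", "uid,0", "suid,0", "fsuid,0", "sgid,0", "fsgid,0",
    "tty,none", "comm,auditctl", "key,obj-0-0",
    "a0,/sbin/auditctl", "a1,-v", "cwd,/",
    "item,0", "inode,37751", "dev,03:02", "mode,0100750", "ouid,0", "ogid,0", "rdev,00:00",
    "item,1", "inode,17644", "dev,03:02", "mode,0100755", "ouid,0", "ogid,0", "rdev,00:00",
)

# Constructed: an unprivileged user (uid 1000, name assumed) running /usr/bin/id.
EVENT_ID = _line(
    "web01.example.com", "LinuxKAudit", "1",
    "event,execve,Jun 20 06:11:17", "sequence,345210",
    "uid,1000,maria", "euid,1000,maria", "gid,1000,maria", "egid,1000,maria",
    "process,,/usr/bin/id", "return,0,yes", "exe,/usr/bin/id", "success,yes",
    "syscall,11,execve", "a0,9f3c2a0", "a1,0", "items,1", "ppid,3011", "pid,3020",
    "uid,1000", "comm,id", "key,obj-1-0", "a0,/usr/bin/id", "cwd,/home/maria",
)


def parse_snare_event(line: str) -> Dict:
    """Split one event into host, criticality and an ordered list of (header, data) tokens."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 4 or fields[1] != "LinuxKAudit":
        raise ValueError("not a Snare for Linux event line")
    tokens: List[Token] = []
    for tok in fields[3:]:
        head, *data = tok.split(",")       # header, then its comma-separated data
        tokens.append((head, data))
    return {"host": fields[0], "criticality": int(fields[2]), "tokens": tokens}


def token_values(event: Dict, name: str) -> List[List[str]]:
    """All occurrences of a token, in order; headers such as uid, a0 and item repeat."""
    return [data for head, data in event["tokens"] if head == name]


def resolved_argv(event: Dict) -> List[str]:
    """execve arguments: aN appears twice, raw pointer first, resolved string second.
    Only arguments that have a resolved second occurrence are returned."""
    argv: List[str] = []
    n = 0
    while True:
        seen = token_values(event, f"a{n}")
        if len(seen) < 2 or not seen[-1]:
            break
        argv.append(seen[-1][0])
        n += 1
    return argv


def summarize(event: Dict) -> Dict:
    """Pull the fields a detection would key on, taking the first usable occurrence."""
    def first(name: str, idx: int = 0, default: str = "") -> str:
        for data in token_values(event, name):
            if len(data) > idx:
                return data[idx]
        return default

    return {
        "host": event["host"],
        "criticality": event["criticality"],
        "syscall": first("syscall", 1),    # syscall,11,execve -> execve
        "exe": first("exe"),
        "euid": first("euid", 1),          # euid,0,root -> root
        "comm": first("comm"),
        "success": first("success") == "yes",
        "argv": resolved_argv(event),
    }


def privileged_execs(lines: List[str], prefixes=("/sbin/", "/usr/sbin/")) -> List[Dict]:
    """Successful execve events run as root of binaries under administrative paths."""
    hits = []
    for line in lines:
        s = summarize(parse_snare_event(line))
        if s["syscall"] == "execve" and s["success"] and s["euid"] == "root" \
                and s["exe"].startswith(prefixes):
            hits.append(s)
    return hits


if __name__ == "__main__":
    for hit in privileged_execs([EVENT_AUDITCTL, EVENT_ID]):
        print(hit["host"], hit["criticality"], hit["exe"], hit["argv"])
```

Splitting on TABs first and COMMAs second matters: the event token carries a timestamp with spaces, and a filename containing a comma would break a naive comma split of the whole line, which is why the agent separates tokens with TABs.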


Oracle Linux

From v4.1.10 of the Snare Linux agent, the build is available on Oracle Linux v7. To allow the agent to run, perform the following as root on the Linux host:

  • # setenforce 0

This switches SELinux to permissive mode until the next reboot; it does not disable SELinux. To make the change persistent, change SELINUX=enforcing to SELINUX=permissive in /etc/selinux/config and reboot the system. Note that this relaxes SELinux for the whole host, not just for the agent; the agent will only work with SELinux in enforcing mode if the relevant SELinux policy rules are set up for it.

  • The Linux firewall may also need to be updated: outbound, to allow the syslog or Snare messages to reach their destinations, and inbound, to allow access to the web management port on the host, TCP 6161 (or whatever listen_port is set to).