
A major function of the Snare system is to filter events.  This is accomplished via the 'audit policies' capability (known as 'objectives' in previous releases).  Any number of audit policies may be specified; they are displayed on the Audit Policy Configuration page.  A default set of audit policies is installed with the Snare Enterprise Agent for macOS.

To create a new audit policy click Add; to view or edit an existing audit policy select Modify.  The following parameters may be set:


  • Identify the high level event: Each audit policy provides a high level of control over which events are selected and reported. Events are selected from a group of high level requirements and further refined using the filters described below. Events are grouped as follows:

    High Level Event: Events

    Change user or group identity: setgroups, setpgrp, setuid, setgid, seteuid, setegid, setauid, setreuid, setregid, osetpgrp, create_user, modify_user, delete_user, disable_user, enable_user, create_group, delete_group, modify_group, add_to_group, remove_from_group

    Establish an outgoing network connection: connect, shutdown, setsockopt

    Login/Logout events: login, logout, telnet, rlogin, su, rexecd, passwd, rexd, ftpd, admin_authenticate, auth_user, ssh, openssh, rshd, init, ftpd_logout, role_login, lw_login, lw_logout, newgrp_login, ssconn, ssauthorize, ssauthint, sudo

    Modify system, file or directory attributes: chmod, fchmod, chown, fchown, mctl, lchown, aclset, faclset

    Mount a new filesystem: mountd_mount, mountd_umount, umount2

    Open a file/dir for reading only: open_r, readlink

    Remove a file or directory: rmdir, unlink

    Start or stop program execution: exec, execve

    Write or create a file or directory: open_rc, open_rt, open_rtc, open_w, open_wc, open_wt, open_wtc, open_rw, open_rwc, open_rwt, open_rwtc, creat, mkdir, mknod, xmknod, link, symlink, rmdir, unlink, rename, truncate, extattr_delete_file, ftruncate

    The above groups are provided to service the most common security objectives that are likely to be encountered.

    In addition, any event that can be generated by the macOS audit subsystem can be specified (comma separated) by using the Any Event(s) high level group.

Tip: Enabling file-related events can produce a very high volume of audit events on some systems, and therefore consume a considerable amount of CPU time in both Snare and the audit subsystem.


The following filters can be applied to incoming audit events:

  • Event ID Search Term.  If Any Event(s) is selected as the high level event, enter a comma separated list of macOS audit event names to search for.
    The wildcard character '*' selects all events. Use it with caution: every event the audit subsystem generates will be collected and passed to the remote host.
    For all other high level events this field is ignored and managed automatically by the agent.
  • General Match Type.  Defines whether events matching this audit policy are included or excluded, via the Include or Exclude radio buttons. If an audit policy is set to Exclude, matching event logs are discarded immediately.
    It is recommended to perform all the excludes for a particular high level event in one audit policy.
  • General Search Term.  Further filters the collected audit events with a regular expression that is searched for in the content of each event.
    For example, a search term of /etc/.* matches any event that mentions a file in /etc.
    Complex matches are possible. For example, to include or exclude several commands, use an alternation such as: ./bin/grep.|./bin/bash.|./bin/sleep.|./usr/bin/wc.|./usr/bin/cut.
    Each '.' here is the single-character regular expression wildcard, so every alternative matches the command path whatever character precedes or follows it in the event text.

  • User Match Type.  Defines whether to include or exclude events caused by the users listed in User Search Term, via the Include or Exclude radio buttons. If an audit policy is set to Exclude the user(s), matching event logs are discarded immediately.

  • User Search Term.  A filter term containing users the audit policy should match. Multiple users may be entered using a comma separated list. For example using: root,snare would cause the audit policy to match if users root or snare caused the event. Additionally the value .* may be used to match any user.

  • Identify the event types to be captured.  Defines whether to capture Success Audit events only, Failure Audit events only, or both. By default, both Success and Failure audit events are captured.
  • Select the Alert Level.  A criticality level may be assigned to each audit policy so that events tied to the most pressing business security objectives can be recognised quickly from the options in the drop down list.  The Latest Events page highlights each event in the colour of the Snare criticality assigned to its audit policy.  The criticality can be chosen per destination according to the format that destination uses (Snare, Syslog, CEF or LEEF); each of these criticalities is stored with the event, and when the event is sent the criticality matching the destination's format is written into the final event string.
    • Snare - Critical, Priority, Warning, Information, Clear
    • Syslog - Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
    • CEF - 0 - 10, 0 is least severe and 10 is most severe.
    • LEEF - 1 - 10, 1 is least severe and 10 is most severe


Filters

Audit policy filters support negative values, which is useful when you are only interested in events from system calls that returned a specific error. For example, an audit policy to collect unauthorised file accesses for all users and root could set the Audit Filter Term to:

exit=-EPERM,auid>=500,auid!=4294967295

Here exit=-EPERM selects calls that failed with EPERM (operation not permitted); auid>=500 restricts the match to events whose audit user ID (the ID of the user who originally logged in, which survives su and sudo) is 500 or higher; and auid!=4294967295 drops events whose audit user ID is unset (4294967295 is -1 as an unsigned 32-bit value).

To save the changes to the above settings and ensure the configuration file has been updated, perform the following:

  1. Click on Change Configuration to save any changes to the configuration file.
  2. Click on the Apply Configuration & Restart Service menu item.


Tip

Audit policies are processed by the agent in the order they appear, top to bottom. Use the Up and Down arrows in the Order column to rearrange your audit policies into the appropriate order.

Place any Exclude audit policies (those excluding an Event ID or a user) at the top of the list so that unwanted events are discarded before a later Include policy can match and forward them.
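To make the filter rules and the ordering tip above concrete, here is an added example in Python. It is not Snare code and does not reproduce the agent's real matching logic: it assumes each policy is a dict carrying the parameters listed above, that events are constructed sample records (not real macOS audit output), and that the first policy, top to bottom, whose event group, success flag, search term and user filter all match decides what happens to the event. Running the same policies in two orders shows why an Exclude policy placed below an Include policy never fires.

```python
import re

# Constructed sample events (not real audit output). Each carries the fields
# the filters above inspect: event name, user, success flag, and the text the
# General Search Term regular expression is run against.
SAMPLE_EVENTS = [
    {"event": "execve", "user": "snare", "success": True, "text": "argv=/usr/bin/grep -i root /etc/passwd"},
    {"event": "execve", "user": "root", "success": True, "text": "argv=/bin/bash -c /usr/local/bin/backup"},
    {"event": "execve", "user": "root", "success": True, "text": "argv=/usr/bin/curl -s 10.0.0.5"},
    {"event": "open_w", "user": "root", "success": False, "text": "path=/etc/sudoers"},
    {"event": "open_w", "user": "www", "success": True, "text": "path=/Users/www/upload.tmp"},
    {"event": "connect", "user": "snare", "success": True, "text": "addr=10.0.0.5:443"},
    {"event": "connect", "user": "www", "success": True, "text": "addr=10.0.0.9:80"},
]

# A subset of the high level event groups from the table on this page.
GROUPS = {
    "Start or stop program execution": {"exec", "execve"},
    "Write or create a file or directory": {"open_w", "open_wc", "open_wt", "creat", "mkdir", "rename"},
    "Establish an outgoing network connection": {"connect", "shutdown", "setsockopt"},
}
ANY_EVENT = "Any Event(s)"


def policy(group, match="Include", search=".*", users=".*", user_match="Include",
           capture="both", alert="Information", event_ids=""):
    """One audit policy with the parameters listed above (hypothetical structure)."""
    return dict(group=group, match=match, search=search, users=users,
                user_match=user_match, capture=capture, alert=alert, event_ids=event_ids)


def user_matches(pol, ev):
    """User Search Term: comma separated list, each entry a full-match regex."""
    terms = [t.strip() for t in pol["users"].split(",") if t.strip()]
    return any(re.fullmatch(t, ev["user"]) for t in terms)


def applies(pol, ev):
    """True when the event's group, success flag and General Search Term all match."""
    if pol["group"] == ANY_EVENT:
        ids = {i.strip() for i in pol["event_ids"].split(",")}
        if "*" not in ids and ev["event"] not in ids:
            return False
    elif ev["event"] not in GROUPS[pol["group"]]:
        return False
    if pol["capture"] == "success" and not ev["success"]:
        return False
    if pol["capture"] == "failure" and ev["success"]:
        return False
    return re.search(pol["search"], ev["text"]) is not None


def evaluate(policies, ev):
    """Walk the policies top to bottom; the first applicable one decides.

    Returns the alert level of the Include policy that forwards the event,
    "discard" when an Exclude policy (event or user) drops it, or None when
    no policy applies.  Assumption: first applicable policy wins.
    """
    for pol in policies:
        if not applies(pol, ev):
            continue
        hit = user_matches(pol, ev)
        if pol["user_match"] == "Exclude":
            if hit:
                return "discard"      # excluded user: dropped immediately
        elif not hit:
            continue                  # Include-user policy naming other users
        return "discard" if pol["match"] == "Exclude" else pol["alert"]
    return None


def run(policies):
    return [evaluate(policies, ev) for ev in SAMPLE_EVENTS]


# Exclude noisy commands using the alternation syntax shown under General
# Search Term, report every other program execution, flag failed writes under
# /etc by root or snare, and drop the agent's own outgoing connections.
EXCLUDE_NOISE = policy("Start or stop program execution", match="Exclude",
                       search=r"./bin/grep.|./bin/bash.|./bin/sleep.|./usr/bin/wc.|./usr/bin/cut.")
ALL_EXEC = policy("Start or stop program execution", alert="Information")
ETC_WRITE_FAIL = policy("Write or create a file or directory", search=r"/etc/.*",
                        capture="failure", users="root,snare", alert="Critical")
NO_AGENT_NET = policy("Establish an outgoing network connection",
                      users="snare", user_match="Exclude", alert="Warning")

WELL_ORDERED = [EXCLUDE_NOISE, ALL_EXEC, ETC_WRITE_FAIL, NO_AGENT_NET]
BADLY_ORDERED = [ALL_EXEC, EXCLUDE_NOISE, ETC_WRITE_FAIL, NO_AGENT_NET]  # exclude is shadowed

if __name__ == "__main__":
    for name, pols in (("well ordered", WELL_ORDERED), ("badly ordered", BADLY_ORDERED)):
        print(name, run(pols))
```

With the Exclude policy on top, the grep and bash executions are discarded and only the curl execution is forwarded; with the Include policy on top, all three executions are forwarded at Information level and the Exclude policy never sees them. The user-level Exclude behaves the same way: a connect by snare is dropped before the Include match type is consulted, while a connect by any other user is forwarded at Warning.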
