_____________________________________________________________________________________
Snare installation in Ubuntu:
----------------------------
Snare installation in Fedora/Redhat distribution is very easy and there are many documents for help. But i could not find single complete document so i spent few days for successful working of Snare in Ubuntu linux :)
--------------------------------------------------------------------------------------------------------
Steps for usage of Snare on Ubuntu/debian (I tested it on Ubuntu12.04)
-> Install auditd ,libaudit-dev ,libaudit0
-> install selinux
-> i also installed system-config-audit (Graphical utility for editing audit config)
Download SnareLinux from sourceforge and then install it.
commands:
1. make
2. ./Install.sh
it will create files under /usr/sbin and /etc directories
contents of /etc/snare.conf file :
******START***
[Remote]
allow=1
listen_port=6161
[Output]
network=127.0.0.1:6161
file=/var/log/audit/audit.log #####important ,snare use this
[Config]
use_criticality=0
set_audit=1
use_regex=0
use_watch=1
syslog_facility=local0
syslog_priority=information
[Watch]
path=/usr/sbin
[Objectives]
criticality=0 event=execve exe=/sbin/auditctl
criticality=1 event=execve exe=passwd
criticality=2 event=execve uid=,(root)
criticality=2 event=(login_auth,login_start,logout)
criticality=3
event=(mount,umount,umount2,settimeofday,clock_settime,swapon,swapoff,reboot,setdomainname,create_module,delete_module,quotactl)
****END******
contents of /etc/audit/auditd.conf
****START***
log_file = /var/log/audit/audit.log
log_format = raw
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
name_format = NONE
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
dispatcher = /usr/sbin/SnareDispatchHelper
********END***
contents of audit.rules file
****START***
-e 1
-f 1
-b 8192
-r 0
-D
-w /bin/ls -p x
-a task,always
-a user,always******END***
Note: plz verify that 6161 is in listen mode
tcp 0 0 0.0.0.0:6161 0.0.0.0:* LISTEN
Hopefully this will be usefull.
Reference: Got help from snare mailing list. :)
