Thursday, June 27, 2013

Snare on Debian and Ubuntu


_____________________________________________________________________________________

Snare installation in Ubuntu:
----------------------------
Snare installation on Fedora/Red Hat distributions is very easy and there are many documents to help. But I could not find a single complete document, so I spent a few days getting Snare working successfully on Ubuntu Linux :)

--------------------------------------------------------------------------------------------------------

Steps for using Snare on Ubuntu/Debian (I tested it on Ubuntu 12.04)


-> Install auditd, libaudit-dev and libaudit0
-> Install selinux
-> I also installed system-config-audit (a graphical utility for editing the audit config)


Download SnareLinux from SourceForge and then install it.
Commands:
1. make
2. ./Install.sh

It will create files under the /usr/sbin and /etc directories.

Contents of the /etc/snare.conf file:

****START***
[Remote]
allow=1
listen_port=6161
[Output]
network=127.0.0.1:6161
file=/var/log/audit/audit.log    # important: Snare uses this file
[Config]
use_criticality=0
set_audit=1
use_regex=0
use_watch=1
syslog_facility=local0
syslog_priority=information
[Watch]
path=/usr/sbin
[Objectives]
criticality=0 event=execve exe=/sbin/auditctl
criticality=1 event=execve exe=passwd
criticality=2 event=execve uid=,(root)
criticality=2 event=(login_auth,login_start,logout)
criticality=3 event=(mount,umount,umount2,settimeofday,clock_settime,swapon,swapoff,reboot,setdomainname,create_module,delete_module,quotactl)
****END***

Contents of /etc/audit/auditd.conf:

****START***
log_file = /var/log/audit/audit.log
log_format = raw
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
name_format = NONE
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
dispatcher = /usr/sbin/SnareDispatchHelper
****END***

Contents of the audit.rules file:

****START***
-e 1
-f 1
-b 8192
-r 0
-D
-w /bin/ls -p x
-a task,always
-a user,always
****END***

Note: please verify that port 6161 is in listening mode:

tcp 0 0 0.0.0.0:6161 0.0.0.0:* LISTEN
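A quick sanity check of the wiring between the three files above and the listening port, added here as an example (it is not part of the original post or of Snare itself). It runs on constructed copies of the configs shown above; the /etc paths in its comments are assumed.

```shell
# Added example: sanity checks for the Snare <-> auditd wiring shown above.
# Inputs are constructed copies of the page's configs and one netstat -tln
# line; on a real host read /etc/snare.conf and /etc/audit/auditd.conf instead.
SNARE_CONF='[Remote]
allow=1
listen_port=6161
[Output]
network=127.0.0.1:6161
file=/var/log/audit/audit.log #####important ,snare use this'
AUDITD_CONF='log_file = /var/log/audit/audit.log
log_format = raw
dispatcher = /usr/sbin/SnareDispatchHelper'
NETSTAT_OUT='tcp 0 0 0.0.0.0:6161 0.0.0.0:* LISTEN'

# conf_get TEXT KEY: value of the first "KEY = value" line, trailing # comment dropped
conf_get() {
  printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | sed 's/[[:space:]]*#.*$//' | head -n 1
}
# auditd must hand records to the Snare dispatcher, otherwise nothing is forwarded
check_dispatcher() {
  [ "$(conf_get "$1" dispatcher)" = /usr/sbin/SnareDispatchHelper ]
}
# Snare's [Output] file= must name the same file auditd writes as log_file
check_logfile_match() {
  snare_file=$(conf_get "$1" file)
  [ -n "$snare_file" ] && [ "$snare_file" = "$(conf_get "$2" log_file)" ]
}
# [Remote] listen_port must equal the port Snare sends to in [Output] network=
check_port_match() {
  [ "$(conf_get "$1" listen_port)" = "$(conf_get "$1" network | sed 's/.*://')" ]
}
# check_listening NETSTAT_TEXT PORT: a TCP socket on PORT is in LISTEN state
check_listening() {
  printf '%s\n' "$1" | grep -Eq "^tcp[[:space:]].*:$2[[:space:]].*LISTEN"
}
# run_all SNARE AUDITD NETSTAT PORT: returns 0 only when every check passes
run_all() {
  rc=0
  check_dispatcher "$2"         || { echo "FAIL: dispatcher is not SnareDispatchHelper"; rc=1; }
  check_logfile_match "$1" "$2" || { echo "FAIL: snare.conf file= differs from auditd log_file"; rc=1; }
  check_port_match "$1"         || { echo "FAIL: listen_port and network= port differ"; rc=1; }
  check_listening "$3" "$4"     || { echo "FAIL: port $4 is not in LISTEN state"; rc=1; }
  return $rc
}
run_all "$SNARE_CONF" "$AUDITD_CONF" "$NETSTAT_OUT" 6161 && echo "all checks passed"
```

On a live host, feed it `$(cat /etc/snare.conf)`, `$(cat /etc/audit/auditd.conf)` and `$(netstat -tln)` in place of the constructed strings.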
Hopefully this will be useful.



Reference: got help from the Snare mailing list. :)



Good Bye:)