![[SNARE Logo]](snare-logo.png){kind=logo}
Enhancing the security of the Linux operating
system, by providing a comprehensive event logging facility
|
|
Enhancing the security of the Linux operating
system, by providing a comprehensive event logging facility
|
| Table of Contents |
1. Introduction
2. SNARE Overview
3. Installing and Removing SNARE
4. Setting the Audit Configuration
5. Audit Event Viewer Functions
6. Audit Management Functions
7. Setting the Network Configuration
8. About Intersect AllianceAnnex A - List of Audited System Calls
Annex B - Kernel Module Description
Annex C - SNARE Configuration File
Annex D - Event Output Format
| 1. Introduction |
1.2 As long time users of the Linux operating system, we believe that one of the key features that is preventing Linux from wider deployment, particularly in organisations with security requirements, is the availability of a host based intrusion detection system, in other words, a native system event auditing or event logging facility. However, we recognise that Linux is many things to many people, and building audit/event logging capabilities directly into the Linux kernel will only contribute to kernel bloat. The facility may simply never be required in some Linux installations.
1.3 As such, in the spirit of the recent announcement of the push towards modular security extensions to the Linux kernel (Linux Security Module Interface) in the Kernel 2.5 summit, InterSect Alliance are proud to release a dynamically loadable kernel module that will form the basis for a host intrusion detection and "C2-style" auditing/event logging capability for Linux. The dynamic kernel module precludes the need for a kernel recompile. The overall project is called 'SNARE' - System iNtrusion Analysis & Reporting Environment. InterSect Alliance have released the components of SNARE under the terms of the GNU Public License.
1.4 So why put all this effort into the tools? Two primary reasons:
| 2. SNARE Overview |
2.3 The (user-space) audit daemon reads event data from the dynamic kernel audit module via the device "/proc/audit". It converts the binary audit data into text format , and separates information into a series of "tokens". Three different field separators are used in order to facilitate follow-on processing - TABS separate 'tokens', COMMAS separate data within each token, and SPACES separate elements within data. This format, is further discussed in the section on the audit daemon output format. The net result is that a raw event, as processed by the audit daemon may appear as follows:
objective,clear,Mon Aug 6 19:43:25 2001,The program /usr/bin/gimp has been executed by the user leigh event,execve(),Mon Aug 6 19:43:25 2001 user,leigh(500),users(500),leigh(500),users(500) process,1651,sh path,/usr/bin/gimp arguments,gimp return,0
Figure 1: Main Window
| 3. Installing, Removing and Running SNARE |
a. snare-core-0.8-1.i386.rpm. This provides the necessary binaries to install the auditmodule and audit kernel components of SNARE. Although the snare-core components may be installed alone, it is recommended that the snare graphical user interface is also installed. NOTE that this binary includes a module built for the default Redhat Kernel version (2.4.2) only. If you have a different version of the kernel, then you will need to recompile snare-core from the source RPMs.3.2 Installation of the two main components (SNARE core and SNARE front end) is undertaken as follows:b. snare-0.8-1.i386.rpm. This rpm only installs the SNARE front end, as shown in Figure 1. However, the graphical user interface will not be of significant use, without the installation of the snare-core RPM above.
c. snare-core-0.8-1.src.rpm. This includes the source code for the snare-core package. This should only installed if there is a requirement to view or change any of the SNARE components, or you need to rebuild snare for a different kernel version.
d. snare-0.8-1.src.rpm. This includes all the source code for the graphical components of SNARE. This should only installed if there is a requirement to either view or change any of the SNARE components.
a. Download the required RPMs, as above.
b. Logon as root user, ie; enter the command /bin/su - at the command prompt, and enter the root password when prompted.
c. Issue the commands, as root, rpm --install snare-core-0.8-1.i386.rpm snare-0.8-1.i386.rpm
d. Note that for release 0.8, the audit daemon will not be started automatically. In order to start the audit daemon, the command (as root) /etc/init.d/auditd start may be issued, or the system may be rebooted.
For those systems that
do not use the default RedHat 7.1 kernel, the command
rpm --rebuild snare-core-0.8-1.src.rpm, followed by
rpm --install /usr/src/redhat/i386/snare-core-0.8-1.i386.rpm will
create an audit module that is likely to work with your version of the kernel.
Manual Installation
3.3 If you
do not the Redhat Package Manager to facilitate installation, then retrieve
the snare-core and snare tar files, uncompress and untar them, and issue
the following commands:
For snare-core:
make clean
make
make install
For the snare GUI:
./autogen.sh
make
make install
cp snare-icon.png /usr/share/pixmaps
cp snare.desktop /usr/share/gnome/apps/System
cp snare.desktop /usr/share/gnome/ximian/Programs/Utilities
cp Snare.kdelnk /usr/share/applnk/System
Running SNARE
3.4 Upon
installation of the SNARE front end, menu items will installed in the Ximian
(if installed), KDE, and Gnome program menu. The SNARE launch menu on the
Gnome Program menu is available in Programs->System->Snare - Event
Logging. On the Ximian menu, the launcher is available from Programs->Utilities->Snare
- Event Logging. Snare is located under System for KDE. If these launchers
are not available, the SNARE front end may be started by typing snare
on the command line. For those installations that do
not use the SNARE front end, manual configuration of the audit configuration
file needs to be undertaken.
| 4. Setting the Audit Configuration |
4.2 The most effective and simplest way to configure the SNARE audit daemon is to use the graphical front end tool. The audit configuration window can be selected from the Setup -> Audit Configuration menu, or directly from the associated toolbar button.
Auditing Control
4.3 The initial audit
configuration parameters to consider are:
a. The reliability of audit reporting required,4.4 These three parameters are shown in the first ("Auditing Control") tab of the audit configuration window, shown in Figure 2 below.
b. The type of reporting, and
c. The desired location of the log event file.
Figure 2: Audit Configuration Window - Auditing Control Tab
4.5 Linux uses a system whereby active system tasks all share the system processor(s). Because audit events can potentially be generated by any or all active process, the audit kernel module must 'cache' audit events until the audit daemon "grabs" it's slice of processor time, and can retrieve the data from the cache. In situations where one task uses a significant amount of processor time without releasing the processor to other tasks, or where the audit daemon is only one of MANY tasks active on the system, there is a possibility that the audit daemon will not receive an adequate slice of processor time to retrieve data from the cache before the amount of memory allocated to the cache is used up by the audit events generated by other tasks on the system. If all available cache within the audit module is consumed, and unless the audit-generating processes are "suspended" to allow the audit daemon to "catch up", then audit data could be lost. As such, the integrity of the event collection process can be 100% guaranteed by selecting the "C2 Style" radio button. However, this will impact on system resources, which may result in the system appearing to temporarilly "hang" or run slower. The "C2 Style" configuration 'pauses' audited system calls for all processes except the audit daemon, until the audit daemon has read some data from the cache, and therefore frees some memory. Selecting the "Normal" radio button will not noticeably impact system resources, but there is a potential for some events to be lost. The quantity of lost events will depend significantly on the system load.
4.7 The type of auditing may either be by "raw kernel events" or by "objectives" (user defined filters). Auditing by raw kernel events will result in all selected system calls being written to the log file, without any form of filtering (other than selecting which system calls are to be audited). The system calls to be audited can be selected via the "Kernel" tab in the Audit Configuration window, as shown in Figure 3 below. This method of auditing is more suited to the classic "C2" style of auditing, where all calls are recorded.
Figure 3: "Kernel" Tab
4.8 A more refined method of auditing is available by selecting events via the advanced auditing "objectives" capability. Any number of objectives may be specified, and are listed in the "Objectives" tab, within the audit configuration window, as shown in Figure 4.
Figure 4: "Objectives" Tab
4.9 Each of the objectives provides a high level of control over which events are selected and reported. Events are selected from a group of high level requirements, and further refined using selected filters. All events detailed in Annex A - List of Audited System Calls are contained within all the following high level groups:
a. Open or create a file or directory.4.10 From each of these groups, a criticality level can be applied. These criticality levels are critical, priority, warning, information and clear. These security levels are provided to enable the SNARE user to map audit events to their most pressing business security objectives, and to quickly identify the criticality of an event, via the coloured "buttons" on the SNARE graphical user interface, as shown in Figure 1.
b. Remove a file or directory.
c. Start or stop a program execution.
d. Modify system, file or directory attributes.
e. Change or user group identity.
f. Login or Logout (not available in SNARE Version 0.8)
4.11 The following filters can be applied to incoming audit events:
a. Filter on the event-specific matchable item.
Each event contains a particular piece of information that represents the core data that needs to be communicated. For the "Open or create a file or directory" group, for example, this would be the name of the file and/or directory opened or created. For the "Start or stop program execution" group, this would be the name of the program in question. The event match allows a "partial", "exact" or "regular expression" match term to check against the event-specific matchable item. A "partial " match will look for the sequence of characters specified somewhere within the event-specific matchable item. For example, if the partial match of "pass" is specified for "Open or create a file or directory", then the following example filenames would all match the term:A "exact" match will match the specified term exactly. For example, if the term is /etc/passwd, then the file /etc/passwd would match, but the file /etc/passwd.backup will NOT match.
- /etc/ passwd
- /usr/lib/ passfilt.so
- /home/red/khyber_ pass.txt
A "regular expression " match matches the supplied extended regular expression against the event-specific matchable item. Regular expressions are an advanced form of specifying filters, and should only be used by those experienced in using them. For example, the term ".*[Pp]ass(word|wd).*" would match the following:
but would not match:
- /etc/passwd
- /tmp/PasswordFile
- /etc/PASSWD
b. Filter on user.4.12 Once the above settings have been finalised, the configuration may be saved to the configuration file, via the "Save Configuration" button. However, to ensure the audit daemon has received the new configuration, the "Save and Apply" button should be selected.
Any number of users can be selected, and should be entered with commas separating each user. If no users are entered, ALL users are assumed to be audited.
It is intended that a user exception list will be included into a future release, however, as at version 0.8 of SNARE, this functionality is not yet available.c. Filter on return value
An audit event will either return a success or failure return code. SNARE allows a user to filter on the return value.
| 5. Audit Event Viewer Functions |
5.2 A summary version of the event is displayed on the main window. For more details on a specific event, the relevant row from the main window can be selected using the mouse. A pop-up window will then display more comprehensive details related to the event. The details are event context dependant; For example, an "execution" event will display the executed program name, whilst a "file open" event will display the path name of the opened file. The event details window is shown in Figure 5. Note that only certain fields are shown, and others are "greyed out". The fields which are displayed depend entirely on the event (system call) that is being displayed. Once an event window is displayed, other events may be displayed by selecting the "prev" and "next" key.
5.3 The fields shown in the event window relate to the parameters of the system call that was audited. The brief interpretation of the individual fields is discussed below:
Figure 5: Event Details Window
5.4 In order to view all previous events contained in the log file, the "Reload" menu item can be selected from Activity->Reload Log File, or from the corresponding button from the toolbar. Note that displaying the entire log file may take some time, depending on the size of the file. Alternatively, the main window event list may be cleared from the menu by selecting the item Activity->Clear all Current Events, or from the corresponding button from the toolbar. Note that clearing the main event viewer, DOES NOT clear the log file.
5.5 The main display will alert the user as to whether the events being generated by the audit daemon are being filtered using the defined objectives, or if events are being passed on without any filtering. This wil be shown to the user via the graphic display at the bottom of the main window which will show either "Display Mode: Objective Information" or "Display Mode: Raw Event Log Data". This is shown at the bottom of Figure 1 .
| 6. Audit Management Functions |
6.2 The audit daemon can be restarted directly from the menu item Activity->Apply and Restart Audit. This will instruct the audit daemon to re-read the configuration file, clear the buffers and restart. This function is useful when changes to the audit configuration have simply been saved to the configuration file, without being "applied". The user can therefore select when to activate a new configuration by selecting this menu item, or its corresponding button on the toolbar.
6.3 The audit
daemon status can be viewed by selecting the View->Audit Status
menu item, or its corresponding toolbar button. This will display whether
the audit daemon is active, its process ID, the SNARE version (specifically
of the version of the dynamic kernel module, but will apply to all SNARE components),
and the total number of events processed by the kernel module. Note that
the total events reported are those that have been collected by the kernel,
before filtering (if any) by the audit daemon.The audit status window is
shown in Figure 6 below.
Figure 6: Audit Status Window
Log Rotation
6.4 Depending
on the SNARE configuration, the log file may be small or large. In any case,
it is normal houskeeping practice that logs either be rotated or archived.
Depending on the site requirements, a rotation scheme that keeps old copies
of the last (say) 7 days may be sufficient. In this case, it may be sufficient
to simply include a CRON or ANACRON job, and use a program such as logrotate
to ensure the current log file does not grow to an unmanageable
size. Alternatively, you may wish to archive all log files to backup media
such as tape or CD-ROM. This may be scheduled using CRON or undertaken manually.
In either case, it is important to note that the audit daemon should
restarted, so that it opens the new log file for writing the events.
| 7. Setting the Network Configuration |
| 8. About Intersect Alliance |
8.2 The Intersect Alliance business strategy includes demonstrating our committment and expertise in IT security by releasing Open Source products such as SNARE. Intersect Alliance intend to continue releasing tools that enable users, administrators and clients worldwide to achieve a greater level of productivity and effectiveness in the area of IT Security, by simplifying, abstracting and/or solving complex security problems.
8.3 Please visit the Intersect Alliance website for more information.
| A. The SNARE Audit Subsystem - Events Audited |
List of System Calls Implemented in SNARE Version 0.8
System Call Description open open and possibly create a file or device creat open and possibly create a file or device execve execute program exit terminate the current process mkdir create a directory unlink delete a name and possibly the file it refers to mknod create a directory or special or ordinary file rmdir delete a directory chown change ownership of a file lchown change ownership of a file chown32 change ownership of a file lchown32 change ownership of a file chmod change permissions of a file symlink make a new name for a file link make a new name for a file rename change the name or location of a file reboot reboot or enable/disable Ctrl-Alt-Del truncate truncate a file to a specified length chroot change root directory setuid set user identity setreuid set real and / or effective user ID setresuid set real, effective and saved user ID setuid32 set user identity setreuid32 set real and / or effective user ID setresuid32 set real, effective and saved user ID setgid set group identity setregid set real and / or effective group ID setresgid set real, effective and saved group ID setgid32 set group identity setregid32 set real and / or effective group ID setresgid32 set real, effective and saved group ID truncate64 truncate a file to a specified length
| B. The SNARE Audit Subsystem - Kernel Module |
The module implements a ring (or 'tail chaser') kernel buffer to cache event information prior to being read by an application that reads data from /proc/audit. The size of the buffer is configurable at module-load time to facilitate installation on low-memory-profile devices if required. The features of the module are:
a. Events with a path of 1024 bytes can be processed. Paths greater than this size are truncated.
b. 128 kilobytes of memory is allocated for the buffer storage as described in the above paragraph. Events will be lost, if the audit daemon cannot keep pace with reading the events. However, selecting the "C2 Style" option in the Audit Configuration will ensure that events are not lost.
c. The module is instructed by the audit daemon to audit only selected system calls. System calls that are not specifically selected will not be audited.Kernel module options can be specified on the insmod command line, or added to an 'options auditmodule' line within /etc/modules.conf if required, however, it is recommended that the module be loaded without any arguments, and the audit daemon be used to enable audit events based on the configuration file. Some level of granularity is available at the audit module load phase. Administrators can turn on a 'class' of events, individual events, or all events. For example, turning on all events can be selected by:
insmod auditmodule.o all=1
Instead of the "all=1" option, the following classes can be added. For example, the command insmod auditmodule.o file_class=1 will ensure the auditmodule records all the events related to file operations related events. The following audit classes are defined.file_class - File-related audit events
a_openfile_control_class - File control related audit events
a_creat
a_mkdir
a_unlink
a_mknod
a_rmdir
a_symlink
a_link
a_rename
a_truncate
a_truncate64
a_chownexecute_class - Execute related audit events
a_lchown
a_chown32
a_lchown32
a_chmod
a_execveadmin_class - Administrative audit events
a_setuid
a_setreuid
a_setresuid
a_setuid32
a_setreuid32
a_setresuid32
a_setgid
a_setregid
a_setresgid
a_setgid32
a_setregid32
a_setresgid32
a_exit
a_rebootNote that when an f* system call (eg: fchmod) is called by a program, the corresponding non-f* call is generally called by Linux. Hence, although fchmod is not available in the list above, calls to fchmod() will create a chmod() event. In addition, there are a number of system calls which are dependant on the kernel version and architecture of the host. These are designated by the numbers "32" or "64" appended to some of the system calls. Which system calls are called in any given situation (eg; setuid versus setuid32) will depend on the system architecture of the host system .
a_chroot
| C. The SNARE Audit Subsystem - Configuration File Description |
SNARE can be configured in several different ways, namely:
a. Via the graphical tool (Recommended), orThe format of the audit configuration file is discussed below.
b. By setting module options at load time, or
c. By manually editing the configuration file
| [AuditType] | This section allows you to specify whether the audit subsystem generates raw event data without any filtering, or utilises the objectives defined within the [Objectives] section below to filter event data. |
| type=Objective | Generate event data with an objective description, and filter events based on objective definitions in later sections. |
| type=Event | Generate raw event data, without any filtering. |
| [File] | By default, if no file section exists within the configuration file, the audit daemon will send audit data out to standard out (STDOUT). |
| file=/fully/qualified/file/name | The audit daemon will send data to the fully qualified filename specified within the [File] section. Note that if the audit daemon is not running as root, the file must be writable by the user under which the audit daemon is running. |
| file=stdout | If stdout is specifically defined within the file section, the audit daemon will send data to standard out. |
| [Delivery] | This section describes the delivery method. Delivery can either be "normal" (where the kernel drops audit events when it does not have enough buffer space left), or "c2", where the kernel blocks further auditable events from occuring until buffer space is available. |
| delivery=normal | Only deliver audit events when there is space available in the kernel buffer. |
| delivery=c2 | Block further auditable events from occuring until the audit daemon has space available in the kernel buffer, thereby guaranteeing delivery of all selected events. |
| [Objectives] |
This section describes the format of the objectives. Objectives are composed
of:
Note that whitespace will be trimmed from the start and end of items, but will be assumed to be valid when bracketed by other characters. |
| criticality=1 event=open return=* user=^(red|george)$ match=^/etc/shadow$ | Report at criticality level 1, whenever the users "red" or "george", open, or attempt to open, the file /etc/shadow. |
| criticality=0 event=* return=* user=^red$ match=.* | Report whenever the user 'red' performs any audited event. Note that 'event' is not a regular expression field, but when the asterisk character is used, events which have been specifically turned on in the [Events] section, or have been turned on by specifying the event name within another objective, will be audited. |
| [Events] | This section describes which raw kernel events are to be audited. This section is used by the audit daemon when the method of auditing is via "raw kernel events". A '1' turns an event on, while a '0' turns the event off. The default setting if not otherwise specified, is off. |
|
open=1 creat=0 execve=1 exit=0 mkdir=0 unlink=0 mknod=0 rmdir=0 chown=1 lchown=0 chown32=0 lchown32=0 chmod=1 symlink=0 link=0 rename=0 reboot=0 truncate=0 chroot=0 setuid=0 setreuid=0 setresuid=0 setuid32=0 setreuid32=0 setresuid32=0 setgid=0 setregid=0 setresgid=0 setgid32=0 setregid32=0 setresgid32=0 truncate64=1 |
| D. The SNARE Audit Subsystem - Event Output Format |
A 'Token' is a group of related data, comprising a 'header', and a series of comma separated fields which make up data that relates to the header.
Examples of tokens:
Groups of tab separated tokens make up an audit event, which may look something like this, depending on whether the audit daemon has been set to 'objective' or 'event' reporting mode (see the configuration section for more information):
- process,1628,gcc
- return,0
- path,/etc/audit/audit.conf
- arguments,ls -al
objective,clear,Mon Aug 6 19:43:25 2001,The program /usr/bin/gimp has been executed by the user leigh event,execve(),Mon Aug 6 19:43:25 2001 user,leigh(500),users(500),leigh(500),users(500) process,1651,sh path,/usr/bin/gimp arguments,gimp return,0A simple example PERL script for extracting data from a raw SNARE log is as follows:
#!/usr/bin/perl
#
Usage: cat /var/log/audit/audit.log | ./extract.pl
#
Creates an associative array containing the elements of the event record,
and prints the data.
while($input=<STDIN>) {
chomp($input);
%Record=();
@tokens=split(/\t/,$input); # Split the line into TAB delimited
tokens.
foreach $token (@tokens) {
@elements=split(/,/,$token); # Pick out the elements within
each token.
$header=$elements[0];
if($header eq "objective") {
$Record{$header}{"criticality"} = $elements[1];
$Record{$header}{"datetime"} = $elements[2];
$Record{$header}{"description"} = $elements[3];
} elsif ($header eq "event") {
$Record{$header}{"eventid"} = $elements[1];
$Record{$header}{"datetime"} = $elements[2];
} elsif ($header eq "user") {
$Record{$header}{"uid"} = $elements[1]; # User ID
$Record{$header}{"gid"} = $elements[2]; # Group ID
$Record{$header}{"euid"} = $elements[3]; # Effective User ID
$Record{$header}{"egid"} = $elements[4]; # Effective Group ID
} elsif ($header eq "process") {
$Record{$header}{"pid"} = $elements[1]; # Process ID
$Record{$header}{"name"} = $elements[2]; # Process Name (max
16 chars)
} elsif ($header eq "path") {
$Record{$header}{"path"} = $elements[1];
} elsif ($header eq "destpath") {
$Record{$header}{"destpath"} = $elements[1]; # Destination
path
} elsif ($header eq "arguments") {
$Record{$header}{"args"} = $elements[1];
} elsif ($header eq "attributes") {
$Record{$header}{"attrib"} = $elements[1];
} elsif ($header eq "return") {
$Record{$header}{"code"} = $elements[1];
} elsif ($header eq "target") {
$Record{$header}{"user"} = $elements[1];
} elsif ($header eq "owner") {
$Record{$header}{"user"} = $elements[1];
$Record{$header}{"group"} = $elements[2];
}
}
# We now have the data in an associative array.
# Roll through the array, and print the data in token groups.
foreach $header (keys(%Record)) {
print "Header: $header\n";
foreach $element (keys(%{$Record{$header}})) {
print "$element = " . $Record{$header}{$element} . "\n";
}
}
# In addition, if the event is execve, the effective user
ID
# is 'root', but the real user ID is NOT, then display an alert.
if($Record{"event"}{"eventid"} eq "execve" && $Record{"user"}{"euid"}
eq "root" && $Record{"user"}{"uid"} ne "root") {
print "Danger: SetUID program " . $Record{"arguments"}{"args"} . " has been
run by the user " . $Record{"user"}{"uid"} . " .\n";
}
print "\n";
}
print "----- Done -----\n";
