![[SNARE Logo]](snarelogo.png)
Enhancing the security of the Linux
operating system, by providing a comprehensive event logging facility
Current
Version:
SNARE 0.9 - "Great Expectations"
April 2002
|
|
Enhancing the security of the Linux
operating system, by providing a comprehensive event logging facility
Current
Version: |
| Table of Contents |
1. Introduction
2. SNARE Overview
3. Installing and Removing SNARE
4. Setting the Audit Configuration
5. Audit Event Viewer Functions
6. Audit Management Functions
7. Setting the Network Configuration
8. About Intersect AllianceAnnex A - List of Audited System Calls
Annex B - Kernel Module Description
Annex C - SNARE Configuration File
Annex D - Event Output Format
| 1. Introduction |
1.2 As long time users of the Linux operating system, we believe that one of the key features that is preventing Linux from wider deployment, particularly in organisations with security requirements, is the availability of a host based intrusion detection system, in other words, a native system event auditing or event logging facility. However, we recognise that Linux is many things to many people, and building audit/event logging capabilities directly into the Linux kernel will only contribute to kernel bloat. The facility may simply never be required in some Linux installations.
1.3 As such, in
the spirit of the recent move towards modular security extensions in the
Linux kernel, InterSect Alliance are proud to release a dynamically loadable
kernel module that will form the basis for a host intrusion detection and
"C2-style" auditing/event logging capability for Linux. The dynamic
kernel module precludes the need for a kernel recompile. The overall project
is called 'SNARE' - System iNtrusion Analysis & Reporting Environment
. InterSect Alliance have released the components of SNARE under the terms
of the GNU Public License.
1.4 So why put all this effort into the tools? Two primary reasons:
| 2. SNARE Overview |
2.1 SNARE operates through the actions of three complementary applications :
testsnare.intersectalliance.com LinuxAudit objective,clear,Mon Aug 6 19:43:25 2001,The program /usr/bin/gimp has been executed by the user leigh event,execve(),Mon Aug 6 19:43:25 2001 user,leigh(500),users(500),leigh(500),users(500) process,1651,sh path,/usr/bin/gimp arguments,gimp return,0 sequence,129372.4 Since the above event log contains a great deal of information for the average user, and in a format which doesn't lend itself to direct interpretation, SNARE also incorporates a graphical front end tool. The graphical tool allows for easy configuration of all the event logging parameters, and display of event display. A screenshot of the main window, which includes the main display is shown below in Figure 1:
![[Front Screen]](figure1.png)
Figure 1: Main Window
2.5 The SNARE development platform is Linux kernel version 2.4, and should compile and run on any recent kernel that has modules enabled. A majority of distribution vendors, including RedHat, SuSE, Debian and Mandrake, provide module-enabled kernels by default. SNARE also compiles and installs under SELinux.| 3. Installing, Removing and Running SNARE |
a. snare-core-0.9-1.i386.rpm. This provides the necessary binaries to install the auditmodule and audit kernel components of SNARE. Although the snare-core components may be installed alone, it is recommended that the snare graphical user interface is also installed. NOTE that the binaries available on our web site include modules built for the default Redhat Kernel 7.1 (2.4.2) and 7.2 (2.4.7). If you have a different version of the kernel, then you will need to recompile snare-core from the source RPMs (discussed below).3.2 Installation of the two main components (SNARE core and SNARE front end) is undertaken as follows:b. snare-0.9-1.i386.rpm . This rpm installs the SNARE front end, as shown in Figure 1. However, the graphical user interface will not be of significant use, without the installation of the snare-core RPM above.
c. snare-core-0.9-1.src.rpm. This includes the source code for the snare-core package. This should only be installed if there is a requirement to view or change any of the SNARE components, or you need to rebuild snare for a different kernel version. To recompile, and install for your own system, try the following commands as root:
rpm --rebuild snare-core-0.9-1.src.rpm
The software should compile. Near the end of the build text, a line similar to the following will appear:
Wrote: /usr/src/redhat/RPMS/i386/snare-core-0.9-1.i386.rpm
Use this filename to install the new snare-core package:
rpm -Uvh /usr/src/redhat/RPMS/i386/snare-core-0.9-1.i386.rpm
d. snare-0.9-1.src.rpm . This includes all the source code for the graphical components of SNARE. This should only be installed if there is a requirement to either view or change any of the SNARE GUI components.
- Download the required RPMs, as above.
- Logon as root user, ie; enter the command /bin/su - at the command prompt, and enter the root password when prompted. Issue the commands, as root,
rpm -Uvh snare-core-0.9-1.i386.rpm snare-0.9-1.i386.rpm
- Note that for release 0.9, the audit daemon will not be started automatically. In order to start the audit daemon, the command (as root) /etc/init.d/auditd start may be issued, or the system may be rebooted.
Manual Installation
3.3 If you do not use the Redhat Package Manager to facilitate
installation, then retrieve the snare-core and snare tar files, uncompress
and untar them, and issue the following commands:
For snare-core:
make cleanFor the snare GUI:
make
make install
./autogen.shRunning SNARE
make
make install
cp snare-icon.png /usr/share/pixmaps
cp snare.desktop /usr/share/gnome/apps/System
cp snare.desktop /usr/share/gnome/ximian/Programs/Utilities
cp Snare.kdelnk /usr/share/applnk/System
3.5 If the audit
daemon is run on a system that does not have X-Windows installed, then you
may still configure the audit subsystem, and view logs remotely, using the
SNARE GUI. On your audited system, set your X-Windows DISPLAY variable to
a system that has X-Windows running, and start the SNARE application - eg:
myguisystem$ telnet auditedsystem.mycompany.com
..
auditedsystem$ /bin/su -
[password]
auditedsystem# export DISPLAY=myguisystem.mycompany.com:80
auditedsystem# snare &
| 4. Setting the Audit Configuration |
4.1 The audit configuration is stored as /etc/audit/audit.conf. This file contains all the details required by the audit daemon to successfully execute. Failure to specify a correct configuration file will not "crash" the daemon, but may result in selected events not being able to be read.
Note: Manual editing of the audit.conf configuration file is possible, but care should be taken to ensure that it conforms to the required format for the audit daemon. Also, any use of the graphical SNARE tool to modify security objectives or selected events, may result in manual configuration file changes being overwritten. Details on the configuration file format can be viewed in Annex C - SNARE Configuration File .4.2 The most effective and simplest way to configure the SNARE audit daemon is to use the graphical front end tool. The audit configuration window can be selected from the Setup -> Audit Configuration menu, or directly from the associated toolbar button.
Auditing Control
4.3 The initial audit configuration parameters to consider are:
a. The type of reporting required, and4.4 These three parameters are shown in the first ("Auditing Control") tab of the audit configuration window, shown in Figure 2 below.
b. The destination for audit events. (File or Network)
![[Auditing Control Window]](figure2.png)
Figure 2: Audit Configuration Window - Auditing Control Tab
4.5 Linux uses a mechanism whereby active system tasks all share the system processor(s). Because audit events can potentially be generated by any or all active processors, the audit kernel module must 'cache' audit events until the audit daemon "grabs" it's slice of processor time, and can retrieve the data from the cache. In order to best meet the goals of effective audit delivery, and best use of system resources, version 0.9 of the SNARE module now stores event details in a dynamically allocated linked list. As system memory resources become scarce, the Kernel slows down other tasks, in order to reclaim memory resources. This gives the SNARE auditing subsystem the chance to retrieve audit data, and return more memory to the active pool.
4.6 The type of auditing
may either be by "raw kernel events" or by "objectives" (user defined filters).
Auditing by raw kernel events will result in all selected system calls being
written to the log file (or network), without any form of filtering (other
than selecting which system calls are to be audited). The system calls to
be audited can be selected via the "Kernel" tab in the Audit Configuration
window, as shown in Figure 3 below. This method of
auditing is more suited to the classic "C2" style of auditing, where all calls
are recorded. It should be noted that the "Kernel" and "Objectives" tabs
are mutually exclusive. Turning on events within the "Kernel" tab, does not
mean that they will be turned on if you are in 'audit by objectives' mode.
Similarly, just because you have an objective defined for "open files or
directories" in the objective tab, this does not imply that the open() system
call will be audited if you are auditing by "raw kernel events" (unless you
have specifically checked the "open" event in the "Kernel" tab.
![[Kernel]](figure3.png)
Figure 3: "Kernel" Tab
4.7 A more refined method of auditing is available by selecting events via the advanced auditing "objectives" capability. Any number of objectives may be specified, and are listed in the "Objectives" tab, within the audit configuration window, as shown in Figure 4.
![[Objectives]](figure4.png)
Figure 4: "Objectives" Tab
4.8 Each of the objectives provides a high level of control over which events are selected and reported. Events are selected from a group of high level requirements, and further refined using selected filters. All events detailed in Annex A - List of Audited System Calls are contained within all the following high level groups:
4.10 From each of these groups, a criticality level can be applied. These criticality levels are critical, priority, warning, information and clear. These security levels are provided to enable the SNARE user to map audit events to their most pressing business security objectives, and to quickly identify the criticality of an event, via the coloured "buttons" on the SNARE graphical user interface, as shown in Figure 1.
- Open or create a file or directory.
- Open a file for reading only.
- Write or create a file or directory.
- Remove a file or directory.
- Start or stop program execution.
- Modify system, file or directory attributes.
- Change user or group identity.
- Open a network connection
- Accept a network connection
- Administrative events
4.11 The following filters can be applied to incoming audit events:
a. Filter on the event-specific matchable item.
Each event contains a particular piece of information that represents the core data that needs to be communicated. For the "Open or create a file or directory" group, for example, this would be the name of the file and/or directory opened or created. For the "Start or stop program execution" group, this would be the name of the program in question. The event match allows a "partial", "exact" or "regular expression" match term to check against the event-specific matchable item. A "partial " match will look for the sequence of characters specified somewhere within the event-specific matchable item. For example, if the partial match of "pass" is specified for "Read, write or create a file or directory", then the following example filenames would all match the term:An "exact" match will match the specified term exactly. For example, if the term is /etc/passwd, then the file /etc/passwd would match, but the file /etc/passwd.backup will NOT match.
- /etc/passwd
- /usr/lib/passfilt.so
- /home/red/khyber_pass.txt
A "regular expression " match matches the supplied extended regular expression against the event-specific matchable item. Regular expressions are an advanced form of specifying filters, and should only be used by those with regular expression experienced. For example, the term ".*[Pp]ass(word|wd).*" would match the following:
but would not match:
- /etc/passwd
- /tmp/PasswordFile
- /etc/PASSWD
- /home/red/PaSsWoRd .txt
b. Filter on user.4.12 Once the above settings have been finalised, the configuration may be saved to the configuration file, via the "Save Configuration" button. However, to ensure the audit daemon has received the new configuration, the "Save and Apply " button should be selected.
Any number of users can be selected, and should be entered with commas separating each user. If no users are entered, ALL users are assumed to be audited. Alternatively, specific users may be EXCLUDED from any individual objective, leading to objectives such as "tell me whenever any user except 'root' or 'red' generate an event" . If the user exclusion function is selected, SNARE will only report users that DO NOT match the supplied list of users.c. Filter on return value
An audit event will either return a success or failure return code. SNARE allows a user to filter on the return value.d. Filter on special, event-specific fields
Some events, including open() and socketcall(), allow additional filters to be specified, to provide more flexible search criteria.i. open()
The open event provides the additional capability to filter on open-flags. The flags are specified in regular expression format, and can include (in the following order):O_WRONLY
O_RDWR
O_RDONLY
O_CREAT
O_EXCL
O_NOCTTY
O_TRUNC
O_APPEND
O_NONBLOCK
O_SYNC
O_NOFOLLOW
O_DIRECTORY
O_LARGEFILEFor Example, the following flags can be logically 'or'ed together (in regular expression form) to specify an objective that translates to "Let me know whenever a file is opened in WRITE mode.
open(O_WRONLY|O_RDWR|O_CREAT|O_TRUNC|O_APPEND)
Whereas the following three examples all specify "Read or Write":
open(.*)
open(O_.*)
open( O_WRONLY|O_RDWR|O_RDONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_APPEND|O_NONBLOCK|O_SYNC|O_NOFOLLOW|O_DIRECTORY|O_LARGEFILE)More information on the flags associated with the open() system call are available from the Linux manual pages (see 'man open').
ii. socketcall()
The Linux kernel uses the 'socketcall' system call to serve the requirements of the 'connect', 'accept' and related system calls. In order to monitor 'connect' and 'accept' calls only, the system call 'type' can be included within the objective.For example, socketcall(ACCEPT) only monitors accept() calls. socketcall(CONNECT) only monitors connect() calls.
socketcall(.*) or socketcall(CONNECT|ACCEPT) monitor both accept and connect.
| 5. Audit Event Viewer Functions |
5.1 The main SNARE window also contains the events that have been recorded from the audit log file. Events collected, which meet the filtering requirements as per the Audit Configuration, will be displayed in the main window.
5.2 A summary version of the event is displayed on the main window. For more details on a specific event, the relevant row from the main window can be selected using the mouse. A pop-up window will then display more comprehensive details related to the event. The details are event context dependant; For example, an "execution" event will display the executed program name, whilst a "file open" event will display the path name of the opened file. The event details window is shown in Figure 5. Note that only certain fields are shown, and others are "greyed out". The fields which are displayed depend entirely on the event (system call) that is being displayed. Once an event window is displayed, other events may be displayed by selecting the "prev" and "next" key.
5.3 The fields shown in the event window relate to the parameters of the system call that was audited. The brief interpretation of the individual fields is discussed below:
Figure 5: Event Details Window
5.4 In order to view all previous events contained in the log file, the "Reload" menu item can be selected from Activity->Reload Log File, or from the corresponding button from the toolbar. Note that displaying the entire log file may take some time, depending on the size of the file. Alternatively, the main window event list may be cleared from the menu by selecting the item Activity->Clear all Current Events, or from the corresponding button from the toolbar. Note that clearing the main event viewer, DOES NOT clear the log file.
5.5 The main display
will alert the user as to whether the events being generated by the audit
daemon are being filtered using the defined objectives, or if events are
being passed on without any filtering. This wil be shown to the user via
the graphic display at the bottom of the main window which will show either
"Display Mode: Objective Information" or "Display Mode: Raw Event
Log Data". If events are being passed exclusively to a remote networked
host, then a blue coloured graphic will be displayed stating "No Events Displayed:
Network Transfer Active". The graphic is shown at the bottom of Figure 1 .
| 6. Audit Management Functions |
6.1 The audit daemon is a separate standalone component of the SNARE system, as described in the section on SNARE Overview. However, the SNARE graphical tool can be used to control a number of aspects of its operation. Primarily, the audit configuration can be developed and set using the graphical tool, as described in the previous sections. However, two other functions are available to manage the audit daemon.
6.2 The audit daemon can be restarted directly from the menu item Activity->Apply and Restart Audit. This will instruct the audit daemon to re-read the configuration file, clear the buffers and restart. This function is useful when changes to the audit configuration have simply been saved to the configuration file, without being "applied". The user can therefore select when to activate a new configuration by selecting this menu item, or its corresponding button on the toolbar.
6.3 The audit daemon
status can be viewed by selecting the View->Audit Status menu item,
or its corresponding toolbar button. This will display whether the audit
daemon is active, its process ID, the SNARE version (specifically of the
version of the dynamic kernel module, but will apply to all SNARE components),
and the total number of events processed by the kernel module. Note that the
total events reported are those that have been collected by the kernel, before
filtering (if any) by the audit daemon. The audit status window is shown
in Figure 6 below.
Figure 6: Audit Status Window (under KDE): 28 million events processed
Log Rotation
6.4 Depending on the SNARE configuration, the log file may be
small or large. In any case, it is normal houskeeping practice that logs
either be rotated or archived. Depending on the site requirements, a rotation
scheme that keeps old copies of the last (say) 7 days may be sufficient.
In this case, it may be sufficient to simply include a CRON or ANACRON job,
and use a program such as logrotate to ensure the
current log file does not grow to an unmanageable size. Alternatively, you
may wish to archive all log files to backup media such as tape or CD-ROM.
This may be scheduled using CRON or undertaken manually. In either case,
it is important to note that the audit daemon should restarted, so that it
opens the new log file for writing the events.
| 7. Setting the Network Configuration |
7.1 SNARE provides the facility to send events to a remote host, using UDP. In conjunction with the audit log archive script provided within the SNARE distribution, this will facilitate the remote storage of audit logs for later analysis.
7.2 The settings for these options are available from the Setup menu on the main window, or their corresponding toolbar. Note that if events are being sent exclusively to a remote machine via the network, they will not be displayed within the GUI. In order to display events in the GUI, as well as sending the data to a remote system, set the "Auditing Control" options to "Log events to the networked host and a local file.
7.3 A simple collection and archive script for receiving logs from a remote SNARE node, is available from the SNARE project page. The collection / archive script receives data from one or more SNARE clients, and saves the data off to a file per-date, per-system in /var/log/audit. Files will be given names based on the date, and the audit source, in the format YYYYMMDD-host.name.LinuxAudit (eg: /var/log/audit/20020321-test.intersectalliance.com.LinuxAudit).
| 8. About Intersect Alliance |
8.1 InterSect Alliance is a team of leading information technology security specialists in both the "technical" and "policy" areas. In particular, Intersect Alliance are noted leaders in key aspects of IT Security, including host intrusion detection. Our solutions have been used, and continue to be used in the most sensitive areas of Government and business sectors. Intersect Alliance consult and contract to number of agencies in Australia and in Asia Pacific, for both the business and Government sectors.
8.2 The Intersect Alliance business strategy includes demonstrating our committment and expertise in IT security by releasing Open Source products such as SNARE. Intersect Alliance intend to continue releasing tools that enable users, administrators and clients worldwide to achieve a greater level of productivity and effectiveness in the area of IT Security, by simplifying, abstracting and/or solving complex security problems.
8.3 The team at InterSect Alliance are happy to assist you with tools and processes to best integrate intrusion detection (including SNARE) into your organisations.
8.4 Please visit
the Intersect Alliance website
for more information.
| A. The SNARE Audit Subsystem - Events Audited |
The Linux Kernel has many system calls available at its disposal. However, SNARE Version 0.9 only implements an auditing facility for those calls that are considered to be the most critical and useful from a security perspective. The list of system calls that can be intercepted by SNARE Version 0.9 is shown in the table below.
List of System Calls Implemented in SNARE Version 0.9
System Call Description open open and possibly create a file or device creat open and possibly create a file or device execve execute program exit terminate the current process mkdir create a directory unlink delete a name and possibly the file it refers to mknod create a directory or special or ordinary file rmdir delete a directory chown change ownership of a file lchown change ownership of a file chown32 change ownership of a file lchown32 change ownership of a file chmod change permissions of a file symlink make a new name for a file link make a new name for a file rename change the name or location of a file reboot reboot or enable/disable Ctrl-Alt-Del truncate truncate a file to a specified length chroot change root directory setuid set user identity setreuid set real and / or effective user ID setresuid set real, effective and saved user ID setuid32 set user identity setreuid32 set real and / or effective user ID setresuid32 set real, effective and saved user ID setgid set group identity setregid set real and / or effective group ID setresgid set real, effective and saved group ID setgid32 set group identity setregid32 set real and / or effective group ID setresgid32 set real, effective and saved group ID truncate64 truncate a file to a specified length socketcall Network functions, including connect and accept. create_module Load a kernel module
| B. The SNARE Audit Subsystem - Kernel Module |
The core of the SNARE audit subsystem is the loadable kernel module. The module is designed to intercept selected linux system calls, save auditable details associated with the event in question, and store the information in a temporary buffer until it can be read by the audit daemon process.
The module implements a dynamically allocated linked list kernel buffer to cache event information prior to being read by an application that reads data from /proc/audit. The features of the module are:
a. Events with a path of 1024 bytes can be processed. Paths greater than this size are truncated as of version 0.9.
b. The module is instructed by the audit daemon to audit only selected system calls. System calls that are not specifically selected will not be audited.Kernel module options can be specified on the insmod command line, or added to an 'options auditmodule' line within /etc/modules.conf if required, however, it is recommended that the module be loaded without any arguments, and the audit daemon be used to enable audit events based on the configuration file. Some level of granularity is available at the audit module load phase. Administrators can turn on a 'class' of events, individual events, or all events. For example, turning on all events can be selected by:
insmod auditmodule.o all=1
Instead of the "all=1" option, the following classes can be added. For example, the command insmod auditmodule.o file_class=1 will ensure the auditmodule records all the events related to file operations related events. The following audit classes are defined.
file_class - File-related audit events
a_openfile_control_class - File control related audit events
a_creat
a_mkdir
a_unlink
a_mknod
a_rmdir
a_symlink
a_link
a_rename
a_truncate
a_truncate64
a_chownexecute_class - Execute related audit events
a_lchown
a_chown32
a_lchown32
a_chmod
a_execveadmin_class - Administrative audit events
a_setuid
a_setreuid
a_setresuid
a_setuid32
a_setreuid32
a_setresuid32
a_setgid
a_setregid
a_setresgid
a_setgid32
a_setregid32
a_setresgid32
a_exit
a_rebootnetwork_class - Network related events
a_chroot
a_create_module
a_socketcall
Note that when an f* system call (eg: fchmod) is called by a program, the
corresponding non-f* call is generally called by Linux. Hence, although
fchmod is not available in the list above, calls to fchmod() will create
a chmod() event. In addition, there are a number of system calls which are
dependant on the kernel version and architecture of the host. These are
designated by the numbers "32" or "64" appended to some of the system calls.
Which system calls are called in any given situation (eg; setuid versus
setuid32) will depend on the system architecture of the host system .
| C. The SNARE Audit Subsystem - Configuration File Description |
Details on the audit configuration are discussed in the Audit Configuration section. The purpose of this section is to discuss the makeup of the configuration file. The SNARE configuration file is located at /etc/audit/audit.conf , and this location may not be changed. If the configuration file does not exist, the audit daemon will execute, but will not actively audit events until a correctly formatted configuration file is present, or unless specific instructions are passed to the audit module at load time.
SNARE can be configured in several different ways, namely:
a. Via the graphical tool (Recommended), orThe format of the audit configuration file is discussed below.
b. By setting module options at load time, or
c. By manually editing the configuration file
| [AuditType] | This section allows you to specify whether the audit subsystem generates raw event data without any filtering, or utilises the objectives defined within the [Objectives] section below to filter event data. |
| type=Objective | Generate event data with an objective description, and filter events based on objective definitions in later sections. |
| type=Event | Generate raw event data, without any filtering. |
| [Output] | By default, if no output section exists within the configuration file, the audit daemon will send audit data out to standard out (STDOUT). Note that audit events will be sent to all valid destinations specified in the Output section. As such, events can be sent to one or all of a file, standard output and to a remote network destination (Only one file, and one network destination is supported however). |
| file=/fully/qualified/file/name | The audit daemon will send data to the fully qualified filename specified within the [Output] section. Note that if the audit daemon is not running as root, the file must be writable by the user under which the audit daemon is running. |
| file=stdout | If stdout is specifically defined within the Output section, the audit daemon will send data to standard out. |
| network=hostname:port | Audit data can be sent to a remote system using the UDP protocol. Data will be sent to the remote host, and network port specified here. |
| network=stdout | If stdout is specifically defined within the Output section, the audit daemon will send data to standard out. |
| [Objectives] | This section describes the format
of the objectives. Objectives are composed of:
Note that whitespace will be trimmed from the start and end of items, but will be assumed to be valid when bracketed by other characters. |
| criticality=1 event=open(O_RDONLY) return=* user=^(red|george)$ match=^/etc/shadow$ | Report at criticality level 1, whenever the users "red" or "george", openthe file /etc/shadow in READ ONLY mode. |
| criticality=0 event=* return=* user=^red$ match=.* | Report whenever the user 'red' performs any audited event. Note that 'event' is not a regular expression field, but when the asterisk character is used, events which have been specifically turned on in the [Events] section, or have been turned on by specifying the event name within another objective, will be audited. |
| [Events] | This section describes which raw kernel events are to be audited. This section is used by the audit daemon when the method of auditing is via "raw kernel events". A '1' turns an event on, while a '0' turns the event off. The default setting if not otherwise specified, is off. |
| open=1 creat=0 execve=1 exit=0 mkdir=0 unlink=0 mknod=0 rmdir=0 chown=1 lchown=0 chown32=0 lchown32=0 chmod=1 symlink=0 link=0 rename=0 reboot=0 create_module=0 socketcall=0 connect=0 truncate=0 chroot=0 setuid=0 setreuid=0 setresuid=0 setuid32=0 setreuid32=0 setresuid32=0 setgid=0 setregid=0 setresgid=0 setgid32=0 setregid32=0 setresgid32=0 truncate64=1 |
| D. The SNARE Audit Subsystem - Event Output Format |
The user-space audit daemon reads data from the dynamic kernel audit module via the device "/proc/audit". It converts the binary audit data into text format , and separates information out into a series of token/data groups. Three different field separators are used in order to facilitate follow-on processing - TABS separate 'tokens', COMMAS separate data within each token, and SPACES separate elements within data.
A 'Token' is a group of related data, comprising a 'header', and a series of comma separated fields which make up data that relates to the header.
Examples of tokens:
Groups of tab separated tokens make up an audit event, which may look something like this, depending on whether the audit daemon has been set to 'objective' or 'event' reporting mode (see the configuration section for more information):
- process,1628,gcc
- return,0
- path,/etc/audit/audit.conf
- arguments,ls -al
testsnare.intersectalliance.com LinuxAudit objective,clear,Mon Aug 6 19:43:25 2001,The program /usr/bin/gimp has been executed by the user leigh event,execve(),Mon Aug 6 19:43:25 2001 user,leigh(500),users(500),leigh(500),users(500) process,1651,sh path,/usr/bin/gimp arguments,gimp return,0 sequence,12937A simple example PERL script for extracting data from a raw SNARE log is as follows:
#!/usr/bin/perl
# Usage: cat /var/log/audit/audit.log | ./extract.pl
# Creates an associative array containing the elements of the event record,
and prints the data.
while($input=<STDIN>) {
chomp($input);
%Record=();
@tokens=split(/\t/,$input); # Split
the line into TAB delimited tokens.
foreach $token (@tokens) {
@elements=split(/,/,$token);
# Pick out the elements within each token.
$header=$elements[0];
if($header eq "objective") {
$Record{$header}{"criticality"}
= $elements[1];
$Record{$header}{"datetime"}
= $elements[2];
$Record{$header}{"description"}
= $elements[3];
} elsif ($header eq "event")
{
$Record{$header}{"eventid"}
= $elements[1];
$Record{$header}{"datetime"}
= $elements[2];
} elsif ($header eq "user")
{
$Record{$header}{"uid"}
= $elements[1]; # User ID
$Record{$header}{"gid"}
= $elements[2]; # Group ID
$Record{$header}{"euid"}
= $elements[3]; # Effective User ID
$Record{$header}{"egid"}
= $elements[4]; # Effective Group ID
} elsif ($header eq "process")
{
$Record{$header}{"pid"}
= $elements[1]; # Process ID
$Record{$header}{"name"}
= $elements[2]; # Process Name (max 16 chars)
} elsif ($header eq "path")
{
$Record{$header}{"path"}
= $elements[1];
} elsif ($header eq "destpath")
{
$Record{$header}{"destpath"}
= $elements[1]; # Destination path
} elsif ($header eq "arguments")
{
$Record{$header}{"args"}
= $elements[1];
} elsif ($header eq "attributes")
{
$Record{$header}{"attrib"}
= $elements[1];
} elsif ($header eq "return")
{
$Record{$header}{"code"}
= $elements[1];
} elsif ($header eq "target")
{
$Record{$header}{"user"}
= $elements[1];
} elsif ($header eq "owner")
{
$Record{$header}{"user"}
= $elements[1];
$Record{$header}{"group"}
= $elements[2];
} elsif ($header eq "socket") {
$Record{$header}{"sourceip"}
= $elements[1];
$Record{$header}{"destip"}
= $elements[2];
$Record{$header}{"sourceport"}
= $elements[3];
$Record{$header}{"destport"}
= $elements[4];
} elsif ($header eq "sequence")
{
$Record{$header}{"number"}
= $elements[1];
}
}
# We now have the data in an associative array.
# Roll through the array, and print the data in token
groups.
foreach $header (keys(%Record)) {
print "Header: $header\n";
foreach $element (keys(%{$Record{$header}}))
{
print
"$element = " . $Record{$header}{$element} . "\n";
}
}
# In addition,
if the event is execve, the effective user ID
# is 'root', but the real user ID is NOT, then display
an alert.
if($Record{"event"}{"eventid"} eq "execve" &&
$Record{"user"}{"euid"} eq "root" && $Record{"user"}{"uid"} ne "root")
{
print "Danger: SetUID program
" . $Record{"arguments"}{"args"} . " has been run by the user " . $Record{"user"}{"uid"}
. " .\n";
}
print "\n";
}
print "----- Done -----\n";