The following configuration contributed to systems passing a PL-1 Multiuser Defence Security Service (DSS) evaluation on Red Hat Enterprise 4.0, in 2005. The Snare agent version was 0.9.8. Snare for Linux 1.0+ requires a slightly different ruleset due to changes in the underlying kernel.
Further details are available from the "Snare, Linux and NISPOM" thread discussed above.
Thanks to Cliff Partlow for the configuration.
[Remote]
allow=1
listen_port=6161
[Output]
file=/var/log/audit/audit.log
[Objectives]
criticality=4 event=Process_Events return=.* user=.* match=.*
criticality=4 event=open(.*),mkdir,mknod,link,symlink return=Success user!=root match=^/etc/shadow$
criticality=2 event=open(.*),mkdir,mknod,link,symlink return=Failure user!=root match=^/etc/shadow$
criticality=4 event=open(O_WRONLY|O_RDWR|O_CREAT|O_TRUNC|O_APPEND),mkdir,mknod,link,symlink return=Success user!=root match=^/etc/passwd$
criticality=2 event=open(O_WRONLY|O_RDWR|O_CREAT|O_TRUNC|O_APPEND),mkdir,mknod,link,symlink return=Failure user!=root match=^/etc/passwd$
criticality=2 event=open(.*),mkdir,mknod,link,symlink return=Failure user=.* match=^(/var/log|/etc)/audit.*
criticality=3 event=open(.*),mkdir,mknod,link,symlink return=Success user=.* match=^(/var/log|/etc)/audit.*
criticality=4 event=open(O_WRONLY|O_RDWR|O_CREAT|O_TRUNC|O_APPEND),mkdir,mknod,link,symlink return=Success user!=root match=^/(sbin|usr/sbin|bin|usr/bin|usr/X11R6/bin|usr/bin/X11)/.*
criticality=1 event=execve,exit return=Success user=.* match=^/bin/su$
criticality=2 event=execve,exit return=Failure user=.* match=^/bin/su$
criticality=3 event=open(O_TRUNC|O_APPEND),chmod,rename,truncate,chown,lchown return=Failure user!=root match=^/etc/.*
criticality=2 event=open(.*),mkdir,mknod,link,symlink,rename,unlink return=Failure user!=root match=^/var/log/.*
criticality=1 event=mount,umount return=Failure user!=root match=.*
criticality=0 event=chroot return=* user=.* match=.*
criticality=0 event=reboot return=* user=.* match=.*
criticality=1 event=accept return=* user!=root match=.*
criticality=1 event=mount,umount return=* user=.* match=.*
criticality=1 event=mkdir,mknod,link,symlink,rename,unlink return=Failure user=.* match=.*
##### DSS Known Requirerd Objectives for PL-1 #####
criticality=4 event=rmdir,unlink return=Failure user=.* match=^/(sbin|usr/sbin|bin|usr/bin|usr/X11R6/bin|usr/bin/X11|lib|usr/lib|etc|boot|var/log)/.*
criticality=4 event=open(.*),creat,mkdir,mknod,link,symlink,truncate,ftruncate return=Failure user=.* match=^/(sbin|usr/sbin|bin|usr/bin|usr/X11R6/bin|usr/bin/X11|lib|usr/lib|etc|boot|var/log)/.*
criticality=4 event=chmod,rename,chown return=Failure user=.* match=^/(sbin|usr/sbin|bin|usr/bin|usr/X11R6/bin|usr/bin/X11|lib|usr/lib|etc|boot|var/log)/.*
criticality=4 event=setuid,setreuid,setresuid,setgid,setregid,setresgid return=Failure user=.* match=.*
criticality=4 event=reboot,create_module,delete_module,chroot,mount,umount return=Failure user=.* match=.*
##### DSS Known Requirerd Objectives for PL-2 machines, you must have the above objectives listed in audit.conf, in addition to the following: #####
criticality=4 event=rmdir,unlink return=Failure,Success user=.* match=^/(home)/.*
criticality=4 event=open(.*),creat,mkdir,mknod,link,symlink,truncate,ftruncate return=Failure user=.* match=^/(home)/.*
criticality=4 event=chmod,rename,chown return=Failure user=.* match=^/(home)/.*
|
![[InterSect Swish]](/images/Right-Swish.jpg)
