SNAREing Intruders in Linux
Kristy Westphal
The Solaris operating system has the BSM (Basic Security Module) to enable granular-level kernel logging, and now there's a tool for Linux, too. SNARE is a new host-based Intrusion Detection System (IDS) made especially for Linux. When I first heard about SNARE, I decided to install it and try it out. Through my tests, I found it to be a pretty good plug-in for auditing kernel events on Linux. Besides that, it's free, easy to set up, and easy to deploy. This article will show how to install SNARE, how to test it, and suggest some uses for the tool on your Linux boxes.
SNARE, which stands for System iNtrusion Analysis and Reporting Environment, is made by InterSect Alliance, an Australian IT security-consulting firm. According to the Web site (http://www.intersectalliance.com/projects/Snare), the company began the SNARE project to "enhance the security of the Linux operating system by providing a comprehensive event logging facility". They explained that one reason Linux is not typically being deployed across more IT enterprises is the lack of comprehensive logging tools. Thus, they created auditd, a tool that works as a dynamically loadable kernel module that runs as a daemon.
More specifically, the "comprehensive event logging facility" that they refer to includes logging of:
- Opening and accepting network connections
- Reading or writing to files and directories
- Modifications to a user's identity or group
- Modifications to program usage
Depending upon how you configure SNARE, you can detect when a user or attacker has stopped a key program, switched to the root account, or even installed files in a key system directory. Furthermore, SNARE can audit system calls themselves, such as when files are opened or renamed, when a chroot or reboot is executed, or when mkdir or mknod is used.
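To make the detection cases above concrete, here is an added example (not part of the original article and not SNARE's own code) that triages audit events into the alerts the article names: a switch to root, a change to a user's identity or group, a write under a key system directory, a chroot or reboot, and a key program being killed. The event record layout and the sample events are constructed for illustration and are not SNARE's real log format.

```python
"""Triage constructed SNARE-style audit events into the cases the article names.
Assumption (not SNARE's real format): each event is a dict carrying the syscall
name, real/effective uid, and a path or target where the syscall has one."""

KEY_DIRS = ("/etc", "/bin", "/sbin", "/usr/bin", "/lib")  # "key system directories"
KEY_PROGRAMS = {"sshd", "syslogd", "auditd"}              # "key programs"
UID_SYSCALLS = ("setuid", "setreuid", "setresuid")
GID_SYSCALLS = ("setgid", "setregid", "setresgid")

# Constructed sample events, not real SNARE output.
SAMPLE_EVENTS = [
    {"syscall": "open", "uid": 1000, "euid": 1000, "path": "/etc/passwd", "flags": "O_RDONLY"},
    {"syscall": "setuid", "uid": 1000, "euid": 0, "exe": "/bin/su"},
    {"syscall": "mknod", "uid": 0, "euid": 0, "path": "/etc/.hidden_dev"},
    {"syscall": "mkdir", "uid": 1000, "euid": 1000, "path": "/home/kristy/build"},
    {"syscall": "chroot", "uid": 0, "euid": 0, "path": "/var/jail"},
    {"syscall": "kill", "uid": 0, "euid": 0, "target_exe": "sshd", "signal": 9},
    {"syscall": "rename", "uid": 0, "euid": 0, "path": "/bin/ls", "newpath": "/bin/ls.orig"},
]


def _writes(event):
    """True when the event modifies the filesystem; a read-only open is not interesting."""
    if event["syscall"] == "open":
        return "O_RDONLY" not in event.get("flags", "O_RDONLY")
    return event["syscall"] in ("mkdir", "mknod", "rename", "unlink")


def classify(event):
    """Return the alert labels one event triggers; an empty list means no alert."""
    alerts = []
    sc = event["syscall"]
    if sc in UID_SYSCALLS and event.get("euid") == 0 and event.get("uid") != 0:
        alerts.append("switch-to-root")           # an unprivileged uid gained euid 0
    elif sc in UID_SYSCALLS + GID_SYSCALLS:
        alerts.append("identity-or-group-change")
    if _writes(event) and event.get("path", "").startswith(KEY_DIRS):
        alerts.append("key-directory-change")     # file installed or renamed under a system dir
    if sc in ("chroot", "reboot"):
        alerts.append("privileged-syscall:" + sc)
    if sc == "kill" and event.get("target_exe") in KEY_PROGRAMS:
        alerts.append("key-program-stopped")
    return alerts


def scan(events):
    """Return [(index, alerts)] for every event that raised at least one alert."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]
```

Running `scan(SAMPLE_EVENTS)` flags five of the seven constructed events; the read-only open of /etc/passwd and the mkdir in a home directory stay silent.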