-
Here is the offending snare.conf
# Configuration file written by Snare for Linux on Tue Oct 6 11:34:24 2009
[Remote]
allow=1
listen_port=6161
[Output]
network=127.0.0.1:6161
file=/var/log/audit/snarelog.out
[Config]
use_criticality=0
set_audit=1
use_regex=0
use_watch=1
syslog_facility=local0...
2009-10-13 20:17:37 UTC in SNARE - Auditing and EventLog Management
-
I'm running this off a LiveCD so portions of the filesystem are read-only (like /opt). That's why I installed it under a different directory that was writeable.
I did finally put in a workaround.
2009-10-09 19:39:05 UTC in Inprotect
-
Hi Dave,
I saw a note from the audit package maintainer that the audit package needed to be upgraded to at least 1.2.1.
So I tried that but still no joy. But I stumbled into something interesting on another box (this one a RHEL5 one) which was working fine until I replaced the objectives section with a custom one we had received from our DSS auditor. This new section caused the RHEL5 snare.
2009-10-09 16:54:17 UTC in SNARE - Auditing and EventLog Management
-
Sorry for the ugliness in the last post (I didn't see any way to upload a file, so cut and paste didn't work so well).
The area of interest, though, is the short paragraph just above.
Any ideas?
Dave.
2009-10-06 15:29:48 UTC in SNARE - Auditing and EventLog Management
-
Hi Dave,
Output for auditctl -v is
auditctl version is 1.0.16
The debug output follows (the only thing I see disturbing is an error about /tmp/snarewatch.txt)
Config file /etc/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
log_format_parser called with: RAW
priority_boost_parser called with: 3
flush_parser called with: INCREMENTAL...
2009-10-01 12:56:35 UTC in SNARE - Auditing and EventLog Management
-
Hi Dave,
One other thing... I did not install a modified kernel for snare because I read that this version didn't require such things. I hope that is correct... A buddy of mine here is swearing that I need to install one.
Dave.
2009-09-28 17:17:29 UTC in SNARE - Auditing and EventLog Management
-
Hi Dave,
Admittedly I'm a noob at using snare so thanks for taking the time to look into this.
Nothing is shown in the recent events window. The files are still zero length.
The [Output] is configured for
file=/var/log/audit/snarelog.out
Dave.
2009-09-28 12:20:23 UTC in SNARE - Auditing and EventLog Management
-
Many of the scripts use hard-coded paths for the additional perl libraries at /opt/Inprotect instead of using the $CONFIG{'ROOTDIR'} syntax.
2009-09-27 13:55:52 UTC in Inprotect
-
Submitted 2 bug reports on doing a migration from 0.80.2 to 1.00f.
2009-09-27 01:55:33 UTC in Inprotect
-
If the user selects to do a migration (upgrade), then the tool requires the perl module Data::Dumper::Simple to be installed.
2009-09-27 01:52:58 UTC in Inprotect