Release Notes for Snare Linux Agent

Release Notes for Snare for Linux

© InterSect Alliance International Pty Ltd

Page 1 of 16

About this document

This document provides release notes for the Snare Enterprise Agent for Linux.


Snare Enterprise Agent for Linux v4.1.10

Snare Enterprise Agent for Linux v4.1.10 was released on 9th November 2016.

➤ New Feature

• Linux build to work on Oracle Linux v7
  The agent will now work in an Oracle Linux v7 environment. To allow it to run, perform the following as root on the Linux host:
  ◦ Run the following command to enable the agent to run:
      # setenforce 0
    This switches SELinux to permissive mode until the next reboot. Alternatively, edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=permissive, then reboot the system. The agent will only work in an enforcing SELinux environment if the user sets up the relevant SELinux policy rules.
  ◦ The Linux firewall may need to be updated to allow the syslog messages to be sent to the destination, and to allow access to the web management port on the host (TCP 6161).

➤ Bug Fixes

• Linux agent is sending unwanted auditd events
  Added support for filtering out audit information messages (generated when new rules are loaded into the kernel, when the audit daemon is started, stopped or restarted, or when a non-system audit-based event occurs). These have been grouped together under the event name 'audit' and can be filtered out using an exclude match. Additionally, the following audit events can now be selectively filtered on: cred_disp, audit, audit_start, cred_refr.

• Linux agent crashing
  Fixed a periodic crash when remote servers disconnected in certain situations.


Snare Enterprise Agent for Linux v4.1.9

Snare Enterprise Agent for Linux v4.1.9 was released on 1st July 2016.

➤ New Feature

• A user should be able to create their own audit.rules file and the Linux Agent should be able to monitor any events it generates
  Added the ability to specify a single rule objective with an 'Any Event' objective type and a wildcard ('*'), which tells the agent to process all events coming from the audit subsystem. This is useful if the user wishes to use the agent together with a custom audit.rules file.

• New release for Snare Enterprise Agent for Linux RHEL7 [released 15th August 2016]
  The Linux Snare agent running on RHEL version 7 systems did not start or restart correctly after an install, which held up the release of Snare Enterprise Agent for Linux RHEL7. The fix covers the Snare restart process on the RHEL 7 platform and an installation issue where RPM conflicts with other rpm packages could prevent the agent from starting correctly. The issues resulted from changes RedHat made to the RHEL service subsystem in version 7 and from the way the auditd service is restarted, which is not very robust. The Linux agent was changed to compensate for these issues in the services subsystem. Other platforms such as SUSE and Ubuntu implemented the new service management differently and are not affected by the same issues as RHEL.


Snare Enterprise Agent for Linux v4.1.8

Snare Enterprise Agent for Linux v4.1.8 was released on 19th February 2016.

➤ Bug Fixes

• The web interface may hang after long periods of time
  Some operating system socket disconnect error events could cause the agent's web UI to stop responding, while the rest of the agent continued as expected. This could also manifest on systems with many network interfaces. This is now fixed.


Snare Enterprise Agent for Linux v4.1.7

Snare Enterprise Agent for Linux v4.1.7 was released on 23rd October 2015.

➤ Bug Fixes

• Issue with CPU load when the receiving server is slow or unavailable
  Fixed a potential problem with high CPU load (>90%) when the receiving server is slow or unresponsive in processing events. This may manifest if a firewall or an unreliable network between the Snare Agent and the receiving server drops connections while leaving them in the established TCP state, rather than sending TCP resets to the host operating system (which would let the session exit cleanly). The symptom is excessive CPU usage by the Snare Agent while it attempts to reconnect to the destination server. With the fix, the Snare Agent uses only a small amount of CPU (10-15%) while attempting to reconnect to the destination server.


Snare Enterprise Agent for Linux v4.1.6

Snare Enterprise Agent for Linux v4.1.6 was released on 4th September 2015.

➤ Bug Fixes

• Agent website crashes in certain cases when a connection is severed
  Fixed a potential crash of the agent when the web server component received many disconnect requests. This issue would not affect most customers, as it requires a system with hundreds or more network interfaces to manifest.

• Linux agent does not allow deleting of options in filters field
  Fixed a bug where filters were not removed correctly from the rule settings when editing the objective configuration in the web interface.


Snare Enterprise Agent for Linux v4.1.5

Snare Enterprise Agent for Linux v4.1.5 was released on 31st July 2015.

➤ Bug Fixes

• Snare Server getting strange fragments of logs from Linux agent
  Fixed an issue where multi-part audit events were improperly parsed, causing the tail of the event to be sent to the Generic Log queue.

• Fix handling of subj_sen audit keyword
  Fixed an issue where the keyword subj_sen could not be used as a match condition in an objective rule. This keyword now works correctly.


Snare Enterprise Agent for Linux v4.1.4

Snare Enterprise Agent for Linux v4.1.4 was released on 30th June 2015.

➤ Bug Fixes

• Dropping leading zeroes in date and time formats in the logs
  Fixed the log output where date/month/year was not being handled correctly. This affected both the file output and the syslog destination.


Snare Enterprise Agent for Linux v4.1.3

Snare Enterprise Agent for Linux v4.1.3 was released on 26th February 2015.

➤ Bug Fixes

• Linux Agent does not work with DNS name in config file
  Fixed an issue where a DNS name was not resolved when the agent was reloaded. The fix allows DNS names to be used and also validates that they resolve. Because on some distributions the auditing process starts before the network is brought up, an entry for the destination name should be added to /etc/hosts or its equivalent.

• Clientname not honoured
  A bug was identified where the clientname hostname override, set in the network configuration page, was not always sent when events were generated. This bug has now been fixed.

• Linux Agent outputs the wrong date in Snare format
  Fixed a bug where the date format of an event transmitted in SNARE format could be wrong.


Snare Enterprise Agent for Linux v4.1.2

Snare Enterprise Agent for Linux v4.1.2 was released on 4th February 2015.

➤ Change Log

• Issue with filtering login/logout events
  Event processing has been updated so that login/logout* events are correctly excluded when an exclude rule is active on those events.

• Event processing to allow additional event names
  Event processing has been updated to allow the following additional event names to be filtered on:
  ◦ acct_change - A change in account has occurred (audit event id 1101)
  ◦ cred_acq - Additional credentials have been acquired, i.e. a privilege upgrade via sudo (audit event id 1103)
  ◦ cred_disp - Obtained credentials have been disposed of (i.e. sudo privileges dropped)
  These event names can be used in either the Remote Control Interface or the configuration file.


Snare Enterprise Agent for Linux v4.1.1

Snare Enterprise Agent for Linux v4.1.1 was released on 10th December 2014.

➤ Change Log

• Syslog format difference between OpenSource and Enterprise version for Linux
  A potential bug where a null character could appear in log output when the SYSLOG format was selected has been fixed. Updating the agent applies the change automatically.

• Bug in regex Audit filter terms
  A bug in the parsing of audit filter terms has been fixed. It was caused by incorrect parsing of the comma delimiter: an audit expression such as auid=100,guid=100 would be treated as a single term (i.e. auid = "100,guid=100"), which in turn caused the audit.rules file to be written incorrectly. The fix corrects the parsing of the term. Updating the agent and then reapplying the settings will fix any problems in the audit.rules file.
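The comma-delimiter problem above is easiest to see with a small reimplementation. The following Python is an added example and not code from the Snare agent: it splits a filter expression the way the fixed agent is described as doing, renders each term as an auditctl -F option, and shows that the pre-fix single-term split leaves a comma inside the value, which the renderer refuses rather than writing an invalid line into audit.rules. The mapping of terms to -F options, the always,exit rule skeleton and the rule_is_valid helper are assumptions for illustration; field names are not validated here (auditctl rejects ones it does not know).

```python
import re

# Added example, not Snare's own code. The split on the comma delimiter follows
# the v4.1.1 note; rendering terms as auditctl "-F" options and the rule
# skeleton around them are assumptions for illustration.

# field, comparison operator, value; "!=" and ">=" are tried before "=" and ">".
TERM_RE = re.compile(r'^([A-Za-z0-9_]+)(!=|>=|<=|=|>|<)(.+)$')


def split_terms_before_fix(expr):
    """Pre-fix behaviour from the note: the whole expression is one term."""
    return [expr]


def split_terms(expr):
    """Fixed behaviour: split on the comma delimiter, dropping blank pieces."""
    return [t.strip() for t in expr.split(',') if t.strip()]


def term_to_field_option(term):
    """Render one term such as auid=100 as an auditctl field option."""
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"malformed audit filter term: {term!r}")
    field, op, value = m.groups()
    # A comma or whitespace inside the value is the signature of the old bug
    # (auid = "100,guid=100"); refuse it instead of writing it to audit.rules.
    if ',' in value or any(ch.isspace() for ch in value):
        raise ValueError(f"unsplit or malformed value in term: {term!r}")
    return f"-F {field}{op}{value}"


def build_rule(expr, syscalls=("execve",), key="snare", splitter=split_terms):
    """Build one audit.rules line from a comma-delimited filter expression."""
    options = " ".join(term_to_field_option(t) for t in splitter(expr))
    return f"-a always,exit -F arch=b64 -S {','.join(syscalls)} {options} -k {key}"


def rule_is_valid(expr, splitter=split_terms):
    """True when every term renders cleanly, False when the expression would
    have produced an invalid audit.rules line under the given splitter."""
    try:
        build_rule(expr, splitter=splitter)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_rule("auid=100,guid=100"))
    print("pre-fix split valid:", rule_is_valid("auid=100,guid=100",
                                                splitter=split_terms_before_fix))
```

Running the block prints the corrected rule line and reports that the pre-fix split is rejected; the same check is a cheap thing to run over a generated audit.rules before loading it with auditctl.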



• GUI session handling issue
  When using the Snare Agent Remote Console with Internet Explorer 10, changes were not always possible; this was reported as 'Your session has become invalid, please try again' when trying to change a setting. This session handling issue has been resolved for IE.


Snare Enterprise Agent for Linux v4.1.0

Snare Enterprise Agent for Linux v4.1.0 was released on 16th September 2014.

➤ Enhancements

• Implement Exclude Rules in Linux agent
  Audit event processing has been changed to support exclude matching, so it is now possible to add rules which exclude specific events. An exclude is represented in the configuration file on an objective line as match!="searchstring" and can also be configured in the GUI. Existing event processing and configuration files are unaffected.

• Last Logins Details
  The web UI has been updated to re-add the Last Logins screen, which was present in the 2.x series agents but missing from the 3.x and 4.x agents prior to this release.

• Various UI pages are formatted incorrectly
  The Remote UI has been changed to serve the User, Group, UserGroup and new LastLogin pages with the mimetype text/plain. This change should only be noticeable if these pages are viewed in a web browser.

• Config file permissions need modification
  The agent has been changed to write out all files it touches (snare.conf, auditd.conf, audit.rules) with permissions of 0400. As a result, programs that access these files as non-root will no longer be able to read them after changes are applied in the GUI.

➤ Change Log

• .deb installer doesn't rely on auditd correctly
  The Snare for Linux installer has been changed to address a problem where it was possible to attempt an install without the auditd package installed on systems that use dpkg. dpkg will now report that the required auditd dependency is not yet installed before attempting to install the Snare for Linux Agent.


Snare Enterprise Agent for Linux v4.0.1

Snare Enterprise Agent for Linux v4.0.1 was released on 7th July 2014.

➤ New Features

• PCRE Regular Expression support for filtering objectives
  When creating an objective, a string search can be matched via a regular expression. For example, entering .*root.* in the new Regex String Match field causes the objective to match the word 'root' anywhere in the string.
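Together with the exclude match (match!="searchstring") introduced in v4.1.0 and the 'Any Event' wildcard of v4.1.9, regex matching gives an objective three kinds of condition. The following Python is an added example and not the agent's own code: the Objective class, the one-line key=value syntax accepted by parse_objective, the constructed sample events and the decision to evaluate each objective on its own (the notes do not say how excludes on one objective interact with another) are all assumptions for illustration, and Python's re module stands in for PCRE.

```python
import re
import shlex
from dataclasses import dataclass, field

# Added example, not Snare's own code. Only the three condition kinds (match=,
# match!=, regex) and the '*' wildcard come from the notes; everything else
# here is an assumption for illustration.


@dataclass
class Objective:
    events: set = field(default_factory=set)  # event names; '*' means any event
    match: str = ""    # substring that must be present
    exclude: str = ""  # substring that must be absent (match!="...")
    regex: str = ""    # pattern that must be found somewhere in the event text

    def applies_to(self, event_name):
        return "*" in self.events or event_name in self.events

    def matches(self, event_name, text):
        if not self.applies_to(event_name):
            return False
        if self.match and self.match not in text:
            return False
        if self.exclude and self.exclude in text:
            return False
        if self.regex and not re.search(self.regex, text):
            return False
        return True


def parse_objective(line):
    """Parse a line such as: event=execve match!="cron" regex=".*root.*"
    (shlex strips the quotes around values)."""
    obj = Objective()
    for token in shlex.split(line):
        if token.startswith("event="):
            obj.events = {e.strip() for e in token[len("event="):].split(",")}
        elif token.startswith("match!="):   # must be tested before "match="
            obj.exclude = token[len("match!="):]
        elif token.startswith("match="):
            obj.match = token[len("match="):]
        elif token.startswith("regex="):
            obj.regex = token[len("regex="):]
        else:
            raise ValueError(f"unknown objective attribute: {token!r}")
    if not obj.events:
        raise ValueError("objective has no event= attribute")
    return obj


def filter_events(objectives, events):
    """Keep an event when at least one objective matches it."""
    return [(name, text) for name, text in events
            if any(o.matches(name, text) for o in objectives)]


# Constructed sample events: (event name as the agent labels it, audit text).
SAMPLE_EVENTS = [
    ("execve", 'auid=1000 uid=0 cwd="/root" exe="/usr/bin/sudo" comm="sudo"'),
    ("execve", 'auid=0 uid=0 cwd="/root" exe="/usr/sbin/cron" comm="cron"'),
    ("audit", 'type=CONFIG_CHANGE op=add_rule key="snare" res=1'),
    ("login_start", 'acct="root" exe="/usr/sbin/sshd" terminal=ssh res=success'),
]

OBJECTIVES = [
    parse_objective('event=execve regex=".*root.*" match!="cron"'),
    parse_objective('event=login_start,logout match="sshd"'),
]

if __name__ == "__main__":
    for name, text in filter_events(OBJECTIVES, SAMPLE_EVENTS):
        print(name, text)
```

With the two objectives above, the sudo execve under /root and the sshd login_start are forwarded, the cron execve is dropped by the exclude, and the 'audit' housekeeping event is dropped because no objective covers it; an objective with event=* would pick that last one up again, which is the trade-off the v4.1.10 'audit' event name exists to manage.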



• SSL support
  The protocol can be selected in the Network Configuration settings of the Remote Control Interface. Selecting SSL uses an encrypted connection to the server.

• Multi-threading
  Improved multi-threading and general performance improvements.

➤ Change Log

• Remote Control Interface improved
  The user interface layer includes subtle changes to the pages to show notices, warnings and any errors. For example, when applying the latest audit configuration, a notice that Snare is restarting is displayed.

• Event Destination Status Indicator
  The Latest Events page now displays the status of each destination configured for logging, along with additional status information for each destination including the protocol, port and connection status.

• Ability to adjust auditd buffer size
  Available only via the configuration file in version 4.0, audit_buffersize may be adjusted if a large number of events is being generated by the system and the kernel audit load has difficulty keeping up.

• Improved caching capability when a destination server is down
  The Cache Size parameter on the Network Configuration page allows the agent to cache messages if there is a network failure or the destination server is unavailable. A cached message is kept until it is sent or until the size of the cache exceeds the specified allotment, in which case the oldest message is removed. If the agent is restarted, any cached messages are lost.
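The cache behaviour in that entry, an allotment that evicts the oldest message once exceeded and is emptied by a restart, decides which events are lost first during an outage, so it is worth modelling. The following Python is an added example and not the agent's implementation: EventCache, its byte-based accounting, the send callback, the dropped counter and the simulate_outage scenario are assumptions for illustration.

```python
from collections import deque

# Added example, not Snare's own code: a model of the Cache Size behaviour in
# the v4.0.1 note. Messages are held in memory until sent; when the total size
# exceeds the allotment the oldest is dropped; a restart loses everything
# because nothing is written to disk. Byte accounting is an assumption.


class EventCache:
    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self._queue = deque()
        self._bytes = 0
        self.dropped = 0  # messages lost to eviction (never reported downstream)

    def put(self, message: bytes):
        """Queue a message, evicting from the oldest end until within budget.
        A single message larger than the whole allotment is evicted at once."""
        self._queue.append(message)
        self._bytes += len(message)
        while self._bytes > self.max_bytes and self._queue:
            self._bytes -= len(self._queue.popleft())
            self.dropped += 1

    def flush(self, send):
        """Deliver oldest first; stop at the first failed send so ordering is
        preserved and the failed message stays at the head for the next try."""
        sent = 0
        while self._queue:
            if not send(self._queue[0]):
                break
            self._bytes -= len(self._queue.popleft())
            sent += 1
        return sent

    def pending(self):
        return list(self._queue)

    def size(self):
        return self._bytes


def simulate_outage(max_bytes=40):
    """Constructed scenario: three 20-byte messages arrive while the destination
    is down, then the link comes back for exactly one message."""
    cache = EventCache(max_bytes)
    for tag in (b"1", b"2", b"3"):
        cache.put(tag * 20)            # third message pushes out the first
    first_flush = cache.flush(lambda m: False)   # still unreachable
    link = iter([True, False])
    second_flush = cache.flush(lambda m: next(link))
    return cache.dropped, first_flush, second_flush, cache.pending()


if __name__ == "__main__":
    dropped, first, second, left = simulate_outage()
    print(f"dropped={dropped} sent={first}+{second} still queued={len(left)}")
```

The scenario shows the two practical consequences: the oldest message is the one silently lost when the allotment is exceeded, and the dropped counter is the only trace of it, so sizing the cache against the expected event rate times the longest tolerable outage matters more than the default.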



• UTC time support
  A Coordinated Universal Time timestamp format is available for events instead of the local machine time zone format.


Snare Enterprise Agent for Linux v3.1.4

Snare Enterprise Agent for Linux v3.1.4 was released on 6th March 2014.

➤ Bug Fixes

• There was an issue where execve events may not always report the executable causing the events.

➤ Change Log

Restored Feature

Please note that the following features are now available again for Snare Enterprise Agent for Linux only.

● Login/Logout & Authentication Events Filtering

In Snare for Linux 2.x, it was possible to create objectives that monitored login/logout and authentication events. This feature was removed in the 3.0.0 agent. Due to multiple requests it has been restored in the 3.1.4 Linux agent. However, the following caveat should be noted: under Linux, login/logout/login_start events are generated by user-space applications (e.g. sshd). These events are sent to the kernel, which then passes them to the audit subsystem. Snare can only monitor these events if the user-space application actually sends them. Some distributions (such as Debian 7.3) have configured these user-space applications NOT to send events to the kernel, so Snare is not able to monitor login/logout/login_start events on those distributions.

Login/Logout & Authentication event monitoring can be enabled using the remote configuration console (below):


Alternatively, Login/Logout & Authentication event monitoring can be enabled in the configuration file by defining an objective with one or more of the desired events:

• login_auth
  ◦ This event is generated when an authentication event is attempted. It indicates success or failure of the authentication.
• login_start
  ◦ This event is generated when a user successfully logs in to a session.
• logout
  ◦ This event is generated when the user logs out of a session.

An example configuration file using these events is:

[Config]
version=2
use_criticality=0
set_audit=1
syslog_facility=local0
syslog_priority=information
[Remote]
allow=1
listen_port=6161
[Output]
network=127.0.0.1:6161
[Objectives]
criticality=2
event=execve
criticality=3
event=login_auth,login_start,logout
criticality=1
event=login_auth
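To make the layout of that file concrete, the following Python is an added example and not Snare's own parser. It reads the [Section] headers and key=value settings shown above and groups the repeated criticality/event keys under [Objectives] into one record per objective, starting a new record whenever a key repeats. The sample text is constructed from the example above; the grouping rule and the helpers monitored_events and objectives_for_event are assumptions, and Snare's real configuration syntax may allow more than is handled here.

```python
# Added example, not Snare's own code. A section is [Name], a setting is
# key=value, and under [Objectives] a new objective starts whenever a key
# repeats, so criticality/event pairs are grouped whichever key comes first.

# Constructed from the example configuration in the release notes.
SAMPLE_CONF = """\
[Config]
version=2
use_criticality=0
set_audit=1
syslog_facility=local0
syslog_priority=information
[Remote]
allow=1
listen_port=6161
[Output]
network=127.0.0.1:6161
[Objectives]
criticality=2
event=execve
criticality=3
event=login_auth,login_start,logout
criticality=1
event=login_auth
"""


def parse_snare_conf(text):
    """Return {'Config': {...}, 'Remote': {...}, 'Output': {...},
    'Objectives': [{...}, {...}, ...]}; raises on a setting outside a section."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = [] if section == "Objectives" else {}
            continue
        if section is None or "=" not in line:
            raise ValueError(f"setting outside a section or malformed: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "Objectives":
            objectives = conf[section]
            # a repeated key means the previous objective is complete
            if not objectives or key in objectives[-1]:
                objectives.append({})
            objectives[-1][key] = value
        else:
            conf[section][key] = value
    return conf


def _event_names(obj):
    return {e.strip() for e in obj.get("event", "").split(",") if e.strip()}


def monitored_events(conf):
    """Set of event names referenced by any objective."""
    names = set()
    for obj in conf.get("Objectives", []):
        names.update(_event_names(obj))
    return names


def objectives_for_event(conf, event_name):
    """Criticality values of the objectives that cover a given event name."""
    return [obj.get("criticality") for obj in conf.get("Objectives", [])
            if event_name in _event_names(obj)]


if __name__ == "__main__":
    conf = parse_snare_conf(SAMPLE_CONF)
    for obj in conf["Objectives"]:
        print(obj)
    print(sorted(monitored_events(conf)))
```

Parsing the sample yields three objectives; login_auth appears in two of them (criticality 3 and 1), which is the kind of overlap worth checking for before relying on criticality to drive downstream alerting.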
