Snare Resources for Debian

Current binary versions of SNARE were not available for Debian, or were too old to be worth using, when I looked into using SNARE on Debian sarge boxes that need to meet NISPOM requirements. Therefore I have done some work getting SNARE to function on recent Debian sarge installations, and the results of that work will be posted here for general consumption.

NISPOM also requires that all login AND logout events be audited. On my Debian sarge boxes, logout events aren't logged to syslog, but wtmp entries are made correctly. This inspired me to write a daemon to monitor logins and logouts and report them to syslog. See below for my wtmpmond program, which you can use if you have a need for similar functionality.

Kernel Patches

Deb Packages for Snare 0.9.7

Debian Sarge Kernels   2.4.27-2-386 (pkg rev 2.4.27-8)
                       2.4.27-2-586tsc (pkg rev 2.4.27-8)
                       2.4.27-2-686 (pkg rev 2.4.27-8)
                       2.4.27-2-686-smp (pkg rev 2.4.27-8)
                       2.4.27-2-k6 (pkg rev 2.4.27-8)
                       2.4.27-2-k7 (pkg rev 2.4.27-8)
                       2.4.27-2-k7-smp (pkg rev 2.4.27-8)
Audit Daemon           snare-core_0.9.7-1_i386.deb
Audit GUI              Not available - use the web interface provided with the core package

Install Tips:

The above core package was built on a bleeding edge Sarge box as of January 24th, 2005. If the core package won't install due to dependency problems, you can either apt-get upgrade the related packages or it seems pretty safe to override the dependencies with:

   dpkg -i --force-depends snare-core_0.9.7-1_i386.deb

Deb Packages for Snare 0.9.6

Debian Sarge Kernels   2.4.26-1-386
                       2.4.26-1-586tsc
                       2.4.26-1-686
                       2.4.26-1-686-smp
                       2.4.26-1-k6
                       2.4.26-1-k7
                       2.4.26-1-k7-smp
Audit Daemon           snare-core_0.9.6-2_i386.deb
Audit GUI              snare-gui_0.9.6-2_i386.deb

Install Tips:

The above core and GUI packages were built on a bleeding edge Sarge box as of July 20th, 2004. If the core or GUI package won't install due to dependency problems, you can either apt-get upgrade the related packages or it seems pretty safe to override the dependencies with:

   dpkg -i --force-depends snare-gui_0.9.6-2_i386.deb

The GUI should work fine as long as your gnome packages are reasonably recent. For example it works fine on a sarge box installed around April 15th, 2004.


Deb Packages for Snare 0.9.2

Debian Sarge Audit Daemon + Kernel Modules   snare-core_0.9.2-1_i386.deb
Audit GUI                                    snare_0.9.2-1_i386.deb

Notes:

Snare 0.9.2 for Linux builds as a kernel module. It's old now and you should use something newer, but I'm keeping binaries for 0.9.2 available here for reference.

The above packages have the following patches installed from the patch section on the sourceforge site:

The snare-core 0.9.2 package above comes with kernel modules pre-built for the stock 2.4.26-2 kernels that came with Debian sarge at module build time. The package post-installation script will detect the proper kernel module for your installation and install it. The following kernels are supported:

If you install the core package and you are running a custom kernel, or a revision of one of the above kernel-image packages whose symbols don't match revision 2.4.26-2, then the core package will simply let you know that you need to build your own auditmodule for snare to work.

Install Tips:

The above core and GUI packages were built on a bleeding edge Sarge box as of July 20th, 2004. If the core or GUI package won't install due to dependency problems, you can either apt-get upgrade the related packages or it seems pretty safe to override the dependencies with:

   dpkg -i --force-depends snare_0.9.2-1_i386.deb

The GUI should work fine as long as your gnome packages are reasonably recent. For example it works fine on a sarge box installed around April 15th, 2004.


Sources (make your own debs)

wtmpmond -- a daemon to record login AND logout events

wtmpmond monitors login and logout events on a system and reports the events to syslog. This includes anything that logs a wtmp entry, including telnet, ftp, OpenSSH, gdm/xdm graphical logins, regular logins on virtual consoles, etc. This is accomplished by polling the /var/log/wtmp file and matching login and logout records as they occur. This daemon is intended to be used along with a SNARE and syslog configuration to meet the NISPOM requirements for Debian/Red Hat Linux computers in a closed (classified) lab area.
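To make the polling-and-matching approach described above concrete, here is an added example that is not the wtmpmond source. It assumes a glibc-style /var/log/wtmp (fixed-size struct utmpx records appended to the file, the same layout as struct utmp on Linux), pairs each DEAD_PROCESS record with the USER_PROCESS record on the same ut_line, reports logouts whose login predates monitoring rather than dropping them, and resets its file offset when wtmp is rotated. The "LOGIN ..."/"LOGOUT ..." message format and the "wtmpmon" syslog ident are my own choices, not wtmpmond's.

```c
/* wtmp login/logout monitor, added as an example; this is not the wtmpmond
 * source. Assumes a glibc-style wtmp: fixed-size struct utmpx records
 * appended to the file, which matches struct utmp on Linux. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <utmpx.h>

#define MAX_OPEN  64                  /* unmatched logins tracked at once */
#define WTMP_PATH "/var/log/wtmp"     /* assumed; the Debian and Red Hat default */

/* A login not yet paired with a logout on the same tty/pty. */
struct open_session {
    int  in_use, pid;
    long when;                                         /* login time, epoch secs */
    char line[sizeof(((struct utmpx *)0)->ut_line) + 1];
    char user[sizeof(((struct utmpx *)0)->ut_user) + 1];
    char host[sizeof(((struct utmpx *)0)->ut_host) + 1];
};
static struct open_session sessions[MAX_OPEN];

/* utmp fields are fixed width and need not be NUL-terminated. */
static void fieldcpy(char *dst, const char *src, size_t n)
{
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* want_free=1: any empty slot; want_free=0: the open session on this line. */
static struct open_session *find_session(const char *line, int want_free)
{
    for (int i = 0; i < MAX_OPEN; i++)
        if (want_free ? !sessions[i].in_use
                      : (sessions[i].in_use && strcmp(sessions[i].line, line) == 0))
            return &sessions[i];
    return NULL;
}

/* Turn one wtmp record into an audit line. Returns 1 with msg filled for a
 * login or logout, 0 for anything else (boot, runlevel, init spawn ...). */
int process_record(const struct utmpx *ut, char *msg, size_t msglen)
{
    char line[sizeof(ut->ut_line) + 1];
    struct open_session *s;

    fieldcpy(line, ut->ut_line, sizeof(ut->ut_line));
    if (ut->ut_type == USER_PROCESS) {
        char user[sizeof(ut->ut_user) + 1], host[sizeof(ut->ut_host) + 1];
        fieldcpy(user, ut->ut_user, sizeof(ut->ut_user));
        fieldcpy(host, ut->ut_host, sizeof(ut->ut_host));
        snprintf(msg, msglen, "LOGIN user=%s line=%s host=%s pid=%d",
                 user, line, host, (int)ut->ut_pid);
        s = find_session(line, 0);             /* same tty again, no logout seen */
        if (!s) s = find_session(line, 1);
        if (s) {                               /* table full: report but don't track */
            s->in_use = 1; s->pid = (int)ut->ut_pid; s->when = (long)ut->ut_tv.tv_sec;
            strcpy(s->line, line); strcpy(s->user, user); strcpy(s->host, host);
        }
        return 1;
    }
    if (ut->ut_type == DEAD_PROCESS) {
        s = find_session(line, 0);
        if (!s) {                              /* login predates monitoring: still report */
            snprintf(msg, msglen, "LOGOUT user=? line=%s host=? pid=%d", line, (int)ut->ut_pid);
            return 1;
        }
        snprintf(msg, msglen, "LOGOUT user=%s line=%s host=%s pid=%d duration=%lds",
                 s->user, s->line, s->host, s->pid, (long)ut->ut_tv.tv_sec - s->when);
        s->in_use = 0;
        return 1;
    }
    return 0;
}

/* Report every record appended since *offset and advance it. *offset < 0 means
 * start at the current end (don't replay history); a file smaller than *offset
 * means wtmp was rotated, so restart at 0. Returns the number of events sent. */
int poll_wtmp(const char *path, long *offset)
{
    FILE *fp = fopen(path, "rb");
    struct utmpx ut;
    char msg[512];
    int reported = 0;
    long size;

    if (!fp) return -1;
    fseek(fp, 0, SEEK_END);
    size = ftell(fp);
    if (*offset < 0) *offset = size;
    else if (size < *offset) *offset = 0;
    fseek(fp, *offset, SEEK_SET);
    while (fread(&ut, sizeof ut, 1, fp) == 1) {
        *offset += (long)sizeof ut;
        if (process_record(&ut, msg, sizeof msg)) {
            syslog(LOG_AUTH | LOG_INFO, "%s", msg);
            reported++;
        }
    }
    fclose(fp);
    return reported;
}

/* Builds a record in memory; used only to feed constructed sample data. */
void make_record(struct utmpx *ut, short type, const char *user, const char *line,
                 const char *host, int pid, long sec)
{
    memset(ut, 0, sizeof *ut);
    ut->ut_type = type;
    ut->ut_pid = pid;
    ut->ut_tv.tv_sec = sec;
    memcpy(ut->ut_user, user, strlen(user) < sizeof(ut->ut_user) ? strlen(user) : sizeof(ut->ut_user));
    memcpy(ut->ut_line, line, strlen(line) < sizeof(ut->ut_line) ? strlen(line) : sizeof(ut->ut_line));
    memcpy(ut->ut_host, host, strlen(host) < sizeof(ut->ut_host) ? strlen(host) : sizeof(ut->ut_host));
}

int main(void)
{
    long offset = -1;                          /* start at end of wtmp, not at record 0 */
    openlog("wtmpmon", LOG_PID, LOG_AUTH);
    for (;;) {                                 /* a real daemon would also detach */
        if (poll_wtmp(WTMP_PATH, &offset) < 0)
            syslog(LOG_AUTH | LOG_WARNING, "cannot read %s", WTMP_PATH);
        sleep(2);
    }
}
```

Matching on ut_line rather than ut_pid is deliberate: on these systems the DEAD_PROCESS record written by init or the login program carries the tty name reliably, while the user name field is usually blank, so the user is taken from the remembered login. Starting at the end of the file avoids replaying the whole wtmp history into syslog on first start, and the rotation check matters because logrotate truncates wtmp, which would otherwise leave the daemon waiting at a stale offset.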

The following is known to work on Debian sarge and Red Hat 9.0. Simply download the source, extract it, and run make install to build and install it. The INSTALL file that comes with the source has a few more details and notes.

Links


Need Help With This Stuff?



Maintainer: Eric Malkowski
Last Modified: Sunday, 15-May-2005 23:02:47 EDT