Steps: Snare Linux Agent

1. Check sestatus and make sure SELinux is enforcing (setenforce 1 if it is not)

2. Install SnareLinux Agent

3. Stop auditd service

systemctl stop auditd

or

service auditd stop

4. Configure /etc/snare.conf (see the template below, or use the default conf)

5. Allow the Snare listen port in SELinux

semanage port -a -t audit_port_t -p tcp 6161

6. Enable the auditd service

7. Check auditd status

8. Check the service with ps afxZ (Z shows the SELinux context; confirm the Snare daemon is running in the auditd_t domain, which means SELinux is not blocking it)

9. Done
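The checks in steps 1, 5 and 8 can be scripted so they are repeatable after an install. The script below is an added example, not part of the original page or of the Snare product: each check parses the output of sestatus, semanage port -l or ps afxZ read from stdin, so it runs against the constructed sample output embedded in the script (no SELinux needed) and, with --live, against the real host. It assumes the Snare daemon's command line contains the word "snare" and that audit_port_t lists its ports comma separated; the sample lines and the /usr/bin/snare-daemon path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): post-install checks for
# steps 1, 5 and 8. Each check reads command output from stdin.

# Step 1: `sestatus` must report "Current mode: enforcing".
selinux_enforcing() {
    grep -q '^Current mode:[[:space:]]*enforcing'
}

# Step 5: `semanage port -l` must list the given TCP port under audit_port_t.
# Ports on that line are comma separated, e.g. "audit_port_t  tcp  60, 6161".
snare_port_labelled() {
    awk -v port="$1" '
        $1 == "audit_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p == port) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Step 8: every process whose command line mentions "snare" (assumed name of
# the Snare daemon) must carry auditd_t in the LABEL column of `ps afxZ`.
# Lines for awk itself are skipped: when run live, the awk program text
# contains "snare" and would otherwise report awk's own (unconfined) context.
snare_in_auditd_domain() {
    awk '
        tolower($0) ~ /snare/ && $0 !~ /awk/ {
            split($1, ctx, ":")
            if (ctx[3] == "auditd_t") ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# Constructed sample output (not captured from a real host).
SAMPLE_SESTATUS='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing'

SAMPLE_SEMANAGE='audit_port_t                   tcp      60, 6161
syslogd_port_t                 udp      514'

SAMPLE_PS_OK='system_u:system_r:init_t:s0          1 ?   Ss   0:01 /usr/lib/systemd/systemd
system_u:system_r:auditd_t:s0     1234 ?   Ssl  0:00 /usr/bin/snare-daemon'

SAMPLE_PS_BAD='unconfined_u:unconfined_r:unconfined_t:s0  1234 ?  Ssl 0:00 /usr/bin/snare-daemon'

# Run the three checks against the live host (needs root for semanage).
run_live_checks() {
    for cmd in sestatus semanage ps; do
        command -v "$cmd" >/dev/null 2>&1 || { echo "missing: $cmd"; return 2; }
    done
    sestatus | selinux_enforcing \
        || { echo "FAIL step 1: SELinux not enforcing (run: setenforce 1)"; return 1; }
    semanage port -l | snare_port_labelled 6161 \
        || { echo "FAIL step 5: tcp/6161 not labelled audit_port_t"; return 1; }
    ps afxZ | snare_in_auditd_domain \
        || { echo "FAIL step 8: Snare daemon not running in auditd_t"; return 1; }
    echo "all checks passed"
}

# Usage: sh snare_selinux_check.sh --live   (as root, after step 8)
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Without --live the script only defines the functions, so it can be sourced and the checks exercised on the sample strings; a Snare process showing up as unconfined_t or init_t in the live ps output is the case step 8 is meant to catch.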

Template for /etc/snare.conf

[Remote]
# Uncomment the following line to turn the configuration web server on
allow=1
listen_port=6161

[Output]
# network=127.0.0.1:6161
networkOutput0=172.16.254.50:514:UDP:SYSLOG
networkOutput1=172.16.254.50:6161:TCP:SNARE

[Config]
use_criticality=0
set_audit=1
syslog_facility=local0
syslog_priority=information
use_watch=1
use_regex=0

[Objectives]
criticality=0 event=execve exe=/sbin/auditctl
criticality=1 event=execve exe=*passwd*
criticality=2 event=execve uid=*,root
criticality=2 event=(login_auth,login_start,logout)
criticality=3 event=(mount,umount,umount2,settimeofday,clock_settime,swapon,swapoff,reboot,setdomainname,create_module,delete_module,quotactl)