Snare Resources for Debian

Current binary versions of SNARE were not available for debian or were too old to be worth using when I looked into using SNARE on debian sarge boxes that need to meet NISPOM requirements. Therefore I have done some work getting SNARE to function on recent Debian sarge installations and the results of that work will be posted here for general consumption.

NISPOM also requires that all login AND logout events be audited and on my debian sarge boxes, logout events aren't logged in syslog but wtmp entries are made correctly. This inspired me to write a daemon to monitor logins and logouts and report them to syslog. See below for my wtmpmond program you can use if you have a need for similar functionality.

Kernel Patches

• linux-debian-2.4.27-2.patch for SNARE 0.9.7
  
  • Created: Sat May 14 02:32:00 UTC 2005
  • MD-5 Sum: 89e0e066ec224cd10a8dde6804217da9
  • Applies clean to kernel-source-2.4.27 and probably any recent 2.4 debian kernel source
  • Also known to apply clean to vanilla kernel 2.4.30 from kernel.org and probably to any recent vanilla kernel
  
  Notes: The above patch is based on the RedHat linux-2.4.20-31.9.patch over at Intersect Alliance. The RedHat patch was applied to debian kernel-source-2.4.27 and areas that failed to patch were repaired by hand. Non-obvious hand changes to make the patch work w/ debian kernels include:
  • audit related calls in do_fork() repaired by hand in init/fork.c
  • set_user_nice() compatibility macro added to audit/auditapi.c and other porting from RH stuff


• linux-debian-2.4.25-3.patch for SNARE 0.9.6
  
  • Created: Tue Jul 20 21:06:31 UTC 2004
  • MD-5 Sum: c05b6ba2ffa452213e5e6f0359f3f60e
  • Applies clean to kernel-source-2.4.25 and kernel-source-2.4.26
  • Also known to apply clean to vanilla kernel 2.4.24 from kernel.org
  
  Notes: The above patch is based on the RedHat linux-2.4.20-24.9.patch over at Intersect Alliance. The RedHat patch was applied to debian kernel-source-2.4.25 and areas that failed to patch were repaired by hand. Non-obvious hand changes to make the patch work w/ debian kernels include:
  • audit related calls in do_fork() repaired by hand in init/fork.c
  • set_user_nice() compatibility macro added to audit/auditapi.c and other porting from RH stuff

Deb Packages for Snare 0.9.7

Debian Sarge	Kernels	2.4.27-2-386 (pkg rev 2.4.27-8) 2.4.27-2-586tsc (pkg rev 2.4.27-8) 2.4.27-2-686 (pkg rev 2.4.27-8) 2.4.27-2-686-smp (pkg rev 2.4.27-8) 2.4.27-2-k6 (pkg rev 2.4.27-8) 2.4.27-2-k7 (pkg rev 2.4.27-8) 2.4.27-2-k7-smp (pkg rev 2.4.27-8)
	Audit Daemon	snare-core_0.9.7-1_i386.deb
	Audit GUI	Not available - use web interface provided with core package

Install Tips:

The above core package was built on a bleeding edge Sarge box as of January 24th, 2005. If the core package won't install due to dependency problems, you can either apt-get upgrade the related packages or it seems pretty safe to override the dependencies with:

   dpkg -i --force-depends snare-core-0.9.7-1_i386.deb

Deb Packages for Snare 0.9.6

Debian Sarge	Kernels	2.4.26-1-386 2.4.26-1-586tsc 2.4.26-1-686 2.4.26-1-686-smp 2.4.26-1-k6 2.4.26-1-k7 2.4.26-1-k7-smp
	Audit Daemon	snare-core_0.9.6-2_i386.deb
	Audit GUI	snare-gui_0.9.6-2_i386.deb

Install Tips:

The above core and GUI packages were built on a bleeding edge Sarge box as of July 20th, 2004. If the core or GUI package won't install due to dependency problems, you can either apt-get upgrade the related packages or it seems pretty safe to override the dependencies with:

   dpkg -i --force-depends snare-gui-0.9.6-2_i386.deb

The GUI should work fine as long as your gnome packages are reasonably recent. For example it works fine on a sarge box installed around April 15th, 2004.

Deb Packages for Snare 0.9.2

Debian Sarge	Audit Daemon + Kernel Modules	snare-core_0.9.2-1_i386.deb
	Audit GUI	snare_0.9.2-1_i386.deb

Notes:

Snare 0.9.2 for linux builds as a kernel module. It's old now and you should use something newer, but I'm keeping binaries for 0.9.2 available here for reference.

The above packages have the following patches installed from the patch section on the sourceforge site:

• Snare PPID Parent Process ID patch
• Memory leak and OOPs patch

The snare-core 0.9.2 package above comes with kernel modules pre-built for the the stock 2.4.26-2 kernels that came with debian sarge at module build time. The package post installation script will detect the proper kernel module for your installation and install it. The following kernels are supported:

• kernel-image-2.4.26-1-386_2.4.26-2_i386.deb
• kernel-image-2.4.26-1-586tsc_2.4.26-2_i386.deb
• kernel-image-2.4.26-1-686_2.4.26-2_i386.deb
• kernel-image-2.4.26-1-686-smp_2.4.26-2_i386.deb
• kernel-image-2.4.26-1-k6_2.4.26-2_i386.deb
• kernel-image-2.4.26-1-k7_2.4.26-2_i386.deb
• kernel-image-2.4.26-1-k7-smp_2.4.26-2_i386.deb

If you install the core package and you are running a custom kernel or a revision of one of the above kernel-image packages with symbols that doesn't match revision 2.4.26-2, then the core package will simply let you know you need to build your own auditmodule for snare to work.

Install Tips:

The above core and GUI packages were built on a bleeding edge Sarge box as of July 20th, 2004. If the core or GUI package won't install due to dependency problems, you can either apt-get upgrade the related packages or it seems pretty safe to override the dependencies with:

   dpkg -i --force-depends snare_0.9.2-1_i386.deb

The GUI should work fine as long as your gnome packages are reasonably recent. For example it works fine on a sarge box installed around April 15th, 2004.

Sources (make your own debs)

• snare_deb_master.tar.gz
  

  The above tarball has a suite of automated scripts that produce the kernels and debs for snare 0.9.7, 0.9.6 and the debs for snare 0.9.2. The following steps can be used to build your own debs in case you have issues with anything above:

  0.9.7, and 0.9.6

  1. Download the above tarball and extract it with the following command:
     

     tar zxf snare_deb_master.tar.gz

  2. 0.9.6 only: Make sure you have the gnome-devel package installed so you have the header files required to build the GUI. You'll also need automake1.7. Check with

     dpkg -l | grep gnome-devel

     dpkg -l | grep automake

     If you don't have these, you can install them with

     apt-get install gnome-devel automake1.7

  3. To build the 0.9.7 or 0.9.6 kernel deb packages, edit the variables at the top of the build_kernels.sh script in the kernel directory. The DEBIAN_URL variable should be set to the debian mirror you use and the SNARE_DEB_KERNEL_VERSION should be set to the kernel version you want to build the kernel deb packages for. Make sure the package kernel-source-$SNARE_DEB_KERNEL_VERSION is installed i.e. kernel-source-2.4.27. The script will error out if the kernel sources aren't installed
  4. Edit /etc/kernel-pkg.conf if you want the packages to have your info listed as the maintainer and e-mail contact for the packages
  5. Now run the following to build all the kernel debs and log the output to the screen and a file in case you need to analyze any problems:

     ./build_kernels.sh 2>&1 | tee build.log

  6. Now you can build the 0.9.6 core and GUI packages (note the kernels have to be built first for these to be able to include proper kernel header files) or the 0.9.7 core package. You might want to edit the files core/debian/changelog and gui/debian/changelog before running make_deb.sh in the core and gui directories to set the package version to what you would like and make a note in the changelogs that these are your own custom built packages. Then run the scripts to build them:

     cd core
     ./make_deb.sh
     cd ../gui
     ./make_deb.sh

  7. Your .deb packages will be left in the directory staging_dir under the kernel, core, and gui areas.
  
  

  0.9.2

  1. Obviously do step 1 for 0.9.6 above
  2. Make sure you have the libgnome-dev package installed so you have the header files required to build the GUI. You'll also need automake1.7. Check with

     dpkg -l | grep libgnome-dev

     dpkg -l | grep automake

     If you don't have these, you can install them with

     apt-get install libgnome-dev automake1.7

  3. Build the core package first: edit make_modules_and_deb.sh and set DEBIAN_URL and SNARE_DEB_KERNEL_VERSION the same as described in step 3 for 0.9.6 above.
  4. Optionally edit core/debian/changelog and gui/debian/changelog to change the package version to what you want and make a note in the changelogs that these are your own custom built packages.
  5. Build the core package and log the output to screen and a file so you can analyze any problems:

     ./make_modules_and_deb.sh 2>&1 | tee build.log

  6. Now build the GUI:

     cd ../gui
     ./make_deb.sh
     

  7. Your .deb packages will be left in the directory staging_dir under the core and gui areas.

wtmpmond -- a daemon to record login AND logout events

wtmpmond monitors login and logout events on a system and report the events to syslog. This includes anything that logs a wtmp entry including telnet, ftp, OpenSSH, gdm/xdm graphical logins, regular logins on virtual consoles etc. This is accomplished by polling the /var/log/wtmp file and matching login and logout records as they occur. This daemon is intended to be used along with a SNARE and syslog configuration to meet the NISPOM requirements for Debian/Redhat linux computers in a closed (classified) lab area.

The following is known to work on debian sarge and Redhat 9.0. Simply download the source, extract, and make install to build and install it. The INSTALL file that comes with the source has a few more details and notes.

• wtmpmond_0.0.2.tar.gz

Links

• SNARE Sourceforge page
• SNARE Project page at Intersect Alliance

Need Help With This Stuff?

• If you happen to be in Southern New England in the USA, then contact us:
  Linux of Massachusetts