Snare is an audit subsystem for Linux.
Version: 1.5.0SNARE (System iNtrusion Analysis and Reporting Environment) is a kernel patch, daemon, and Gnome2 GUI, that together provide a host intrusion detection facility and C2-style auditing/event logging capability for Linux similar to the Basic Security Module
Operating System: Linux
SNARE is divided into three key components:
The Kernel changes
In order to collect event log data, Snare needs to add auditing support into the operating system. You can choose to either install a binary version of the kernel, with Snare already integrated, or you can apply a 'patch' to your kernel source.
Although we try hard to make Snare as easy to install as possible, there are hundreds of different distributions and kernel versions, and it would be an immense task to build Snare for each variant. We are hoping that recent efforts towards creating a native auditing subsystem for linux will soon mean that the kernel component of the Snare for Linux agent, will no longer be required.
The Snare Audit Daemon
The Snare audit daemon acts as an interface between the Linux kernel, and the security administrator. It allow you to turn on events, filter the output, and potentially push audit log information back to a central location for collection, analysis and archival.
The Snare Micro-Web Server, and Audit GUI
The Snare audit GUI provides a graphical user interface to the Snare audit daemon. It allows you to add, remove or modify audit objectives, and change reporting options.
The Micro-Web Server, is embedded in the audit daemon, and provides a very simple configuration capability that can be managed from your web browser.