Release Notes for Snare for Linux


InterSect Alliance International Pty Ltd Page 1 of 17

About this document

This document provides release notes for the Snare Enterprise Agent for Linux.

Snare Enterprise Agent for Linux v4.1.11

Snare Enterprise Agent for Linux v4.1.11 was released on 6th March 2017.

Snare Agent fails to start in RHEL 7.3
This change is made to support audit version 2.6.5, which included changes with respect to service start and restart management. As a result of this change, a restart of the agent will no longer fail when systemd manages the service.

Other
Snare Enterprise Agent for SLED 10 32-bit is no longer available in future releases.

Snare Enterprise Agent for Linux v4.1.10

Snare Enterprise Agent for Linux v4.1.10 was released on 9th November 2016.

New Feature

Linux build to work on Oracle Linux v7
The agent will now work on an Oracle Linux v7 environment. To allow it to run, run the following command as root on the Linux host:

    # setenforce 0

This disables SELinux enforcement on the running system. Alternatively, change the parameter SELINUX=enforcing in /etc/selinux/config to SELINUX=permissive and then reboot the system. The agent will only work in an enforcing SELinux environment if the user sets up the relevant SELinux policy rules.

The Linux firewall may need to be updated to allow the syslog messages to be sent to the destination, as well as to allow access to the web management port on the host, which is TCP 6161.

Linux agent is sending unwanted auditd events
Added support for filtering out audit information messages (generated when new rules are loaded into the kernel, when the audit daemon is started, stopped or restarted, or when there is a non-system audit-based event). These have been grouped together under the event name 'audit'. They can be filtered out using an exclude match. Additionally, the following audit events can now be selectively filtered on: cred_disp, audit, audit_start, cred_refr.

Linux agent crashing
Fixed a periodic crash when remote servers disconnected in certain situations.

Snare Enterprise Agent for Linux v4.1.9

Snare Enterprise Agent for Linux v4.1.9 was released on 1st July 2016.

New Feature

A user should be able to create their own audit.rules file and the Linux Agent should be able to monitor any events it generates
Added the ability to specify a single rule objective with an 'Any Event' objective type and use a wildcard ('*'), which indicates the agent will process all events coming from the audit subsystem. This is useful if the user wishes to use the agent together with a custom audit.rules file.

New release for Snare Enterprise Agent for Linux RHEL7 [released 15th August 2016]
There was an issue with the Linux Snare agent running on RHEL version 7 systems not starting or restarting correctly after an install, which prevented the release of Snare Enterprise Agent for Linux RHEL7. The fix relates to the Snare restart process on the RHEL 7 platform and to an installation issue where RPM conflicts with other rpm packages could cause the agent not to start correctly. The issues were a result of changes RedHat made to the RHEL service subsystem in version 7 and of how the auditd service was restarted, which is not very robust. Some changes were made to the Linux agent to compensate for the issues in the service subsystem. Other platforms such as SUSE and Ubuntu implemented the new service management differently and are not affected by the same issues as RHEL.

Snare Enterprise Agent for Linux v4.1.8

Snare Enterprise Agent for Linux v4.1.8 was released on 19th February 2016.

The web interface may hang after long periods of time
Some operating system socket error disconnect events could cause the agent's web UI to stop responding, although the rest of the agent continued as expected. This could also manifest on systems with many network interfaces. This is now fixed.

Snare Enterprise Agent for Linux v4.1.7

Snare Enterprise Agent for Linux v4.1.7 was released on 23rd October 2015.

Issue with CPU load when the receiving server is slow or unavailable
Fixed a potential problem with CPU load (>90%) when the receiving server is slow or non-responsive at processing events. This may manifest if there is a firewall or an unreliable network between the Snare Agent and the receiving server which drops connections, leaving them in the established TCP state rather than sending TCP resets to the host operating system (which would let the session exit cleanly). The symptom is excessive CPU usage by the Snare Agent while it attempts to reconnect to the destination server. With the fix, the Snare Agent uses only a small amount of CPU (10-15%) while it is attempting to reconnect to the destination server.

Snare Enterprise Agent for Linux v4.1.6

Snare Enterprise Agent for Linux v4.1.6 was released on 4th September 2015.

Agent website crashes in certain cases when a connection is severed
Fixed a potential crash of the agent when the web server component of the agent received many disconnect requests. This issue would not affect most customers, as it would require a system with hundreds or more network interfaces to manifest.

Linux agent does not allow deleting of options in filters field
Fixed a bug where filters were not removed correctly from the rule settings when editing the objective configuration in the web interface.

Snare Enterprise Agent for Linux v4.1.5

Snare Enterprise Agent for Linux v4.1.5 was released on 31st July 2015.

Snare Server getting strange fragments of logs from Linux agent
Fixed an issue where multi-part audit events were being improperly parsed, causing the tail of the event to be sent to the Generic Log queue.

Fix handling of subj_sen audit keyword
Fixed an issue where it was not possible to use the keyword subj_sen as a match condition in an objective rule. This keyword now works correctly.

Snare Enterprise Agent for Linux v4.1.4

Snare Enterprise Agent for Linux v4.1.4 was released on 30th June 2015.

Dropping leading zeroes in date and time formats in the logs
Fixed the log output where date/month/year was not being handled correctly. This could occur in the file output or the syslog destination.

Snare Enterprise Agent for Linux v4.1.3

Snare Enterprise Agent for Linux v4.1.3 was released on 26th February 2015.

Linux Agent does not work with DNS name in config file
Fixed the issue where a DNS name would not be resolved upon reload of the agent. The fix both allows DNS names to be used and validates that they resolve. Since the auditing process starts before the network is brought up on some distributions, an entry should be added to /etc/hosts or its equivalent.

Clientname not honoured
A bug was identified where the clientname hostname override, set in the network configuration page, was not always sent when events were generated. This bug has now been fixed.

Linux Agent outputs the wrong date in Snare format
Fixed a bug where the date format of an event transmitted in SNARE format could potentially be wrong.

Snare Enterprise Agent for Linux v4.1.2

Snare Enterprise Agent for Linux v4.1.2 was released on 4th February 2015.

Change Log

Issue with filtering login/logout events
Event processing has been updated so login/logout* events are correctly excluded if an exclude rule is active on the events.

Event processing to allow additional event names
Event processing has been updated to allow the following additional event names to be filtered:

    acct_change - A change in account has occurred (audit event id 1101)
    cred_acq - Additional credentials have been acquired, i.e. privilege upgrade via sudo (audit event id 1103)
    cred_disp - Obtained credentials have been disposed of (i.e. sudo privileges dropped)

These event names can be used in either the Remote Control Interface or the configuration file.

Snare Enterprise Agent for Linux v4.1.1

Snare Enterprise Agent for Linux v4.1.1 was released on 10th December 2014.

Change Log

Syslog format difference between OpenSource and Enterprise version for Linux
A potential bug where a null character could appear in log output when SYSLOG format was selected has been fixed. Updating the agent will apply the change automatically.

Bug in regex Audit filter terms
A bug has been fixed in the parsing of audit filter terms. This bug was caused by incorrect parsing of the comma delimiter. As a result, audit expressions such as auid=100,guid=100 would be treated as a single term (i.e. auid = "100,guid=100"). This would in turn cause the audit.rules file to be written incorrectly. The fix corrects the parsing of the term. Updating the agent and then reapplying the settings will fix any problems in the audit.rules file.

GUI session handling issue
When using the Snare Agent Remote Console with Internet Explorer 10, changes were not always possible. This would be reported as 'Your session has become invalid, please try again' when trying to change a setting. This session handling issue has been resolved for IE.
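The comma-delimiter defect described above is easy to reproduce in a few lines. The following is an added example written for these notes, not the agent's own parser: it shows the pre-fix behaviour (one term whose value swallows the rest of the expression) beside a parser that splits on the comma first, and renders both as auditctl "-F" clauses so the corrupted rule line is visible. The rule assembly itself is an assumption made for the illustration.

```python
"""Parsing comma-delimited audit filter terms.

Added example for the v4.1.1 note; it is not the agent's own code.
An expression such as 'auid=100,guid=100' has to be split on the comma
into two key=value terms, not kept as one term whose value is
'100,guid=100'.  Rendering the terms as auditctl '-F' clauses is an
assumption made here to show why the buggy parse corrupts audit.rules.
"""
import re

# key, comparison operator, value.  Two-character operators are listed
# before '=' so that '!=' and '>=' are not split into '!' / '>' and '='.
TERM_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)(!=|>=|<=|=|>|<)(.+)$')


def parse_terms_buggy(expr):
    """Pre-fix behaviour: the whole expression is taken as a single term."""
    m = TERM_RE.match(expr.strip())
    if not m:
        raise ValueError(f"malformed audit filter term: {expr!r}")
    return [m.groups()]


def parse_terms(expr):
    """Fixed behaviour: split on commas, then parse each term separately."""
    terms = []
    for raw in expr.split(','):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing comma
        m = TERM_RE.match(raw)
        if not m:
            raise ValueError(f"malformed audit filter term: {raw!r}")
        terms.append(m.groups())
    return terms


def to_auditctl_fields(terms):
    """Render parsed terms as auditctl '-F key<op>value' clauses."""
    return ' '.join(f"-F {key}{op}{value}" for key, op, value in terms)


def audit_rule(syscall, expr, parser=parse_terms):
    """Build a complete 'always,exit' rule line for one syscall (assumed form)."""
    return f"-a always,exit -S {syscall} {to_auditctl_fields(parser(expr))}"


if __name__ == "__main__":
    print("buggy:", audit_rule("execve", "auid=100,guid=100", parse_terms_buggy))
    print("fixed:", audit_rule("execve", "auid=100,guid=100"))
```

Running the block prints the two rule lines side by side; the buggy one carries a single "-F auid=100,guid=100" clause, which is why reapplying settings after the upgrade was needed to rewrite audit.rules.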

Snare Enterprise Agent for Linux v4.1.0

Snare Enterprise Agent for Linux v4.1.0 was released on 16th September 2014.

Enhancements

Implement Exclude Rules in Linux agent
Audit Event Processing has been changed to support exclude matching. As a result of this change it is now possible to add rules which exclude specific events. Exclude matches are represented in the configuration file on an objective line as:

    match!="searchstring"

and can be configured in the GUI. Existing event processing/configuration files are unaffected.

Last Logins Details
The web UI has been updated to re-add the Last Logins screen, which was present in the 2.x series agents but missing from the 3.x and 4.x agents prior to this release.

Various UI pages are formatted incorrectly
The Remote UI has been changed to display the output with the mimetype text/plain for the User, Group, UserGroup and new LastLogin pages. This change should only be noticeable if these pages are viewed in a web browser.

Config file permissions need modification
The agent has been changed to write out all files it touches (snare.conf, auditd.conf, audit.rules) with permissions of 0400. As a result of this change, programs that access these files as non-root will no longer be able to access the files after applying changes in the GUI.

Change Log

.deb Installer doesn't rely on auditd correctly
The Snare for Linux installer has been changed to address a problem where it was possible to attempt an install without the auditd package installed on systems that use dpkg. As a result of this change, dpkg will now indicate that the required dependency auditd is not yet installed before attempting the install of the Snare for Linux Agent.

Snare Enterprise Agent for Linux v4.0.1

Snare Enterprise Agent for Linux v4.0.1 was released on 7th July 2014.

New Features

PCRE Regular Expression support for filtering objectives
When creating an objective, the ability to match a string search via regex is available. For example, entering .*root.* in the new Regex String Match field would cause the objective to match the word 'root' anywhere in the whole string.

SSL support
The protocol can be selected in the Network Configuration settings of the Remote Control Interface. Using SSL will use an encrypted connection to the server.

Multi-threading
Improved multi-threading and general performance improvements.

Change Log

Remote Control Interface improved
The user interface layer includes subtle changes to the pages to include notices, warnings and any errors. For example, when applying the latest audit configuration, a notice that Snare is restarting is displayed.

Event Destination Status Indicator
The Latest Events page now displays the status for each destination that was configured for logging, as well as additional status information for each destination including the protocol, port and connection status.

Ability to adjust auditd buffer size
Available only via the configuration file for version 4.0, audit_buffersize may be adjusted if there is a large number of events being generated by the system and the kernel audit load has difficulty keeping up.

Improved caching capability when a destination server is down
The Cache Size parameter on the Network Configuration page allows the agent to cache messages if there is a network failure or the destination server is unavailable. Any cached message is kept until it is sent or the size of the cache exceeds the specified allotment, in which case the oldest message is removed. If the agent is restarted, any cached messages are lost.

UTC time support
Coordinated Universal Time timestamp format is available for events instead of the local machine time zone format.
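The three objective-matching features spread across these notes (the v4.0.1 regex string match, the v4.1.0 exclude written as match!="...", and the v4.1.9 'Any Event' wildcard) combine into one evaluation step. The following is an added example, not the agent's own code, that parses objective lines in the style shown above and runs constructed audit events through them. The token layout of an objective line and the rule that an event is reported once with the highest criticality of the objectives that matched it are assumptions made for this example.

```python
"""Objective evaluation: event names, wildcard, regex match and excludes.

Added example (not the agent's own code) for the v4.0.1 regex match,
v4.1.0 exclude (match!="...") and v4.1.9 'Any Event' ('*') notes.
Assumed here: objective lines are whitespace-separated key=value tokens,
and an event is reported once with the highest criticality of the
objectives that matched it.
"""
import re
import shlex


class Objective:
    def __init__(self, events, criticality=1, match=None, excludes=()):
        self.events = set(events)  # {'*'} is the 'Any Event' objective
        self.criticality = criticality
        self.match = re.compile(match) if match else None
        self.excludes = [re.compile(x) for x in excludes]

    def matches(self, event_name, text):
        if '*' not in self.events and event_name not in self.events:
            return False
        if self.match and not self.match.search(text):
            return False
        # any exclude that hits suppresses the event for this objective
        return not any(x.search(text) for x in self.excludes)


def parse_objective_line(line):
    """Parse e.g.  criticality=2 event=execve match=".*root.*" match!="cron"
    (regex values must not themselves contain '!=' for this simple tokenizer)."""
    events, crit, match, excludes = set(), 1, None, []
    for tok in shlex.split(line):
        if '!=' in tok:
            key, value = tok.split('!=', 1)
            if key != 'match':
                raise ValueError(f"exclude is only supported on match: {tok!r}")
            excludes.append(value)
            continue
        key, _, value = tok.partition('=')
        if key == 'event':
            events.update(value.split(','))
        elif key == 'criticality':
            crit = int(value)
        elif key == 'match':
            match = value
        else:
            raise ValueError(f"unknown objective key: {key!r}")
    if not events:
        raise ValueError("an objective needs at least one event name")
    return Objective(events, crit, match, excludes)


def evaluate(events, objectives):
    """Return [(criticality, event_name, text)] for every event some objective keeps."""
    kept = []
    for name, text in events:
        crits = [o.criticality for o in objectives if o.matches(name, text)]
        if crits:
            kept.append((max(crits), name, text))
    return kept


# Constructed sample input: (agent event name, audit record text)
SAMPLE_EVENTS = [
    ("execve", 'type=SYSCALL uid=0 comm="bash" exe="/bin/bash" key="root-cmd"'),
    ("execve", 'type=SYSCALL uid=0 comm="cron" exe="/usr/sbin/cron" cwd="/root"'),
    ("login_auth", 'type=USER_AUTH acct="root" res=failed'),
    ("cred_disp", 'type=CRED_DISP acct="root" res=success'),
]
SAMPLE_OBJECTIVES = [
    'criticality=2 event=execve match=".*root.*" match!="cron"',
    'criticality=3 event=login_auth,login_start,logout',
    'criticality=1 event=*',
]


def run_sample():
    """Evaluate the constructed events against the constructed objectives."""
    return evaluate(SAMPLE_EVENTS, [parse_objective_line(l) for l in SAMPLE_OBJECTIVES])


if __name__ == "__main__":
    for crit, name, text in run_sample():
        print(f"crit={crit} {name}: {text}")
```

In the sample the second execve record mentions root but is excluded by the cron match, so only the wildcard objective keeps it and it goes out at criticality 1 rather than 2; that is the behaviour an operator relies on when filtering the 'audit' housekeeping events mentioned under v4.1.10.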
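The Cache Size behaviour described under v4.0.1 (keep undelivered messages until sent, drop the oldest once the allotment is exceeded, lose everything on restart) is shown below as an added example; it is not the agent's own code. Measuring the allotment in bytes, the retry-the-backlog-first ordering and the stand-in destination that fails its first few sends are all assumptions made for this illustration.

```python
"""Size-bounded message cache for an unavailable destination.

Added example (not the agent's own code) of the v4.0.1 Cache Size
behaviour: messages that cannot be delivered are kept in memory until
sent; when the cache exceeds its allotment the oldest message is
dropped; nothing survives a restart.  Counting the allotment in bytes
and the retry order are assumptions made for this example.
"""
from collections import deque


class DestinationCache:
    """In-memory FIFO of undelivered messages, bounded by total byte size."""
    def __init__(self, max_bytes):
        self.max_bytes, self._q, self._bytes = max_bytes, deque(), 0

    def __len__(self):
        return len(self._q)

    def add(self, msg):
        """Queue msg; evict the oldest entries while over budget, return count."""
        self._q.append(msg)
        self._bytes += len(msg)
        dropped = 0
        while self._bytes > self.max_bytes and self._q:
            self._bytes -= len(self._q.popleft())
            dropped += 1
        return dropped

    def flush(self, send):
        """Resend queued messages in order, stopping at the first failure."""
        sent = 0
        while self._q and send(self._q[0]):
            self._bytes -= len(self._q.popleft())
            sent += 1
        return sent


def deliver(msg, cache, send):
    """Retry the backlog first, then msg; cache msg if it cannot go out now."""
    cache.flush(send)
    if len(cache) or not send(msg):  # keep ordering behind any backlog
        cache.add(msg)


class FlakyDestination:
    """Constructed stand-in for the receiving server: the first `fail_first`
    send attempts fail (link down), after which everything is accepted."""
    def __init__(self, fail_first):
        self.fail_first, self.attempts, self.received = fail_first, 0, []

    def send(self, msg):
        self.attempts += 1
        if self.attempts <= self.fail_first:
            return False
        self.received.append(msg)
        return True


def run_sample(fail_first=2, cache_bytes=4096):
    """Push four constructed messages over a link that is down for the first
    `fail_first` attempts; returns (messages received in order, messages
    still cached)."""
    dest = FlakyDestination(fail_first)
    cache = DestinationCache(cache_bytes)
    for i in range(1, 5):
        deliver(f"msg{i}", cache, dest.send)
    return dest.received, len(cache)


if __name__ == "__main__":
    print(run_sample())            # link recovers: all four arrive in order
    print(run_sample(10, 8))       # link stays down, 8-byte cache: oldest dropped
```

With a cache sized too small for the outage, the oldest messages are silently discarded, which is the trade-off the notes describe; sizing the allotment against expected event rate and outage length is what the Cache Size parameter is for.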

Snare Enterprise Agent for Linux v3.1.4

Snare Enterprise Agent for Linux v3.1.4 was released on 6th March 2014.

There was an issue where execve events may not always report the executable causing the events.

Change Log

Restored Feature
Please note that the following features are now re-available for Snare Enterprise Agent for Linux only.

Login/Logout & Authentication Events Filtering
In Snare for Linux 2.x, the ability to create objectives that monitored login/logout and authentication events was available. This feature was removed in the 3.0.0 Agent. Due to multiple requests this feature has been restored in the 3.1.4 Linux Agent. However, the following caveat should be noted: under Linux, login/logout/login_start events are generated by user-space applications (e.g. sshd). These events are sent to the kernel, which then passes them to the audit subsystem. Snare is only capable of monitoring these events if the user-space applications actually send them. Some distributions (such as Debian 7.3) have configured these user-space applications NOT to send events to the kernel, hence Snare is not able to monitor login/logout/login_start events on these distributions.

Login/Logout & Authentication event monitoring can be enabled using the remote configuration console.

Alternatively, Login/Logout & Authentication event monitoring can be enabled in the configuration file by defining an objective with one or more of the desired events:

    login_auth - This event is generated when an authentication event is attempted. It indicates success or failure of the authentication.
    login_start - This event is generated when a user successfully logs in to a session.
    logout - This event is generated when the user logs out of a session.

An example configuration file using these events is:

    [Config]
    version=2
    use_criticality=0
    set_audit=1
    syslog_facility=local0
    syslog_priority=information

    [Remote]
    allow=1
    listen_port=6161

    [Output]
    network=127.0.0.1:6161

    [Objectives]
    criticality=2 event=execve
    criticality=3 event=login_auth,login_start,logout
    criticality=1 event=login_auth
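Before relying on the login_auth, login_start and logout objectives, it is worth confirming that the host's user-space programs actually emit the audit records they depend on, which is the caveat raised above for distributions such as Debian 7.3. The following is an added example, not the agent's own code: it scans audit.log lines for the relevant record types and reports which of the three event names could be monitored. The mapping from the agent's event names to audit record types is an assumption made here; the record type names (USER_AUTH, USER_LOGIN, USER_START, USER_END) are standard Linux audit types, and the sample log excerpts are constructed.

```python
"""Checking whether login/logout records actually reach the audit log.

Added example (not the agent's own code) for the v3.1.4 caveat:
login_auth, login_start and logout objectives can only fire if the
user-space programs (sshd, login, PAM) emit audit records.  The mapping
from agent event names to audit record types below is an assumption;
the record type names themselves are standard Linux audit types.
"""
import re
from collections import Counter

# Assumed mapping of agent event names to the audit record types they need.
EVENT_TO_TYPES = {
    "login_auth": ("USER_AUTH",),
    "login_start": ("USER_LOGIN", "USER_START"),
    "logout": ("USER_END",),
}

TYPE_RE = re.compile(r'^type=(\S+)')


def count_record_types(lines):
    """Count the type= field of each audit.log line; other lines are skipped."""
    counts = Counter()
    for line in lines:
        m = TYPE_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return counts


def observable_events(lines):
    """Map each login-related agent event name to whether its records appear."""
    counts = count_record_types(lines)
    return {event: any(counts[t] for t in types)
            for event, types in EVENT_TO_TYPES.items()}


# Constructed audit.log excerpts (timestamps, pids and addresses are made up).
HOST_WITH_PAM_AUDIT = """\
type=USER_AUTH msg=audit(1490000000.101:201): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1490000000.105:203): pid=1201 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1490000000.106:204): pid=1201 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=SYSCALL msg=audit(1490000000.200:205): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1000 uid=1000 comm="ls" exe="/bin/ls" key="exec"
type=USER_END msg=audit(1490000010.000:210): pid=1201 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" terminal=ssh res=success'
""".splitlines()

HOST_WITHOUT_PAM_AUDIT = """\
type=SYSCALL msg=audit(1490000100.000:301): arch=c000003e syscall=59 success=yes exit=0 pid=1401 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="exec"
type=EXECVE msg=audit(1490000100.000:301): argc=1 a0="bash"
""".splitlines()


if __name__ == "__main__":
    for label, sample in (("pam-audit host", HOST_WITH_PAM_AUDIT),
                          ("no pam-audit host", HOST_WITHOUT_PAM_AUDIT)):
        print(label, observable_events(sample))
```

On a real host the same functions can be pointed at /var/log/audit/audit.log after a test login; if all three come back False, the objectives in the example configuration will never produce events and the distribution's PAM or sshd audit settings need attention first.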