Welcome to the Snare Wizard

...

  • This control allows you to install, update or remove trusted Root Certificates system-wide. If you are required to authenticate users with LDAP/TLS or SASL/LDAP, you need to provide Snare Central with the CA root certificate of the authority that issued the LDAP server certificate.

    If you are setting up a certificate authority for your organisation, in order to build and use PEM certificates in-house, you need to make sure that Snare Central is configured to recognise and trust your CA.

    Note

    Snare Wizard only supports PEM certificates.

    Please make sure that the file you want to upload is a Base64-encoded X.509 certificate with one of the following file extensions: .crt, .cer, .pem, .cert, .key.


  • Stronger cipher encryption and more secure HTTPS connections are supported. All versions of SSL are disabled by default. An option is available to disable weak ciphers for Apache and Snare Central, which will disable TLS 1.0 and TLS 1.1 in the Apache configuration and only allow TLS 1.2 with strong ciphers.  Checking this setting changes the web server's configuration, so you must restart Apache for the changes to take effect.  Please note that old browsers do not support the newer TLS protocol versions and may not be able to connect to the Snare web interface at all. The minimum compatible clients are: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.

  • Enable or disable the enhanced password security functionality for the operating-system-level accounts that are installed by default by Snare Central.
    • By default, Snare Central enables password complexity controls, account lockout (30 minutes after 5 failed password attempts), and password history checks. Normally, though, Snare Central system accounts are exempted from the more stringent requirements of an organisational security policy, particularly the requirement for password rotation. The accounts are generally used for either system administration or automated log transfers, and may not fit in with password rotation policies. Enhanced security and forced rotation can be enabled or disabled via this setting, if required.
  • Snare is capable of delegating authentication to an external LDAP Directory or Active Directory server.
    • Note that the user must still have an account on Snare Central with the same name as the LDAP/AD user, to log in.
    • Enter the IP address (or DNS name, as long as Snare Central has been configured to use your local DNS) of your target LDAP or Active Directory server.
    • When the LDAP Groups option is disabled, the user must still have an account on the Snare Server with the same name as the LDAP/AD user in order to log in. However, this requirement is overridden when the LDAP Groups option is enabled.
    • If specified, the Domain will be added to the end of the username for authentication purposes (e.g. a username of 'auser' and a domain of 'test.local' will imply an LDAP/AD authentication of auser@test.local; only 'auser' will be used locally on Snare Central to determine access control settings).  A Test button is available to verify the LDAP setup values.
    • There is a known issue when trying to bind Snare Server to an MS Active Directory using LDAPS on Windows Server 2012 R2. OpenLDAP’s GnuTLS and Microsoft’s SChannel implementations are not compatible for TLS 1.2 negotiation during AD/LDAPS binding, so it is necessary to disable TLS 1.2 before attempting to bind. The “Enable compatibility mode for Win Server 2012 R2” control lets you cope with this situation by forcing a lower TLS version.
    • The LDAP Groups control enables the authorisation of groups defined in the AD server for Snare. Please note that when the LDAP Groups option is enabled, all local accounts are temporarily disabled with the exception of the ADMINISTRATOR account. As of Snare Server 7.2, both kinds of users are not supported simultaneously.
    • When the LDAP Groups option is enabled for the first time, Snare Server needs to retrieve group information from the LDAP or AD server. This can be done by specifying a valid user and password with enough access rights to retrieve this information. Please note that neither the user name nor the password will be stored by Snare. IMPORTANT: Before retrieval, the super group Snare_Central and all defined groups should exist in the LDAP or AD server, and all groups must be members of the Snare_Central group.
    • Once Snare Central is aware of existing groups, it is possible to manage Objectives access rights from the System | Administrative Tools | Manage Access Control configuration objective.
  • Enable or disable enhanced password expiry in Snare Central.
    • Password controls compatible with PCI and related regulatory compliance requirements can be enforced by turning on this setting.
  • Enable or disable the Auto Logout time for Snare sessions.  By default, HTTP sessions expire after approximately two hours, depending on the volume of activity a user is performing. If the organisation also requires a mandatory idle timeout, this control allows you to specify the default (system-wide) setting in minutes. A maximum of 120 minutes (2 hours) can be entered. A value of 0 disables Auto Logout.  Per-user Auto Logout settings are also available in the User Administration objective.
  • Some security vulnerability scanners identify links to 'external sites' as reportable vulnerabilities. The “Block external links from being clickable, when displayed by Snare” setting turns off clickable links in the external link redirect page.
  • Enable Security Technical Implementation Guide (STIG) compliance, to comply with recommendations for the Unix operating system (https://www.stigviewer.com/stig/unix_srg/).  The Snare Linux Agent is automatically installed when the Enable STIG Compliance for Snare Central checkbox is selected. When active, the Snare Linux Agent web user interface (UI) can be accessed by allowing port 6112 on Snare Central. Navigate to Configuration Wizard | Firewall Setup and add the port to the Active Rules if you wish to access the Agent's UI directly. Note that once the Agent's UI has been made accessible, it is recommended you enable the remote control password on the Linux Agent Access Configuration page and supply a new password.
    The Agent audits the following criteria as recommended by STIG (Unix):
    • V-819 all discretionary access control permission modifications.
    • V-818 login, logout, and session initiation.
    • V-816 all administrative, privileged, and security actions.
    • V-815 file deletions.
    • V-814 failed attempts to access files and programs.
    • V-22383 the loading and unloading of dynamic kernel modules.
    • V-22376 account creation.
    • V-22377 account modification.
    • V-22378 account disabling.
    • V-22382 account termination.
      Events are sent via TCP to port 6161 of the local Snare Server with the Log Type "LinuxAudit". The configuration file for the Linux agent is located at /etc/audit/snare.conf.
      If the Enable STIG Compliance for Snare Central checkbox is subsequently unchecked, then the Snare Linux Agent is also uninstalled from the system.
  • Click on the Next button.
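
A pre-upload check for the Root Certificates control described above, as an added example (it is not Snare's own validation code). It confirms the extension is one of those listed, rejects binary DER, flags private key blocks, and checks that each CERTIFICATE body is valid Base64 wrapping a DER SEQUENCE; it does not parse X.509 fields. The names check_upload, der_sequence_ok and SAMPLE_PEM are hypothetical.

```python
import base64
import re

ALLOWED_EXT = (".crt", ".cer", ".pem", ".cert", ".key")  # extensions listed in the note
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
# Constructed stand-in: a 5-byte DER SEQUENCE in PEM armour, not a real certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

def der_sequence_ok(der):
    """True if der is exactly one ASN.1 SEQUENCE whose length field fits the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                          # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_upload(filename, data):
    """Return a list of problems; an empty list means the file passes the checks."""
    problems = []
    if not filename.lower().endswith(ALLOWED_EXT):
        problems.append("extension not accepted")
    if der_sequence_ok(data):                  # raw DER, common for .cer exports
        return problems + ["binary DER, not Base64 PEM"]
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return problems + ["not ASCII text"]
    blocks = PEM_BLOCK.findall(text)
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block")
    for label, body in blocks:
        if "PRIVATE KEY" in label:             # key material does not belong in a trust store
            problems.append("contains a private key")
        elif label == "CERTIFICATE":
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:                 # binascii.Error is a ValueError
                problems.append("invalid Base64")
                continue
            if not der_sequence_ok(der):
                problems.append("body is not a DER SEQUENCE")
    return problems
```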

Firewall Setup

...

    • Enable or disable the Basic Snare Firewall, which uses the UFW firewall to configure IPTables. For normal operation of Snare Central, the firewall should be left enabled; it will only block those ports that do not have an associated Snare-related service active.
      • When the Snare Firewall checkbox is enabled, the currently active firewall rules will be shown in the Active Rules section, and the Backup & Restore section is available. It is possible to make a backup of the current rules and restore them if required.

      • Clicking on any active rule will bring up the edit rule form, where you can delete the selected rule or change parameters such as the destination port number, transport protocol, policy and origin.
      • It is important to note that when adding a new rule, by default ufw will create the same rule for both TCPv4 and TCPv6. However, when deleting a rule, you need to delete the TCPv4 and the TCPv6 rules separately.
    • More information on UFW can be found at:  https://help.ubuntu.com/community/UFW
    • Click on the Next button.
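
Because the two address-family copies of a rule are deleted separately, a port can stay open on one family after its twin has been removed. The following added example (not part of the Snare documentation or product) parses `ufw status numbered` output and lists "Anywhere" rules that exist in only one family. It assumes the standard text layout shown in the constructed sample, and the function name orphaned_rules is hypothetical.

```python
import re
from collections import defaultdict

# One numbered rule line, e.g. "[ 6] 6112/tcp (v6)   ALLOW IN   Anywhere (v6)"
RULE = re.compile(
    r"^\[\s*(\d+)\]\s+(.+?)\s{2,}"
    r"((?:ALLOW|DENY|REJECT|LIMIT)(?: (?:IN|OUT|FWD))?)\s+(.+?)\s*$"
)

# Constructed sample of `ufw status numbered` output (not from a real system).
SAMPLE = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 443/tcp                    ALLOW IN    Anywhere
[ 3] 514/udp                    ALLOW IN    10.0.0.0/8
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 6] 6112/tcp (v6)              ALLOW IN    Anywhere (v6)
"""

def orphaned_rules(status_text):
    """Return [(rule_number, target, family)] for 'Anywhere' rules that exist
    in only one address family."""
    seen = defaultdict(dict)  # (target, action) -> {family: rule_number}
    for line in status_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        num, target, action, source = m.groups()
        family = "v6" if target.endswith("(v6)") else "v4"
        # Rules tied to an explicit address are single-family by nature; skip.
        if source.replace(" (v6)", "") != "Anywhere":
            continue
        key = (target.replace(" (v6)", ""), action)
        seen[key][family] = int(num)
    return sorted(
        (num, key[0], family)
        for key, fams in seen.items() if len(fams) == 1
        for family, num in fams.items()
    )

if __name__ == "__main__":
    for num, target, family in orphaned_rules(SAMPLE):
        print(f"rule {num}: {target} exists only as {family}")
```

ufw renumbers the remaining rules after each deletion, so re-run the check before removing the next rule by number.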

...