Snare installation
- An appropriate Solaris distribution.
- Enterprise customers may download the SnareSolaris package from the Snare Secure Area at https://www.intersectalliance.com.
- Solaris version 10 only: a Solaris installation does not normally activate the utilities needed by the auditing subsystem. The auditing subsystem must be activated separately on the Solaris host before the Snare agent can collect and filter events. It can be activated using the '/etc/security/bsmconv' script.
Install the Snare for Solaris package.
- Log on as the root user, i.e. at the command prompt enter the command /bin/su and enter the root password when prompted. As root, issue the command appropriate to your distribution:
>pkgadd -d SnareSolaris-supp-4.0.0-i386-S11.pkg
- This will install Snare for Solaris and restart the audit daemon (auditd).
Remove the Snare for Solaris package (if required).
- Query the package database to confirm that Snare is installed:
>pkginfo -l SnareSolaris
- Remove the Snare for Solaris package:
>pkgrm SnareSolaris
Running Snare
To view the Snare Remote Control Interface enter the URL http://localhost:6161 or http://hostname:6161 where "hostname" is the DNS name or IP address of the target machine.
After installation the auditd daemon will be running. This daemon must be running for events to be passed to a remote host.
Restart the auditd daemon either:
- By issuing the command:
>svcadm restart system/auditd
- Via the Remote Control Interface: from the menu on the right hand side, select Apply the Latest Audit Configuration to restart the daemon.
Audit configuration
The Snare configuration is stored as /etc/security/snare.conf. This file contains all the details Snare needs to configure the audit subsystem and run successfully.
The configuration of /etc/security/snare.conf can be changed either:
...
The Remote Control Interface is the most effective and simplest way to configure snare.conf and operates completely in memory, with no reliance on any external files. The Remote Control Interface can be accessed locally via the URL http://localhost:6161 or remotely via http://hostname:6161 where "hostname" is the DNS name or IP address of the target machine.
Remote Audit Monitoring
The Remote Control Interface can be turned off by editing the default /etc/security/snare.conf file. Either comment out (using #) the allow=1 line under the [Remote] section, or set this value to 0. Save the file. For any change to snare.conf to take effect, the agent must be restarted to activate the new configuration. The restart process is as follows (execute as the root user):

Check the running processes:
>ps -ef | grep auditd
It should return something like:
root 17608 17595 0 13:50:56 pts/1 0:00 grep auditd
root 17606 1 33 13:47:52 ? 2:48 /usr/sbin/auditd

To restart:
>svcadm restart system/auditd

To check that the processes have restarted, ensure they have new process IDs:
>ps -ef | grep auditd
root 17633 1 32 14:12:40 ? 3:14 /usr/sbin/auditd
root 17637 17595 0 14:16:23 pts/1 0:00 grep auditd
Note: For administrators, the system log files (for example /var/log/messages) are updated whenever settings are applied to snare.conf. This information may assist with troubleshooting. Any errors in the configuration file are also logged.
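The following shell script is an added example, not part of the Snare documentation or product. It shows how an administrator could check whether the Remote Control Interface is enabled in a snare.conf-style file, write a hardened copy with allow=0 under [Remote], and confirm after svcadm restart that auditd actually came back with a new process ID (the check the page performs by hand with ps). Only the [Remote] section and the allow key come from the page; the [Example] section in the sample file is constructed, and the use of pgrep and mktemp is an assumption about the host.

```shell
#!/bin/sh
# Added example (not Snare's own code): inspect and harden the [Remote] section
# of a snare.conf-style file and verify an auditd restart. Assumes the INI-style
# layout shown in the documentation ([Remote] section, allow=1) and that pgrep,
# mktemp and svcadm are available on the host.

# Print the value of "allow" in the [Remote] section, or "unset" if absent.
# Lines beginning with # are ignored, so a commented-out "allow=1" counts as unset.
remote_allow_value() {
    awk -F= '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { in_remote = ($0 ~ /^[ \t]*\[Remote\]/); next }
        in_remote && $1 ~ /^[ \t]*allow[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Write a copy of the config ($1 -> $2) with the [Remote] allow value forced to 0.
# Everything else, including comments and other sections, is copied unchanged.
disable_remote_interface() {
    awk -F= '
        /^[ \t]*\[/ { in_remote = ($0 ~ /^[ \t]*\[Remote\]/) }
        in_remote && $0 !~ /^[ \t]*#/ && $1 ~ /^[ \t]*allow[ \t]*$/ {
            print "allow=0"; next
        }
        { print }
    ' "$1" > "$2"
}

# True when the PID recorded before a restart differs from the one after,
# i.e. the daemon was genuinely replaced rather than left running.
pid_changed() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Restart auditd as the documentation describes and confirm a fresh PID.
# Must be run as root on the Solaris host; not invoked by the demonstration below.
restart_auditd_and_verify() {
    before=$(pgrep -x auditd | head -n 1)
    svcadm restart system/auditd
    sleep 2
    after=$(pgrep -x auditd | head -n 1)
    pid_changed "$before" "$after"
}

# Demonstration on a constructed sample file (not a real snare.conf).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample: only the [Remote] section mirrors the documentation
[Example]
key=value

[Remote]
allow=1
EOF

echo "before hardening: allow=$(remote_allow_value "$SAMPLE")"            # prints 1
disable_remote_interface "$SAMPLE" "$SAMPLE.hardened"
echo "after hardening:  allow=$(remote_allow_value "$SAMPLE.hardened")"   # prints 0
rm -f "$SAMPLE" "$SAMPLE.hardened"
```

The awk parser only touches an uncommented allow line inside [Remote], so a commented "# allow=1" left in place by an earlier edit is preserved rather than silently reactivated. After writing the hardened copy into place, run restart_auditd_and_verify as root; a non-zero exit means the PID did not change and the new configuration has not been picked up.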