The steps below recommend initial settings for Snare Agents. Because Snare Central has a dedicated table for each of the agents mentioned below, the standard syslog mechanisms must not be used to forward their events; sending them directly ensures Snare Central handles the data correctly. Use of the Snare remote control feature is recommended (its user-friendly interface maintains the correct syntax and formatting), and instructions for enabling this service are given where applicable.
Windows-Based Agents
During installation, if the machine is not part of a Windows domain, allow Snare to take control of the audit subsystem. If the machine is part of a Windows domain, Local and Group Policies will need to be edited manually to provide the required level of auditing.
Through the remote control interface, click Network Configuration.
...
- Win Application (Application events)
- WinSecurity (Security events)
- WinSystem (System events)
- MSWinEventLog (DNS, File Replication and Directory Service events).
UNIX-Based Agents
Remote Control
For all UNIX-based agents, the following section should be included in the configuration file to enable remote control capabilities. The user friendly interface will maintain the appropriate syntax and formatting of the Snare configuration files, while also allowing the Snare Central to contact its agents to check their individual configuration settings.
...
Once access is granted, please configure the enterprise remote access password through the "Remote Control Configuration" page on the agent web interface.
Linux
The latest Linux Agent no longer requires kernel modifications to activate and gather audit information, making installation and upgrade management much easier. The Linux Agent is packaged with a comprehensive set of objectives for NISPOM, SOX and PCI compliance. Once installed, make the following changes via the Snare Remote Control Interface or the configuration file:
- Change the remote access password to the enterprise password.
- Remove the log file (this will avoid the risk of local storage partitions filling up).
- Set the destination server to the Snare Central IP address or hostname.
- Restart the 'auditd' service.
- UDP is recommended for faster and more efficient use of host and network resources.
- Events will be stored in the Snare Central LinuxAudit table.
- If resource usage becomes a problem, remove all references to the "open" syscall from /etc/snare.conf and restart the agent.
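The Linux checklist above, as an added example that is not part of the original page: a small Python script that lints a snare.conf-style file against those settings (destination host, UDP transport, no local log file, no syslog output, objectives referencing the "open" syscall). The file layout and key names (an [Output] section with network=, file= and syslog=, and [Objectives] lines carrying event=) are assumptions made for this illustration, not Snare's documented format, and the sample file is constructed.

```python
import re

# Constructed sample configuration. The section and key names ([Output] with
# network=/file=/syslog=, [Objectives] with event=) are ASSUMED, not Snare's own.
SAMPLE_CONF = """\
[Output]
network=10.0.0.5:6161:udp
file=/var/log/snare.log
[Objectives]
criticality=3\tevent=open,openat,creat\treturn=*\tuser=*
criticality=4\tevent=execve\treturn=*\tuser=*
"""


def parse_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def audit(text, central_host):
    """Check the Linux checklist; an empty list means the file complies."""
    conf = parse_conf(text)
    output = dict(conf.get("Output", []))
    findings = []
    host, _, rest = output.get("network", "").partition(":")
    if host != central_host:
        findings.append(f"destination is '{host or '<unset>'}', expected {central_host}")
    if "udp" not in rest.lower():
        findings.append("destination is not using UDP")
    if output.get("file"):
        findings.append(f"local log file still configured: {output['file']}")
    if "syslog" in output:
        findings.append("syslog output must not be used with Snare Central")
    for _, value in conf.get("Objectives", []):
        # Objective fields are tab-separated; match 'open' as a whole word so 'openat' alone is ignored.
        m = re.search(r"event=([^\t ]+)", value)
        if m and re.search(r"\bopen\b", m.group(1)):
            findings.append(f"objective references the open syscall: event={m.group(1)}")
    return findings
```

To lint a live file, call audit() on the contents of /etc/snare.conf with the Snare Central host, after adjusting the assumed key names to the installed agent's file.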
Solaris
Ensure that BSM is properly installed and configured (/etc/security/bsmconv) before installing Snare. The Solaris agent should be installed using the "Advanced" objectives and then tuned accordingly. Once installed, make the following changes via the Snare Remote Control Interface or the configuration file:
- Change the remote access password to the enterprise password.
- Remove the log file (this will avoid the risk of local storage partitions filling up).
- Set the destination server to the Snare Central IP address or hostname.
- Restart the Snare Agent.
- UDP is recommended for faster and more efficient use of host and network resources.
- Events will be stored in the Snare Central SolarisBSM table.
Epilog for UNIX
After installing Epilog for the first time, there are two main changes that are required:
- Specify the log files that Epilog should monitor.
- Set the destination server to the Snare Central IP address or hostname.
- The Syslog option must not be used when sending logs to a Snare Central, so that all events are processed correctly by the Snare Central.
- Send events to TCP or UDP port 6161.
- UDP is recommended for faster and more efficient use of host and network resources.
- Generally, events will be stored in the Snare Central GenericLog table.
Tru64
Not released outside of InterSect Alliance at this time.