
SUMMARY

Aug 18 to Aug 21, 2015

Installing the Snare Enterprise Agent for Solaris enables the Solaris auditing subsystem. This can also enable audit plugins that need to be configured to suit your organization.

Solaris 10

On Solaris 10, the audit_control file installed by the agent selects the Snare plugin by default:

Code Block
#
#ident  @(#)audit_control.txt  1.4     2005/11/24 LJP
#
# audit_control file for snare
#
dir:/var/audit
flags:ia
minfree:20
naflags:ia
plugin:name=/usr/lib/security/audit_snare.so

If logging to local disk is also required, either Snare can be used to log to a file in Syslog or Snare format, or the standard Solaris audit logs can be written by the binfile plugin, like so:

Code Block
#
#ident  @(#)audit_control.txt  1.4     2005/11/24 LJP
#
# audit_control file for snare
#
dir:/var/audit
flags:ia
minfree:20
naflags:ia
plugin:name=/usr/lib/security/audit_snare.so
# binfile plugin: p_dir is the output directory, p_minfree the free-space threshold
plugin:name=audit_binfile.so;\
p_minfree=20;\
p_dir=/var/audit/

This setup writes the standard Solaris audit logs into the /var/audit directory, limiting to 20mb free.

Solaris 11

Solaris 11 uses the service manager to handle the plugins rather than the audit_control file.

The auditconfig command can be used to configure this:

Code Block
# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
Plugin: audit_snare (active)
        Attributes:
        Queue size: 1

Further details for configuring Solaris 11 plugins can be found in the Solaris 11 documentation.

Disable audit_binfile

The bin format plugin (audit_binfile) writes the binary audit log files, and it is enabled by default when the Snare Enterprise Agent for Solaris is installed. These log files (e.g. 20160731135700.20160810191133.hostname) can rapidly fill the disk.

To disable the audit_binfile plugin, which creates the binary files in /var/audit, execute:

Code Block
auditconfig -setplugin audit_binfile inactive

The audit_binfile plugin will then be deactivated.

To check your active/inactive plugins execute:

Code Block
auditconfig -getplugin

Your result may be similar to the following:

Code Block
Plugin: audit_binfile (inactive)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1

Plugin: audit_snare (active)
        Attributes:
        Queue size: 1

Large snare.log file

The default install of the Solaris agent has no network destination configured, so it only logs to a local file, set under Network Configuration | File Output | FileName.

Once you have set a destination IP address or hostname you can remove the snare.log file option: delete the text in the FileName field and save the configuration. The agent then no longer logs locally, so the local disk will not fill.

If you do want to keep a local log file, you will need to implement your own cron job to cycle the log file and restart the agent each day, or at a frequency to suit. (** The version 5 agent will rotate the log file based on a size value each day as another way to manage the log file option.)

To export the configuration file

Start a command prompt as administrator and navigate to the Epilog installation directory:

Code Block
>cd \Program Files\Epilog
>epilog -x template.inf

*Where template.inf can be replaced with a suitable file name, e.g. testagent01.inf