General Configuration
General configuration parameters to consider are as follows:
- Allow SNARE to automatically set audit configuration? For effective auditing it is recommended that the audit configuration parameter is enabled (recommended). Snare has the ability to 'turn on' event auditing in response to the audit policies you set within the Web UI. If enabled, Snare will modify audit.rules to enable event collection according to configured audit policies.
Allow SNARE to automatically set auditd configuration. Relates to Snare's ability to modify the auditd configuration file (/etc/audit/auditd.conf). If set to false, Snare will use its backup file to recreate the original auditd configuration. Default set to true.
Snare will still modify the auditd configuration to set Dispatcher setting to the agent executable to allow auditd to still launch itself.
- Max number of outstanding audit buffers allowed. Relates to the audit kernel buffers allowed. If all buffers are full, the failure flag is consulted by the kernel for action. Adjustment of audit buffers is required to avoid causing a too heavy audit load on your system. Default set to 360.
To save and set the changes to the above settings, and to ensure the audit daemon has received the new configuration perform the following:
- Click on Change Configuration to save any changes to the registry.
- Click on the Apply Configuration & Restart Service menu item.