Release Notes for Snare Linux Agent v5.8.0

Snare Linux Agent v5.8.0 was released on 5th December 2023.

Security Updates

  • Added a configurable maximum failed logins limit. If this limit is exceeded, the user will be locked out for a period of time. The maximum number of failed login attempts and the lock timeout are configurable via Access Configuration.
  • 3rd party libraries upgraded: 
    • OpenSSL upgraded to version 3.1.1
    • Boost upgraded to version 1.81.0
    • SQLite upgraded to version 3.40.1
  • Improved failback certificate lookup logic to consider expiry and issuer, and to reduce the need to re-create the self-signed certificate
  • Added support for big key size tokens for TLS_AUTH connections
  • Replaced usage of MD5 with a stronger hashing algorithm in License Manager
  • To reinforce Agent security, removed the dependency on MD5 hashing during Snare Agent upgrade

    After this change, upgrading Snare Agent from versions earlier than 5.4.0 is not supported for Agents that had a password enabled.

    Customers who need to upgrade the Agent from a pre-5.4.0 version are advised to perform a two-step upgrade:

    • Step 1 - Upgrade from pre-5.4.0 version to v5.7.0 or 5.7.1
    • Step 2 - Upgrade from v5.7.* to the latest version

New Features and Enhancements

  • Snare Enterprise Agent for Debian 12 is now available
  • Starting from version 5.8.0, Snare Agent has the ability to pull configuration and policy updates from Snare Agent Manager (SAM).
    This functionality replaces the previous method of pushing configuration from AMC (Snare Central component) to Snare Agents.

    Recommendation

    Customers who use AMC to push configuration to the Agents are encouraged to migrate to this new mechanism, where Agent policies are defined in SAM and Agents pull policy updates from SAM.
    This new mechanism is more secure and provides the ability to manage Agent configuration without having web access enabled on every managed endpoint.
    Please see AMC to SAM Migration Guide for details.

    The existing AMC in Snare Central will be deprecated at a future date yet to be announced.

    Starting from SAM v2.0.0 and Snare Agent 5.8.0, Agent's configuration and policies can be fully managed in Snare Agent Manager (SAM).
    SAM allows you to define Agent groups, load and update the master configuration, and provide it to the relevant Agents. Please see the Release Notes of SAM v2.0.0 and the User Guide for more details.

  • Added the ability to export Agent settings in JSON format from the command line, using the -j flag. This JSON file can optionally be used as the master configuration in SAM Agent Policies management.
  • Added a new General Configuration setting to disable auditd events collection on Linux. This is useful for users who require Snare Agent for Linux to collect events from text files only and do not wish the Agent to modify the auditd configuration.

Bug Fixes

  • Snare Enterprise Agent for Linux now properly installs with a preconfigured configuration file where audit collection is set to disabled
  • Corrected issue where auditd would not be started after installation of Snare Enterprise Agent for Linux
  • Fixed form validation of custom Agent Heartbeat Frequency field
  • Fix for possible corner case when determining certificate name
  • Fixed possible error when accessing Access Configuration page
  • Added missing EventLogCounter field to SnareV2 format


User Guide

The following is an offline version of the User Guide related to this release.

For an up-to-date version refer to the online version here.