Audit configuration
The Snare configuration is stored as /etc/audit/snare.conf. This file contains all the details required by Snare to configure the audit subsystem to successfully execute. The configuration of /etc/audit/snare.conf can be changed either:
- directly
Care should be taken if manually editing the snare.conf configuration file to ensure that it conforms to the required format for the audit daemon. Also, any use of the Web User Interface to modify security objectives or selected events, may result in manual configuration file changes being overwritten. Details on the configuration file format can be viewed in Appendix A. Failure to specify a correct configuration file will prevent Snare from running.
- or by modifying the objectives via the Web User Interface
The web UI (localhost:6161) is the most effective and simplest way to configure /etc/audit/snare.conf and operates completely in memory, with no reliance on any external files.
Disable the Web UI
If required, the web UI can be turned off by editing the default /etc/audit/snare.conf file. You can edit the /etc/audit/snare.conf file directly, by setting [ Allow
] to 0.  The agent is required to be restarted for the change to take effect by running at command line /etc/init.d/auditd restart
.
Logs
Administrators may review logs at /var/log/messages, for system log files whenever settings are applied to the snare.conf.