The purpose of this section is to detail the checklist items recommended to facilitate correct operation of Snare Central. This section details those items which are common to all Snare Central installations, regardless of the objectives which have been set.

The next few paragraphs discuss the major components that should be checked on a regular basis. Clearly, different sites will have their own specific requirements, based on their site, architecture, risk profile, system(s) in use, and so on. For these reasons the following discussion on checklists should be taken as a list of recommendations, which may or may not be adopted. Ultimately, it is up to the user(s) of Snare Central to be guided on the best strategy for the following Snare Central system checklist items.

Service (Event Collection) Status

The Health Checker objective checks whether the main services are running. These services are crucial in that they ensure the proper collection of events and without them being active, Snare Central is unable to collect events. It is strongly recommended that the services be checked on a daily basis, preferably via email notification. Failure of any of the key services will disable the collection of event logs.

Agent Status

It is not uncommon that agents stop reporting. This may be due to the host being disconnected from the network, the host being re-imaged, the Snare Service being stopped, some third party product terminating the Snare Agent service unexpectedly, and so on. It is therefore important that these instances be investigated, with a view to correcting the situation. One way to check the Agent status is to use the Manage Agent objective. Simply clone the default objective for each type of Snare Agent running in your network, set the Configuration, and regenerate. It will quickly tell you which Agents cannot be contacted and what versions they are all running. An alternative is to utilise the Snare Agent Manager (SAM) - particularly in situations where Snare version 5+ agents are installed. Each agent will send heartbeat notifications to the Snare Agent Manager (if enabled), which can be

Configuration Retrieval

The accurate reporting abilities of a number of objectives relies on the successful retrieval of configuration information, namely the users and group related information for Solaris and Windows (and Cognos to a much lesser extent). It is therefore important to check that this task has been scheduled, and will collect all the necessary data. The objectives related to User and Group retrieval, inside the Retrieve Data container within 'Snare Agents' under the System category, should be configured to collect the required user and group information by specifying the server to collect the information (should be a domain controller, but may be a member server in the case of Windows). The password is the password set for the Snare Agent remote control. In order to check that this objective is running correctly, the objective may be 'regenerated' on the fly, and the results checked to verify correct operation.

Date-Time Completion of Objectives

The date-time completion of objectives provides, at a glance, quick information on whether the objective has been scheduled to regenerate at regular intervals. For those objectives that have been scheduled to regenerate at midnight as part of a scheduled run, the time noted in the objective may indicate if a run is taking too long. For instance, objectives scheduled to run at midnight (which includes all objectives scheduled to run on a 'daily' basis) will usually have a time of 00:20:00, meaning it has completed at 20 minutes past midnight. If a time states something like 03:30:00, then the load on Snare Central may be becoming onerous, which could indicate the data store is becoming too big or the query is too general.

Alternatively, it may indicate other problems which may require troubleshooting.

Receipt of Emails

In some instances, scheduled emails may not have been received. This may be due to a number of reasons, such as:

• The objective was not scheduled.
• The objective was scheduled, but no one was listed to receive the email.
• The email was sent out, but the email server rejected it.
• The email was treated as SPAM by an anti-SPAM device.
• The email was sent to the incorrect email address.
• An error with Snare Central scheduling system.

It is important to check that emails have been received on a regular basis, as determined and required by the agency. The objective 'Modify Objective Schedules' within the Administrative Tools area of the System section, provides a single place from which to view those staff who are receiving scheduled reports, and allows changes to be made directly from this objective.

This objective may also be used to scan the list every so often to remove users that no longer have access, and should not be receiving Snare Central reports.

Statistics

The objectives within the Status section provide a powerful data management tool. Some objectives in this category are refreshed each time they are accessed, but it is recommended that checks be made to ensure that the following objective(s), as a minimum, are set to 'daily' automatic regeneration:

• General Statistics
• System Status

It is not required that the client receive a daily email report on the above objectives, so long as the objective is scheduled to run and/or viewed on a regular basis. In this way, the report will be available to those who require it, and will not require regeneration. This is important if the data store is of considerable size, and requires a significant amount of time to regenerate.

Windows Agents

There have been notable problems with the Microsoft Active Directory product changing the audit settings through the use of Group Policy Objects. This means that whilst the Snare Agents are expecting to set and collect audit events based on established and agreed policy, the Active Directory will reset the audit values to those determined by the Domain Administrator. It is therefore important to check that the Snare Agent objective configuration has not changed and if Group Policy is used to configure the audit settings, check that these settings are in line with the information required by the Snare Agent.

Data Archival

It is strongly recommended that the data archival process be manually checked on an irregular basis to ensure that any media used has not been corrupted. There are two aspects to the archival process, namely the archiving of Snare settings, and the archiving of actual audit event data. Both of these specific objectives are available in the Data Backup section of the System category. Since the CD or DVD write process relies on a number of hardware and Linux related applications, there is always the possibility that the process may not work correctly, and/or may corrupt the write process. Since this process is out of control of Snare Central, it is strongly recommended that a manual check be undertaken every so often to independently and manually verify the correct archival of information and data.

User Checklist

The previous discussions on the System Checklist can also be applied to the User Checklist. The purpose of Snare Central is to report on system events, and provide summaries of specific security objectives. These objectives are realised through the use of the various parameters available to Snare Central, including the list of objectives described in this document. In any given agency, the list of objectives, their frequency of reporting and the requirements of reporting will vary greatly.

A generic 'User Checklist' therefore cannot be developed that covers the requirements of all agencies. The purpose of this checklist is to remind users of those items that should be checked every so often, based on the organisational risk profile and infrastructure requirements. It is strongly recommended that a checklist be developed for each agency that has a requirement for Snare Central.