Snare Operational Checklists
The purpose of this section is to detail the checklist items recommended to facilitate correct operation of Snare Central. This section details those items which are common to all Snare Central installations, regardless of the objectives which have been set.
The next few paragraphs discuss the major components that should be checked on a regular basis. Clearly, different sites will have their own specific requirements, based on their site, architecture, risk profile, system(s) in use, and so on. For these reasons the following discussion on checklists should be taken as a list of recommendations, which may or may not be adopted. Ultimately, it is up to the user(s) of Snare Central to be guided on the best strategy for the following Snare Central system checklist items.
Service (Event Collection) Status
The Health Checker objective checks whether the main services are running. These services are crucial in that they ensure the proper collection of events and without them being active, Snare Central is unable to collect events. It is strongly recommended that the services be checked on a daily basis, preferably via email notification. Failure of any of the key services will disable the collection of event logs.
Agent Status
It is not uncommon that agents stop reporting. This may be due to the host being disconnected from the network, the host being re-imaged, the Snare Service being stopped, some third party product terminating the Snare Agent service unexpectedly, and so on. It is therefore important that these instances be investigated, with a view to correcting the situation. One way to check the Agent status is to use the Manage Agent objective. Simply clone the default objective for each type of Snare Agent running in your network, set the Configuration, and regenerate. It will quickly tell you which Agents cannot be contacted and what versions they are all running. An alternative is to utilise the Snare Agent Manager (SAM) - particularly in situations where Snare version 5+ agents are installed. Each agent will send heartbeat notifications to the Snare Agent Manager (if enabled), which can be
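As an added illustration of the heartbeat-based check described above (this is example code, not part of Snare Central or the Snare Agent Manager), the script below takes a constructed list of agent heartbeat records, reports the agents that have not been heard from within a chosen window, and summarises the agent versions in use. The record layout (host, version, last heartbeat time) is an assumption for the example; a real run would read the equivalent data exported from SAM or the Manage Agent objective.

```python
from datetime import datetime, timedelta

# Constructed sample heartbeat records (hypothetical layout):
# agent host, agent version, and the time of the last heartbeat received.
SAMPLE_HEARTBEATS = [
    ("dc01.example.local", "5.2.1", "2024-03-10T08:55:00"),
    ("web02.example.local", "5.2.1", "2024-03-10T06:10:00"),
    ("sol07.example.local", "4.9.0", "2024-03-09T23:40:00"),
    ("fs03.example.local", "5.2.1", "2024-03-10T08:58:00"),
]


def stale_agents(records, now_iso, max_silence_minutes):
    """Return (host, version, minutes_silent) for every agent whose last
    heartbeat is older than max_silence_minutes, most silent first."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(minutes=max_silence_minutes)
    stale = []
    for host, version, last_iso in records:
        silence = now - datetime.fromisoformat(last_iso)
        if silence > limit:
            stale.append((host, version, int(silence.total_seconds() // 60)))
    return sorted(stale, key=lambda r: -r[2])


def version_summary(records):
    """Count how many agents report each version, so out-of-date agents stand out."""
    counts = {}
    for _, version, _ in records:
        counts[version] = counts.get(version, 0) + 1
    return counts


if __name__ == "__main__":
    # The reference time is fixed so the constructed sample gives stable output.
    for host, version, minutes in stale_agents(SAMPLE_HEARTBEATS, "2024-03-10T09:00:00", 30):
        print(f"STALE  {host} (v{version}) silent for {minutes} min")
    print("versions:", version_summary(SAMPLE_HEARTBEATS))
```

The silence threshold should be set a little above the heartbeat interval configured on the agents, so that a single delayed heartbeat does not raise a false alarm while a re-imaged or stopped host is still caught within the day.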
Configuration Retrieval
The accurate reporting abilities of a number of objectives rely on the successful retrieval of configuration information, namely the user and group related information for Solaris and Windows (and Cognos to a much lesser extent). It is therefore important to check that this task has been scheduled, and will collect all the necessary data. The objectives related to User and Group retrieval, inside the Retrieve Data container within 'Snare Agents' under the System category, should be configured to collect the required user and group information by specifying the server from which to collect it (this should be a domain controller, but may be a member server in the case of Windows). The password is the password set for the Snare Agent remote control. In order to check that this objective is running correctly, the objective may be 'regenerated' on the fly, and the results checked to verify correct operation.
Date-Time Completion of Objectives
The date-time completion of objectives provides, at a glance, quick information on whether the objective has been scheduled to regenerate at regular intervals. For those objectives that have been scheduled to regenerate at midnight as part of a scheduled run, the time noted in the objective may indicate if a run is taking too long. For instance, objectives scheduled to run at midnight (which includes all objectives scheduled to run on a 'daily' basis) will usually have a time of 00:20:00, meaning that the objective completed at 20 minutes past midnight. If a time states something like 03:30:00, then the load on Snare Central may be becoming onerous, which could indicate that the data store is becoming too big or that the query is too general.
Alternatively, it may indicate other problems which may require troubleshooting.
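The two conditions described above (a midnight run that finishes much later than the usual 00:20:00, and an objective that has not regenerated on its schedule at all) can be checked mechanically. The following is an added example, not code from Snare Central: it reads a constructed list of objective completion records and flags slow and missed runs. The record layout (objective name, schedule, last completion time) and the 60-minute threshold are assumptions chosen for the illustration.

```python
from datetime import datetime

# Constructed sample (hypothetical layout): objective name, schedule,
# and the local timestamp recorded for the last completed run.
SAMPLE_COMPLETIONS = [
    ("Health Checker", "daily", "2024-03-10 00:20:00"),
    ("General Statistics", "daily", "2024-03-10 03:30:00"),
    ("Check Domain Administrators Group", "weekly", "2024-03-04 00:35:00"),
    ("System Status", "daily", "2024-03-08 00:18:00"),
]

# Maximum number of days allowed between runs for each schedule.
SCHEDULE_DAYS = {"daily": 1, "weekly": 7}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def minutes_past_midnight(ts):
    """How long after the midnight scheduled run the objective finished."""
    t = datetime.strptime(ts, TS_FORMAT)
    return t.hour * 60 + t.minute


def slow_objectives(records, max_minutes=60):
    """Objectives whose midnight run completed later than max_minutes past
    midnight; the page's 03:30:00 example is 210 minutes and gets flagged."""
    return [(name, minutes_past_midnight(ts))
            for name, _, ts in records
            if minutes_past_midnight(ts) > max_minutes]


def missed_objectives(records, today):
    """Objectives whose last completion date is older than their schedule
    allows, which points at a scheduling problem rather than a slow run."""
    ref = datetime.strptime(today, "%Y-%m-%d").date()
    missed = []
    for name, schedule, ts in records:
        last = datetime.strptime(ts, TS_FORMAT).date()
        age_days = (ref - last).days
        if age_days > SCHEDULE_DAYS[schedule]:
            missed.append((name, age_days))
    return missed


if __name__ == "__main__":
    for name, minutes in slow_objectives(SAMPLE_COMPLETIONS):
        print(f"SLOW    {name}: finished {minutes} min after midnight")
    for name, days in missed_objectives(SAMPLE_COMPLETIONS, "2024-03-10"):
        print(f"MISSED  {name}: last completed {days} days ago")
```

A slow run and a missed run call for different follow-up: the former points at data store size or an over-general query, as the section notes, whereas the latter means the objective either lost its schedule or the scheduler itself failed, which the Receipt of Emails checks below will usually also surface.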
Receipt of Emails
In some instances, scheduled emails may not have been received. This may be due to a number of reasons, such as:
- The objective was not scheduled.
- The objective was scheduled, but no one was listed to receive the email.
- The email was sent out, but the email server rejected it.
- The email was treated as SPAM by an anti-SPAM device.
- The email was sent to the incorrect email address.
- An error with the Snare Central scheduling system.
It is important to check that emails have been received on a regular basis, as determined and required by the agency. The objective 'Modify Objective Schedules' within the Administrative Tools area of the System section, provides a single place from which to view those staff who are receiving scheduled reports, and allows changes to be made directly from this objective.
This objective may also be used to scan the list every so often to remove users that no longer have access, and should not be receiving Snare Central reports.
Statistics
The objectives within the Status section provide a powerful data management tool. Some objectives in this category are refreshed each time they are accessed, but it is recommended that checks be made to ensure that the following objective(s), as a minimum, are set to 'daily' automatic regeneration:
- General Statistics
- System Status
It is not required that the client receive a daily email report on the above objectives, so long as the objective is scheduled to run and/or viewed on a regular basis. In this way, the report will be available to those who require it, and will not require regeneration. This is important if the data store is of considerable size, and requires a significant amount of time to regenerate.
Windows Agents
There have been notable problems with the Microsoft Active Directory product changing the audit settings through the use of Group Policy Objects. This means that whilst the Snare Agents are expecting to set and collect audit events based on established and agreed policy, the Active Directory will reset the audit values to those determined by the Domain Administrator. It is therefore important to check that the Snare Agent objective configuration has not changed and if Group Policy is used to configure the audit settings, check that these settings are in line with the information required by the Snare Agent.
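A practical way to perform the comparison described above is to capture the effective audit policy on a host and compare it against the settings the Snare Agent expects. The script below is an added example, not Snare or Microsoft code. It parses a constructed sample in the CSV layout that `auditpol /get /category:* /r` produces (the column names are as assumed here; confirm them on a real host) and lists every subcategory whose setting departs from a site baseline, which is also constructed for the example.

```python
import csv
import io

# Audit settings the Snare Agent is expected to rely on. This baseline is
# constructed for the example; substitute the subcategories agreed for your site.
BASELINE = {
    "Logon": "Success and Failure",
    "Logoff": "Success and Failure",
    "Process Creation": "Success",
    "Audit Policy Change": "Success and Failure",
}

# Constructed sample output in the CSV form of `auditpol /get /category:* /r`
# (assumed column headings; GUIDs are placeholders, not real subcategory ids).
SAMPLE_AUDITPOL_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
WS01,System,Logoff,{00000000-0000-0000-0000-000000000002},Success,
WS01,System,Process Creation,{00000000-0000-0000-0000-000000000003},No Auditing,
WS01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000004},Success and Failure,
"""


def parse_auditpol_csv(text):
    """Map each audit subcategory to its effective inclusion setting."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Subcategory"].strip(): row["Inclusion Setting"].strip()
            for row in reader}


def audit_policy_drift(actual, baseline):
    """Return (subcategory, expected, actual) for every baseline entry that
    is weaker, different, or absent in the captured policy."""
    drift = []
    for subcategory, expected in baseline.items():
        got = actual.get(subcategory, "<missing>")
        if got != expected:
            drift.append((subcategory, expected, got))
    return drift


if __name__ == "__main__":
    effective = parse_auditpol_csv(SAMPLE_AUDITPOL_CSV)
    for subcategory, expected, got in audit_policy_drift(effective, BASELINE):
        print(f"DRIFT  {subcategory}: expected '{expected}', host reports '{got}'")
```

When the CSV is read from a file rather than from the embedded sample, open it with `encoding="utf-8-sig"` so that a byte-order mark does not corrupt the first column heading. Drift that reappears after being corrected is the signature of a Group Policy Object overriding the local settings, and the fix belongs in that GPO rather than on the host.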
Data Archival
It is strongly recommended that the data archival process be manually checked on an irregular basis to ensure that any media used has not been corrupted. There are two aspects to the archival process, namely the archiving of Snare settings, and the archiving of actual audit event data. Both of these specific objectives are available in the Data Backup section of the System category. Since the CD or DVD write process relies on a number of hardware and Linux related applications, there is always the possibility that the process may not work correctly, or may produce corrupted media. Since this process is outside the control of Snare Central, it is strongly recommended that a manual check be undertaken every so often to independently verify the correct archival of information and data.
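One way to make the independent check above repeatable is to record a SHA-256 digest of every archived file at archive time and verify the copy on the media against that manifest later. The following is an added example and not part of Snare Central's Data Backup objectives; it builds the manifest, then demonstrates verification on a constructed scenario in which one file on the "media" is altered and another is missing.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Digest a file in chunks so large event archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Return (relative path, problem) for each manifest entry that is missing
    from root or whose content no longer matches the recorded digest."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            problems.append((rel, "missing"))
        elif sha256_file(full) != expected:
            problems.append((rel, "checksum mismatch"))
    return problems


def demo():
    """Constructed scenario: archive three files, copy them to 'media', then
    damage the copy. Returns (problems on the source, problems on the media)."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as media:
        sample_files = {
            "README": b"archive of snare central data",
            "config/snare.conf": b"constructed settings",
            "events/2024-03.dat": b"constructed event records",
        }
        for rel, data in sample_files.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        shutil.copytree(src, media, dirs_exist_ok=True)
        # Simulate a bad write: one file altered, one file never made it to the media.
        with open(os.path.join(media, "events", "2024-03.dat"), "wb") as f:
            f.write(b"constructed event recordX")
        os.remove(os.path.join(media, "config", "snare.conf"))
        return verify_manifest(src, manifest), verify_manifest(media, manifest)


if __name__ == "__main__":
    source_problems, media_problems = demo()
    print("source:", source_problems or "ok")
    for rel, problem in media_problems:
        print(f"MEDIA  {rel}: {problem}")
```

Store the manifest somewhere other than the media it describes (for example alongside the Snare settings backup), so that a corrupted disc cannot also corrupt the record used to check it.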
Sample System Checklist
Priority | System Checklist Item | Description |
---|---|---|
HIGH | Snare Services | It is strongly recommended that the services crucial to the running of Snare Central be checked on a daily basis. |
HIGH | Configuration Retrieval | It is strongly recommended that Snare Central be configured to collect system configurations (through the 'Data Retrieval' objectives) on a daily basis, and that this be checked to ensure its accuracy. |
HIGH | Email Transmission | It is strongly recommended that user(s) of Snare Central check that the Health Checker objective email is received on a daily basis, and that the other objective-based emails are received on a regular basis. |
MEDIUM | Agent Status | It is recommended that the servers running Snare Services (such as 'Snare for Windows') be monitored to determine whether they are still reporting events. It is recommended that this be done on a regular basis, depending on the risk profile of the agency using Snare Central. |
MEDIUM | Removal of Old Data | It is recommended that data be removed on a regular basis, as required. |
MEDIUM | Objective Completion | It is recommended that the completion times of some objectives be checked to ensure that Snare Central is operating within reasonable limits. |
MEDIUM | Statistics | It is recommended that the 'General Statistics' objective be set to regenerate on a weekly basis. |
MEDIUM | Windows Agents | A Windows network, especially one using Active Directory, may propagate group policies down to hosts which contain the Snare Service. This may disrupt the audit event collection process, and compromise some of the objectives. It is recommended that periodic correction of group policy audit settings and Snare Agent settings be undertaken. |
User Checklist
The previous discussions on the System Checklist can also be applied to the User Checklist. The purpose of Snare Central is to report on system events, and provide summaries of specific security objectives. These objectives are realised through the use of the various parameters available to Snare Central, including the list of objectives described in this document. In any given agency, the list of objectives, their frequency of reporting and the requirements of reporting will vary greatly.
A generic 'User Checklist' therefore cannot be developed that covers the requirements of all agencies. The purpose of this checklist is to remind users of those items that should be checked every so often, based on the organisational risk profile and infrastructure requirements. It is strongly recommended that a checklist be developed for each agency that has a requirement for Snare Central.
Sample User Checklist
Security Objective | Task Description | Checklist |
---|---|---|
Health Checker | If any 'Problems' or 'Warnings' are shown on the Health Checker objective, they should be investigated immediately. | Daily |
Check Domain Administrators Group | This configuration item shows the authorized and unauthorized members of the Domain Administrators group. Notify <position/person> to report those members who are not authorized. | Weekly |
Accounts recently | This objective reports on all accounts that have been created or deleted. Check that unauthorized users are not creating or deleting accounts, or that newly created, suspicious accounts are reported immediately. Report any incidents to <position/person>. | Weekly |
Groups recently | Same as above, except for Group accounts. Report any incidents to <position/person>. | Weekly |
Modifications to the account of sensitive users | This objective reports on selected, sensitive accounts that have been changed. If any of the specified user accounts have been changed, this must be reported. Use Email Template 2 to report an incident. | Weekly |
Firewall Failed Connections by Destination Addr | This objective looks at the failed connections on the 'Company X' firewall. Any failed connections that appear via a yellow or other colored 'square' should be immediately reported. Use Email Template 3 to report an incident. | Weekly |
Archival | It is recommended that data be archived on a weekly or monthly basis as required. | Monthly |
General Snare Central Check | Check that all agents are reporting back to Snare Central. Check that retrieval of Windows, Cognos and/or Solaris information is taking place. Note the growth in the size of the data store and, if necessary, trim the data store by removing data. | Monthly |