The Snare configuration is stored as /etc/security/snare.conf. This file contains the details required by Snare Agent for macOS to successfully execute and to configure the audit subsystem.
The configuration of /etc/security/snare.conf can be changed either:
- by modifying the audit policies via the Web User Interface
The web UI (localhost:6161) is the most effective and simplest way to configure Snare Agent for macOS.
or
- by editing /etc/security/snare.conf file
Care should be taken if manually editing the snare.conf configuration file to ensure that it conforms to the required format. Also, any use of the Web User Interface to modify security audit policies or selected events, may result in manual configuration file changes being overwritten. Details on the configuration file format can be viewed in Appendix A. Failure to specify a correct configuration file will prevent Snare from running.
Disable the Web UI
If required, the Web UI can be turned off by editing the default /etc/security/snare.conf file.
To turn off the Web UI perform the following steps:
Stop the Snare service:
sudo launchctl unload -w /Library/LaunchDaemons/com.intersectalliance.snare.agent.plist
enter your machine's root password if prompted.
Edit the /etc/security/snare.conf file, under "Remote" section, set:
"Allow": "0",
Start the Snare service:
sudo launchctl load -w /Library/LaunchDaemons/com.intersectalliance.snare.agent.plist