
Guide to Snare for Linux
3.2 Audit configuration
The Snare configuration is stored as /etc/audit/snare.conf (for SuSE 10 and 11 users the location is
/etc/snare.conf). This file contains all the details Snare needs to configure the audit
subsystem and run successfully.
The configuration in /etc/audit/snare.conf can be changed in either of two ways:

directly, by editing the file
Care should be taken if manually editing the snare.conf configuration file to ensure
that it conforms to the required format for the audit daemon. Also, any use of the
Remote Control Interface to modify security objectives or selected events may overwrite
manual configuration file changes. Details on the configuration file format can be viewed
in Appendix A - Configuration File Description. Failure to specify a correct configuration
file will prevent Snare from running.

or by modifying the objectives via the Remote Control Interface
The Remote Control Interface is the most effective and simplest way to configure
/etc/audit/snare.conf. It operates completely in memory, with no reliance on any external
files.
Remote Audit Monitoring
The Remote Control Interface can be turned off by editing the default
/etc/audit/snare.conf file: either comment out the allow=1 line under the [Remote]
section, or set this value to 0.
Be sure to restart the agent for the change to take effect. The agent can be
restarted by running:
/etc/init.d/auditd restart
Note: For administrators, the system log files (for example, /var/log/messages) are updated
whenever settings are applied to snare.conf. This information may assist you when required.
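The following script is an added example and not part of the Snare guide or the InterSect Alliance software. It checks whether a snare.conf-style file still has an active allow=1 line under the [Remote] section (the only keys taken from the guide) and writes a hardened copy with that value set to 0. The sample configuration it builds is constructed for the demonstration; apart from [Remote] and allow=, its contents are placeholders, not Snare's real file format. It does not restart the agent; per the guide, /etc/init.d/auditd restart is still required after changing the real file.

```shell
#!/bin/sh
# Added example (not from the Snare guide): audit and harden the
# [Remote] allow= setting in a snare.conf-style file.
# Assumptions: the file uses INI-style [Section] headers and key=value
# lines, and '#' or ';' start a comment line. Only [Remote] and allow=
# are taken from the guide; everything else below is a placeholder.

# Return 0 (true) when an uncommented allow=1 exists inside [Remote].
# Lines in other sections and commented-out lines are ignored, so a
# stale "#allow=1" does not produce a false positive.
remote_control_enabled() {
    awk '
        /^[[:space:]]*\[/ { in_remote = ($0 ~ /^[[:space:]]*\[Remote]/); next }
        in_remote && /^[[:space:]]*[#;]/ { next }
        in_remote && /^[[:space:]]*allow[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Write a copy of $1 to $2 with every active allow=1 under [Remote]
# rewritten to allow=0. All other lines are copied unchanged.
harden_remote_control() {
    awk '
        /^[[:space:]]*\[/ { in_remote = ($0 ~ /^[[:space:]]*\[Remote]/) }
        in_remote && /^[[:space:]]*allow[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { sub(/=[[:space:]]*1/, "=0") }
        { print }
    ' "$1" > "$2"
}

# Constructed sample file, not a real snare.conf. The allow=1 under
# [Placeholder] must NOT be reported: only the [Remote] section matters.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[Placeholder]
allow=1

[Remote]
; constructed sample: the commented line below must not count as enabled
#allow=1
allow=1
EOF

HARDENED_CONF="$(mktemp)"

# Report the current state, then produce the hardened copy.
if remote_control_enabled "$SAMPLE_CONF"; then
    echo "Remote Control Interface is ENABLED in $SAMPLE_CONF"
else
    echo "Remote Control Interface is disabled in $SAMPLE_CONF"
fi
harden_remote_control "$SAMPLE_CONF" "$HARDENED_CONF"
echo "Hardened copy written to $HARDENED_CONF (restart auditd after installing it)"
```

To check a live system, point the functions at /etc/audit/snare.conf (or /etc/snare.conf on SuSE 10 and 11) instead of the constructed sample; the section-aware parsing is what keeps an allow= key in some other section from being mistaken for the remote-control switch.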
© InterSect Alliance, September 2014 Page 7 of 30 Version 4.1