
SNARE Agent for Solaris

Snare for Solaris provides front-end filtering, remote control, and remote distribution for Solaris audit data, interfacing with the underlying Sun "Basic Security Module".

Snare for Solaris can be used as a standalone auditing tool, or can send data to the Snare Server for analysis and storage.
Snare replaces the normal Solaris C2 Audit collection and reporting subsystem, minimising client resource utilisation and administrative overhead.

The Solaris BSM C2 Audit Subsystem allows users to record operating system events to a local or NFS-mounted filesystem. Details on this functionality can be found in the Snare for Solaris documentation, available from our 'Resources' page.

The Solaris C2 audit daemon writes binary event data to the local file system, utilising local workstation/server disk resources for temporary storage, and administrator resources to facilitate the conversion of binary audit data to a usable text format suitable for incident analysis. In cases where events have been selected that produce a large volume of audit information (for example file "open" events), hundreds of megabytes, or even gigabytes, need to be allocated for storage on the client machine. This process utilises significant system and administrator resources that are often more appropriately allocated to the normal operational tasks that the workstation or server performs.

On a large network of Solaris servers and workstations, the management overhead can quickly become onerous, particularly when audit log data needs to be transferred to a central server for consolidation, analysis and archive.

InterSect Alliance have developed software that interfaces with the Solaris auditsvc() system call to convert audit events to text format, then send the converted data back to a central location over the network (via UDP) in real-time, allowing security administrators to implement a centralised audit collection, analysis and archive facility with minimal audit client resource utilisation.
