In 2001, the developers of the Snare Product Suite developed a system to capture the event data required by the Trusted Computer System Evaluation Criteria (TCSEC) at class C2. While C2 is considered one of the lowest acceptable levels of security, a C2 system must be able to:
- provide system level audit trail
- audit the use of identification and authentication mechanisms
- audit file access (open, close, read, write, create) and program initiation
- audit file/object deletion
- audit administrative actions
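The list above is a set of audit obligations, and the practical question for anyone collecting logs against it is whether the collected records actually cover every area. The following is an added example, not Snare's own code: it parses a handful of constructed Linux kernel audit records (the format the Snare Linux agent reads), maps each record onto one of the C2 areas, and reports which areas produced no events at all. The record-type names and the x86_64 syscall numbers are assumptions about the host; the sample log is constructed for the example.

```python
"""Check a batch of Linux audit records for coverage of the C2 audit areas.

Added example, not Snare's or the post's own code.  Assumes the kernel
audit log text format and x86_64 syscall numbers.
"""
import re
from collections import Counter

# The event categories a C2 system must audit (the first bullet, the audit
# trail itself, is the log these records come from).
C2_REQUIREMENTS = (
    "identification/authentication",
    "file access",
    "program initiation",
    "file/object deletion",
    "administrative action",
)

# x86_64 syscall numbers (assumption: records originate from an x86_64 host).
FILE_ACCESS_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close",
                        85: "creat", 257: "openat"}
DELETE_SYSCALLS = {84: "rmdir", 87: "unlink", 263: "unlinkat"}
EXEC_SYSCALLS = {59: "execve", 322: "execveat"}

# User-space record types emitted by PAM / shadow-utils (assumed set).
AUTH_TYPES = {"USER_AUTH", "USER_LOGIN", "USER_ACCT", "CRED_ACQ"}
ADMIN_TYPES = {"USER_CMD", "ADD_USER", "DEL_USER", "ADD_GROUP", "DEL_GROUP",
               "USER_MGMT"}

# key=value pairs; values may be single- or double-quoted or bare tokens.
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

# Constructed sample records (not from a real host).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1700000000.100:101): pid=2001 uid=0 auid=1000 ses=3 msg='op=PAM:authentication acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c ppid=1900 pid=2002 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="file-access"
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1900 pid=2003 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="exec"
type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=87 success=yes exit=0 ppid=1900 pid=2004 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="delete"
type=CWD msg=audit(1700000000.400:104): cwd="/home/alice"
type=USER_CMD msg=audit(1700000000.500:105): pid=2005 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=75736572616464 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=SYSCALL msg=audit(1700000000.600:106): arch=c000003e syscall=0 success=yes exit=12 ppid=1900 pid=2002 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="file-access"
"""


def parse_record(line):
    """Split one audit line into a dict of field -> value.

    Quotes are stripped from quoted values.  The nested msg='...' payload
    of user-space records is parsed too, so acct= and res= end up at the
    top level alongside type= and pid=.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value[:1] in "'\"":
            value = value[1:-1]
        if key == "msg" and "=" in value:
            fields.update(parse_record(value))  # nested user-space payload
        else:
            fields[key] = value
    return fields


def classify(record):
    """Map one parsed record onto a C2 area, or None if it is not one."""
    rtype = record.get("type")
    if rtype in AUTH_TYPES:
        return "identification/authentication"
    if rtype in ADMIN_TYPES:
        return "administrative action"
    if rtype == "SYSCALL":
        try:
            nr = int(record.get("syscall", ""))
        except ValueError:
            return None
        if nr in EXEC_SYSCALLS:
            return "program initiation"
        if nr in DELETE_SYSCALLS:
            return "file/object deletion"
        if nr in FILE_ACCESS_SYSCALLS:
            return "file access"
    return None


def coverage(lines):
    """Count records per C2 area; records outside the areas are skipped."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        category = classify(parse_record(line))
        if category:
            counts[category] += 1
    return counts


def missing_requirements(lines):
    """C2 areas with no events in the batch; empty means full coverage."""
    seen = coverage(lines)
    return [req for req in C2_REQUIREMENTS if seen[req] == 0]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts = coverage(lines)
    for req in C2_REQUIREMENTS:
        print(f"{req:32s} {counts[req]}")
    print("missing:", missing_requirements(lines) or "none")
```

Run against a real `/var/log/audit/audit.log` export, an empty `missing_requirements` result is the quick check that the audit rules in place actually produce events in every C2 area rather than just some of them; the syscall table will need adjusting for any architecture other than x86_64.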
The Snare Product Suite started with the Linux agent, built specifically for use within the defense industry; the suite was later expanded with Windows and Solaris agents. The agents, originally provided through the Open Source community, became hugely popular with organizations attempting to meet C2 audit levels.
Of course, back in 2001 logging event data was much simpler than it has become today, and there are now multiple regulatory reasons to implement a SIEM, SIM, SEM or event log management solution. The debate now seems to rest on whether or not an organization should use agents to forward event log data to a collector.
See complete post on our snare.solutions website