AUDISP-PRELUDE.CONF:(5)     System Administration Utilities    AUDISP-PRELUDE.CONF:(5)

NAME
       audisp-prelude.conf - the audisp-prelude configuration file

DESCRIPTION
       audisp-prelude.conf is the file that controls the configuration of the
       audit based intrusion detection system. There are two general kinds of
       configuration option, enablers and actions. The enablers have yes or no
       as their only valid choices.

       The action options currently allow ignore and idmef as their choices.
       The ignore option means that the IDS still detects events, but only
       logs the detection in response. The idmef option means that the IDS
       will send an IDMEF alert to the prelude manager upon detection.

       The configuration options that are available are as follows:

       profile
              This is a one word character string that is used to identify
              the profile name in the prelude reporting tools. The default is
              auditd.

       detect_avc
              This is an enabler that determines if the IDS should be
              examining SELinux AVC events. The default is yes.

       avc_action
              This is an action that determines what response should be taken
              whenever a SELinux AVC is detected. The default is idmef.

       detect_login
              This is an enabler that determines if the IDS should be
              examining login events. The default is yes.

       login_action
              This is an action that determines what response should be taken
              whenever a login event is detected. The default is idmef.

       detect_login_fail_max
              This is an enabler that determines if the IDS should be looking
              for an account reaching its maximum number of failed logins.
              The default is yes.

       login_fail_max_action
              This is an action that determines what response should be taken
              whenever the maximum number of failed logins for an account is
              detected. The default is idmef.

       detect_login_session_max
              This is an enabler that determines if the IDS should be looking
              for an account reaching its maximum concurrent sessions limit.
              The default is yes.

       login_session_max_action
              This is an action that determines what response should be taken
              whenever the maximum concurrent sessions limit for an account is
              detected. The default is idmef.

       detect_login_location
              This is an enabler that determines if the IDS should be looking
              for logins being attempted from a forbidden location. The
              default is yes.

       login_location_action
              This is an action that determines what response should be taken
              whenever logins are attempted from a forbidden location. The
              default is idmef.

       detect_login_time_alerts
              This is an enabler that determines if the IDS should be looking
              for logins attempted during a forbidden time. The default is
              yes.

       login_time_action
              This is an action that determines what response should be taken
              whenever logins are attempted during a forbidden time. The
              default is idmef.

       detect_abend
              This is an enabler that determines if the IDS should be looking
              for programs terminating for an abnormal reason. The default is
              yes.

       abend_action
              This is an action that determines what response should be taken
              whenever programs terminate for an abnormal reason. The default
              is idmef.

       detect_promiscuous
              This is an enabler that determines if the IDS should be looking
              for promiscuous sockets being opened. The default is yes.

       promiscuous_action
              This is an action that determines what response should be taken
              whenever open promiscuous sockets are detected. The default is
              idmef.

       detect_mac_status
              This is an enabler that determines if the IDS should be
              detecting changes made to the SELinux MAC enforcement. The
              default is yes.

       mac_status_action
              This is an action that determines what response should be taken
              whenever changes are made to the SELinux MAC enforcement. The
              default is idmef.

       detect_group_auth
              This is an enabler that determines if the IDS should be
              detecting a user failing to change their default group. The
              default is yes.

       group_auth_act
              This is an action that determines what response should be taken
              whenever a user fails to change their default group. The
              default is idmef.

       detect_watched_acct
              This is an enabler that determines if the IDS should be
              detecting a user attempting to log in to an account that is
              being watched. The accounts to watch are set by the
              watched_accounts option. The default is yes.

       watched_acct_act
              This is an action that determines what response should be taken
              whenever a user attempts to log in to an account that is being
              watched. The default is idmef.

       watched_accounts
              This option is a whitespace and comma separated list of accounts
              to watch. The accounts may be numeric or alphanumeric. If you
              want to include a range of accounts, separate them with a dash
              but no spaces. For example, to watch logins from bin to lp, use
              "bin-lp". Only successful logins are recorded.

       detect_watched_syscall
              This is an enabler that determines if the IDS should be
              detecting a user running a command that issues a syscall that
              is being watched. The default is yes.

       watched_syscall_act
              This is an action that determines what response should be taken
              whenever a user runs a command that issues a syscall that is
              being watched. The default is idmef.

       detect_watched_file
              This is an enabler that determines if the IDS should be
              detecting a user accessing a file that is being watched. The
              default is yes.

       watched_file_act
              This is an action that determines what response should be taken
              whenever a user accesses a file that is being watched. The
              default is idmef.

       detect_watched_exec
              This is an enabler that determines if the IDS should be
              detecting a user executing a program that is being watched.
              The default is yes.

       watched_exec_act
              This is an action that determines what response should be taken
              whenever a user executes a program that is being watched. The
              default is idmef.

       detect_watched_mk_exe
              This is an enabler that determines if the IDS should be
              detecting a user creating a file that is executable. The
              default is yes.

       watched_mk_exe_act
              This is an action that determines what response should be taken
              whenever a user creates a file that is executable. The default
              is idmef.

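EXAMPLE
       The following Python script is an added illustration and is not part
       of the audit package or of this manual. It checks an
       audisp-prelude.conf against the option types described above (enablers
       take yes or no, actions take ignore or idmef, profile is one word, and
       watched_accounts is a whitespace/comma separated list with dash
       ranges) and fills in the documented defaults for options the file
       omits. The `option = value` line layout, the '#' comment lines, the
       name-to-UID table used to expand a range such as bin-lp, and the two
       sample files are assumptions constructed for the example; the option
       names and defaults are the ones listed above.

```python
import re

# Option names as listed in the man page: enablers take yes/no, actions take
# ignore/idmef.  The `option = value` layout and '#' comment lines are
# assumptions of this example, not documented plugin behaviour.
ENABLERS = {
    "detect_avc", "detect_login", "detect_login_fail_max",
    "detect_login_session_max", "detect_login_location",
    "detect_login_time_alerts", "detect_abend", "detect_promiscuous",
    "detect_mac_status", "detect_group_auth", "detect_watched_acct",
    "detect_watched_syscall", "detect_watched_file", "detect_watched_exec",
    "detect_watched_mk_exe",
}
ACTIONS = {
    "avc_action", "login_action", "login_fail_max_action",
    "login_session_max_action", "login_location_action", "login_time_action",
    "abend_action", "promiscuous_action", "mac_status_action",
    "group_auth_act", "watched_acct_act", "watched_syscall_act",
    "watched_file_act", "watched_exec_act", "watched_mk_exe_act",
}
# Defaults stated by the man page: every enabler yes, every action idmef.
DEFAULTS = {**{k: "yes" for k in ENABLERS}, **{k: "idmef" for k in ACTIONS},
            "profile": "auditd", "watched_accounts": ""}

# Constructed name->UID table standing in for /etc/passwd in this example.
SAMPLE_UIDS = {"root": 0, "bin": 1, "daemon": 2, "adm": 3, "lp": 4}


def parse_conf(text):
    """Return {option: value} from the file text, skipping blank and '#' lines."""
    opts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected 'option = value'")
        opts[key] = value
    return opts


def _uid(token, uid_of):
    """Resolve one account token (numeric, or a name in uid_of) to a UID."""
    if token.isdigit():
        return int(token)
    if token in uid_of:
        return uid_of[token]
    raise ValueError(f"watched_accounts: unknown account {token!r}")


def expand_watched_accounts(value, uid_of=SAMPLE_UIDS):
    """Expand a watched_accounts value into the set of UIDs it covers.

    Entries are separated by whitespace and/or commas; "a-b" with no spaces
    is a range.  Resolving a name range such as bin-lp through the accounts'
    UIDs is this example's reading of the man page; names that themselves
    contain '-' are ambiguous under that syntax and are treated as ranges.
    """
    uids = set()
    for entry in re.split(r"[\s,]+", value.strip()):
        if not entry:
            continue
        lo, dash, hi = entry.partition("-")
        start = _uid(lo, uid_of)
        end = _uid(hi, uid_of) if dash else start
        if end < start:
            raise ValueError(f"watched_accounts: range {entry!r} runs backwards")
        uids.update(range(start, end + 1))
    return uids


def validate(opts, uid_of=SAMPLE_UIDS):
    """Return a list of problems; empty means every value is one the man page
    allows for its option type and every option name is a documented one."""
    problems = []
    for key, value in opts.items():
        if key in ENABLERS and value not in ("yes", "no"):
            problems.append(f"{key}: enabler must be yes or no, got {value!r}")
        elif key in ACTIONS and value not in ("ignore", "idmef"):
            problems.append(f"{key}: action must be ignore or idmef, got {value!r}")
        elif key == "profile" and len(value.split()) != 1:
            problems.append("profile: must be a single word")
        elif key == "watched_accounts":
            try:
                expand_watched_accounts(value, uid_of)
            except ValueError as err:
                problems.append(str(err))
        elif key not in DEFAULTS:
            problems.append(f"unknown option {key!r}")
    return problems


def effective(opts):
    """Merge the file's options over the man page's stated defaults."""
    return {**DEFAULTS, **opts}


# Constructed sample files (not taken from any real system).
GOOD_CONF = """\
# logins are detected but only logged; watched accounts raise IDMEF alerts;
# everything else falls back to the documented defaults
profile = auditd
detect_login = yes
login_action = ignore
detect_watched_acct = yes
watched_acct_act = idmef
watched_accounts = root, bin-lp 1000
"""
BAD_CONF = """\
detect_avc = true
avc_action = alert
watched_accounts = lp-bin
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, validate(parse_conf(text)) or "ok")
```

       Run the script directly to see the verdict on the two constructed
       files, or pass the text of a real audisp-prelude.conf to parse_conf()
       and then validate() to check it; effective() shows which response is
       in force for every detector once the defaults are applied.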
SEE ALSO
       audispd(8), audisp-prelude(8), prelude-manager(1)

AUTHOR
       Steve Grubb

Red Hat                            Mar 2008            AUDISP-PRELUDE.CONF:(5)