AUDISP-PRELUDE.CONF:(5)      System Administration Utilities      AUDISP-PRELUDE.CONF:(5)

NAME
       audisp-prelude.conf - the audisp-prelude configuration file

DESCRIPTION
       audisp-prelude.conf is the file that controls the configuration of the
       audit based intrusion detection system. There are two general kinds of
       configuration options, enablers and actions. The enablers simply have
       yes/no as the only valid choices.

       The action options currently allow ignore and idmef as their choices.
       The ignore option means that the IDS still detects events, but only
       logs the detection in response. The idmef option means that the IDS
       will send an IDMEF alert to the prelude manager upon detection.

       The configuration options that are available are as follows:

       profile
              This is a one word character string that is used to identify
              the profile name in the prelude reporting tools. The default is
              auditd.

       detect_avc
              This is an enabler that determines if the IDS should be
              examining SE Linux AVC events. The default is yes.

       avc_action
              This is an action that determines what response should be taken
              whenever a SE Linux AVC is detected. The default is idmef.

       detect_login
              This is an enabler that determines if the IDS should be
              examining login events. The default is yes.

       login_action
              This is an action that determines what response should be taken
              whenever a login event is detected. The default is idmef.

       detect_login_fail_max
              This is an enabler that determines if the IDS should be looking
              for an account reaching its maximum number of failed logins.
              The default is yes.

       login_fail_max_action
              This is an action that determines what response should be taken
              whenever the maximum number of failed logins for an account is
              detected. The default is idmef.

       detect_login_session_max
              This is an enabler that determines if the IDS should be looking
              for an account reaching its maximum concurrent sessions limit.
              The default is yes.

       login_session_max_action
              This is an action that determines what response should be taken
              whenever the maximum concurrent sessions limit for an account
              is detected. The default is idmef.

       detect_login_location
              This is an enabler that determines if the IDS should be looking
              for logins being attempted from a forbidden location. The
              default is yes.

       login_location_action
              This is an action that determines what response should be taken
              whenever logins are attempted from a forbidden location. The
              default is idmef.

       detect_login_time_alerts
              This is an enabler that determines if the IDS should be looking
              for logins attempted during a forbidden time. The default is
              yes.

       login_time_action
              This is an action that determines what response should be taken
              whenever logins are attempted during a forbidden time. The
              default is idmef.

       detect_abend
              This is an enabler that determines if the IDS should be looking
              for programs terminating for an abnormal reason. The default is
              yes.

       abend_action
              This is an action that determines what response should be taken
              whenever programs terminate for an abnormal reason. The default
              is idmef.

       detect_promiscuous
              This is an enabler that determines if the IDS should be looking
              for promiscuous sockets being opened. The default is yes.

       promiscuous_action
              This is an action that determines what response should be taken
              whenever promiscuous sockets are detected open. The default is
              idmef.

       detect_mac_status
              This is an enabler that determines if the IDS should be
              detecting changes made to the SE Linux MAC enforcement. The
              default is yes.

       mac_status_action
              This is an action that determines what response should be taken
              whenever changes are made to the SE Linux MAC enforcement. The
              default is idmef.

       detect_group_auth
              This is an enabler that determines if the IDS should be
              detecting whenever a user fails in changing their default
              group. The default is yes.

       group_auth_act
              This is an action that determines what response should be taken
              whenever a user fails in changing their default group. The
              default is idmef.

       detect_watched_acct
              This is an enabler that determines if the IDS should be
              detecting a user attempting to log in to an account that is
              being watched. The accounts to watch are set by the
              watched_accounts option. The default is yes.

       watched_acct_act
              This is an action that determines what response should be taken
              whenever a user attempts to log in to an account that is being
              watched. The default is idmef.

       watched_accounts
              This option is a whitespace and comma separated list of
              accounts to watch. The accounts may be numeric or alphanumeric.
              To include a range of accounts, separate the two ends of the
              range with a dash but no spaces. For example, to watch logins
              from bin to lp, use "bin-lp". Only successful logins are
              recorded.

       detect_watched_syscall
              This is an enabler that determines if the IDS should be
              detecting whenever a user runs a command that issues a syscall
              that is being watched. The default is yes.

       watched_syscall_act
              This is an action that determines what response should be taken
              whenever a user runs a command that issues a syscall that is
              being watched. The default is idmef.

       detect_watched_file
              This is an enabler that determines if the IDS should be
              detecting whenever a user accesses a file that is being
              watched. The default is yes.

       watched_file_act
              This is an action that determines what response should be taken
              whenever a user accesses a file that is being watched. The
              default is idmef.

       detect_watched_exec
              This is an enabler that determines if the IDS should be
              detecting whenever a user executes a program that is being
              watched. The default is yes.

       watched_exec_act
              This is an action that determines what response should be taken
              whenever a user executes a program that is being watched. The
              default is idmef.

       detect_watched_mk_exe
              This is an enabler that determines if the IDS should be
              detecting whenever a user creates a file that is executable.
              The default is yes.

       watched_mk_exe_act
              This is an action that determines what response should be taken
              whenever a user creates a file that is executable. The default
              is idmef.

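       The following Python is added here as an example and is not part of
       this manual page or of the audit package. It checks a configuration
       against the option table above: enablers must be yes or no, actions
       must be ignore or idmef, unknown keys are rejected rather than silently
       accepted, and watched_accounts is split into entries with dash ranges
       expanded. A "key = value" line syntax with "#" comments and the sample
       file are assumptions; the page does not state the file's syntax.

```python
# Option table transcribed from the man page: enablers take yes/no, actions take
# ignore/idmef, and every default is the one the page states.
ENABLERS = ("detect_avc detect_login detect_login_fail_max detect_login_session_max "
            "detect_login_location detect_login_time_alerts detect_abend detect_promiscuous "
            "detect_mac_status detect_group_auth detect_watched_acct detect_watched_syscall "
            "detect_watched_file detect_watched_exec detect_watched_mk_exe").split()
ACTIONS = ("avc_action login_action login_fail_max_action login_session_max_action "
           "login_location_action login_time_action abend_action promiscuous_action "
           "mac_status_action group_auth_act watched_acct_act watched_syscall_act "
           "watched_file_act watched_exec_act watched_mk_exe_act").split()
ALLOWED = {**dict.fromkeys(ENABLERS, ("yes", "no")), **dict.fromkeys(ACTIONS, ("ignore", "idmef"))}
DEFAULTS = {**dict.fromkeys(ENABLERS, "yes"), **dict.fromkeys(ACTIONS, "idmef"),
            "profile": "auditd", "watched_accounts": ""}

def parse_watched_accounts(value):
    # Whitespace/comma separated; "lo-hi" with no spaces is a range. Numeric ranges are
    # expanded per uid; name ranges stay as (lo, hi) since ordering them needs passwd.
    entries = []
    for tok in value.replace(",", " ").split():
        lo, sep, hi = tok.partition("-")
        if sep and lo.isdigit() and hi.isdigit():
            entries.extend(str(u) for u in range(int(lo), int(hi) + 1))
        elif sep:
            entries.append((lo, hi))
        else:
            entries.append(tok)
    return entries

def load_config(text):
    # Returns (effective_config, errors). "key = value" lines and "#" comments are an
    # assumed syntax. Bad keys/values are reported and the documented default is kept.
    conf, errors = dict(DEFAULTS), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep or key not in DEFAULTS:
            errors.append(f"line {lineno}: unknown option or malformed line {line!r}")
        elif key in ALLOWED and value not in ALLOWED[key]:
            errors.append(f"line {lineno}: {key} must be one of {ALLOWED[key]}, got {value!r}")
        else:
            conf[key] = value
    conf["watched_accounts"] = parse_watched_accounts(conf["watched_accounts"])
    return conf, errors

# Constructed sample config (not from the page) with two deliberate mistakes.
SAMPLE = """profile = webfarm
avc_action = ignore
watched_accounts = bin-lp, 0-2 root
detect_abend = maybe          # not yes/no: rejected, default yes kept
detect_watched_exe = no       # misspelt key: unknown option"""
```

       Running load_config(SAMPLE) keeps the documented defaults for the two
       rejected lines and reports both, so a typo cannot quietly turn a
       detector off.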
SEE ALSO
       audispd(8), audisp-prelude(8), prelude-manager(1)

AUTHOR
       Steve Grubb

Red Hat                            Mar 2008                AUDISP-PRELUDE.CONF:(5)