AUDISP-PRELUDE:(8)      System Administration Utilities     AUDISP-PRELUDE:(8)


NAME

       audisp-prelude - plugin for IDMEF alerts


SYNOPSIS

       audisp-prelude [ --test ]


DESCRIPTION

       audisp-prelude is a plugin for the audit event dispatcher daemon,
       audispd, that uses libprelude to send IDMEF alerts for possible
       Intrusion Detection events. This plugin requires connecting to a
       prelude-manager to record the events it sends. This plugin will
       analyze audit events in realtime and send detected events to the
       prelude-manager for correlation, recording, and display.

       Events that are currently supported are: Logins, Forbidden Login
       Location, Max Concurrent Sessions, Max Login Failures, Forbidden
       Login Time, SE Linux AVCs, SE Linux Enforcement Changes, Abnormal
       Program Termination, Promiscuous Socket Changes, and watched account
       logins.


OPTIONS

       --test Take input from stdin and write prelude events to stdout, but
              do not send them to the prelude-manager. This can be used for
              debugging or for testing the system with suspicious log files
              when you do not want it to alert or react.


INSTALLATION

       This sensor has to be registered with the prelude-manager before it
       will work properly. If the prelude-manager is on the same host as the
       sensor, you will need to open two windows to register. If not, you
       will have to adjust this example to fit your environment.

       In one window, type:

       prelude-admin register auditd "idmef:w" localhost --uid 0 --gid 0

       In another, type:

       prelude-admin registration-server prelude-manager

       Follow the on-screen instructions to complete the registration.


TIPS

       If you are aggregating multiple machines, you should enable node
       information in the audit event stream. You can do this in one of two
       places. If you want computer node names written to disk as well as
       sent in the realtime event stream, edit the name_format option in
       /etc/audit/auditd.conf. If you only want the node names in the
       realtime event stream, then edit the name_format option in
       /etc/audisp/audispd.conf. Do not enable both, as it will put 2 node
       fields in the event stream.

       At this point, if you want to have audit forbidden login location,
       max concurrent sessions, max login failures, and forbidden login time
       anomalies reported, you have to set up the PAM modules correctly. The
       PAM modules are, respectively: pam_access, pam_limits, pam_tally2,
       and pam_time. Please see the respective PAM module man pages for
       instructions.

       For performance reasons, some audit events will not produce syscall
       records, which contain additional information about events, unless
       there is at least one audit rule loaded. If you do not have any
       additional audit rules, edit /etc/audit/audit.rules and add something
       simple that won't impact performance, like this: -w /etc/shadow -p wa.
       This rule will watch the shadow file for writes or changes to its
       attributes. The additional audit information provided by having at
       least one rule will allow the plugin to give a more complete view of
       the alert it is sending.

       If you want to get alerts on watched syscalls, watched files, watched
       execution, or something becoming executable, you need to add some
       keys to your audit rules. For example, if you have the following
       audit watch in /etc/audit/audit.rules:

       -w /etc/shadow -p wa

       and you want IDMEF alerts on this, you need to add -k ids-file-med or
       something appropriate to signal to the plugin that this message is
       for it. The key has a fixed format of keywords separated by a dash,
       of the form ids-type-severity. The type can be either sys, file,
       exec, or mkexe, depending on whether you want the event to be
       considered a watched_syscall, watched_file, watched_exec, or
       watched_mk_exe, respectively. The severity can be either info, low,
       med, or hi, depending on how urgent you would like it to be.


EXAMPLE RULES

       To alert on any use of the personality syscall:

       -a exit,always -S personality -k ids-sys-med

       To alert on a user failing to access the shadow file:

       -a always,exit -F path=/etc/shadow -F perms=wa -F success=0 -k ids-file-med

       To alert on the execution of a program:

       -w /bin/ping -p x -k ids-exe-info

       To alert on users making executables in their home directory (takes
       2 rules):

       -a exit,always -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -k ids-mkexe-hi
       -a exit,always -S fchmod,chmod -F dir=/home -F a1&0111 -F filetype=file -k ids-mkexe-hi

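       The key convention described under TIPS is the only thing that tells
       the plugin an audit rule is meant for it, so a rules file is easy to
       get subtly wrong (a key that is almost, but not quite, of the form
       ids-type-severity loads fine in auditctl and simply never produces an
       alert). The following checker is an added illustration for this page,
       not code from audit or audisp-prelude: it reads an audit.rules-style
       text, pulls out every -k value, and reports which rules carry a key
       matching the grammar exactly as TIPS states it (types sys, file, exec,
       mkexe; severities info, low, med, hi). The mapping from type to the
       watched_* names is the one TIPS gives; the sample rules are
       constructed from the EXAMPLE RULES section above. Note that the ping
       rule in EXAMPLE RULES uses "exe", which is not in the type list TIPS
       documents, so the checker reports it as a key to double-check rather
       than silently accepting it.

```python
"""Lint an audit.rules file for keys that follow the audisp-prelude
ids-type-severity convention.

Added example for the audisp-prelude(8) man page; it is not part of
the audit package. The key grammar and the type -> watched_* mapping
come from the man page's TIPS section; everything else is assumption.
"""
import re
import shlex

# Type keyword -> event classification, as documented in TIPS.
KEY_TYPES = {
    "sys": "watched_syscall",
    "file": "watched_file",
    "exec": "watched_exec",
    "mkexe": "watched_mk_exe",
}
SEVERITIES = ("info", "low", "med", "hi")
# Exactly three dash-separated keywords, the first of which is "ids".
KEY_RE = re.compile(r"^ids-(?P<type>[a-z]+)-(?P<sev>[a-z]+)$")


def parse_ids_key(key):
    """Return (classification, severity) for a key of the documented form,
    or None when the key does not match the grammar from TIPS."""
    m = KEY_RE.match(key)
    if not m:
        return None
    ktype, sev = m.group("type"), m.group("sev")
    if ktype not in KEY_TYPES or sev not in SEVERITIES:
        return None
    return KEY_TYPES[ktype], sev


def keys_of_rule(rule_line):
    """Extract every '-k VALUE' from one auditctl rule line.

    shlex splits on whitespace only, so filter expressions such as
    'a2&0111' survive as single tokens."""
    toks = shlex.split(rule_line, comments=True)
    return [toks[i + 1] for i, t in enumerate(toks)
            if t == "-k" and i + 1 < len(toks)]


def lint_rules(rules_text):
    """Classify each rule line of an audit.rules-style text.

    status is one of:
      'ids'     - at least one key matches ids-type-severity
      'bad-key' - an ids-* key is present but does not match the grammar
      'no-key'  - the rule loads, but carries no key for the plugin
    """
    report = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        keys = keys_of_rule(rule)
        parsed = [(k, parse_ids_key(k)) for k in keys]
        if any(p for _, p in parsed):
            status = "ids"
        elif any(k.startswith("ids-") for k in keys):
            status = "bad-key"
        else:
            status = "no-key"
        report.append({"line": lineno, "rule": rule, "keys": keys,
                       "parsed": parsed, "status": status})
    return report


# Constructed sample: the rules from the EXAMPLE RULES section plus the
# key-less shadow watch from TIPS.
SAMPLE_RULES = """\
# constructed sample rules file for the checker above
-w /etc/shadow -p wa
-a exit,always -S personality -k ids-sys-med
-a always,exit -F path=/etc/shadow -F perms=wa -F success=0 -k ids-file-med
-w /bin/ping -p x -k ids-exe-info
-a exit,always -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -k ids-mkexe-hi
-a exit,always -S fchmod,chmod -F dir=/home -F a1&0111 -F filetype=file -k ids-mkexe-hi
"""

if __name__ == "__main__":
    for entry in lint_rules(SAMPLE_RULES):
        detail = ", ".join(f"{k} -> {p}" for k, p in entry["parsed"]) or "-"
        print(f"line {entry['line']:2d} [{entry['status']:7s}] {detail}")
```

       Running the checker on the sample prints one line per rule; the two
       mkexe rules resolve to (watched_mk_exe, hi), the shadow watch without
       a key shows as no-key, and ids-exe-info shows as bad-key because
       "exe" is not among the documented types. Running it against a real
       /etc/audit/audit.rules before restarting auditd is a cheap way to
       catch a key typo before it costs you an alert.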

FILES

       /etc/audisp/plugins.d/au-prelude.conf, /etc/audit/auditd.conf,
       /etc/audisp/audispd.conf, /etc/audisp/audisp-prelude.conf


SEE ALSO

       audispd(8), prelude-manager(1), auditd.conf(8), audispd.conf(8),
       audisp-prelude.conf(5).


AUTHOR

       Steve Grubb



Red Hat                            Dec 2008                 AUDISP-PRELUDE:(8)