
NAME

       audisp-prelude.conf - the audisp-prelude configuration file

DESCRIPTION

       audisp-prelude.conf is the file that controls the configuration of the
       audit-based intrusion detection system (the audisp-prelude plugin  fed
       by  audispd).  There are two general kinds of configuration options,
       enablers and actions. The enablers accept yes or no as the only  valid
       values.

       The action options currently allow ignore and idmef as their  choices.
       The ignore option means that the IDS still detects the event but  only
       logs the detection in response; the idmef option means  that  the  IDS
       sends  an  IDMEF  alert  to  the  prelude manager upon detection.  An
       enabler set to no turns the check off entirely, so its  action  option
       is never consulted.

       The configuration options that are available are as follows:

       profile
              This is a one word character string that is used to identify the
              profile name in the prelude  reporting  tools.  The  default  is
              auditd.

       detect_avc
              This is an enabler that determines if the IDS should be examining
              SE Linux AVC events. The default is yes.

       avc_action
              This is an action that determines what response should be  taken
              whenever a SE Linux AVC is detected. The default is idmef.

       detect_login
              This  is  an  enabler  that  determines  if  the  IDS  should be
              examining login events. The default is yes.

       login_action
              This is an action that determines what response should be  taken
              whenever a login event is detected. The default is idmef.

       detect_login_fail_max
              This is an enabler that determines if the IDS should be  looking
              for an account reaching its maximum number  of  failed  logins.
              The default is yes.

       login_fail_max_action
              This is an action that determines what response should be  taken
              whenever an account reaches its maximum number of failed  logins.
              The default is idmef.

       detect_login_session_max
              This is an enabler that determines if the IDS should be  looking
              for an account reaching its maximum concurrent  sessions  limit.
              The default is yes.

       login_session_max_action
              This is an action that determines what response should be  taken
              whenever an account reaches its maximum concurrent sessions limit.
              The default is idmef.

       detect_login_location
              This  is an enabler that determines if the IDS should be looking
              for logins  being  attempted  from  a  forbidden  location.  The
              default is yes.

       login_location_action
              This  is an action that determines what response should be taken
              whenever logins are attempted from  a  forbidden  location.  The
              default is idmef.

       detect_login_time_alerts
              This  is an enabler that determines if the IDS should be looking
              for logins attempted during a forbidden  time.  The  default  is
              yes.

       login_time_action
              This  is an action that determines what response should be taken
              whenever logins are  attempted  during  a  forbidden  time.  The
              default is idmef.

       detect_abend
              This  is an enabler that determines if the IDS should be looking
              for programs terminating for an abnormal reason. The default  is
              yes.

       abend_action
              This  is an action that determines what response should be taken
              whenever programs terminate for an abnormal reason. The  default
              is idmef.

       detect_promiscuous
              This  is an enabler that determines if the IDS should be looking
              for promiscuous sockets being opened. The default is yes.

       promiscuous_action
              This is an action that determines what response should be  taken
              whenever  promiscuous  sockets are detected open. The default is
              idmef.

       detect_mac_status
              This is  an  enabler  that  determines  if  the  IDS  should  be
              detecting  changes  made  to  the  SE Linux MAC enforcement. The
              default is yes.

       mac_status_action
              This is an action that determines what response should be  taken
              whenever  changes  are made to the SE Linux MAC enforcement. The
              default is idmef.

       detect_group_auth
              This is an enabler that determines if the IDS should be detecting
              whenever a user fails to change their default group. The default
              is yes.

       group_auth_act
              This is an action that determines what response should be  taken
              whenever a user fails to change their default group. The default
              is idmef.

       detect_watched_acct
              This is an enabler that determines if the IDS should be detecting
              a user attempting to log in to an account that is being watched.
              The accounts to watch are set by the watched_accounts option. The
              default is yes.

       watched_acct_act
              This is an action that determines what response should be  taken
              whenever a user attempts to log in to an account  that  is  being
              watched. The default is idmef.

       watched_accounts
              This option is a whitespace and comma separated list of accounts
              to watch. The accounts may be given as numeric  uids  or  account
              names. To include a range of accounts, separate the two ends with
              a dash and no spaces; for example, to watch logins to  every  uid
              from  bin  through  lp,  use "bin-lp". Only successful logins are
              recorded, so a failed password guess against a watched account is
              not reported by this check.

       detect_watched_syscall
              This  is  an  enabler  that  determines  if  the  IDS  should be
              detecting whenever a user runs a command that issues  a  syscall
              that is being watched. The default is yes.

       watched_syscall_act
              This  is an action that determines what response should be taken
              whenever a user runs a command that issues  a  syscall  that  is
              being watched. The default is idmef.

       detect_watched_file
              This  is  an  enabler  that  determines  if  the  IDS  should be
              detecting whenever a user accesses a file that is being watched.
              The default is yes.

       watched_file_act
              This  is an action that determines what response should be taken
              whenever a user accesses a  file  that  is  being  watched.  The
              default is idmef.

       detect_watched_exec
              This  is  an  enabler  that  determines  if  the  IDS  should be
              detecting whenever a user  executes  a  program  that  is  being
              watched. The default is yes.

       watched_exec_act
              This  is an action that determines what response should be taken
              whenever a user executes a program that is  being  watched.  The
              default is idmef.

       detect_watched_mk_exe
              This  is  an  enabler  that  determines  if  the  IDS  should be
              detecting whenever a user creates a file that is executable. The
              default is yes.

       watched_mk_exe_act
              This  is an action that determines what response should be taken
              whenever a user creates a file that is executable.  The  default
              is idmef.
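       The following is an added example and is not part of audisp-prelude or
       the audit project: a small Python parser that reads a file in the  key
       =  value  style  described above, fills in the documented defaults for
       every enabler and action, rejects values outside yes/no or ignore/idmef,
       and expands a watched_accounts list into uid ranges. The  config  text
       and  the  passwd  table  it  uses  are  constructed for the example; the
       treatment of '#' as a comment marker and the  handling  of  an  account
       name  that  itself  contains  a  dash are this example's own conventions,
       not something the man page specifies.

```python
"""Added example, not audisp-prelude's own code: parse and validate an
audisp-prelude.conf-style file and expand its watched_accounts option.
The config text and the passwd map below are constructed for the example."""
import re

ENABLERS = ["detect_avc", "detect_login", "detect_login_fail_max",
            "detect_login_session_max", "detect_login_location",
            "detect_login_time_alerts", "detect_abend", "detect_promiscuous",
            "detect_mac_status", "detect_group_auth", "detect_watched_acct",
            "detect_watched_syscall", "detect_watched_file",
            "detect_watched_exec", "detect_watched_mk_exe"]
ACTIONS = ["avc_action", "login_action", "login_fail_max_action",
           "login_session_max_action", "login_location_action",
           "login_time_action", "abend_action", "promiscuous_action",
           "mac_status_action", "group_auth_act", "watched_acct_act",
           "watched_syscall_act", "watched_file_act", "watched_exec_act",
           "watched_mk_exe_act"]

# Documented defaults: every enabler is yes, every action is idmef.
DEFAULTS = {"profile": "auditd", "watched_accounts": ""}
DEFAULTS.update({k: "yes" for k in ENABLERS})
DEFAULTS.update({k: "idmef" for k in ACTIONS})

# Constructed stand-in for /etc/passwd (name -> uid); assumption for the example.
PASSWD = {"root": 0, "bin": 1, "daemon": 2, "adm": 3, "lp": 4, "sync": 5,
          "mail": 8, "www-data": 33, "nobody": 99, "alice": 1000, "bob": 1001}


def parse_conf(text):
    """Parse 'key = value' lines ('#' starts a comment, an assumption here).
    Returns (config, errors); a bad line is reported and its default kept."""
    conf = dict(DEFAULTS)
    errors = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: expected key = value")
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key not in DEFAULTS:
            errors.append(f"line {lineno}: unknown option {key!r}")
        elif key in seen:
            errors.append(f"line {lineno}: duplicate option {key!r}")
        elif key in ENABLERS and value not in ("yes", "no"):
            errors.append(f"line {lineno}: {key} must be yes or no")
        elif key in ACTIONS and value not in ("ignore", "idmef"):
            errors.append(f"line {lineno}: {key} must be ignore or idmef")
        elif key == "profile" and not re.fullmatch(r"\S+", value):
            errors.append(f"line {lineno}: profile must be one word")
        else:
            seen.add(key)
            conf[key] = value
    return conf, errors


def _to_uid(token):
    """Resolve a numeric uid or an account name via the constructed passwd map."""
    if token.isdigit():
        return int(token)
    if token in PASSWD:
        return PASSWD[token]
    raise ValueError(f"unknown account {token!r}")


def expand_watched_accounts(value):
    """Turn 'root, bin-lp alice' into sorted inclusive (low, high) uid ranges.
    Entries are split on whitespace and/or commas; 'a-b' is a range with no
    spaces around the dash. A whole entry that is itself an account name
    (e.g. www-data) is resolved before the dash is treated as a range."""
    ranges = []
    for entry in re.split(r"[\s,]+", value.strip()):
        if not entry:
            continue
        if entry in PASSWD or "-" not in entry:
            lo = hi = _to_uid(entry)
        else:
            lo, hi = (_to_uid(t) for t in entry.split("-", 1))
            if lo > hi:
                raise ValueError(f"range {entry!r} is reversed")
        ranges.append((lo, hi))
    return sorted(ranges)


def is_watched(uid, ranges):
    """True if uid falls inside any watched range."""
    return any(lo <= uid <= hi for lo, hi in ranges)


# Constructed config: most options left at their defaults, one check
# disabled, one downgraded to 'ignore', plus a deliberately invalid line.
SAMPLE_CONF = """\
# audisp-prelude.conf (constructed example)
profile = webfarm-auditd
detect_avc = yes
avc_action = ignore
detect_promiscuous = no
watched_accounts = root, bin-lp alice www-data
detect_abend = maybe
"""

if __name__ == "__main__":
    conf, errors = parse_conf(SAMPLE_CONF)
    for err in errors:
        print("error:", err)
    ranges = expand_watched_accounts(conf["watched_accounts"])
    print("watched uid ranges:", ranges)
    print("uid 3 (adm) watched:", is_watched(3, ranges))
```

       The invalid detect_abend line is reported and the documented default
       (yes) is kept, so a typo in an enabler never silently disables a check.
       Because the real plugin resolves names through the system's  account
       database, the range "bin-lp" covers whatever uids lie between those two
       accounts on that host, which is why a range written with names is worth
       double-checking against getent passwd before relying on it.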

SEE ALSO

       audispd(8), audisp-prelude(8), prelude-manager(1)

AUTHOR

       Steve Grubb