NAME
audisp-prelude.conf - the audisp-prelude configuration file
DESCRIPTION
audisp-prelude.conf is the file that controls the configuration of the
audit-based intrusion detection system implemented by the audisp-prelude
plugin. There are two general kinds of configuration options: enablers
and actions. An enabler switches a detector on or off and accepts only
yes or no as its value. An action determines what the IDS does when that
detector fires and currently accepts ignore or idmef. The ignore option
means that the IDS still detects the event but only logs the detection.
The idmef option means that the IDS sends an IDMEF alert to the prelude
manager upon detection. An action only takes effect while its enabler is
set to yes; a detector that is switched off produces no alert regardless
of its action setting. Note also that the watched_* detectors only see
what the kernel audit system records: the syscalls, files and programs to
watch are selected with audit rules loaded by auditctl(8), not in this
file. See audisp-prelude(8) for the rule conventions the plugin expects.
The configuration options that are available are as follows:
profile
This is a one word character string that is used to identify the
profile name in the prelude reporting tools. The default is
auditd.
detect_avc
This is an enabler that determines if the IDS should be examining
SELinux AVC (access vector cache) denial events. The default is yes.
avc_action
This is an action that determines what response should be taken
whenever an SELinux AVC denial is detected. The default is idmef.
detect_login
This is an enabler that determines if the IDS should be
examining login events. The default is yes.
login_action
This is an action that determines what response should be taken
whenever a login event is detected. The default is idmef.
detect_login_fail_max
This is an enabler that determines if the IDS should be looking
for an account exceeding its maximum number of failed logins. The
default is yes.
login_fail_max_action
This is an action that determines what response should be taken
whenever an account exceeding its maximum number of failed logins is
detected. The default is idmef.
detect_login_session_max
This is an enabler that determines if the IDS should be looking
for an account exceeding its maximum number of concurrent sessions.
The default is yes.
login_session_max_action
This is an action that determines what response should be taken
whenever an account exceeding its maximum number of concurrent
sessions is detected. The default is idmef.
detect_login_location
This is an enabler that determines if the IDS should be looking
for logins being attempted from a forbidden location. The
default is yes.
login_location_action
This is an action that determines what response should be taken
whenever logins are attempted from a forbidden location. The
default is idmef.
detect_login_time_alerts
This is an enabler that determines if the IDS should be looking
for logins attempted during a forbidden time. The default is
yes.
login_time_action
This is an action that determines what response should be taken
whenever logins are attempted during a forbidden time. The
default is idmef.
detect_abend
This is an enabler that determines if the IDS should be looking
for programs terminating abnormally (for example, killed by a signal
such as SIGSEGV). The default is yes.
abend_action
This is an action that determines what response should be taken
whenever programs terminate for an abnormal reason. The default
is idmef.
detect_promiscuous
This is an enabler that determines if the IDS should be looking
for a network interface being placed in promiscuous mode, for
example by a packet-capturing socket. The default is yes.
promiscuous_action
This is an action that determines what response should be taken
whenever an interface is detected entering promiscuous mode. The
default is idmef.
detect_mac_status
This is an enabler that determines if the IDS should be
detecting changes made to SELinux MAC enforcement, for example
switching between enforcing and permissive mode. The default is yes.
mac_status_action
This is an action that determines what response should be taken
whenever changes are made to SELinux MAC enforcement. The default
is idmef.
detect_group_auth
This is an enabler that determines if the IDS should be
detecting whenever a user fails to authenticate while changing their
group (for example with newgrp(1)). The default is yes.
group_auth_act
This is an action that determines what response should be taken
whenever a user fails to authenticate while changing their group. The
default is idmef.
detect_watched_acct
This is an enabler that determines if the IDS should be
detecting a user logging in to an account that is being watched.
The accounts to watch are set by the watched_accounts option. The
default is yes.
watched_acct_act
This is an action that determines what response should be taken
whenever a user logs in to an account that is being watched. The
default is idmef.
watched_accounts
This option is a whitespace- and comma-separated list of accounts
to watch. Each entry may be a numeric uid or an account name. To
include a range of accounts, separate the two endpoints with a dash
and no spaces. For example, to watch logins to every account from
bin through lp, use "bin-lp". Only successful logins are recorded;
failed attempts against a watched account do not trigger this
detector.
detect_watched_syscall
This is an enabler that determines if the IDS should be
detecting whenever a user runs a command that issues a syscall
that is being watched. The default is yes.
watched_syscall_act
This is an action that determines what response should be taken
whenever a user runs a command that issues a syscall that is
being watched. The default is idmef.
detect_watched_file
This is an enabler that determines if the IDS should be
detecting whenever a user accesses a file that is being watched.
The default is yes.
watched_file_act
This is an action that determines what response should be taken
whenever a user accesses a file that is being watched. The
default is idmef.
detect_watched_exec
This is an enabler that determines if the IDS should be
detecting whenever a user executes a program that is being
watched. The default is yes.
watched_exec_act
This is an action that determines what response should be taken
whenever a user executes a program that is being watched. The
default is idmef.
detect_watched_mk_exe
This is an enabler that determines if the IDS should be
detecting whenever a user creates a file that is executable. The
default is yes.
watched_mk_exe_act
This is an action that determines what response should be taken
whenever a user creates a file that is executable. The default
is idmef.
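The option set above is small enough to check mechanically before restarting the audit dispatcher. The following script is an added example, not code from the audit package or from this manual page: it parses a configuration file in the key = value form documented here, verifies that every enabler is yes/no and every action is ignore/idmef, flags unknown options and actions whose detector is switched off, and splits a watched_accounts value into single entries and dash ranges. The '#' comment syntax and the sample configuration at the bottom are assumptions constructed for the example.

```python
import re

# Option schema as documented in audisp-prelude.conf(5): each enabler is
# paired with the action that applies when that detector fires.
PAIRS = {
    "detect_avc": "avc_action",
    "detect_login": "login_action",
    "detect_login_fail_max": "login_fail_max_action",
    "detect_login_session_max": "login_session_max_action",
    "detect_login_location": "login_location_action",
    "detect_login_time_alerts": "login_time_action",
    "detect_abend": "abend_action",
    "detect_promiscuous": "promiscuous_action",
    "detect_mac_status": "mac_status_action",
    "detect_group_auth": "group_auth_act",
    "detect_watched_acct": "watched_acct_act",
    "detect_watched_syscall": "watched_syscall_act",
    "detect_watched_file": "watched_file_act",
    "detect_watched_exec": "watched_exec_act",
    "detect_watched_mk_exe": "watched_mk_exe_act",
}
ENABLERS = set(PAIRS)
ACTIONS = set(PAIRS.values())
OTHER = {"profile", "watched_accounts"}


def parse(text):
    """Parse 'key = value' lines into a dict; returns (conf, errors).
    Blank lines and '#' comments are skipped (assumed comment syntax)."""
    conf, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: expected 'key = value'")
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in conf:
            errors.append(f"line {lineno}: duplicate option {key}")
        conf[key] = value
    return conf, errors


def watched_accounts(value):
    """Split a watched_accounts value on whitespace and commas.
    'a-b' (no spaces) is a range and becomes the tuple (a, b); note that
    an account name containing a dash is therefore read as a range."""
    items = []
    for tok in re.split(r"[\s,]+", value.strip()):
        if not tok:
            continue
        if "-" in tok:
            lo, hi = tok.split("-", 1)
            items.append((lo, hi))
        else:
            items.append(tok)
    return items


def validate(conf):
    """Return a list of problems; an empty list means the file is acceptable."""
    problems = []
    for key, value in conf.items():
        if key in ENABLERS and value not in ("yes", "no"):
            problems.append(f"{key}: enabler must be yes or no, got {value!r}")
        elif key in ACTIONS and value not in ("ignore", "idmef"):
            problems.append(f"{key}: action must be ignore or idmef, got {value!r}")
        elif key == "profile" and not re.fullmatch(r"\S+", value):
            problems.append("profile: must be a single word")
        elif key not in ENABLERS | ACTIONS | OTHER:
            problems.append(f"{key}: unknown option")
    # An action is dead configuration while its detector is switched off.
    for enabler, action in PAIRS.items():
        if conf.get(enabler) == "no" and conf.get(action) == "idmef":
            problems.append(f"{action} = idmef has no effect while {enabler} = no")
    if "watched_accounts" in conf:
        if conf.get("detect_watched_acct", "yes") == "no":
            problems.append("watched_accounts is set but detect_watched_acct = no")
        for item in watched_accounts(conf["watched_accounts"]):
            if (isinstance(item, tuple) and all(p.isdigit() for p in item)
                    and int(item[0]) > int(item[1])):
                problems.append(f"watched_accounts: empty range {item[0]}-{item[1]}")
    return problems


# Constructed sample: two invalid values, one dead action, one unused list.
SAMPLE = """\
# audisp-prelude.conf (constructed example)
profile = auditd
detect_avc = yes
avc_action = idmef
detect_login_time_alerts = true      # invalid: enablers take yes/no only
login_time_action = idmef
detect_watched_acct = no
watched_acct_act = idmef             # has no effect while the detector is off
watched_accounts = root, 0-99 bin-lp
watched_file_act = alert             # invalid: actions take ignore/idmef only
"""


def check_sample():
    """Parse and validate SAMPLE; returns every problem found, in order."""
    conf, errors = parse(SAMPLE)
    return errors + validate(conf)


if __name__ == "__main__":
    for problem in check_sample():
        print(problem)
```

Run against the real file by replacing SAMPLE with the contents of /etc/audisp/audisp-prelude.conf (the path is an assumption; use wherever your distribution installs the plugin configuration). The dead-action check is deliberately a warning rather than an error: a detector switched off with its action left at idmef is harmless, but it usually means someone expected an alert that will never arrive.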
SEE ALSO
audispd(8), audisp-prelude(8), prelude-manager(1), auditctl(8)
AUTHOR
Steve Grubb