
NAME

       audisp-prelude - plugin for IDMEF alerts

SYNOPSIS

       audisp-prelude [ --test ]

DESCRIPTION

       audisp-prelude  is  a  plugin  for  the  audit event dispatcher daemon,
       audispd, that  uses  libprelude  to  send  IDMEF  alerts  for  possible
       Intrusion  Detection  events.  This  plugin  requires  connecting  to a
       prelude-manager to record the events it sends. This plugin will analyze
       audit  events  in  realtime  and  send  detected events to the prelude-
       manager for correlation, recording, and display.

       Events that  are  currently  supported  are:  Logins,  Forbidden  Login
       Location,  Max Concurrent Sessions, Max Login Failures, Forbidden Login
       Time, SE Linux AVCs, SE Linux  Enforcement  Changes,  Abnormal  Program
       Termination, Promiscuous Socket Changes, and watched account logins.

OPTIONS

       --test Takes input from stdin and writes prelude events to stdout, but
              does not send them to the prelude-manager. This can be used for
              debugging, or for testing the system with suspicious log files
              when you do not want it to alert or react.

INSTALLATION

       This sensor has to be registered with  the  prelude-manager  before  it
       will  work  properly. If the prelude-manager is on the same host as the
       sensor, you will need to open two windows to register. If not, you will
       have to adjust this example to fit your environment.

       In one window, type:

       prelude-admin register auditd "idmef:w" localhost --uid 0 --gid 0

       In another, type:

       prelude-admin registration-server prelude-manager

       Follow the on-screen instructions to complete the registration.

TIPS

       If  you  are  aggregating  multiple  machines,  you  should enable node
       information in the audit event stream. You can do this in  one  of  two
       places. If you want computer node names written to disk as well as sent
       in  the  realtime  event  stream,  edit  the  name_format   option   in
       /etc/audit/auditd.conf. If you only want the node names in the realtime
       event    stream,    then    edit    the    name_format    option     in
       /etc/audisp/audispd.conf.  Do  not  enable  both  as it will put 2 node
       fields in the event stream.

       At this point, if you want forbidden login location, max  concurrent
       sessions,  max  login  failures,  and  forbidden login time anomalies
       to be reported, you have to set up the PAM modules correctly. The PAM
       modules are, respectively: pam_access, pam_limits,  pam_tally2,  and
       pam_time. Please see the respective PAM  module  man  pages  for  any
       instructions.

       For  performance  reasons,  some  audit events will not produce syscall
       records, which contain additional information about events, unless
       there is at least one audit rule loaded. If you do not have any other
       audit rules, edit /etc/audit/audit.rules and add something simple  that
       won’t impact performance, like this: -w /etc/shadow -p wa. This rule
       will watch the shadow file for writes or changes to its attributes. The
       additional audit information provided by having at least one rule will
       allow the plugin to give a more  complete  view  of  the  alert  it  is
       sending.

       If  you  are  wanting to get alerts on watched syscalls, watched files,
       watched execution, or something becoming executable, you  need  to  add
       some  keys  to your audit rules. For example, if you have the following
       audit watch in /etc/audit/audit.rules:

       -w /etc/shadow -p wa

       and you want IDMEF alerts on this, you need to add -k ids-file-med  or
       something  appropriate to signal to the plugin that this message is for
       it. The key has a fixed format of keywords separated by a dash,  of
       the form ids-type-severity. The type can be  either  sys,  file,  exec,
       or mkexe depending on whether you want the event to be considered  a
       watched_syscall,   watched_file,   watched_exec,   or   watched_mk_exe
       respectively. The severity can be either info, low, med, or hi depending
       on how urgent you would like it to be.

EXAMPLE RULES

       To alert on any use of the personality syscall:

       -a exit,always -S personality -k ids-sys-med

       To alert on a user failing to access the shadow file:

       -a always,exit -F path=/etc/shadow -F perms=wa -F success=0 -k ids-file-med

       To alert on the execution of a program:

       -w /bin/ping -p x -k ids-exe-info

       To alert on users making exe’s in their home dir (takes 2 rules):

       -a exit,always -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -k ids-mkexe-hi
       -a exit,always -S fchmod,chmod -F dir=/home -F a1&0111 -F filetype=file -k ids-mkexe-hi
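       The ids-type-severity key convention described under TIPS and used by the
       rules above, as an added example that is not code from audisp-prelude or
       this man page: a C parser that turns an audit record's key field into the
       watched type and severity the plugin would act on. It accepts exactly the
       four types and four severities listed under TIPS, assumes libaudit's 0x01
       separator between keys when a rule carries several -k options, and the key
       field strings used to exercise it are constructed.

```c
#include <string.h>

/* The four watched-event types and four severities listed under TIPS. */
enum ids_type { IDS_SYS, IDS_FILE, IDS_EXEC, IDS_MKEXE };
enum ids_sev  { IDS_INFO, IDS_LOW, IDS_MED, IDS_HI };
static const char *const type_names[] = { "sys", "file", "exec", "mkexe" };
static const char *const sev_names[]  = { "info", "low", "med", "hi" };

/* found == 0 means "not an ids key"; type and sev are then meaningless. */
struct ids_key { int found; enum ids_type type; enum ids_sev sev; };

static int lookup(const char *const *names, int n, const char *s, size_t len)
{
    for (int i = 0; i < n; i++)
        if (strlen(names[i]) == len && memcmp(names[i], s, len) == 0) return i;
    return -1;
}

/* Parse one key of the fixed form ids-type-severity. Anything else (wrong
 * prefix, unknown type or severity, missing or trailing text) is rejected. */
struct ids_key parse_ids_key(const char *key)
{
    struct ids_key r = { 0, IDS_SYS, IDS_INFO };
    if (strncmp(key, "ids-", 4) != 0) return r;
    const char *dash = strchr(key + 4, '-');   /* splits type from severity */
    if (dash == NULL) return r;
    int ti = lookup(type_names, 4, key + 4, (size_t)(dash - key - 4));
    int si = lookup(sev_names, 4, dash + 1, strlen(dash + 1));
    if (ti < 0 || si < 0) return r;
    r.found = 1; r.type = (enum ids_type)ti; r.sev = (enum ids_sev)si;
    return r;
}

/* A rule given several -k options produces one key field with the keys
 * joined by 0x01 (libaudit's AUDIT_KEY_SEPARATOR); return its first ids key. */
struct ids_key find_ids_key(const char *keyfield)
{
    char buf[256];
    for (const char *p = keyfield; *p; ) {
        const char *end = strchr(p, '\001');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len < sizeof buf) {
            memcpy(buf, p, len); buf[len] = '\0';
            struct ids_key r = parse_ids_key(buf);
            if (r.found) return r;
        }
        if (end == NULL) break;
        p = end + 1;
    }
    return parse_ids_key("");   /* no ids key in the field */
}
```

       A key such as ids-file-med parses to watched_file at severity med, while
       a key meant only for ausearch (no ids- prefix) is left to the plugin's
       other event handlers.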

FILES

       /etc/audisp/plugins.d/au-prelude.conf,          /etc/audit/auditd.conf,
       /etc/audisp/audispd.conf, /etc/audisp/audisp-prelude.conf

SEE ALSO

       audispd(8),   prelude-manager(1),   auditd.conf(8),    audispd.conf(8),
       audisp-prelude.conf(5).

AUTHOR

       Steve Grubb