Provided by: audispd-plugins_2.4.5-1ubuntu2_amd64 bug

NAME

       audisp-prelude.conf - the audisp-prelude configuration file

DESCRIPTION

       audisp-prelude.conf  is  the  file  that  controls  the  configuration  of the audit based
       intrusion detection system. There are 2  general  kinds  of  configuration  option  types,
       enablers and actions. The enablers simply have yes/no as the only valid choices.

       The  action  options  currently  allow ignore, and idmef as its choices. The ignore option
       means that the IDS still detects events, but only logs  the  detection  in  response.  The
       idmef  option  means  that  the  IDS  will send an IDMEF alert to the prelude manager upon
       detection.

       The configuration options that are available are as follows:

       profile
              This is a one word character string that is used to identify the  profile  name  in
              the prelude reporting tools. The default is auditd.

       detect_avc
              This an enabler that determines if the IDS should be examining SE Linux AVC events.
              The default is yes.

       avc_action
              This is an action that determines what response should be taken whenever a SE Linux
              AVC is detected. The default is idmef.

       detect_login
              This is an enabler that determines if the IDS should be examining login events. The
              default is yes.

       login_action
              This is an action that determines what response should be taken  whenever  a  login
              event is detected. The default is idmef.

       detect_login_fail_max
              This  is an enabler that determines if the IDS should be looking for maximum number
              of failed logins for an account. The default is yes.

       login_fail_max_action
              This is an action that determines  what  response  should  be  taken  whenever  the
              maximum number of failed logins for an account is detected. The default is idmef.

       detect_login_session_max
              This  is  an  enabler  that  determines  if  the  IDS should be looking for maximum
              concurrent sessions limit for an account. The default is yes.

       login_session_max_action
              This is an action that determines  what  response  should  be  taken  whenever  the
              maximum concurrent sessions limit for an account is detected. The default is idmef.

       detect_login_location
              This  is  an  enabler that determines if the IDS should be looking for logins being
              attempted from a forbidden location. The default is yes.

       login_location_action
              This is an action that determines what response should be taken whenever logins are
              attempted from a forbidden location. The default is idmef.

       detect_login_time_alerts
              This  is  an  enabler  that  determines  if  the  IDS  should be looking for logins
              attempted during a forbidden time. The default is yes.

       login_time_action
              This is an action that determines what response should be taken whenever logins are
              attempted during a forbidden time. The default is idmef.

       detect_abend
              This  is  an  enabler  that  determines  if  the IDS should be looking for programs
              terminating for an abnormal reason. The default is yes.

       abend_action
              This is an action that determines what response should be taken  whenever  programs
              terminate for an abnormal reason. The default is idmef.

       detect_promiscuous
              This  is  an  enabler  that determines if the IDS should be looking for promiscuous
              sockets being opened. The default is yes.

       promiscuous_action
              This  is  an  action  that  determines  what  response  should  be  taken  whenever
              promiscuous sockets are detected open. The default is idmef.

       detect_mac_status
              This  is  an enabler that determines if the IDS should be detecting changes made to
              the SE Linux MAC enforcement. The default is yes.

       mac_status_action
              This is an action that determines what response should be  taken  whenever  changes
              are made to the SE Linux MAC enforcement. The default is idmef.

       detect_group_auth
              This  is  an enabler that determines if the IDS should be detecting whenever a user
              fails in changing their default group. The default is yes.

       group_auth_act
              This is an action that determines what response should be  taken  whenever  a  user
              fails in changing their default group. The default is idmef.

       detect_watched_acct
              This is an enabler that determines if the IDS should be detecting a user attempting
              to login on an account that is being watched. The accounts to watch is set  by  the
              watched_accounts option. The default is yes.

       watched_acct_act
              This  is  an  action  that determines what response should be taken whenever a user
              attempts to login on an account that is being watched. The default is idmef.

       watched_accounts
              This option is a whitespace and comma separated list  of  accounts  to  watch.  The
              accounts  may  be  numeric  or  alphanumeric.  If  you  want  to include a range of
              accounts, separate them with a dash but no spaces. For  example,  to  watch  logins
              from bin to lp, use "bin-lp". Only successful logins are recorded.

       detect_watched_syscall
              This  is  an enabler that determines if the IDS should be detecting whenever a user
              runs a command that issues a syscall that is being watched. The default is yes.

       watched_syscall_act
              This is an action that determines what response should be  taken  whenever  a  user
              runs a command that issues a syscall that is being watched. The default is idmef.

       detect_watched_file
              This  is  an enabler that determines if the IDS should be detecting whenever a user
              accesses a file that is being watched. The default is yes.

       watched_file_act
              This is an action that determines what response should be  taken  whenever  a  user
              accesses a file that is being watched. The default is idmef.

       detect_watched_exec
              This  is  an enabler that determines if the IDS should be detecting whenever a user
              executes a program that is being watched. The default is yes.

       watched_exec_act
              This is an action that determines what response should be  taken  whenever  a  user
              executes a program that is being watched. The default is idmef.

       detect_watched_mk_exe
              This  is  an enabler that determines if the IDS should be detecting whenever a user
              creates a file that is executable. The default is yes.

       watched_mk_exe_act
              This is an action that determines what response should be  taken  whenever  a  user
              creates a file that is executable. The default is idmef.

SEE ALSO

       audispd(8), audisp-prelude(8), prelude-manager(1).

AUTHOR

       Steve Grubb