bionic (5) audisp-prelude.conf.5.gz

Provided by: audispd-plugins_2.8.2-1ubuntu1.1_amd64 bug

NAME

       audisp-prelude.conf - the audisp-prelude configuration file

DESCRIPTION

       audisp-prelude.conf  is  the  file that controls the configuration of the audit based intrusion detection
       system. There are 2 general kinds of configuration option  types,  enablers  and  actions.  The  enablers
       simply have yes/no as the only valid choices.

       The action options currently allow ignore, and idmef as its choices. The ignore option means that the IDS
       still detects events, but only logs the detection in response. The idmef option means that the  IDS  will
       send an IDMEF alert to the prelude manager upon detection.

       The configuration options that are available are as follows:

       profile
              This  is  a  one  word  character  string that is used to identify the profile name in the prelude
              reporting tools. The default is auditd.

       detect_avc
              This an enabler that determines if the IDS should be examining SE Linux AVC events. The default is
              yes.

       avc_action
              This  is  an  action  that  determines  what  response  should be taken whenever a SE Linux AVC is
              detected. The default is idmef.

       detect_login
              This is an enabler that determines if the IDS should be examining login  events.  The  default  is
              yes.

       login_action
              This  is  an  action  that  determines  what  response  should  be taken whenever a login event is
              detected. The default is idmef.

       detect_login_fail_max
              This is an enabler that determines if the IDS should be  looking  for  maximum  number  of  failed
              logins for an account. The default is yes.

       login_fail_max_action
              This  is  an  action  that determines what response should be taken whenever the maximum number of
              failed logins for an account is detected. The default is idmef.

       detect_login_session_max
              This is an enabler that determines if the IDS should be looking for  maximum  concurrent  sessions
              limit for an account. The default is yes.

       login_session_max_action
              This  is  an  action that determines what response should be taken whenever the maximum concurrent
              sessions limit for an account is detected. The default is idmef.

       detect_login_location
              This is an enabler that determines if the IDS should be looking for logins being attempted from  a
              forbidden location. The default is yes.

       login_location_action
              This is an action that determines what response should be taken whenever logins are attempted from
              a forbidden location. The default is idmef.

       detect_login_time_alerts
              This is an enabler that determines if the IDS should be looking  for  logins  attempted  during  a
              forbidden time. The default is yes.

       login_time_action
              This  is  an  action  that  determines what response should be taken whenever logins are attempted
              during a forbidden time. The default is idmef.

       detect_abend
              This is an enabler that determines if the IDS should be looking for programs  terminating  for  an
              abnormal reason. The default is yes.

       abend_action
              This is an action that determines what response should be taken whenever programs terminate for an
              abnormal reason. The default is idmef.

       detect_promiscuous
              This is an enabler that determines if the IDS should be  looking  for  promiscuous  sockets  being
              opened. The default is yes.

       promiscuous_action
              This  is  an action that determines what response should be taken whenever promiscuous sockets are
              detected open. The default is idmef.

       detect_mac_status
              This is an enabler that determines if the IDS should be detecting changes made to the SE Linux MAC
              enforcement. The default is yes.

       mac_status_action
              This  is  an action that determines what response should be taken whenever changes are made to the
              SE Linux MAC enforcement. The default is idmef.

       detect_group_auth
              This is an enabler that determines if the IDS  should  be  detecting  whenever  a  user  fails  in
              changing their default group. The default is yes.

       group_auth_act
              This  is an action that determines what response should be taken whenever a user fails in changing
              their default group. The default is idmef.

       detect_watched_acct
              This is an enabler that determines if the IDS should be detecting a user attempting to login on an
              account  that  is  being watched. The accounts to watch is set by the watched_accounts option. The
              default is yes.

       watched_acct_act
              This is an action that determines what response should be taken whenever a user attempts to  login
              on an account that is being watched. The default is idmef.

       watched_accounts
              This  option  is  a  whitespace and comma separated list of accounts to watch. The accounts may be
              numeric or alphanumeric. If you want to include a range of accounts, separate them with a dash but
              no  spaces.  For example, to watch logins from bin to lp, use "bin-lp". Only successful logins are
              recorded.

       detect_watched_syscall
              This is an enabler that determines if the IDS should be detecting whenever a user runs  a  command
              that issues a syscall that is being watched. The default is yes.

       watched_syscall_act
              This  is  an  action  that determines what response should be taken whenever a user runs a command
              that issues a syscall that is being watched. The default is idmef.

       detect_watched_file
              This is an enabler that determines if the IDS should be detecting whenever a user accesses a  file
              that is being watched. The default is yes.

       watched_file_act
              This  is  an  action that determines what response should be taken whenever a user accesses a file
              that is being watched. The default is idmef.

       detect_watched_exec
              This is an enabler that determines if the IDS should be  detecting  whenever  a  user  executes  a
              program that is being watched. The default is yes.

       watched_exec_act
              This is an action that determines what response should be taken whenever a user executes a program
              that is being watched. The default is idmef.

       detect_watched_mk_exe
              This is an enabler that determines if the IDS should be detecting whenever a user creates  a  file
              that is executable. The default is yes.

       watched_mk_exe_act
              This  is  an  action  that determines what response should be taken whenever a user creates a file
              that is executable. The default is idmef.

SEE ALSO

       audispd(8), audisp-prelude(8), prelude-manager(1).

AUTHOR

       Steve Grubb