Provided by: audispd-plugins_2.8.2-1ubuntu1.1_amd64

NAME

       audisp-prelude.conf - the audisp-prelude configuration file

DESCRIPTION

       audisp-prelude.conf is the file that controls the configuration of the audit based intrusion detection
       system. There are two general kinds of configuration option types, enablers and actions. The enablers
       accept only yes or no as valid choices.

       The action options currently allow ignore and idmef as their choices. The ignore option means that the
       IDS still detects events, but only logs the detection in response. The idmef option means that the IDS
       will send an IDMEF alert to the prelude manager upon detection.

       The configuration options that are available are as follows:

       profile
              This is a one word character string that is used to identify  the  profile  name  in  the  prelude
              reporting tools. The default is auditd.

       detect_avc
              This is an enabler that determines if the IDS should be examining SE Linux AVC events. The default
              is yes.

       avc_action
              This  is  an  action  that  determines  what  response  should be taken whenever a SE Linux AVC is
              detected. The default is idmef.

       detect_login
              This is an enabler that determines if the IDS should be examining login  events.  The  default  is
              yes.

       login_action
              This  is  an  action  that  determines  what  response  should  be taken whenever a login event is
              detected. The default is idmef.

       detect_login_fail_max
              This is an enabler that determines if the IDS should be  looking  for  maximum  number  of  failed
              logins for an account. The default is yes.

       login_fail_max_action
              This  is  an  action  that determines what response should be taken whenever the maximum number of
              failed logins for an account is detected. The default is idmef.

       detect_login_session_max
              This is an enabler that determines if the IDS should be looking for  maximum  concurrent  sessions
              limit for an account. The default is yes.

       login_session_max_action
              This  is  an  action that determines what response should be taken whenever the maximum concurrent
              sessions limit for an account is detected. The default is idmef.

       detect_login_location
              This is an enabler that determines if the IDS should be looking for logins being attempted from  a
              forbidden location. The default is yes.

       login_location_action
              This is an action that determines what response should be taken whenever logins are attempted from
              a forbidden location. The default is idmef.

       detect_login_time_alerts
              This  is  an  enabler  that  determines if the IDS should be looking for logins attempted during a
              forbidden time. The default is yes.

       login_time_action
              This is an action that determines what response should be  taken  whenever  logins  are  attempted
              during a forbidden time. The default is idmef.

       detect_abend
              This  is  an  enabler that determines if the IDS should be looking for programs terminating for an
              abnormal reason. The default is yes.

       abend_action
              This is an action that determines what response should be taken whenever programs terminate for an
              abnormal reason. The default is idmef.

       detect_promiscuous
              This is an enabler that determines if the IDS should be  looking  for  promiscuous  sockets  being
              opened. The default is yes.

       promiscuous_action
              This  is  an action that determines what response should be taken whenever promiscuous sockets are
              detected open. The default is idmef.

       detect_mac_status
              This is an enabler that determines if the IDS should be detecting changes made to the SE Linux MAC
              enforcement. The default is yes.

       mac_status_action
              This is an action that determines what response should be taken whenever changes are made  to  the
              SE Linux MAC enforcement. The default is idmef.

       detect_group_auth
              This  is  an  enabler  that  determines  if  the  IDS should be detecting whenever a user fails in
              changing their default group. The default is yes.

       group_auth_act
              This is an action that determines what response should be taken whenever a user fails in  changing
              their default group. The default is idmef.

       detect_watched_acct
              This is an enabler that determines if the IDS should be detecting a user attempting to login on an
              account that is being watched. The accounts to watch are set by the watched_accounts option. The
              default is yes.

       watched_acct_act
              This is an action that determines what response should be taken whenever a user attempts to  login
              on an account that is being watched. The default is idmef.

       watched_accounts
              This option is a whitespace- and comma-separated list of accounts to watch. The accounts may be
              numeric or alphanumeric. If you want to include a range of accounts, separate them with a dash but
              no spaces. For example, to watch logins from bin to lp, use "bin-lp". Only successful logins are
              recorded.

       detect_watched_syscall
              This  is  an enabler that determines if the IDS should be detecting whenever a user runs a command
              that issues a syscall that is being watched. The default is yes.

       watched_syscall_act
              This is an action that determines what response should be taken whenever a  user  runs  a  command
              that issues a syscall that is being watched. The default is idmef.

       detect_watched_file
              This  is an enabler that determines if the IDS should be detecting whenever a user accesses a file
              that is being watched. The default is yes.

       watched_file_act
              This is an action that determines what response should be taken whenever a user  accesses  a  file
              that is being watched. The default is idmef.

       detect_watched_exec
              This  is  an  enabler  that  determines  if the IDS should be detecting whenever a user executes a
              program that is being watched. The default is yes.

       watched_exec_act
              This is an action that determines what response should be taken whenever a user executes a program
              that is being watched. The default is idmef.

       detect_watched_mk_exe
              This is an enabler that determines if the IDS should be detecting whenever a user creates  a  file
              that is executable. The default is yes.

       watched_mk_exe_act
              This  is  an  action  that determines what response should be taken whenever a user creates a file
              that is executable. The default is idmef.
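       The following is an added example, not part of the audit package or this manual page: a small Python
       checker for an audisp-prelude.conf file. It parses "key = value" lines, verifies that every enabler is
       yes or no and every action is ignore or idmef as described above, fills in the documented defaults, and
       expands a watched_accounts value (comma or whitespace separated, dash for ranges, no spaces inside a
       range). Account names are resolved to UIDs through a constructed passwd table so the example runs
       offline; the assumption that a name range such as "bin-lp" covers the UIDs between the two names is the
       example's own, as is the "#" comment syntax. The sample configuration text is constructed.

```python
"""Validator for audisp-prelude.conf (added example, not the audit package's code)."""
import re

# Option names taken from the manual page. Every enabler defaults to yes,
# every action defaults to idmef, profile defaults to auditd.
ENABLERS = {
    "detect_avc", "detect_login", "detect_login_fail_max",
    "detect_login_session_max", "detect_login_location",
    "detect_login_time_alerts", "detect_abend", "detect_promiscuous",
    "detect_mac_status", "detect_group_auth", "detect_watched_acct",
    "detect_watched_syscall", "detect_watched_file", "detect_watched_exec",
    "detect_watched_mk_exe",
}
ACTIONS = {
    "avc_action", "login_action", "login_fail_max_action",
    "login_session_max_action", "login_location_action", "login_time_action",
    "abend_action", "promiscuous_action", "mac_status_action",
    "group_auth_act", "watched_acct_act", "watched_syscall_act",
    "watched_file_act", "watched_exec_act", "watched_mk_exe_act",
}

# Constructed passwd table (name -> uid) standing in for the system user
# database; the real plugin resolves names against the running system.
PASSWD = {"root": 0, "bin": 1, "daemon": 2, "adm": 3, "lp": 4, "sync": 5, "alice": 1000}

# Constructed sample configuration; "#" comments are an assumption of this example.
SAMPLE_CONF = """\
# sample audisp-prelude.conf (constructed)
profile = auditd
detect_avc = yes
avc_action = idmef
detect_promiscuous = yes
promiscuous_action = ignore
detect_watched_acct = yes
watched_acct_act = idmef
watched_accounts = root, bin-lp 1000
"""


def parse_conf(text):
    """Parse 'key = value' lines. Returns (options, syntax_errors)."""
    options, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: expected 'key = value'")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in options:
            errors.append(f"line {lineno}: duplicate option {key}")
        options[key] = value
    return options, errors


def _uid(token):
    """Resolve a numeric or alphanumeric account token to a UID."""
    if token.isdigit():
        return int(token)
    if token in PASSWD:
        return PASSWD[token]
    raise ValueError(f"unknown account {token!r}")


def expand_accounts(value):
    """Return the sorted UIDs named by a watched_accounts value."""
    uids = set()
    for item in re.split(r"[\s,]+", value.strip()):
        if not item:
            continue
        if "-" in item:                       # range: "bin-lp" or "1000-1005"
            lo, hi = item.split("-", 1)
            if not lo or not hi:
                raise ValueError(f"range {item!r} must have no spaces around the dash")
            lo, hi = _uid(lo), _uid(hi)
            if lo > hi:
                raise ValueError(f"empty range {item!r}")
            uids.update(range(lo, hi + 1))
        else:
            uids.add(_uid(item))
    return sorted(uids)


def validate(options):
    """Return a list of semantic errors; an empty list means the file is acceptable."""
    errors = []
    for key, value in options.items():
        if key in ENABLERS:
            if value not in ("yes", "no"):
                errors.append(f"{key}: enabler must be yes or no, got {value!r}")
        elif key in ACTIONS:
            if value not in ("ignore", "idmef"):
                errors.append(f"{key}: action must be ignore or idmef, got {value!r}")
        elif key == "profile":
            if not re.fullmatch(r"\S+", value):
                errors.append("profile: must be a single word")
        elif key == "watched_accounts":
            try:
                expand_accounts(value)
            except ValueError as exc:
                errors.append(f"watched_accounts: {exc}")
        else:
            errors.append(f"unknown option {key}")
    return errors


def effective_config(options):
    """Merge the parsed options over the documented defaults."""
    conf = {k: "yes" for k in ENABLERS}
    conf.update({k: "idmef" for k in ACTIONS})
    conf["profile"] = "auditd"
    conf["watched_accounts"] = ""
    conf.update(options)
    return conf


if __name__ == "__main__":
    opts, syntax_errors = parse_conf(SAMPLE_CONF)
    for err in syntax_errors + validate(opts):
        print("error:", err)
    print("watched UIDs:", expand_accounts(opts.get("watched_accounts", "")))
    print("promiscuous_action:", effective_config(opts)["promiscuous_action"])
```

       Running the script against a real file (read it into parse_conf) reports any enabler or action set to an
       unsupported word before the plugin is restarted, and shows which detections have been downgraded to
       ignore, which is the setting most worth reviewing on a host where the IDS is expected to alert.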

SEE ALSO

       audispd(8), audisp-prelude(8), prelude-manager(1).

AUTHOR

       Steve Grubb

Red Hat                                             Mar 2008                             AUDISP-PRELUDE.CONF:(5)