NAME

       audisp-prelude - plugin for IDMEF alerts

SYNOPSIS

       audisp-prelude [ --test ]

DESCRIPTION

       audisp-prelude  is  a  plugin  for  the  audit event dispatcher daemon, audispd, that uses
       libprelude to send IDMEF alerts for  possible  Intrusion  Detection  events.  This  plugin
       requires  connecting  to a prelude-manager to record the events it sends. This plugin will
       analyze audit events in realtime and send  detected  events  to  the  prelude-manager  for
       correlation, recording, and display.

       Events  that are currently supported are: Logins, Forbidden Login Location, Max Concurrent
       Sessions, Max Login Failures, Forbidden Login Time, SE Linux AVCs,  SE  Linux  Enforcement
       Changes,  Abnormal  Program  Termination,  Promiscuous Socket Changes, and watched account
       logins.

OPTIONS

       --test Take input from stdin and write prelude events to stdout but does not send them  to
              the  prelude-manager.  This  can  be  used for debugging or testing the system with
              suspicious log files when you do not want it to alert or react.

INSTALLATION

       This sensor has to be registered with the prelude-manager before it will work properly. If
       the  prelude-manager  is on the same host as the sensor, you will need to open two windows
       to register. If not, you will have to adjust this example to fit your environment.

       In one window, type:

       prelude-admin register auditd idmef:w localhost --uid 0 --gid 0

       In another, type:

       prelude-admin registration-server prelude-manager

       Follow the on-screen instructions to complete the registration.

TIPS

       If you are aggregating multiple machines, you should enable node information in the  audit
       event  stream.  You  can  do  this  in  one of two places. If you want computer node names
       written to disk as well as sent in the realtime event stream, edit the name_format  option
       in  /etc/audit/auditd.conf.  If you only want the node names in the realtime event stream,
       then edit the name_format option in /etc/audisp/audispd.conf. Do not  enable  both  as  it
       will put 2 node fields in the event stream.

       At  this point, if you want have audit: forbidden login location, max concurrent sessions,
       max login failures, and forbidden login time anomalies being reported, you have  to  setup
       pam   modules  correctly.  The  pam  modules  are  respectively:  pam_access,  pam_limits,
       pam_tally2, and pam_time.  Please  see  the  respective  pam  module  man  pages  for  any
       instructions.

       For  performance reasons, some audit events will not produce syscall records which contain
       additional information about events unless there is at least one audit rule loaded. If you
       do  not  have  any  additional  audit rules, edit /etc/audit/audit.rules and add something
       simple that won't impact performance like this: -w /etc/shadow -p wa. This rule will watch
       the  shadow file for writes or changes to its attributes. The additional audit information
       provided by having at least one rule will allow the plugin to give a more complete view of
       the alert it is sending.

       If you are wanting to get alerts on watched syscalls, watched files, watched execution, or
       something becoming executable, you need to add some keys to your audit rules. For example,
       if you have the following audit watch in /etc/audit/audit.rules:

       -w /etc/shadow -p wa

       and  you  want  idmef  alerts  on  this,  you  need  to  add -k ids-file-med  or something
       appropriate to signal to the plugin that this message is for it. The format of the key has
       a  fixed format of keywords separated by a dash. It follows the form of ids-type-severity.
       The type can be either sys, file, exec, or mkexe depending on whether you want  the  event
       to   be  considered  a  watched_syscall,  watched_file,  watched_exec,  or  watched_mk_exe
       respectively. The severity can be either info, low, med, or hi depending on how urgent you
       would like it to be.

EXAMPLE RULES

       To alert on any use of the personality syscall:
       -a always,exit -S personality -k ids-sys-med

       To alert on a user failing to access the shadow file:
       -a always,exit -F path=/etc/shadow -F perms=wa -F success=0 -k ids-file-med

       To alert on the execution of a program:
       -w /bin/ping -p x -k ids-exe-info

       To alert on users making exe's in their home dir (takes 2 rules):
       -a always,exit -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -k ids-mkexe-hi
       -a always,exit -S fchmod,chmod -F dir=/home -F a1&0111 -F filetype=file -k ids-mkexe-hi

FILES

       /etc/audisp/plugins.d/au-prelude.conf,  /etc/audit/auditd.conf,  /etc/audisp/audispd.conf,
       /etc/audisp/audisp-prelude.conf

SEE ALSO

       audispd(8), prelude-manager(1), auditd.conf(8), audispd.conf(8), audisp-prelude.conf(5).

AUTHOR

       Steve Grubb