Provided by: audispd-plugins_2.8.2-1ubuntu1.1_amd64 bug

NAME
       audisp-prelude - plugin for IDMEF alerts


SYNOPSIS
       audisp-prelude [ --test ]


DESCRIPTION
       audisp-prelude  is  a plugin for the audit event dispatcher daemon, audispd, that uses libprelude to send
       IDMEF  alerts  for  possible  Intrusion  Detection  events.  This  plugin  requires   connecting   to   a
       prelude-manager to record the events it sends. This plugin will analyze audit events in realtime and send
       detected events to the prelude-manager for correlation, recording, and display.

       Events that are currently supported are: Logins, Forbidden Login Location, Max Concurrent  Sessions,  Max
       Login  Failures,  Forbidden  Login  Time,  SE  Linux AVCs, SE Linux Enforcement Changes, Abnormal Program
       Termination, Promiscuous Socket Changes, and watched account logins.


OPTIONS
       --test Take input from stdin and  write  prelude  events  to  stdout  but  does  not  send  them  to  the
              prelude-manager.  This  can  be used for debugging or testing the system with suspicious log files
              when you do not want it to alert or react.


INSTALLATION
       This sensor has to be  registered  with  the  prelude-manager  before  it  will  work  properly.  If  the
       prelude-manager is on the same host as the sensor, you will need to open two windows to register. If not,
       you will have to adjust this example to fit your environment.

       In one window, type:

       prelude-admin register auditd idmef:w localhost --uid 0 --gid 0

       In another, type:

       prelude-admin registration-server prelude-manager

       Follow the on-screen instructions to complete the registration.


TIPS
       If you are aggregating multiple machines, you should enable node information in the audit  event  stream.
       You  can do this in one of two places. If you want computer node names written to disk as well as sent in
       the realtime event stream, edit the name_format option in /etc/audit/auditd.conf. If you  only  want  the
       node names in the realtime event stream, then edit the name_format option in /etc/audisp/audispd.conf. Do
       not enable both as it will put 2 node fields in the event stream.

       At this point, if you want have audit: forbidden login  location,  max  concurrent  sessions,  max  login
       failures, and forbidden login time anomalies being reported, you have to setup pam modules correctly. The
       pam modules are respectively: pam_access, pam_limits, pam_tally2, and pam_time. Please see the respective
       pam module man pages for any instructions.

       For  performance  reasons,  some  audit  events will not produce syscall records which contain additional
       information about events unless there is at least  one  audit  rule  loaded.  If  you  do  not  have  any
       additional  audit  rules,  edit  /etc/audit/audit.rules  and  add  something  simple  that  won't  impact
       performance like this: -w /etc/shadow -p wa. This rule will watch the shadow file for writes  or  changes
       to  its  attributes. The additional audit information provided by having at least one rule will allow the
       plugin to give a more complete view of the alert it is sending.

       If you are wanting to get alerts on watched syscalls, watched  files,  watched  execution,  or  something
       becoming  executable,  you  need  to  add  some  keys  to  your audit rules. For example, if you have the
       following audit watch in /etc/audit/audit.rules:

       -w /etc/shadow -p wa

       and you want idmef alerts on this, you need to add -k ids-file-med  or something appropriate to signal to
       the plugin that this message is for it. The format of the key has a fixed format of keywords separated by
       a dash. It follows the form of ids-type-severity.  The type can be  either  sys,  file,  exec,  or  mkexe
       depending  on  whether you want the event to be considered a watched_syscall, watched_file, watched_exec,
       or watched_mk_exe respectively. The severity can be either info, low, med, or hi depending on how  urgent
       you would like it to be.


EXAMPLE RULES
       To alert on any use of the personality syscall:
       -a always,exit -S personality -k ids-sys-med

       To alert on a user failing to access the shadow file:
       -a always,exit -F path=/etc/shadow -F perms=wa -F success=0 -k ids-file-med

       To alert on the execution of a program:
       -w /bin/ping -p x -k ids-exe-info

       To alert on users making exe's in their home dir (takes 2 rules):
       -a always,exit -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -k ids-mkexe-hi
       -a always,exit -S fchmod,chmod -F dir=/home -F a1&0111 -F filetype=file -k ids-mkexe-hi


FILES
       /etc/audisp/plugins.d/au-prelude.conf,          /etc/audit/auditd.conf,         /etc/audisp/audispd.conf,
       /etc/audisp/audisp-prelude.conf


SEE ALSO
       audispd(8), prelude-manager(1), auditd.conf(8), audispd.conf(8), audisp-prelude.conf(5).


AUTHOR
       Steve Grubb