NAME
audisp-prelude - plugin for IDMEF alerts
SYNOPSIS
audisp-prelude [ --test ]
DESCRIPTION
audisp-prelude is a plugin for the audit event dispatcher daemon,
audispd, that uses libprelude to send IDMEF alerts for possible Intrusion
Detection events. This plugin requires connecting to a prelude-manager to
record the events it sends. This plugin will analyze audit events in realtime
and send detected events to the prelude-manager for correlation, recording,
and display.
Events that are currently supported are: Logins, Forbidden Login Location, Max
Concurrent Sessions, Max Login Failures, Forbidden Login Time, SELinux AVCs,
SELinux Enforcement Changes, Abnormal Program Termination, Promiscuous Socket
Changes, and Watched Account Logins.
OPTIONS
--test
Takes input from stdin and writes prelude events to stdout, but does not send
them to the prelude-manager. This can be used for debugging, or for testing the
system against suspicious log files when you do not want it to alert or react.
INSTALLATION
This sensor has to be registered with the prelude-manager before it will work
properly. If the prelude-manager is on the same host as the sensor, you will
need to open two windows to register. If not, you will have to adjust this
example to fit your environment.
In one window, type:
prelude-admin register auditd idmef:w localhost --uid 0 --gid 0
In another, type:
prelude-admin registration-server prelude-manager
Follow the on-screen instructions to complete the registration.
TIPS
If you are aggregating multiple machines, you should enable node information in
the audit event stream. You can do this in one of two places. If you want
computer node names written to disk as well as sent in the realtime event
stream, edit the name_format option in /etc/audit/auditd.conf. If you only
want the node names in the realtime event stream, then edit the name_format
option in /etc/audisp/audispd.conf. Do not enable both as it will put 2 node
fields in the event stream.
At this point, if you want the forbidden login location, max concurrent
sessions, max login failures, and forbidden login time anomalies to be
reported, you have to set up the PAM modules correctly. The PAM modules are,
respectively, pam_access, pam_limits, pam_tally2, and pam_time. Please see the
respective PAM module man pages for instructions.
For performance reasons, some audit events will not produce syscall records,
which carry additional information about the event, unless at least one audit
rule is loaded. If you do not have any other audit rules, edit
/etc/audit/audit.rules and add something simple that won't impact performance,
such as:
-w /etc/shadow -p wa
This rule watches the shadow file for writes or changes to its attributes. The
additional audit information provided by having at least one rule loaded lets
the plugin give a more complete view of the alert it is sending.
If you want alerts on watched syscalls, watched files, watched execution, or
something becoming executable, you need to add keys to your audit rules. For
example, if you have the following audit watch in /etc/audit/audit.rules:
-w /etc/shadow -p wa
and you want IDMEF alerts on it, you need to append
-k ids-file-med
(or something appropriate) to signal to the plugin that this message is for it.
The key has a fixed format of keywords separated by dashes, of the form
ids-type-severity. The type can be sys, file, exec, or mkexe, depending on
whether you want the event reported as a watched_syscall, watched_file,
watched_exec, or watched_mk_exe respectively. The severity can be info, low,
med, or hi, depending on how urgent you would like it to be.
EXAMPLE RULES
To alert on any use of the personality syscall:
-a always,exit -S personality -k ids-sys-med
To alert on a user failing in an attempt to write to, or change the attributes of, the shadow file:
-a always,exit -F path=/etc/shadow -F perms=wa -F success=0 -k ids-file-med
To alert on the execution of a program:
-w /bin/ping -p x -k ids-exec-info
To alert on users making executables in their home directory (takes 2 rules):
-a always,exit -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -k ids-mkexe-hi
-a always,exit -S fchmod,chmod -F dir=/home -F a1&0111 -F filetype=file -k ids-mkexe-hi
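As an added example (not part of the audit package, libprelude, or this man page), the following Python script walks an audit.rules file and reports which rules carry a key that audisp-prelude would act on under the ids-type-severity grammar described above, and which rules it would ignore, either because they have no key or because the key is mistyped. The sample rules are constructed for the example: the rules from this page, an unkeyed watch, and a watch whose key uses "exe" instead of the documented "exec". The list of control options skipped by the script and all helper names are the example's own.

```python
"""Check which -k keys in an audit.rules file audisp-prelude would act on.

Added example, not code from audit or audisp-prelude. It implements only the
key grammar documented in audisp-prelude(8): ids-<type>-<severity>, where
type is one of sys, file, exec, mkexe and severity is one of info, low, med, hi.
"""
import re
import shlex

KEY_RE = re.compile(r"^ids-(sys|file|exec|mkexe)-(info|low|med|hi)$")

# Key type field -> alert class named in the man page.
TYPE_TO_EVENT = {
    "sys": "watched_syscall",
    "file": "watched_file",
    "exec": "watched_exec",
    "mkexe": "watched_mk_exe",
}

# auditctl control options (not watch or syscall rules); list chosen for this example.
CONTROL_OPTIONS = ("-D", "-b", "-f", "-e", "-r", "--backlog_wait_time")

# Constructed sample audit.rules for this example.
SAMPLE_RULES = """\
# constructed sample rules
-D
-b 8192
-w /etc/shadow -p wa
-a always,exit -S personality -k ids-sys-med
-a always,exit -F path=/etc/shadow -F perms=wa -F success=0 -k ids-file-med
-w /bin/ping -p x -k ids-exec-info
-w /usr/bin/passwd -p x -k ids-exe-info
-a always,exit -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -k ids-mkexe-hi
-a always,exit -S fchmod,chmod -F dir=/home -F a1&0111 -F filetype=file -k ids-mkexe-hi
"""


def key_of(rule):
    """Return the value of the last -k option in an auditctl rule, or None."""
    try:
        toks = shlex.split(rule, comments=True)
    except ValueError:
        return None
    key = None
    for i, tok in enumerate(toks):
        if tok == "-k" and i + 1 < len(toks):
            key = toks[i + 1]
    return key


def classify_key(key):
    """Return (event_class, severity) for a key the plugin recognizes, else None."""
    m = KEY_RE.match(key or "")
    if not m:
        return None
    return TYPE_TO_EVENT[m.group(1)], m.group(2)


def audit_rules_report(text):
    """Return (recognized, unrecognized, rule_count) for an audit.rules text.

    recognized:   list of (rule, event_class, severity)
    unrecognized: list of (rule, key) for rules the plugin would not alert on
    rule_count:   number of watch/syscall rules (comments and control lines excluded)
    """
    recognized, unrecognized = [], []
    rule_count = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] in CONTROL_OPTIONS:
            continue
        rule_count += 1
        key = key_of(line)
        cls = classify_key(key)
        if cls:
            recognized.append((line, cls[0], cls[1]))
        else:
            unrecognized.append((line, key))
    return recognized, unrecognized, rule_count


if __name__ == "__main__":
    rec, unrec, n = audit_rules_report(SAMPLE_RULES)
    print(f"{n} rules, {len(rec)} with keys audisp-prelude acts on")
    for rule, event, sev in rec:
        print(f"  {event:16s} {sev:5s} {rule}")
    for rule, key in unrec:
        print(f"  IGNORED (key={key!r}) {rule}")
```

Running the script on the constructed rules reports five rules the plugin would act on and two it would ignore: the bare /etc/shadow watch (no key, which is still useful for the "at least one rule loaded" tip) and the /usr/bin/passwd watch, whose key ids-exe-info does not match the documented type field.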
FILES
/etc/audisp/plugins.d/au-prelude.conf, /etc/audit/auditd.conf,
/etc/audisp/audispd.conf, /etc/audisp/audisp-prelude.conf
SEE ALSO
audispd(8),
prelude-manager(1),
auditd.conf(8),
audispd.conf(8),
audisp-prelude.conf(5).
AUTHOR
Steve Grubb