audisp-prelude.conf - the audisp-prelude configuration file
audisp-prelude.conf is the file that controls the
configuration of the audit based intrusion detection system. There are two
general kinds of configuration options, enablers and actions. The
enablers accept only yes or no as valid values.
The action options currently accept ignore or idmef
as their values. The ignore option means that the IDS still detects
events, but only logs the detection in response. The idmef option
means that the IDS will send an IDMEF alert to the prelude manager upon
detection.
The configuration options that are available are as follows:
- profile
- This is a one word character string that is used to identify the profile
name in the prelude reporting tools. The default is auditd.
- detect_avc
- This is an enabler that determines if the IDS should be examining SE Linux
AVC events. The default is yes.
- avc_action
- This is an action that determines what response should be taken whenever a
SE Linux AVC is detected. The default is idmef.
- detect_login
- This is an enabler that determines if the IDS should be examining login
events. The default is yes.
- login_action
- This is an action that determines what response should be taken whenever a
login event is detected. The default is idmef.
- detect_login_fail_max
- This is an enabler that determines if the IDS should be looking for an
account reaching the maximum number of failed logins. The default is
yes.
- login_fail_max_action
- This is an action that determines what response should be taken whenever
the maximum number of failed logins for an account is detected. The
default is idmef.
- detect_login_session_max
- This is an enabler that determines if the IDS should be looking for an
account reaching its maximum concurrent sessions limit. The default is
yes.
- login_session_max_action
- This is an action that determines what response should be taken whenever
the maximum concurrent sessions limit for an account is detected. The
default is idmef.
- detect_login_location
- This is an enabler that determines if the IDS should be looking for logins
being attempted from a forbidden location. The default is yes.
- login_location_action
- This is an action that determines what response should be taken whenever
logins are attempted from a forbidden location. The default is
idmef.
- detect_login_time_alerts
- This is an enabler that determines if the IDS should be looking for logins
attempted during a forbidden time. The default is yes.
- login_time_action
- This is an action that determines what response should be taken whenever
logins are attempted during a forbidden time. The default is
idmef.
- detect_abend
- This is an enabler that determines if the IDS should be looking for
programs terminating for an abnormal reason. The default is
yes.
- abend_action
- This is an action that determines what response should be taken whenever
programs terminate for an abnormal reason. The default is
idmef.
- detect_promiscuous
- This is an enabler that determines if the IDS should be looking for
promiscuous sockets being opened. The default is yes.
- promiscuous_action
- This is an action that determines what response should be taken whenever
open promiscuous sockets are detected. The default is idmef.
- detect_mac_status
- This is an enabler that determines if the IDS should be detecting changes
made to the SE Linux MAC enforcement. The default is yes.
- mac_status_action
- This is an action that determines what response should be taken whenever
changes are made to the SE Linux MAC enforcement. The default is
idmef.
- detect_group_auth
- This is an enabler that determines if the IDS should be detecting whenever
a user fails in changing their default group. The default is
yes.
- group_auth_act
- This is an action that determines what response should be taken whenever a
user fails in changing their default group. The default is
idmef.
- detect_watched_acct
- This is an enabler that determines if the IDS should be detecting a user
attempting to login on an account that is being watched. The accounts to
watch are set by the watched_accounts option. The default is
yes.
- watched_acct_act
- This is an action that determines what response should be taken whenever a
user attempts to login on an account that is being watched. The default is
idmef.
- watched_accounts
- This option is a whitespace- and comma-separated list of accounts to watch.
The accounts may be numeric or alphanumeric. To include a
range of accounts, separate the two ends with a dash and no spaces. For example,
to watch logins from bin to lp, use "bin-lp". Only successful
logins are recorded.
- detect_watched_syscall
- This is an enabler that determines if the IDS should be detecting whenever
a user runs a command that issues a syscall that is being watched. The
default is yes.
- watched_syscall_act
- This is an action that determines what response should be taken whenever a
user runs a command that issues a syscall that is being watched. The
default is idmef.
- detect_watched_file
- This is an enabler that determines if the IDS should be detecting whenever
a user accesses a file that is being watched. The default is
yes.
- watched_file_act
- This is an action that determines what response should be taken whenever a
user accesses a file that is being watched. The default is
idmef.
- detect_watched_exec
- This is an enabler that determines if the IDS should be detecting whenever
a user executes a program that is being watched. The default is
yes.
- watched_exec_act
- This is an action that determines what response should be taken whenever a
user executes a program that is being watched. The default is
idmef.
- detect_watched_mk_exe
- This is an enabler that determines if the IDS should be detecting whenever
a user creates a file that is executable. The default is yes.
- watched_mk_exe_act
- This is an action that determines what response should be taken whenever a
user creates a file that is executable. The default is idmef.
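The following is an added example, not code from audisp-prelude itself: a small linter that checks a candidate audisp-prelude.conf against the option types above (enablers take yes/no, actions take ignore/idmef, watched_accounts is a comma/whitespace list with dash-joined ranges), so a typo such as "detect_avc = maybe" or a space inside a range is caught before the plugin is restarted. It assumes the file uses "option = value" lines with "#" comments, as auditd-style configuration files do.

```python
# Added example (not audisp-prelude's own code): lint an audisp-prelude.conf.
# Assumes 'option = value' lines with '#' comments, as auditd-style files use.
import re
ENABLERS = {"detect_" + n for n in (
    "avc login login_fail_max login_session_max login_location "
    "login_time_alerts abend promiscuous mac_status group_auth watched_acct "
    "watched_syscall watched_file watched_exec watched_mk_exe").split()}
ACTIONS = set((
    "avc_action login_action login_fail_max_action login_session_max_action "
    "login_location_action login_time_action abend_action promiscuous_action "
    "mac_status_action group_auth_act watched_acct_act watched_syscall_act "
    "watched_file_act watched_exec_act watched_mk_exe_act").split())
KNOWN = ENABLERS | ACTIONS | {"profile", "watched_accounts"}
# One account name or uid, optionally a dash-joined range such as "bin-lp".
# Hyphenated user names are not handled; the man page format cannot express them.
ACCOUNT = re.compile(r"^(\w+)(?:-(\w+))?$")

def parse_watched_accounts(value):
    """Split the list into (first, last) pairs; ranges stay symbolic here,
    because resolving bin-lp to uids needs the host's passwd database."""
    pairs = []
    for tok in re.split(r"[\s,]+", value.strip()):
        if tok:  # re.split yields '' around leading/trailing separators
            m = ACCOUNT.match(tok)
            if not m:
                raise ValueError(f"bad watched_accounts entry {tok!r}")
            pairs.append((m.group(1), m.group(2) or m.group(1)))
    return pairs

def check_config(text):
    """Return problems found in the config text; an empty list means clean."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep or not key:
            problems.append(f"line {lineno}: expected 'option = value'")
        elif key not in KNOWN:
            problems.append(f"line {lineno}: unknown option {key!r}")
        elif key in ENABLERS and value not in ("yes", "no"):
            problems.append(f"line {lineno}: {key} must be yes or no")
        elif key in ACTIONS and value not in ("ignore", "idmef"):
            problems.append(f"line {lineno}: {key} must be ignore or idmef")
        elif key == "watched_accounts":
            try:
                parse_watched_accounts(value)
            except ValueError as err:
                problems.append(f"line {lineno}: {err}")
    return problems
```

Run check_config on the file's contents; a non-empty result lists the offending line numbers, and an unknown option name is reported rather than silently ignored.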