
audispd(8) [debian man page]

AUDISPD:(8)                       System Administration Utilities                       AUDISPD:(8)

NAME
       audispd - an event multiplexor

SYNOPSIS
       audispd

DESCRIPTION
       audispd is an audit event multiplexor. It has to be started by the audit daemon in order to get events. It takes audit events and distributes them to child programs that want to analyze events in realtime. When the audit daemon receives a SIGTERM or SIGHUP, it passes that signal to the dispatcher, too. The dispatcher in turn passes those signals to its child processes.

       The child programs install a configuration file in a plugins directory, /etc/audisp/plugins.d. Filenames are not allowed to have more than one '.' in the name or the file will be treated as a backup copy and skipped. Options are given one per line with an equal sign between the keyword and its value. The available options are as follows:

       active
              The options for this are yes or no.

       direction
              The option is dictated by the plugin. In or out are the only choices. You cannot make a plugin operate in a way it wasn't designed just by changing this option. This option is to give a clue to the event dispatcher about which direction events flow. NOTE: inbound events are not supported yet.

       path
              This is the absolute path to the plugin executable. In the case of internal plugins, it would be the name of the plugin.

       type
              This tells the dispatcher how the plugin wants to be run. Choices are builtin and always. Builtin should always be given for plugins that are internal to the audit event dispatcher. These are af_unix and syslog. The option always should be given for most if not all plugins. The default setting is always.

       args
              This allows you to pass arguments to the child program. Generally plugins do not take arguments and have their own config file that instructs them how they should be configured. At the moment, there is a limit of 2 args.

       format
              The valid options for this are binary and string. Binary passes the data exactly as the audit event dispatcher gets it from the audit daemon. The string option tells the dispatcher to completely change the event into a string suitable for parsing with the audit parsing library. The default value is string.

FILES
       /etc/audisp/audispd.conf
       /etc/audisp/plugins.d

SEE ALSO
       audispd.conf(5), auditd(8).

AUTHOR
       Steve Grubb
       Red Hat
       Sept 2007
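The plugin file rules above (one keyword = value per line, the backup-copy filename rule, the permitted values and defaults, the 2-arg limit) are easy to get wrong by hand, so here is an added validator for a plugins.d entry. It is example code written for this page, not audispd's own parser; the treatment of blank and '#' lines, and the sample file contents, are assumptions.

```python
import os
# Permitted values per option, as listed in audispd(8)
ALLOWED = {
    "active": {"yes", "no"},
    "direction": {"in", "out"},
    "type": {"builtin", "always"},
    "format": {"binary", "string"},
}
DEFAULTS = {"type": "always", "format": "string"}  # defaults stated in the man page
MAX_ARGS = 2  # "there is a limit of 2 args"

def is_backup_copy(filename):
    """audispd skips any file whose name has more than one '.' (backup copy)."""
    return filename.count(".") > 1

def parse_plugin_conf(text):
    """One 'keyword = value' per line; blank and '#' lines are assumed ignorable."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("missing '=' in line: %r" % raw)
        opts[key.strip()] = value.strip()
    return opts

def check_plugin_conf(filename, text):
    """Return a list of problems; an empty list means the file is acceptable."""
    if is_backup_copy(filename):
        return ["skipped: %s has more than one '.' (treated as a backup copy)" % filename]
    opts = dict(DEFAULTS, **parse_plugin_conf(text))  # explicit values override defaults
    problems = []
    for key, allowed in ALLOWED.items():
        if key in opts and opts[key] not in allowed:
            problems.append("%s=%s is not one of %s" % (key, opts[key], sorted(allowed)))
    path = opts.get("path")
    if path is None:
        problems.append("path is required")
    elif opts["type"] == "always" and not os.path.isabs(path):
        problems.append("path must be absolute for an external plugin: %r" % path)
    if opts.get("direction") == "in":
        problems.append("direction=in: inbound events are not supported yet")
    if len(opts.get("args", "").split()) > MAX_ARGS:
        problems.append("more than %d args given" % MAX_ARGS)
    return problems

# Constructed sample files, modelled on an audisp-prelude plugin entry (not real files).
GOOD_CONF = "active = yes\ndirection = out\npath = /sbin/audisp-prelude\ntype = always\n"
BAD_CONF = "active = maybe\ndirection = in\npath = audisp-prelude\nargs = one two three\n"
```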


AUDISP-PRELUDE:(8)                System Administration Utilities                AUDISP-PRELUDE:(8)

NAME
       audisp-prelude - plugin for IDMEF alerts

SYNOPSIS
       audisp-prelude [ --test ]

DESCRIPTION
       audisp-prelude is a plugin for the audit event dispatcher daemon, audispd, that uses libprelude to send IDMEF alerts for possible Intrusion Detection events. This plugin requires connecting to a prelude-manager to record the events it sends. This plugin will analyze audit events in realtime and send detected events to the prelude-manager for correlation, recording, and display. Events that are currently supported are: Logins, Forbidden Login Location, Max Concurrent Sessions, Max Login Failures, Forbidden Login Time, SE Linux AVCs, SE Linux Enforcement Changes, Abnormal Program Termination, Promiscuous Socket Changes, and watched account logins.

OPTIONS
       --test
              Take input from stdin and write prelude events to stdout, but do not send them to the prelude-manager. This can be used for debugging or testing the system with suspicious log files when you do not want it to alert or react.

INSTALLATION
       This sensor has to be registered with the prelude-manager before it will work properly. If the prelude-manager is on the same host as the sensor, you will need to open two windows to register. If not, you will have to adjust this example to fit your environment. In one window, type:

              prelude-admin register auditd idmef:w localhost --uid 0 --gid 0

       In another, type:

              prelude-admin registration-server prelude-manager

       Follow the on-screen instructions to complete the registration.

TIPS
       If you are aggregating multiple machines, you should enable node information in the audit event stream. You can do this in one of two places. If you want computer node names written to disk as well as sent in the realtime event stream, edit the name_format option in /etc/audit/auditd.conf. If you only want the node names in the realtime event stream, then edit the name_format option in /etc/audisp/audispd.conf. Do not enable both, as it will put 2 node fields in the event stream.

       At this point, if you want to have audit anomalies for forbidden login location, max concurrent sessions, max login failures, and forbidden login time reported, you have to set up the pam modules correctly. The pam modules are respectively: pam_access, pam_limits, pam_tally2, and pam_time. Please see the respective pam module man pages for any instructions.

       For performance reasons, some audit events will not produce syscall records, which contain additional information about events, unless there is at least one audit rule loaded. If you do not have any additional audit rules, edit /etc/audit/audit.rules and add something simple that won't impact performance, like this: -w /etc/shadow -p wa. This rule will watch the shadow file for writes or changes to its attributes. The additional audit information provided by having at least one rule will allow the plugin to give a more complete view of the alert it is sending.

       If you want to get alerts on watched syscalls, watched files, watched execution, or something becoming executable, you need to add some keys to your audit rules. For example, if you have the following audit watch in /etc/audit/audit.rules: -w /etc/shadow -p wa and you want idmef alerts on this, you need to add -k ids-file-med or something appropriate to signal to the plugin that this message is for it. The key has a fixed format of keywords separated by a dash. It follows the form of ids-type-severity. The type can be either sys, file, exec, or mkexe depending on whether you want the event to be considered a watched_syscall, watched_file, watched_exec, or watched_mk_exe respectively. The severity can be either info, low, med, or hi depending on how urgent you would like it to be.

EXAMPLE RULES
       To alert on any use of the personality syscall:

              -a exit,always -S personality -k ids-sys-med

       To alert on a user failing to access the shadow file:

              -a always,exit -F path=/etc/shadow -F perms=wa -F success=0 -k ids-file-med

       To alert on the execution of a program:

              -w /bin/ping -p x -k ids-exe-info

       To alert on users making exe's in their home dir (takes 2 rules):

              -a exit,always -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -k ids-mkexe-hi
              -a exit,always -S fchmod,chmod -F dir=/home -F a1&0111 -F filetype=file -k ids-mkexe-hi

FILES
       /etc/audisp/plugins.d/au-prelude.conf
       /etc/audit/auditd.conf
       /etc/audisp/audispd.conf
       /etc/audisp/audisp-prelude.conf

SEE ALSO
       audispd(8), prelude-manager(1), auditd.conf(8), audispd.conf(8), audisp-prelude.conf(5).

AUTHOR
       Steve Grubb
       Red Hat
       Dec 2008