author | Ashlee Young <ashlee@wildernessvoice.com> | 2015-11-29 08:22:13 -0800 |
---|---|---|
committer | Ashlee Young <ashlee@wildernessvoice.com> | 2015-11-29 08:22:13 -0800 |
commit | df5afa4fcd9725380f94ca6476248d4cc24f889a (patch) | |
tree | 65456f62397305febf7f40778c5a413a35d094ef /framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 | |
parent | 76f6bf922552c00546e6e85ca471eab28f56986c (diff) |
v2.4.4 audit sources
Change-Id: I9315a7408817db51edf084fb4d27fbb492785084
Signed-off-by: Ashlee Young <ashlee@wildernessvoice.com>
Diffstat (limited to 'framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5')
-rw-r--r-- | framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 b/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 new file mode 100644 index 00000000..b7228ed3 --- /dev/null +++ b/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 
@@ -0,0 +1,153 @@ +.TH AUDISP-PRELUDE.CONF: "5" "Mar 2008" "Red Hat" "System Administration Utilities" +.SH NAME +audisp-prelude.conf \- the audisp-prelude configuration file +.SH DESCRIPTION +\fBaudisp-prelude.conf\fP is the file that controls the configuration of the audit based intrusion detection system. There are 2 general kinds of configuration option types, enablers and actions. The enablers simply have +.IR yes "/" no " +as the only valid choices. + +The action options currently allow +.IR ignore ", and "idmef " +as its choices. The +.IR ignore +option means that the IDS still detects events, but only logs the detection in response. The +.IR idmef +option means that the IDS will send an IDMEF alert to the prelude manager upon detection. + +The configuration options that are available are as follows: + +.TP +.I profile +This is a one word character string that is used to identify the profile name in the prelude reporting tools. The default is auditd. +.TP +.I detect_avc +This an enabler that determines if the IDS should be examining SE Linux AVC events. The default is +.IR yes ". +.TP +.I avc_action +This is an action that determines what response should be taken whenever a SE Linux AVC is detected. The default is +.IR idmef ". +.TP +.I detect_login +This is an enabler that determines if the IDS should be examining login events. The default is +.IR yes ". +.TP +.I login_action +This is an action that determines what response should be taken whenever a login event is detected. The default is +.IR idmef ". +.TP +.I detect_login_fail_max +This is an enabler that determines if the IDS should be looking for maximum number of failed logins for an account. The default is +.IR yes ". +.TP +.I login_fail_max_action +This is an action that determines what response should be taken whenever the maximum number of failed logins for an account is detected. The default is +.IR idmef ". 
+.TP +.I detect_login_session_max +This is an enabler that determines if the IDS should be looking for maximum concurrent sessions limit for an account. The default is +.IR yes ". +.TP +.I login_session_max_action +This is an action that determines what response should be taken whenever the maximum concurrent sessions limit for an account is detected. The default is +.IR idmef ". +.TP +.I detect_login_location +This is an enabler that determines if the IDS should be looking for logins being attempted from a forbidden location. The default is +.IR yes ". +.TP +.I login_location_action +This is an action that determines what response should be taken whenever logins are attempted from a forbidden location. The default is +.IR idmef ". +.TP +.I detect_login_time_alerts +This is an enabler that determines if the IDS should be looking for logins attempted during a forbidden time. The default is +.IR yes ". +.TP +.I login_time_action +This is an action that determines what response should be taken whenever logins are attempted during a forbidden time. The default is +.IR idmef ". +.TP +.I detect_abend +This is an enabler that determines if the IDS should be looking for programs terminating for an abnormal reason. The default is +.IR yes ". +.TP +.I abend_action +This is an action that determines what response should be taken whenever programs terminate for an abnormal reason. The default is +.IR idmef ". +.TP +.I detect_promiscuous +This is an enabler that determines if the IDS should be looking for promiscuous sockets being opened. The default is +.IR yes ". +.TP +.I promiscuous_action +This is an action that determines what response should be taken whenever promiscuous sockets are detected open. The default is +.IR idmef ". +.TP +.I detect_mac_status +This is an enabler that determines if the IDS should be detecting changes made to the SE Linux MAC enforcement. The default is +.IR yes ". 
+.TP +.I mac_status_action +This is an action that determines what response should be taken whenever changes are made to the SE Linux MAC enforcement. The default is +.IR idmef ". +.TP +.I detect_group_auth +This is an enabler that determines if the IDS should be detecting whenever a user fails in changing their default group. The default is +.IR yes ". +.TP +.I group_auth_act +This is an action that determines what response should be taken whenever a user fails in changing their default group. The default is +.IR idmef ". +.TP +.I detect_watched_acct +This is an enabler that determines if the IDS should be detecting a user attempting to login on an account that is being watched. The accounts to watch is set by the +.IR watched_accounts +option. The default is +.IR yes ". +.TP +.I watched_acct_act +This is an action that determines what response should be taken whenever a user attempts to login on an account that is being watched. The default is +.IR idmef ". +.TP +.I watched_accounts +This option is a whitespace and comma separated list of accounts to watch. The accounts may be numeric or alphanumeric. If you want to include a range of accounts, separate them with a dash but no spaces. For example, to watch logins from bin to lp, use "bin-lp". Only successful logins are recorded. +.TP +.I detect_watched_syscall +This is an enabler that determines if the IDS should be detecting whenever a user runs a command that issues a syscall that is being watched. The default is +.IR yes ". +.TP +.I watched_syscall_act +This is an action that determines what response should be taken whenever a user runs a command that issues a syscall that is being watched. The default is +.IR idmef ". +.TP +.I detect_watched_file +This is an enabler that determines if the IDS should be detecting whenever a user accesses a file that is being watched. The default is +.IR yes ". 
+.TP +.I watched_file_act +This is an action that determines what response should be taken whenever a user accesses a file that is being watched. The default is +.IR idmef ". +.TP +.I detect_watched_exec +This is an enabler that determines if the IDS should be detecting whenever a user executes a program that is being watched. The default is +.IR yes ". +.TP +.I watched_exec_act +This is an action that determines what response should be taken whenever a user executes a program that is being watched. The default is +.IR idmef ". +.TP +.I detect_watched_mk_exe +This is an enabler that determines if the IDS should be detecting whenever a user creates a file that is executable. The default is +.IR yes ". +.TP +.I watched_mk_exe_act +This is an action that determines what response should be taken whenever a user creates a file that is executable. The default is +.IR idmef ". +.SH "SEE ALSO" +.BR audispd (8), +.BR audisp-prelude (8), +.BR prelude-manager (1). +.SH AUTHOR +Steve Grubb + |
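Review bot: the option keys documented in this hunk do not follow one naming pattern, and since administrators will copy them verbatim into the config file each one should be checked against the keyword table the plugin's config parser actually accepts. Every enabler/action pair up to `mac_status_action` is `detect_<x>` / `<x>_action`, but the forbidden-time enabler is `detect_login_time_alerts` while its action is `login_time_action`, and from `group_auth_act` onward the action keys switch to an `_act` suffix (`watched_acct_act`, `watched_syscall_act`, `watched_file_act`, `watched_exec_act`, `watched_mk_exe_act`). If the parser really accepts those spellings, keep them; if not, this page will send users to a key the plugin does not recognise, so fix whichever side is wrong. Two content points: the `watched_accounts` entry ends with "Only successful logins are recorded", which contradicts `detect_watched_acct` describing "a user attempting to login on an account that is being watched", so say which it is; and the page never states where the file lives, so a FILES section would help. The roff is also sloppy: `.TH AUDISP-PRELUDE.CONF: "5"` carries a stray colon in the title, `.IR yes "/" no "` ends with a dangling `"`, and every `.IR yes ".` / `.IR idmef ".` leaves an unterminated quoted string (groff extends it to end of line, so it happens to render as "yes.") and is better written as `.IR yes .`.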