From df5afa4fcd9725380f94ca6476248d4cc24f889a Mon Sep 17 00:00:00 2001 From: Ashlee Young Date: Sun, 29 Nov 2015 08:22:13 -0800 Subject: v2.4.4 audit sources Change-Id: I9315a7408817db51edf084fb4d27fbb492785084 Signed-off-by: Ashlee Young --- .../audisp/plugins/prelude/audisp-prelude.conf.5 | 153 +++++++++++++++++++++ 1 file changed, 153 insertions(+) create mode 100644 framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 (limited to 'framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5') diff --git a/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 b/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 new file mode 100644 index 00000000..b7228ed3 --- /dev/null +++ b/framework/src/audit/audisp/plugins/prelude/audisp-prelude.conf.5 
@@ -0,0 +1,153 @@ +.TH AUDISP-PRELUDE.CONF: "5" "Mar 2008" "Red Hat" "System Administration Utilities" +.SH NAME +audisp-prelude.conf \- the audisp-prelude configuration file +.SH DESCRIPTION +\fBaudisp-prelude.conf\fP is the file that controls the configuration of the audit based intrusion detection system. There are 2 general kinds of configuration option types, enablers and actions. The enablers simply have +.IR yes "/" no " +as the only valid choices. + +The action options currently allow +.IR ignore ", and "idmef " +as its choices. The +.IR ignore +option means that the IDS still detects events, but only logs the detection in response. The +.IR idmef +option means that the IDS will send an IDMEF alert to the prelude manager upon detection. + +The configuration options that are available are as follows: + +.TP +.I profile +This is a one word character string that is used to identify the profile name in the prelude reporting tools. The default is auditd. +.TP +.I detect_avc +This an enabler that determines if the IDS should be examining SE Linux AVC events. The default is +.IR yes ". +.TP +.I avc_action +This is an action that determines what response should be taken whenever a SE Linux AVC is detected. The default is +.IR idmef ". +.TP +.I detect_login +This is an enabler that determines if the IDS should be examining login events. The default is +.IR yes ". +.TP +.I login_action +This is an action that determines what response should be taken whenever a login event is detected. The default is +.IR idmef ". +.TP +.I detect_login_fail_max +This is an enabler that determines if the IDS should be looking for maximum number of failed logins for an account. The default is +.IR yes ". +.TP +.I login_fail_max_action +This is an action that determines what response should be taken whenever the maximum number of failed logins for an account is detected. The default is +.IR idmef ". 
+.TP +.I detect_login_session_max +This is an enabler that determines if the IDS should be looking for maximum concurrent sessions limit for an account. The default is +.IR yes ". +.TP +.I login_session_max_action +This is an action that determines what response should be taken whenever the maximum concurrent sessions limit for an account is detected. The default is +.IR idmef ". +.TP +.I detect_login_location +This is an enabler that determines if the IDS should be looking for logins being attempted from a forbidden location. The default is +.IR yes ". +.TP +.I login_location_action +This is an action that determines what response should be taken whenever logins are attempted from a forbidden location. The default is +.IR idmef ". +.TP +.I detect_login_time_alerts +This is an enabler that determines if the IDS should be looking for logins attempted during a forbidden time. The default is +.IR yes ". +.TP +.I login_time_action +This is an action that determines what response should be taken whenever logins are attempted during a forbidden time. The default is +.IR idmef ". +.TP +.I detect_abend +This is an enabler that determines if the IDS should be looking for programs terminating for an abnormal reason. The default is +.IR yes ". +.TP +.I abend_action +This is an action that determines what response should be taken whenever programs terminate for an abnormal reason. The default is +.IR idmef ". +.TP +.I detect_promiscuous +This is an enabler that determines if the IDS should be looking for promiscuous sockets being opened. The default is +.IR yes ". +.TP +.I promiscuous_action +This is an action that determines what response should be taken whenever promiscuous sockets are detected open. The default is +.IR idmef ". +.TP +.I detect_mac_status +This is an enabler that determines if the IDS should be detecting changes made to the SE Linux MAC enforcement. The default is +.IR yes ". 
+.TP +.I mac_status_action +This is an action that determines what response should be taken whenever changes are made to the SE Linux MAC enforcement. The default is +.IR idmef ". +.TP +.I detect_group_auth +This is an enabler that determines if the IDS should be detecting whenever a user fails in changing their default group. The default is +.IR yes ". +.TP +.I group_auth_act +This is an action that determines what response should be taken whenever a user fails in changing their default group. The default is +.IR idmef ". +.TP +.I detect_watched_acct +This is an enabler that determines if the IDS should be detecting a user attempting to login on an account that is being watched. The accounts to watch is set by the +.IR watched_accounts +option. The default is +.IR yes ". +.TP +.I watched_acct_act +This is an action that determines what response should be taken whenever a user attempts to login on an account that is being watched. The default is +.IR idmef ". +.TP +.I watched_accounts +This option is a whitespace and comma separated list of accounts to watch. The accounts may be numeric or alphanumeric. If you want to include a range of accounts, separate them with a dash but no spaces. For example, to watch logins from bin to lp, use "bin-lp". Only successful logins are recorded. +.TP +.I detect_watched_syscall +This is an enabler that determines if the IDS should be detecting whenever a user runs a command that issues a syscall that is being watched. The default is +.IR yes ". +.TP +.I watched_syscall_act +This is an action that determines what response should be taken whenever a user runs a command that issues a syscall that is being watched. The default is +.IR idmef ". +.TP +.I detect_watched_file +This is an enabler that determines if the IDS should be detecting whenever a user accesses a file that is being watched. The default is +.IR yes ". 
+.TP +.I watched_file_act +This is an action that determines what response should be taken whenever a user accesses a file that is being watched. The default is +.IR idmef ". +.TP +.I detect_watched_exec +This is an enabler that determines if the IDS should be detecting whenever a user executes a program that is being watched. The default is +.IR yes ". +.TP +.I watched_exec_act +This is an action that determines what response should be taken whenever a user executes a program that is being watched. The default is +.IR idmef ". +.TP +.I detect_watched_mk_exe +This is an enabler that determines if the IDS should be detecting whenever a user creates a file that is executable. The default is +.IR yes ". +.TP +.I watched_mk_exe_act +This is an action that determines what response should be taken whenever a user creates a file that is executable. The default is +.IR idmef ". +.SH "SEE ALSO" +.BR audispd (8), +.BR audisp-prelude (8), +.BR prelude-manager (1). +.SH AUTHOR +Steve Grubb + -- cgit 1.2.3-korg
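Review bot: the `.TH` line at the top of the new file has a stray colon in the title, `.TH AUDISP-PRELUDE.CONF: "5" "Mar 2008" ...`; the header argument should be the bare page name `AUDISP-PRELUDE.CONF` so the rendered title and `apropos`/`whatis` entries match the file name `audisp-prelude.conf.5`. Two documentation points in the option descriptions are worth fixing in the same commit: the `detect_watched_acct` entry says it fires when "a user attempting to login on an account that is being watched", but the `watched_accounts` entry then states "Only successful logins are recorded", so an operator reading only the first entry would expect failed attempts against a watched account to alert when they do not (those are only covered by `detect_login_fail_max` once the failure threshold is reached); the text should state the successful-login-only scope in the `detect_watched_acct` entry itself. Small grammar slips also made it in: "This an enabler" under `detect_avc` is missing "is", "The accounts to watch is set by" should read "are set by", and "a SE Linux AVC" should be "an SE Linux AVC". Finally, the `.IR yes "/" no "` line in the DESCRIPTION has an unterminated trailing quote; groff tolerates it, but `.IR yes / no` (or `.IR yes "/" no`) is cleaner and avoids warnings from `mandoc -Tlint`.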