This section explains how to set up the audit event plugin for Linux systems. The audit package is most likely included in your Linux distribution, and you should use that package if it is available.
Get the sources
If your distro doesn't supply the Linux audit daemon, you can find the source code here. Add --with-prelude to the ./configure options, then compile and install auditd using the following:
$ ./configure --with-prelude
$ make
# make install
In order to use audisp-prelude, you will need to edit the file /etc/audisp/plugins.d/au-prelude.conf and change the following line:
active = yes
This is not strictly necessary, but you may also want to increase the priority of the audit event dispatcher and lengthen its internal queue so it can handle floods of data. To do that, edit /etc/audisp/audispd.conf and set these options:
q_depth = 1024
priority_boost = 12
name_format = NUMERIC
The name_format option above controls how the originating host labels itself in the events it sends.
Lastly, you will probably want to change a few audit daemon parameters. Edit /etc/audit/auditd.conf and tune the following parameters:
priority_boost = 5
disp_qos = lossless
The priority_boost above is the default priority boost that the audisp-prelude plugin inherits. The default should be fine, but on a very busy system with bursty data it may be worth raising it slightly.
Registering Auditd profile
You now need to create the Auditd profile with a command like:
$ prelude-admin register auditd "idmef:w" <manager address> --uid X --gid X
and follow the instructions. If the registration is successful, you are ready to test your installation. See the Agents Registration Page for more details about sensor registration.
Running Auditd Sensor
Before running the auditd sensor, make sure you have read the General Configuration Page. It is very important that the server-addr parameter is set to the Prelude-Manager address.
The audisp-prelude program can detect more than 15 different suspicious scenarios; each one can be enabled individually in the /etc/audisp/audisp-prelude.conf file. They are described in the audisp-prelude man page, which also has many hints and tips for getting the configuration right.
You can write audit rules in a way that gives the prelude plugin hints about what it is seeing. This is done by adding a specially formatted key to the audit rule:
-k ids-type-severity
ids - gets the attention of the key processor
type - file, exec, or mkexe
severity - info, low, med, or hi
Some sample auditctl rules that make use of them are as follows:
-a exit,always -F path=/full-path/file -F perm=wa -k ids-file-low
-a exit,always -F path=/full-path/file -F perm=x -k ids-exec-med
-a exit,always -S chmod -F dir=/home -F a1&0111 -F filetype=file -k ids-mkexe-hi
In the order listed above, these will watch for the specified access to a certain file, watch for the execution of a specific program, and watch for the creation of an executable anywhere in the specified directory tree. There are many things you can do with audit rules, so you may want to learn more by looking at the sample rules supplied with the audit package and reading the auditctl man page.
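As an added example (not code from this page or from the audit package), the POSIX shell script below builds auditctl rules using the ids-type-severity key scheme described above and refuses type or severity values the plugin does not recognise, so a mistyped key cannot silently turn into a rule the plugin ignores. The function names and the watched paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate auditctl rules carrying the ids-<type>-<severity>
# key that audisp-prelude reads as a hint. The ids_key / watch_rule /
# mkexe_rule names and the paths in ruleset are assumptions, not part of
# the audit package.

# in_list VALUE CANDIDATE... : succeed if VALUE is one of the candidates
in_list() {
    v=$1; shift
    for x in "$@"; do [ "$x" = "$v" ] && return 0; done
    return 1
}

# ids_key TYPE SEVERITY : print the key, failing on values the plugin
# does not understand (type: file/exec/mkexe, severity: info/low/med/hi)
ids_key() {
    in_list "$1" file exec mkexe || { echo "bad type: $1" >&2; return 1; }
    in_list "$2" info low med hi || { echo "bad severity: $2" >&2; return 1; }
    printf '%s\n' "ids-$1-$2"
}

# watch_rule PATH PERM TYPE SEVERITY : watch one file for the given access
# (perm=wa for write/attribute change, perm=x for execution)
watch_rule() {
    key=$(ids_key "$3" "$4") || return 1
    printf '%s\n' "-a exit,always -F path=$1 -F perm=$2 -k $key"
}

# mkexe_rule DIR SEVERITY : flag chmod calls that set any execute bit
# (a1&0111) on a regular file under DIR, i.e. a new executable appearing
mkexe_rule() {
    key=$(ids_key mkexe "$2") || return 1
    printf '%s\n' "-a exit,always -S chmod -F dir=$1 -F a1&0111 -F filetype=file -k $key"
}

# ruleset : a small constructed ruleset; adjust the paths for your system
ruleset() {
    watch_rule /etc/shadow wa file hi
    watch_rule /usr/bin/passwd x exec med
    mkexe_rule /home hi
}

ruleset
```

Redirect the output into a rules file for auditctl -R, or paste the lines into the rules file your distribution's auditd loads at start-up.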