Prelude/prelude-manager: Difference between revisions
Cbs (talk | contribs)
Revision as of 1 July 2010, 10:02
prelude-manager.conf
the config file of prelude-manager
global options
listen = 127.0.0.1
This is fine if you have one manager per host.
If you want this manager to collect data from other hosts,
you will have to bind it to another address.
# user = prelude
# group = prelude
User and group are commented out!
Fine for testing, but change this once everything is configured properly.
ipv6-only
Since I'm running IPv6, I will set 'ipv6-only' for gathered addresses.
This causes the manager to convert all addresses to IPv6 addresses;
a raw IPv4 address such as 192.168.0.1 is converted to ::ffff:192.168.0.1.
section [db]
I will not explain the database settings here.
They are well documented in the config file and nothing special!
section [XmlMod]
validate
format
logfile = /var/log/prelude-xml.log
This tells the XmlMod module to validate the XML,
format it human-readable,
and write it to the log file instead of stderr.
section [Debug]
logfile = /var/log/prelude.log
Turns on the debug log and sends it to a file, since I don't want it on stderr.
section [TextMod]
logfile = /var/log/prelude.log
Not sure what it does; the description is the same as for section [Debug],
but it has only one value to configure: the log file. I think I want that, so I'm configuring it! ;-)
section [smtp]
sender = prelude-manager@myhost.tld
recipients = admin@myhost.tld
smtp-server = localhost
subject = Prelude-Alert: $alert.classification.text
template = /etc/prelude-manager/email.template
dbtype = mysql
dbname = prelude
dbuser = prelude
dbpass = sUp3RsEcur3
dbhost = db-hostname
I copied /usr/share/doc/prelude-manager/smtp/template.example to /etc/prelude-manager/email.template.
The rest is self-explanatory, I think.
If the SMTP server is NOT running on localhost, give the appropriate IP/hostname.
The db* parameters are for the smtp plugin to fetch the CorrelationAlert from the database.
section [prelude]
Here the main prelude options/config values are set!
I'll keep the default values, which come from the system OS.
Not all OSes allow overriding the OS settings; Prelude will display a WARNING if so!
Filtering plugins configuration
From here on the base config is ready!
Configuring the filtering plugins now...
Nothing to configure here for now...
Final config-steps
prelude-admin add prelude-manager --uid 0 --gid 0
Generates a prelude admin user.
This may take a long time generating the keys.
Debian lenny already did that for me... no need to do it by hand!
/etc/init.d/prelude-manager start
Starts the manager daemon.
audisp (optional)
If you want to use audisp, first register the audisp sensor
in prelude, and then activate it in audisp.
audisp-prelude sensor
prelude-admin register auditd "idmef:w" localhost --uid 0 --gid 0
Then in another window, run
prelude-admin registration-server prelude-manager
This creates a one-time password to be used by the first command,
which will prompt you for one...
You should be ready to use the new plugin.
Now you will have to configure audisp itself, which is quite easy!
audisp activation
You will need to edit the file /etc/audisp/plugins.d/au-prelude.conf
active = no
Find the above line and change it to 'yes':
active = yes
If you are in an environment where you have many machines reporting to a
single prelude-manager, you will probably want your audit logs to include the
node information. Go into /etc/audit/auditd.conf and change name_format to
something that makes sense to your environment. Look at the auditd.conf man
page. For this howto, just change it to "name_format = hostname".
The default configuration of the audit daemon is best-effort delivery of
events to the event dispatcher. If you want to make sure all events get
reviewed, change disp_qos to lossless. You should also probably set the
priority_boost to 4 or 5 to make sure auditd and its children get higher
priority in the scheduler.
It also might be a good idea to bump up the internal queue size of audispd.
This is done by editing /etc/audisp/audispd.conf. You want to change q_depth
to something like 512.
Then run
/etc/init.d/auditd restart
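As an added example (not part of the original howto), this POSIX shell script checks that the auditd, audispd and au-prelude settings described in the steps above are actually in place before you restart auditd. The file paths are the ones the howto edits; the sample config files created in the demo are constructed and only use the values the howto sets.

```shell
#!/bin/sh
# Added example, not part of the original howto: verify the auditd/audispd
# settings recommended above before restarting auditd.

# get_setting FILE KEY: print the value of "KEY = value" (last match wins,
# leading whitespace and trailing comments ignored); empty if unset
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check_audit_config AUDITD_CONF AUDISPD_CONF AU_PRELUDE_CONF
# Returns 0 when every recommended value is set, 1 otherwise, printing what is off.
check_audit_config() {
    auditd_conf=${1:-/etc/audit/auditd.conf}
    audispd_conf=${2:-/etc/audisp/audispd.conf}
    plugin_conf=${3:-/etc/audisp/plugins.d/au-prelude.conf}
    rc=0
    # node information in the records: the howto uses name_format = hostname
    [ "$(get_setting "$auditd_conf" name_format)" = hostname ] ||
        { echo "auditd.conf: name_format should be hostname"; rc=1; }
    # best-effort delivery to the dispatcher drops events under load; lossless does not
    [ "$(get_setting "$auditd_conf" disp_qos)" = lossless ] ||
        { echo "auditd.conf: disp_qos should be lossless"; rc=1; }
    # scheduler priority boost of 4 or 5 for auditd and its children
    boost=$(get_setting "$auditd_conf" priority_boost)
    case $boost in
        4|5) ;;
        *) echo "auditd.conf: priority_boost is '${boost:-unset}', want 4 or 5"; rc=1 ;;
    esac
    # larger audispd queue so bursts of events do not overflow it
    depth=$(get_setting "$audispd_conf" q_depth)
    case $depth in
        [0-9]*) [ "$depth" -ge 512 ] || { echo "audispd.conf: q_depth is $depth, want 512 or more"; rc=1; } ;;
        *) echo "audispd.conf: q_depth is unset"; rc=1 ;;
    esac
    # the au-prelude plugin must be switched on, otherwise nothing reaches prelude
    [ "$(get_setting "$plugin_conf" active)" = yes ] ||
        { echo "au-prelude.conf: active should be yes"; rc=1; }
    return $rc
}

# Demo on constructed sample files holding the values the howto sets
tmp=$(mktemp -d)
printf 'name_format = hostname\ndisp_qos = lossless\npriority_boost = 4\n' > "$tmp/auditd.conf"
printf 'q_depth = 512\n' > "$tmp/audispd.conf"
printf 'active = yes\n' > "$tmp/au-prelude.conf"
check_audit_config "$tmp/auditd.conf" "$tmp/audispd.conf" "$tmp/au-prelude.conf" && echo "audit config OK"
rm -rf "$tmp"
```

Run it without arguments on the host to check the real files; a non-zero exit lists every setting that still differs from the howto.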