Events that are currently supported are: Logins, Forbidden Login Location, Max Concurrent Sessions, Max Login Failures, Forbidden Login Time, SE Linux AVCs, SE Linux Enforcement Changes, Abnormal Program Termination, Promiscuous Socket Changes, and watched account logins.
In one window, type:
prelude-admin register auditd "idmef:w" localhost --uid 0 --gid 0
In another, type:
prelude-admin registration-server prelude-manager
Follow the on-screen instructions to complete the registration.
At this point, if you want audit's forbidden login location, max concurrent sessions, max login failures, and forbidden login time anomalies to be reported, you have to set up the PAM modules correctly. The PAM modules are, respectively, pam_access, pam_limits, pam_tally2, and pam_time. See the respective PAM module man pages for instructions.
For performance reasons, some audit events will not produce syscall records (which contain additional information about the event) unless there is at least one audit rule loaded. If you do not have any other audit rules, edit /etc/audit/audit.rules and add something simple that won't impact performance, like this: -w /etc/shadow -p wa. This rule watches the shadow file for writes or changes to its attributes. The additional audit information provided by having at least one rule loaded allows the plugin to give a more complete view of the alert it is sending.
If you want alerts on watched syscalls, watched files, watched execution, or something becoming executable, you need to add keys to your audit rules. For example, if you have the following audit watch in /etc/audit/audit.rules:
-w /etc/shadow -p wa
and you want IDMEF alerts on it, you need to add -k ids-file-med (or something appropriate) to signal to the plugin that this message is for it. The key has a fixed format of keywords separated by dashes, of the form ids-type-severity. The type can be sys, file, exec, or mkexe depending on whether you want the event to be considered a watched_syscall, watched_file, watched_exec, or watched_mk_exe respectively. The severity can be info, low, med, or hi depending on how urgent you would like it to be. A key that does not follow this form is not treated as addressed to the plugin.
To alert on a user failing to access the shadow file:
-a always,exit -F path=/etc/shadow -F perms=wa -F success=0 -k ids-file-med
To alert on the execution of a program:
-w /bin/ping -p x -k ids-exec-info
To alert on users making exe's in their home dir (takes 2 rules, because the mode is the third argument of fchmodat but the second argument of chmod and fchmod; the &0111 test matches any execute bit being set):
-a exit,always -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -k ids-mkexe-hi
-a exit,always -S fchmod,chmod -F dir=/home -F a1&0111 -F filetype=file -k ids-mkexe-hi
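The following is an added example, not part of the audit project or this README: a small checker that walks an audit.rules fragment, pulls each rule's -k key and reports whether the key follows the ids-type-severity grammar described above, so that a rule the plugin would silently ignore (here a constructed typo, ids-exe-info instead of ids-exec-info) is caught before the rules are loaded. The event class names and the sample rules are taken from the text; the function names are this example's own.

```python
import shlex

# Type keyword -> event class the plugin reports, per the key grammar above.
TYPES = {"sys": "watched_syscall", "file": "watched_file",
         "exec": "watched_exec", "mkexe": "watched_mk_exe"}
SEVERITIES = ("info", "low", "med", "hi")

def parse_ids_key(key):
    """(event_class, severity) for a well-formed ids-type-severity key, else None."""
    parts = key.split("-")
    if len(parts) != 3 or parts[0] != "ids":
        return None
    kind, sev = parts[1], parts[2]
    if kind not in TYPES or sev not in SEVERITIES:
        return None
    return TYPES[kind], sev

def rule_key(rule):
    """The -k value of one auditctl rule line, or None if the rule has no key."""
    argv = shlex.split(rule)  # '&' is not special to shlex: 'a2&0111' stays one token
    for i in range(len(argv) - 1):
        if argv[i] == "-k":
            return argv[i + 1]
    return None

def audit_rules_report(text):
    """Tag each rule no-key (never an IDMEF alert), ignored (key not for the
    plugin, e.g. the typo 'exe' for 'exec') or alert (event class, severity)."""
    report = []
    for line in text.splitlines():
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        key = rule_key(rule)
        if key is None:
            report.append((rule, "no-key", None))
        elif (parsed := parse_ids_key(key)) is None:
            report.append((rule, "ignored", key))
        else:
            report.append((rule, "alert", parsed))
    return report

# Constructed audit.rules fragment for the demo, not a real system's rules.
SAMPLE_RULES = """\
-w /etc/shadow -p wa
-a always,exit -F path=/etc/shadow -F perms=wa -F success=0 -k ids-file-med
-w /bin/ping -p x -k ids-exe-info
-a exit,always -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -k ids-mkexe-hi
"""
```

Run audit_rules_report over the contents of your own /etc/audit/audit.rules to see which rules will actually reach the plugin as alerts; the keyless shadow watch is still useful, since it is the rule that makes the kernel emit the extra syscall records.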