On Wed, 2008-11-12 at 11:16 -0500, Dan Gruhn wrote:
> Greetings,
> I have some systems with RHEL 5.2 (a server and three workstations)
> that I'd like to put the latest audit software on to put me on the
> path of getting NISPOM approval. My plan is to get to the point that I
> will have prelude running with information display via Prewikka.
> 1) I have read the HowTo at
> http://people.redhat.com/sgrubb/audit/prelude.txt but it seems rather
> old as it talks about audit 1.6.6 to 1.6.7 upgrading and updates to
> come after things have been checked out. Does anyone have any updates
> to this procedure that will be helpful?
I have used this procedure for 1.7.7 and soon 1.7.9.
I believe it is up to date.
I assume you want to point all machines to just one which will display
the prewikka info? If that is the case you will need to register the
audit senders to the single prelude-manager which isn't detailed exactly
on those instructions (last I looked).
However, it is easy. Just follow the instructions for single server and
then register the non-prewikka machines to the main collector.
I register the audit prelude sensor with the prelude-manager on each
host. Then I register the prelude-manager to the prelude-manager on the
Prelude Collector/Server (set the "parent-managers" option
in /etc/prelude-manager/prelude-manager.conf).
Here are some example instructions for the above.
Edit /etc/prelude-manager/prelude-manager.conf:
* Locate and uncomment the [relaying] section
* Add parent-managers = <prelude server IP>

Register the prelude-manager with the Prelude Server's prelude-manager:
* Run: prelude-admin register prelude-manager "idmef:w" <prelude server IP> --uid 0 --gid 0
* Open a second terminal window and ssh <prelude server IP>
* On the Prelude Server, run: prelude-admin registration-server prelude-manager
* The Prelude Server will generate a one-time password. You will need to copy and paste the password to the first window when it prompts for the password.
* Confirm the password
* Acknowledge the registration in the Prelude Server terminal window.
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
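The config-editing half of the relay procedure above (uncomment [relaying], set parent-managers) is the part that gets repeated on every host that forwards to the collector, so it is worth making repeatable and checkable. The script below is an added example, not part of the list post or of the Prelude project: it enables the relaying section idempotently and verifies the result. Only the file path, the [relaying] section name and the parent-managers option come from the post; the sample config written by write_sample_conf is constructed for the demonstration, and the function names are this example's own. The interactive prelude-admin registration step cannot be scripted non-interactively here, so it is left as the command the post gives.

```shell
#!/bin/sh
# Added example (not from the list post): make the "edit prelude-manager.conf"
# step of the relay setup idempotent and verifiable.

# Write a small constructed config that models only the relaying part of
# prelude-manager.conf, with the section commented out as shipped.
# (Constructed sample; the real file is longer.)
write_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample resembling the relaying portion of prelude-manager.conf
[prelude-manager]
listen = 127.0.0.1

#[relaying]
#parent-managers = 192.168.0.1
EOF
}

# enable_relaying CONF PARENT_IP
# Uncomments the [relaying] header (adding it if absent), drops any previously
# active parent-managers line and writes exactly one pointing at PARENT_IP.
# Keeps a .bak copy and rewrites in place so the file's mode/ownership survive.
enable_relaying() {
    conf=$1
    parent=$2
    cp -p "$conf" "$conf.bak"
    awk -v parent="$parent" '
        /^[# \t]*\[relaying\]/ {          # commented or active header
            print "[relaying]"
            print "parent-managers = " parent
            seen = 1
            next
        }
        /^[ \t]*parent-managers[ \t]*=/ { next }   # drop stale active values
        { print }
        END {
            if (!seen) {                 # no header at all: append the section
                print ""
                print "[relaying]"
                print "parent-managers = " parent
            }
        }
    ' "$conf" > "$conf.tmp"
    cat "$conf.tmp" > "$conf"
    rm -f "$conf.tmp"
}

# relaying_configured CONF PARENT_IP
# Succeeds only if the header is active and the expected parent is set.
relaying_configured() {
    grep -q '^\[relaying\]' "$1" &&
    grep -qxF "parent-managers = $2" "$1"
}

# Usage on a real relay host (as root), followed by the post's interactive step:
#   enable_relaying /etc/prelude-manager/prelude-manager.conf <prelude server IP>
#   relaying_configured /etc/prelude-manager/prelude-manager.conf <prelude server IP>
#   prelude-admin register prelude-manager "idmef:w" <prelude server IP> --uid 0 --gid 0
```

Running enable_relaying a second time, or with a different parent address, leaves a single active parent-managers line, which is what you want when the same script is pushed to all four hosts more than once.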