Installing on Fedora with packages
Since Prelude is back in Fedora, this guide is for Fedora 26.
First of all, install the packages:
[tandrejak@pc-93 ~]$ sudo dnf install prelude-manager-db-plugin prelude-lml prelude-lml-rules prelude-correlator prewikka libpreludedb prelude-tools preludedb-tools preludedb-mysql mariadb-server
Last metadata expiration check: 2:35:18 ago on Sun Apr 16 11:06:31 2017 CEST.
Dependencies resolved.
================================================================================
 Package                     Arch    Version            Repository   Size
================================================================================
Installing:
 mariadb-server              x86_64  3:10.1.21-3.fc26   fedora        18 M
 prelude-correlator          noarch  3.1.0-2.fc26       fedora       175 k
 prelude-lml                 x86_64  3.1.0-2.fc26       fedora        94 k
 prelude-lml-rules           x86_64  3.1.0-2.fc26       fedora       113 k
 prelude-manager-db-plugin   x86_64  3.1.0-2.fc26       fedora        14 k
 prelude-tools               x86_64  3.1.0-30.fc26      fedora        44 k
 preludedb-tools             x86_64  3.1.0-2.fc26       fedora        25 k
 preludedb-mysql             x86_64  3.1.0-2.fc26       fedora        22 k
 prewikka                    noarch  3.1.0-2.fc26       fedora       1.4 M
Installing dependencies:
 libprelude                  x86_64  3.1.0-30.fc26      fedora       306 k
 libpreludedb                x86_64  3.1.0-2.fc26       fedora       106 k
 prelude-manager             x86_64  3.1.0-2.fc26       fedora       104 k
 python2-prelude             x86_64  3.1.0-30.fc26      fedora        98 k
 python2-preludedb           x86_64  3.1.0-2.fc26       fedora        87 k
 python3-prelude             x86_64  3.1.0-30.fc26      fedora        97 k
 python3-prelude-correlator  noarch  3.1.0-2.fc26       fedora        45 k
Installing weak dependencies:
 mariadb-server-utils        x86_64  3:10.1.21-3.fc26   fedora       2.2 M

Transaction Summary
================================================================================
Install  17 Packages

Total download size: 23 M
Installed size: 105 M
Is this ok [y/N]:
Prelude needs a SQL database; this tutorial uses MariaDB as an example.
Start the database:
[tandrejak@pc-93 ~]$ sudo systemctl start mariadb
Initialize and secure the database server:
[tandrejak@pc-93 ~]$ sudo mysql_secure_installation
Create two databases, one for IDMEF alerts and one for the web interface, plus a user that owns both:
[tandrejak@pc-93 ~]$ sudo mysql -u root
MariaDB [(none)]> CREATE DATABASE prelude;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE DATABASE prewikka;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE USER 'prelude'@'localhost' IDENTIFIED BY 'prelude';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON prelude.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON prewikka.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)
Load the Prelude IDMEF schema into the alerts database:
[tandrejak@pc-93 ~]$ sudo mysql -u prelude -p prelude < /usr/share/libpreludedb/classic/mysql.sql
Configure the databases in the web interface configuration:
[tandrejak@pc-93 ~]$ sudo vim /etc/prewikka/prewikka.conf
# Events DB
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prelude

# Prewikka DB
[database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prewikka
Configure the database in the prelude-manager configuration (for IDMEF alerts):
[tandrejak@pc-93 ~]$ sudo vim /etc/prelude-manager/prelude-manager.conf
[db]
type = mysql
host = localhost
name = prelude
user = prelude
pass = prelude
Now you have to initialize the communication between all Prelude modules (prelude-manager, prelude-lml and prelude-correlator) as explained in InstallingAgentRegistration. Here is a short log of a standard initialization.
Register Prelude Manager
Registration:
[tandrejak@pc-93 ~]$ sudo prelude-admin add "prelude-manager" --uid 0 --gid 0
Start the service:
[tandrejak@pc-93 ~]$ sudo systemctl start prelude-manager
Check the service:
[tandrejak@pc-93 ~]$ sudo systemctl status prelude-manager
● prelude-manager.service - Prelude bus communicator
   Loaded: loaded (/usr/lib/systemd/system/prelude-manager.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-04-16 14:01:27 CEST; 20s ago
     Docs: man:prelude-manager(1)
 Main PID: 3469 (prelude-manager)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/prelude-manager.service
           └─3469 /usr/sbin/prelude-manager

Apr 16 14:01:27 pc-93.home systemd[1]: Started Prelude bus communicator.
Register Prelude Correlator
Registration, prelude-manager side:
[tandrejak@pc-93 ~]$ sudo prelude-admin registration-server prelude-manager

The "h6cdm63i" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...
Connection from 127.0.0.1:54968...
Registration request for analyzerID="581192161139905" permission="idmef:rw".
Approve registration? [y/n]: y
127.0.0.1:54968 successfully registered.
Registration, prelude-correlator side:
[tandrejak@pc-93 ~]$ sudo prelude-admin register "prelude-correlator" "idmef:rw" 127.0.0.1 --uid 0 --gid 0

Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager"

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.
Start the service:
[tandrejak@pc-93 ~]$ sudo systemctl start prelude-correlator
Check the service:
[tandrejak@pc-93 ~]$ sudo systemctl status prelude-correlator
● prelude-correlator.service - Correlator of events received by Prelude
   Loaded: loaded (/usr/lib/systemd/system/prelude-correlator.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-04-16 14:10:31 CEST; 6s ago
 Main PID: 3494 (prelude-correla)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/prelude-correlator.service
           └─3494 /usr/libexec/system-python /usr/sbin/prelude-correlator

Apr 16 14:10:31 pc-93.home systemd[1]: Started Correlator of events received by Prelude.
Apr 16 14:10:32 pc-93.home prelude-correlator[3494]: 16 Apr 14:10:32 preludecorrelator.pluginmanager (pid:3494) INFO: [BusinessHourPlugin]: disabled on user request
Apr 16 14:10:32 pc-93.home prelude-correlator[3494]: 16 Apr 14:10:32 preludecorrelator.pluginmanager (pid:3494) INFO: [FirewallPlugin]: disabled on user request
Apr 16 14:10:32 pc-93.home prelude-correlator[3494]: 16 Apr 14:10:32 preludecorrelator.plugins.CIArmyPlugin (pid:3494) INFO: Downloading CIArmy report, this might take some time...
Apr 16 14:10:33 pc-93.home prelude-correlator[3494]: 16 Apr 14:10:33 preludecorrelator.plugins.CIArmyPlugin (pid:3494) INFO: Downloading CIArmy report done.
Apr 16 14:10:33 pc-93.home prelude-correlator[3494]: 16 Apr 14:10:33 preludecorrelator.plugins.DshieldPlugin (pid:3494) INFO: Downloading DShield report, this might take some time...
Register Prelude LML
Registration, prelude-manager side:
[tandrejak@pc-93 ~]$ sudo prelude-admin registration-server prelude-manager

The "syikvtdu" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...
Connection from 127.0.0.1:54972...
Registration request for analyzerID="1824705452416373" permission="idmef:w".
Approve registration? [y/n]: y
127.0.0.1:54972 successfully registered.
Registration, prelude-lml side:
[tandrejak@pc-93 ~]$ sudo prelude-admin register "prelude-lml" "idmef:w" 127.0.0.1 --uid 0 --gid 0

Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager"

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.
Start the service:
[tandrejak@pc-93 ~]$ sudo systemctl start prelude-lml
Check the service:
[tandrejak@pc-93 ~]$ sudo systemctl status prelude-lml
● prelude-lml.service - Log analyzer sensor with IDMEF output
   Loaded: loaded (/usr/lib/systemd/system/prelude-lml.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-04-16 14:13:55 CEST; 5s ago
 Main PID: 3513 (prelude-lml)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/prelude-lml.service
           └─3513 /usr/sbin/prelude-lml

Apr 16 14:13:55 pc-93.home systemd[1]: Started Log analyzer sensor with IDMEF output.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/apache2/error_log does not exist.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/httpd/error_log does not exist.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/apache2/access_log does not exist.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/httpd/access_log does not exist.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/everything/current does not exist.
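Each WARNING above is a log file the default rule set expects but prelude-lml could not open on this host, so nothing written to it will ever become an alert. The script below is an added example, not part of this guide or of the Prelude project: it pulls those paths out of the unit's journal and reports which ones are still missing, so you know which inputs are not monitored before relying on the tests at the end. The sample lines are constructed from the status output above.

```shell
#!/bin/sh
# Added example: list the log sources prelude-lml warned about and check
# whether they exist now. Constructed sample, modelled on the journal
# lines shown in the guide above (not captured from a real host).
SAMPLE_LOG='Apr 16 14:13:55 pc-93.home systemd[1]: Started Log analyzer sensor with IDMEF output.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/apache2/error_log does not exist.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/httpd/error_log does not exist.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/everything/current does not exist.'

# Read journal lines on stdin; print the path from every
# "WARNING: <path> does not exist." line, each path once, sorted.
lml_missing_sources() {
    sed -n 's/.*WARNING: \(\/[^ ]*\) does not exist\..*/\1/p' | sort -u
}

# Read one path per line on stdin; print "present <path>" if the file
# exists on this host now, "missing <path>" otherwise. A source that is
# still missing produces no events, so no rule can fire on it.
lml_check_sources() {
    while IFS= read -r path; do
        if [ -e "$path" ]; then
            printf 'present %s\n' "$path"
        else
            printf 'missing %s\n' "$path"
        fi
    done
}

# Number of sources still missing; the value a monitoring check would use.
lml_count_missing() {
    lml_check_sources | grep -c '^missing ' || true
}

# With no argument, run over the constructed sample; with --live, read the
# real journal of the prelude-lml unit (needs access to journalctl).
if [ "${1:-}" = "--live" ]; then
    journalctl -u prelude-lml --no-pager | lml_missing_sources | lml_check_sources
else
    printf '%s\n' "$SAMPLE_LOG" | lml_missing_sources | lml_check_sources
fi
```

Run it with `--live` after every change to the prelude-lml configuration or rule set, and treat any remaining `missing` line as a blind spot rather than noise.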
Web interface
Configure the local firewall:
[tandrejak@pc-93 ~]$ sudo firewall-cmd --zone=public --add-service=http
success
Start the web interface:
[tandrejak@pc-93 ~]$ sudo prewikka-httpd -p 80
Tests
Generate some logs to test the alerts. For example, try to connect to localhost over SSH and enter a wrong password several times:
[tandrejak@pc-93 ~]$ ssh localhost
tandrejak@localhost's password:
Permission denied, please try again.
tandrejak@localhost's password:
Permission denied, please try again.
tandrejak@localhost's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[tandrejak@pc-93 ~]$ ssh localhost
tandrejak@localhost's password:
Permission denied, please try again.
tandrejak@localhost's password:
Permission denied, please try again.
tandrejak@localhost's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).