Installing on Fedora with packages

Since Prelude is back in Fedora, this guide targets Fedora 26.

First of all, install the packages:

[tandrejak@pc-93 ~]$ sudo dnf install prelude-manager-db-plugin prelude-lml prelude-lml-rules
prelude-correlator prewikka libpreludedb prelude-tools preludedb-tools preludedb-mysql mariadb-server
Last metadata expiration check: 2:35:18 ago on Sun Apr 16 11:06:31 2017 CEST.
Dependencies resolved.
================================================================================
 Package                       Arch      Version                Repository
                                                                           Size
================================================================================
Installing:
 mariadb-server                x86_64    3:10.1.21-3.fc26       fedora     18 M
 prelude-correlator            noarch    3.1.0-2.fc26           fedora    175 k
 prelude-lml                   x86_64    3.1.0-2.fc26           fedora     94 k
 prelude-lml-rules             x86_64    3.1.0-2.fc26           fedora    113 k
 prelude-manager-db-plugin     x86_64    3.1.0-2.fc26           fedora     14 k
 prelude-tools                 x86_64    3.1.0-30.fc26          fedora     44 k
 preludedb-tools               x86_64    3.1.0-2.fc26           fedora     25 k
 preludedb-mysql               x86_64    3.1.0-2.fc26           fedora     22 k
 prewikka                      noarch    3.1.0-2.fc26           fedora    1.4 M
Installing dependencies:
 libprelude                    x86_64    3.1.0-30.fc26          fedora    306 k
 libpreludedb                  x86_64    3.1.0-2.fc26           fedora    106 k
 prelude-manager               x86_64    3.1.0-2.fc26           fedora    104 k
 python2-prelude               x86_64    3.1.0-30.fc26          fedora     98 k
 python2-preludedb             x86_64    3.1.0-2.fc26           fedora     87 k
 python3-prelude               x86_64    3.1.0-30.fc26          fedora     97 k
 python3-prelude-correlator    noarch    3.1.0-2.fc26           fedora     45 k
Installing weak dependencies:
 mariadb-server-utils          x86_64    3:10.1.21-3.fc26       fedora    2.2 M

Transaction Summary
================================================================================
Install  17 Packages

Total download size: 23 M
Installed size: 105 M
Is this ok [y/N]:

Prelude needs an SQL database; this tutorial uses MariaDB as an example.

Start the database:

[tandrejak@pc-93 ~]$ sudo systemctl start mariadb

Secure the fresh MariaDB installation (root password, anonymous accounts, test database):

[tandrejak@pc-93 ~]$ sudo mysql_secure_installation

Create two databases, one for IDMEF alerts and one for the web interface, plus a database user with privileges on both (the password 'prelude' is only an example; use a strong one):

[tandrejak@pc-93 ~]$ sudo mysql -u root

MariaDB [(none)]> CREATE DATABASE prelude;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE DATABASE prewikka;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE USER 'prelude'@'localhost' IDENTIFIED BY 'prelude';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON prelude.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON prewikka.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)

Load the IDMEF schema into the prelude database:

[tandrejak@pc-93 ~]$ sudo mysql -u prelude -p prelude < /usr/share/libpreludedb/classic/mysql.sql

Configure the database connections in the web interface configuration:

[tandrejak@pc-93 ~]$ sudo vim /etc/prewikka/prewikka.conf

# Events DB
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prelude

# Prewikka DB
[database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prewikka

Configure the database in the prelude-manager configuration (for IDMEF alerts):

[tandrejak@pc-93 ~]$ sudo vim /etc/prelude-manager/prelude-manager.conf

[db]
type = mysql
host = localhost
name = prelude
user = prelude
pass = prelude
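
As an added example (not part of this documentation or of Prelude itself), the following Python script reads the two configuration fragments shown above and checks that they agree: prewikka's [idmef_database] section must point at the same database that prelude-manager's [db] section writes to, the two prewikka databases must be distinct, and every section must carry the five connection keys. It also flags the sample password, which equals the user name. The configuration texts embedded in the script are constructed copies of the fragments on this page; on a real host read /etc/prewikka/prewikka.conf and /etc/prelude-manager/prelude-manager.conf instead.

```python
"""Added example, not Prelude's own code: sanity-check the database sections
of prewikka.conf and prelude-manager.conf before starting the services.

prewikka.conf uses "key: value" and prelude-manager.conf uses "key = value";
both are INI-style, so configparser reads them when given both delimiters.
"""
import configparser

# Constructed sample: the page's /etc/prewikka/prewikka.conf fragment
PREWIKKA_CONF = """\
# Events DB
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prelude

# Prewikka DB
[database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prewikka
"""

# Constructed sample: the page's /etc/prelude-manager/prelude-manager.conf fragment
MANAGER_CONF = """\
[db]
type = mysql
host = localhost
name = prelude
user = prelude
pass = prelude
"""

REQUIRED = ("type", "host", "user", "pass", "name")


def load_conf(text):
    """Parse an INI-style Prelude config; both ':' and '=' delimiters are accepted."""
    parser = configparser.ConfigParser(delimiters=("=", ":"), interpolation=None)
    parser.read_string(text)
    return parser


def check_db_config(prewikka_text, manager_text):
    """Return a list of problems found; an empty list means the sections agree."""
    problems = []
    pw = load_conf(prewikka_text)
    mgr = load_conf(manager_text)

    for name, parser, section in (("prewikka.conf", pw, "idmef_database"),
                                  ("prewikka.conf", pw, "database"),
                                  ("prelude-manager.conf", mgr, "db")):
        if not parser.has_section(section):
            problems.append(f"{name}: missing [{section}] section")
            continue
        for key in REQUIRED:
            if not parser.has_option(section, key):
                problems.append(f"{name}: [{section}] lacks '{key}'")
        # A password identical to the user name is the page's placeholder, not a real secret
        if parser.get(section, "pass", fallback="") == parser.get(section, "user", fallback=None):
            problems.append(f"{name}: [{section}] password equals the user name; use a real one")

    # prewikka's IDMEF view must read the database prelude-manager writes to
    if pw.has_section("idmef_database") and mgr.has_section("db"):
        for key in ("type", "host", "name"):
            a = pw.get("idmef_database", key, fallback=None)
            b = mgr.get("db", key, fallback=None)
            if a != b:
                problems.append(f"idmef_database.{key}={a!r} but prelude-manager db.{key}={b!r}")

    # the alert store and prewikka's own store must be two different schemas
    if pw.has_section("idmef_database") and pw.has_section("database"):
        if pw.get("idmef_database", "name", fallback=None) == pw.get("database", "name", fallback=None):
            problems.append("prewikka: IDMEF and Prewikka databases share one name")
    return problems


if __name__ == "__main__":
    for problem in check_db_config(PREWIKKA_CONF, MANAGER_CONF) or ["no problems found"]:
        print(problem)
```

Run against the page's sample values it reports three "password equals the user name" findings, which is expected; they disappear once the same real password is set in both files and in MariaDB, and any mismatch between the manager's [db] and prewikka's [idmef_database] is reported as a separate line.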

Now you have to set up the communication between all Prelude modules (prelude-manager, prelude-lml and prelude-correlator), as explained in InstallingAgentRegistration. Here is a short log of a standard initialization.

Register Prelude Manager

Registration:

[tandrejak@pc-93 ~]$ sudo prelude-admin add "prelude-manager" --uid 0 --gid 0

Start the service:

[tandrejak@pc-93 ~]$ sudo systemctl start prelude-manager

Check the service:

[tandrejak@pc-93 ~]$ sudo systemctl status prelude-manager
● prelude-manager.service - Prelude bus communicator
   Loaded: loaded (/usr/lib/systemd/system/prelude-manager.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-04-16 14:01:27 CEST; 20s ago
     Docs: man:prelude-manager(1)
 Main PID: 3469 (prelude-manager)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/prelude-manager.service
           └─3469 /usr/sbin/prelude-manager

Apr 16 14:01:27 pc-93.home systemd[1]: Started Prelude bus communicator.

Register Prelude Correlator

Registration, prelude-manager side:

[tandrejak@pc-93 ~]$ sudo prelude-admin registration-server prelude-manager
The "h6cdm63i" password will be requested by "prelude-admin register" 
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...

Connection from 127.0.0.1:54968...
Registration request for analyzerID="581192161139905" permission="idmef:rw".
Approve registration? [y/n]: y
127.0.0.1:54968 successfully registered.

Registration, prelude-correlator side:

[tandrejak@pc-93 ~]$ sudo prelude-admin register "prelude-correlator" "idmef:rw" 127.0.0.1 --uid 0 --gid 0
Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager" 

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.

Start the service:

[tandrejak@pc-93 ~]$ sudo systemctl start prelude-correlator

Check the service:

[tandrejak@pc-93 ~]$ sudo systemctl status prelude-correlator
● prelude-correlator.service - Correlator of events received by Prelude
   Loaded: loaded (/usr/lib/systemd/system/prelude-correlator.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-04-16 14:10:31 CEST; 6s ago
 Main PID: 3494 (prelude-correla)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/prelude-correlator.service
           └─3494 /usr/libexec/system-python /usr/sbin/prelude-correlator

Apr 16 14:10:31 pc-93.home systemd[1]: Started Correlator of events received by Prelude.
Apr 16 14:10:32 pc-93.home prelude-correlator[3494]: 16 Apr 14:10:32 preludecorrelator.pluginmanager (pid:3494) INFO: [BusinessHourPlugin]: disabled on user request
Apr 16 14:10:32 pc-93.home prelude-correlator[3494]: 16 Apr 14:10:32 preludecorrelator.pluginmanager (pid:3494) INFO: [FirewallPlugin]: disabled on user request
Apr 16 14:10:32 pc-93.home prelude-correlator[3494]: 16 Apr 14:10:32 preludecorrelator.plugins.CIArmyPlugin (pid:3494) INFO: Downloading CIArmy report, this might take some time...
Apr 16 14:10:33 pc-93.home prelude-correlator[3494]: 16 Apr 14:10:33 preludecorrelator.plugins.CIArmyPlugin (pid:3494) INFO: Downloading CIArmy report done.
Apr 16 14:10:33 pc-93.home prelude-correlator[3494]: 16 Apr 14:10:33 preludecorrelator.plugins.DshieldPlugin (pid:3494) INFO: Downloading DShield report, this might take some time...

Register Prelude LML

Registration, prelude-manager side:

[tandrejak@pc-93 ~]$ sudo prelude-admin registration-server prelude-manager
The "syikvtdu" password will be requested by "prelude-admin register" 
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...

Connection from 127.0.0.1:54972...
Registration request for analyzerID="1824705452416373" permission="idmef:w".
Approve registration? [y/n]: y
127.0.0.1:54972 successfully registered.

Registration, prelude-lml side:

[tandrejak@pc-93 ~]$ sudo prelude-admin register "prelude-lml" "idmef:w" 127.0.0.1 --uid 0 --gid 0
Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager" 

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.

Start the service:

[tandrejak@pc-93 ~]$ sudo systemctl start prelude-lml

Check the service:

[tandrejak@pc-93 ~]$ sudo systemctl status prelude-lml
● prelude-lml.service - Log analyzer sensor with IDMEF output
   Loaded: loaded (/usr/lib/systemd/system/prelude-lml.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-04-16 14:13:55 CEST; 5s ago
 Main PID: 3513 (prelude-lml)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/prelude-lml.service
           └─3513 /usr/sbin/prelude-lml

Apr 16 14:13:55 pc-93.home systemd[1]: Started Log analyzer sensor with IDMEF output.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/apache2/error_log does not exist.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/httpd/error_log does not exist.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/apache2/access_log does not exist.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/httpd/access_log does not exist.
Apr 16 14:13:55 pc-93.home prelude-lml[3513]: 16 Apr 14:13:55 (process:3513) WARNING: /var/log/everything/current does not exist.

Web interface

Configure the local firewall:

[tandrejak@pc-93 ~]$ sudo firewall-cmd --zone=public --add-service=http
success

Start the web interface:

[tandrejak@pc-93 ~]$ sudo prewikka-httpd -p 80

Tests

Generate some logs to test the alerts. For example, connect over SSH to localhost and enter a wrong password several times; prelude-lml picks the failures up from the system log and the alerts appear in the web interface:

[tandrejak@pc-93 ~]$ ssh localhost
tandrejak@localhost's password:
Permission denied, please try again.
tandrejak@localhost's password:
Permission denied, please try again.
tandrejak@localhost's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

[tandrejak@pc-93 ~]$ ssh localhost
tandrejak@localhost's password:
Permission denied, please try again.
tandrejak@localhost's password:
Permission denied, please try again.
tandrejak@localhost's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
