Installing on RHEL/CentOS with packages
This guide is for CentOS 7.
Installation
First of all, install the EPEL7 repository:
[root@rhel7 ~]# yum install epel-release
Then, install all the Prelude packages:
[root@rhel7 ~]# yum install prelude-manager-db-plugin prelude-lml prelude-lml-rules prelude-correlator prewikka prelude-tools preludedb-tools libpreludedb-mysql
Prelude needs an SQL database; this tutorial uses MariaDB as an example.
Install the database:
[root@rhel7 ~]# yum install mariadb-server
Start the database:
[root@rhel7 ~]# systemctl start mariadb
Secure the initial installation:
[root@rhel7 ~]# mysql_secure_installation
Load the time zone tables into MariaDB:
[root@rhel7 ~]# mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
Create two databases, one for the IDMEF alerts and one for the web interface, plus a user with rights on both:
[root@rhel7 ~]# mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE prelude;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE DATABASE prewikka;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE USER 'prelude'@'localhost' IDENTIFIED BY 'prelude';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON prelude.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON prewikka.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)
Load the IDMEF schema into the prelude database:
[root@rhel7 ~]# mysql -u prelude -p prelude < /usr/share/libpreludedb/classic/mysql.sql
Configure the databases used by the web interface:
[root@rhel7 ~]# vim /etc/prewikka/prewikka.conf

# Events DB
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prelude

# Prewikka DB
[database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prewikka
Configure the database to be used by prelude-manager (for IDMEF alerts):
[root@rhel7 ~]# vim /etc/prelude-manager/prelude-manager.conf

[db]
type = mysql
host = localhost
name = prelude
user = prelude
pass = prelude
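Both files above store the database password in clear text, and the guide uses the placeholder user/password pair prelude/prelude. The following POSIX shell script is an added example, not part of the Prelude documentation or the Prelude project: it audits the two files just written, checking that neither is readable by other users, that the password is no longer the placeholder, and that the manager's [db] section and the web interface's [idmef_database] section point at the same database, host and user (otherwise Prewikka never sees the alerts prelude-manager stores). It assumes the file layouts shown above; the paths are parameters so it can be run against copies.

```shell
#!/bin/sh
# Added example (not from the Prelude documentation): audit the
# prelude-manager and prewikka configuration files written above.
# Assumed layouts: "key = value" under [db] in prelude-manager.conf and
# "key: value" under [idmef_database] / [database] in prewikka.conf.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# Accepts both "key: value" and "key = value"; prints nothing if absent.
conf_get() {
    sed -n "/^\[$2\]/,/^\[/p" "$1" \
        | sed -n "s/^[[:space:]]*$3[[:space:]]*[:=][[:space:]]*\(.*\)$/\1/p" \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# is_world_readable FILE: succeed when the "other" permission bits
# include read (GNU stat, with the BSD spelling as fallback).
is_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# password_is_default FILE SECTION: succeed when the stored password is
# empty or still the placeholder "prelude" used in the guide.
password_is_default() {
    pass=$(conf_get "$1" "$2" pass)
    [ -z "$pass" ] || [ "$pass" = "prelude" ]
}

# same_db MANAGER_CONF PREWIKKA_CONF: succeed when [db] in the manager
# file and [idmef_database] in the prewikka file name the same backend.
same_db() {
    for key in type host name user; do
        [ "$(conf_get "$1" db "$key")" = "$(conf_get "$2" idmef_database "$key")" ] || return 1
    done
    return 0
}

# audit_prelude_conf MANAGER_CONF PREWIKKA_CONF: run every check, print
# one line per finding and return non-zero when anything was found.
audit_prelude_conf() {
    mgr=$1; pwk=$2; rc=0
    for f in "$mgr" "$pwk"; do
        if is_world_readable "$f"; then
            echo "WARN: $f is world-readable but holds the database password (chmod 640 it)"
            rc=1
        fi
    done
    if password_is_default "$mgr" db; then
        echo "WARN: $mgr [db] still uses the placeholder password"; rc=1
    fi
    for sec in idmef_database database; do
        if password_is_default "$pwk" "$sec"; then
            echo "WARN: $pwk [$sec] still uses the placeholder password"; rc=1
        fi
    done
    if ! same_db "$mgr" "$pwk"; then
        echo "WARN: prelude-manager [db] and prewikka [idmef_database] do not name the same database"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $mgr and $pwk pass all checks"
    return "$rc"
}

# Usage: sh audit-prelude-conf.sh /etc/prelude-manager/prelude-manager.conf /etc/prewikka/prewikka.conf
[ $# -eq 0 ] || audit_prelude_conf "$@"
```

Run against the files exactly as the guide writes them (mode 644, password "prelude") the script reports three findings and exits 1; after replacing the password in MariaDB and in both files and restricting the files to the accounts that run prelude-manager and prewikka, it prints OK.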
Now you have to authorize communication between all the Prelude modules (prelude-manager, prelude-lml and prelude-correlator), as explained in InstallingAgentRegistration. Here is a short log of the standard registrations.
Register Prelude Manager
Registration:
[root@rhel7 ~]# prelude-admin add "prelude-manager" --uid 0 --gid 0
Start the service:
[root@rhel7 ~]# systemctl start prelude-manager
Check the service:
[root@rhel7 ~]# systemctl status prelude-manager
● prelude-manager.service - Prelude bus communicator
   Loaded: loaded (/usr/lib/systemd/system/prelude-manager.service; disabled; vendor preset: disabled)
   Active: active (running) since jeu. 2018-04-26 11:22:25 CEST; 3s ago
     Docs: man:prelude-manager(1)
 Main PID: 1630 (prelude-manager)
   CGroup: /system.slice/prelude-manager.service
           └─1630 /usr/sbin/prelude-manager

avril 26 11:22:25 rhel7.prelude systemd[1]: Started Prelude bus communicator.
avril 26 11:22:25 rhel7.prelude systemd[1]: Starting Prelude bus communicator...
Register Prelude Correlator
Registration, prelude-manager side:
[root@rhel7 ~]# prelude-admin registration-server prelude-manager

The "a751zs24" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...
Connection from 127.0.0.1:45068...
Registration request for analyzerID="3525482479983286" permission="idmef:rw".
Approve registration? [y/n]: y
127.0.0.1:45068 successfully registered.
Registration, prelude-correlator side:
[root@rhel7 ~]# prelude-admin register "prelude-correlator" "idmef:rw" 127.0.0.1 --uid 0 --gid 0

Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager"

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.
Start the service:
[root@rhel7 ~]# systemctl start prelude-correlator
Check the service:
[root@rhel7 ~]# systemctl status prelude-correlator
● prelude-correlator.service - Correlator of events received by Prelude
   Loaded: loaded (/usr/lib/systemd/system/prelude-correlator.service; disabled; vendor preset: disabled)
   Active: active (running) since lun. 2018-04-30 01:18:32 CEST; 3s ago
 Main PID: 13366 (prelude-correla)
   CGroup: /system.slice/prelude-correlator.service
           └─13366 /usr/bin/python3.4 /usr/sbin/prelude-correlator

avril 30 01:18:32 rhel7.prelude systemd[1]: Started Correlator of events received by Prelude.
avril 30 01:18:32 rhel7.prelude systemd[1]: Starting Correlator of events received by Prelude...
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.pluginmanager (pid:13366) INFO: [BusinessHourPlugin]: disabled on user request
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.pluginmanager (pid:13366) INFO: [FirewallPlugin]: disabled on user request
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.pluginmanager (pid:13366) WARNING: Unable to load SpamhausDropPlugin: missing netaddr modu...ypi/netaddr
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.plugins.CIArmyPlugin (pid:13366) INFO: Loaded CIArmy data from a previous run (age=0.13 hours)
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.plugins.DshieldPlugin (pid:13366) INFO: Loaded DShield data from a previous run (age=0.13 hours)
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.main (pid:13366) INFO: 8 plugins have been loaded.
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 libprelude (pid:13366) INFO: Connecting to 127.0.0.1:4690 prelude Manager server.
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 libprelude (pid:13366) INFO: TLS authentication succeed with Prelude Manager.
Register Prelude LML
Registration, prelude-manager side:
[root@rhel7 ~]# prelude-admin registration-server prelude-manager

The "yv67yggx" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...
Connection from 127.0.0.1:45698...
Registration request for analyzerID="1973745155986225" permission="idmef:w".
Approve registration? [y/n]: y
127.0.0.1:45698 successfully registered.
Registration, prelude-lml side:
[root@rhel7 ~]# prelude-admin register "prelude-lml" "idmef:w" 127.0.0.1 --uid 0 --gid 0

Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager"

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.
Start the service:
[root@rhel7 ~]# systemctl start prelude-lml
Check the service:
[root@rhel7 ~]# systemctl status prelude-lml
● prelude-lml.service - Log analyzer sensor with IDMEF output
   Loaded: loaded (/usr/lib/systemd/system/prelude-lml.service; disabled; vendor preset: disabled)
   Active: active (running) since lun. 2018-04-30 01:21:12 CEST; 1min 19s ago
 Main PID: 13380 (prelude-lml)
   CGroup: /system.slice/prelude-lml.service
           └─13380 /usr/sbin/prelude-lml
Web interface
Configure your firewall:
[root@rhel7 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@rhel7 ~]# firewall-cmd --reload
success
Start the web interface:
[root@rhel7 ~]# prewikka-httpd -p 80
Tests
Generate some logs to test the alerts. For example, connect to localhost over SSH and enter a wrong password:
[root@rhel7 ~]# ssh localhost
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
[root@rhel7 ~]# ssh localhost
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).