Project

General

Profile

Installing on RHEL/CentOS with packages

This guide is for CentOS 7.

Installation

First of all, install the EPEL7 repository:

[root@rhel7 ~]# yum install epel-release

Then, install all Prelude packages :

[root@rhel7 ~]# yum install prelude-manager-db-plugin prelude-lml prelude-lml-rules prelude-correlator prewikka prelude-tools preludedb-tools libpreludedb-mysql

Prelude needs a SQL database, this tutorial uses MariaDB as example.

Install the database:

[root@rhel7 ~]# yum install mariadb-server

Start the database :

[root@rhel7 ~]# systemctl start mariadb

Initialize the database :

[root@rhel7 ~]# mysql_secure_installation

Install timezone for mariadb :

mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql

Create two databases, one for IDMEF alerts, one for the web interface :

[root@rhel7 ~]# mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE prelude;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE DATABASE prewikka;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> CREATE USER 'prelude'@'localhost' IDENTIFIED BY 'prelude';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON prelude.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON prewikka.* TO 'prelude'@'localhost';
Query OK, 0 rows affected (0.00 sec)

Initialize the database:

[root@rhel7 ~]# mysql -u prelude -p prelude < /usr/share/libpreludedb/classic/mysql.sql

Configure the database to be used in the web interface:

[root@rhel7 ~]# vim /etc/prewikka/prewikka.conf

# Events DB
[idmef_database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prelude

# Prewikka DB
[database]
type: mysql
host: localhost
user: prelude
pass: prelude
name: prewikka

Configure the database to be used by prelude-manager (for IDMEF alerts):

[root@rhel7 ~]# vim /etc/prelude-manager/prelude-manager.conf

[db]
type = mysql
host = localhost
name = prelude
user = prelude
pass = prelude

Now, you have to authorize the communication between all Prelude modules (prelude-manager, prelude-lml and prelude-correlator) as explained in InstallingAgentRegistration. Here is a short log of standard initializations.

Register Prelude Manager

Registration:

[root@rhel7 ~]# prelude-admin add "prelude-manager" --uid 0 --gid 0

Start the service:

[root@rhel7 ~]# systemctl start prelude-manager

Check the service :

[root@rhel7 ~]# systemctl status prelude-manager
● prelude-manager.service - Prelude bus communicator
   Loaded: loaded (/usr/lib/systemd/system/prelude-manager.service; disabled; vendor preset: disabled)
   Active: active (running) since jeu. 2018-04-26 11:22:25 CEST; 3s ago
     Docs: man:prelude-manager(1)
 Main PID: 1630 (prelude-manager)
   CGroup: /system.slice/prelude-manager.service
           └─1630 /usr/sbin/prelude-manager

avril 26 11:22:25 rhel7.prelude systemd[1]: Started Prelude bus communicator.
avril 26 11:22:25 rhel7.prelude systemd[1]: Starting Prelude bus communicator...

Register Prelude Correlator

Registration, prelude-manager side:

[root@rhel7 ~]# prelude-admin registration-server prelude-manager
The "a751zs24" password will be requested by "prelude-admin register" 
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...

Connection from 127.0.0.1:45068...
Registration request for analyzerID="3525482479983286" permission="idmef:rw".
Approve registration? [y/n]: y
127.0.0.1:45068 successfully registered.

Registration, prelude-correlator side:

[root@rhel7 ~]# prelude-admin register "prelude-correlator" "idmef:rw" 127.0.0.1 --uid 0 --gid 0
Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager" 

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.

Start the service:

[root@rhel7 ~]# systemctl start prelude-correlator

Check the service:

[root@rhel7 ~]# systemctl status prelude-correlator
● prelude-correlator.service - Correlator of events received by Prelude
   Loaded: loaded (/usr/lib/systemd/system/prelude-correlator.service; disabled; vendor preset: disabled)
   Active: active (running) since lun. 2018-04-30 01:18:32 CEST; 3s ago
 Main PID: 13366 (prelude-correla)
   CGroup: /system.slice/prelude-correlator.service
           └─13366 /usr/bin/python3.4 /usr/sbin/prelude-correlator

avril 30 01:18:32 rhel7.prelude systemd[1]: Started Correlator of events received by Prelude.
avril 30 01:18:32 rhel7.prelude systemd[1]: Starting Correlator of events received by Prelude...
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.pluginmanager (pid:13366) INFO: [BusinessHourPlugin]: disabled on user request
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.pluginmanager (pid:13366) INFO: [FirewallPlugin]: disabled on user request
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.pluginmanager (pid:13366) WARNING: Unable to load SpamhausDropPlugin: missing netaddr modu...ypi/netaddr
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.plugins.CIArmyPlugin (pid:13366) INFO: Loaded CIArmy data from a previous run (age=0.13 hours)
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.plugins.DshieldPlugin (pid:13366) INFO: Loaded DShield data from a previous run (age=0.13 hours)
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 preludecorrelator.main (pid:13366) INFO: 8 plugins have been loaded.
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 libprelude (pid:13366) INFO: Connecting to 127.0.0.1:4690 prelude Manager server.
avril 30 01:18:32 rhel7.prelude prelude-correlator[13366]: 30 Apr 01:18:32 libprelude (pid:13366) INFO: TLS authentication succeed with Prelude Manager.

Register Prelude LML

Registration, prelude-manager side:

[root@rhel7 ~]# prelude-admin registration-server prelude-manager
The "yv67yggx" password will be requested by "prelude-admin register" 
in order to connect. Please remove the quotes before using it.

Generating 1024 bits Diffie-Hellman key for anonymous authentication...
Waiting for peers install request on 0.0.0.0:5553...
Waiting for peers install request on :::5553...

Connection from 127.0.0.1:45698...
Registration request for analyzerID="1973745155986225" permission="idmef:w".
Approve registration? [y/n]: y
127.0.0.1:45698 successfully registered.

Registration, prelude-lml side:

[root@rhel7 ~]# prelude-admin register "prelude-lml" "idmef:w" 127.0.0.1 --uid 0 --gid 0
Generating 2048 bits RSA private key... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress...

You now need to start "prelude-admin" registration-server on 127.0.0.1:
example: "prelude-admin registration-server prelude-manager" 

Enter the one-shot password provided on 127.0.0.1:
Confirm the one-shot password provided on 127.0.0.1:

Connecting to registration server (127.0.0.1:5553)... Authentication succeeded.
Successful registration to 127.0.0.1:5553.

Start the service:

[root@rhel7 ~]# systemctl start prelude-lml

Check the service:

[root@rhel7 ~]# systemctl status prelude-lml
● prelude-lml.service - Log analyzer sensor with IDMEF output
   Loaded: loaded (/usr/lib/systemd/system/prelude-lml.service; disabled; vendor preset: disabled)
   Active: active (running) since lun. 2018-04-30 01:21:12 CEST; 1min 19s ago
 Main PID: 13380 (prelude-lml)
   CGroup: /system.slice/prelude-lml.service
           └─13380 /usr/sbin/prelude-lml

Web interface

Configure your firewall:

[root@rhel7 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success


[root@rhel7 ~]# firewall-cmd --reload
success

Start the web interface:

[root@rhel7 ~]# prewikka-httpd -p 80

Tests

Generate some logs to test the alerts. For example, try to connect to localhost in SSH and fail the password.

[root@rhel7 ~]# ssh localhost
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).

[root@rhel7 ~]# ssh localhost
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).