Cluster-Handbook/Prelude
Prelude
Prelude is a sensor-based monitoring system that is well suited to monitoring a cluster because of its manager module, which collects the events of sensors on all nodes in one place. This guide explains what Prelude is and how to install it on a virtual Ubuntu system.
What is Prelude?
Prelude is a so-called 'Intrusion Detection System' (IDS). A distinction is made between host-based and network-based intrusion detection systems. A HIDS monitors and controls activity directly on the operating system: it watches log files, the kernel and (on Windows) the registry. A NIDS, on the other hand, monitors the network traffic. Prelude combines both approaches and therefore belongs to the group of hybrid intrusion detection systems.
Manager
The Prelude manager is the heart of the software: all messages from the sensors come together here and are then written to the database. The sensors can observe very different places, such as various log files or the kernel itself. A sensor is set up for each relevant interface and connected to the manager. The manager collects, sorts and normalises the incoming data and stores it in the database in IDMEF format (the Intrusion Detection Message Exchange Format).
In addition to the sensors Prelude ships with, third-party sensors can also be registered with the manager.
Software Packages
For Prelude to run smoothly, a handful of packages must be installed on the system.
- prelude-manager: The Prelude Manager is, as already described, the heart of the software. This is where all messages from the sensors come together.
- prelude-lml: The Prelude Log Monitoring Lackey reads log files and feeds the events it recognises to the manager. In our case it will later read /var/log/auth.log, which records the login attempts on the system.
- prewikka: Prewikka graphically prepares our data that the manager has written to the database, so that we can also recall it from the browser.
- apache2: An Apache Webserver is necessary for us to open the site Prewikka provides.
- postgresql-9.1: We need two databases in total, one for the manager and one for Prewikka. In this case it is advisable to use PostgreSQL instead of MySQL; more on that later.
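To make concrete what the prelude-lml sensor extracts from auth.log, here is an added example (not code from the Cluster Handbook or from Prelude-LML itself): a small shell script that runs over a constructed auth.log excerpt, lists every SSH login attempt and flags peers with repeated failures. The log lines are made up in the format OpenSSH writes on Ubuntu, and the patterns are this example's own; LML's real rules live in its ruleset files and use their own syntax.

```shell
#!/bin/sh
# Added example, not part of the Cluster Handbook or of Prelude-LML.
# Shows what a log sensor pulls out of auth.log: SSH login events and the
# peers whose failed logins look like a brute-force attempt.

# Constructed sample in the format OpenSSH writes to /var/log/auth.log on Ubuntu.
sample_auth_log() {
    cat <<'EOF'
May  3 10:12:01 master sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51512 ssh2
May  3 10:12:03 master sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51512 ssh2
May  3 10:12:09 master sshd[2240]: Failed password for root from 203.0.113.7 port 51530 ssh2
May  3 10:13:44 master sshd[2255]: Accepted publickey for worker from 192.168.178.21 port 40022 ssh2
May  3 10:14:02 master sshd[2260]: Failed password for worker from 192.168.178.22 port 40100 ssh2
May  3 10:14:10 master sshd[2260]: Accepted password for worker from 192.168.178.22 port 40100 ssh2
May  3 10:15:00 master CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Reads auth.log lines on stdin and prints one "RESULT USER IP METHOD" line per
# sshd login event; other lines (cron sessions, sudo, ...) are ignored.
login_events() {
    awk '
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
            result = ($0 ~ /: Accepted /) ? "accepted" : "failed"
            method = ($0 ~ / publickey for /) ? "publickey" : "password"
            n = split($0, w, " ")
            # the user name is the word before "from", the peer address the word after it
            for (i = 1; i <= n; i++) if (w[i] == "from") { user = w[i-1]; ip = w[i+1] }
            print result, user, ip, method
        }'
}

# Reads auth.log lines on stdin and prints "IP COUNT" for every peer with at
# least THRESHOLD failed logins: the kind of event a sensor reports to the manager.
brute_force_sources() {
    threshold=$1
    login_events | awk -v t="$threshold" '
        $1 == "failed" { fails[$3]++ }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }' | sort
}

# Demo on the constructed sample (use "login_events < /var/log/auth.log" on a real host):
sample_auth_log | login_events
sample_auth_log | brute_force_sources 3
```

On the sample, only 203.0.113.7 crosses the threshold of three failures; the single failed password of the cluster node 192.168.178.22 followed by a successful login is the ordinary typo that a per-peer count keeps apart from an attack.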
Installation
Shell commands are shown with a leading # in the following form:
# nano /etc/hosts
Requirements
This installation has been tested on a virtual system with one master and several workers, all running the 64-bit version of Ubuntu Server. To simplify the installation, it is recommended to switch to root once with the command
# sudo su
Step by Step Installation
Step 1
Install all software packages (all packages are installed on the master only):
# apt-get install prelude-lml prelude-manager prelude-correlator prelude-notify apache2 postgresql-9.1 prewikka
You may be asked whether the databases should be set up by a wizard; for inexperienced users this is recommended.
Step 2
Now various configuration files must be set. We start with the Prelude configuration.
# nano /etc/prelude/default/global.conf
Here the node-name must be entered, as well as the address of the node. On a virtual machine, use the loopback address 127.0.0.1 for the local environment. It is important that the [node address] block is uncommented as well: lines that stay commented out are not read.
Step 3
Start the Prelude Manager:
# /etc/init.d/prelude-manager start
The init script reports that the manager is still disabled and names the file that has to be edited:
prelude-manager disabled, please adjust the configuration to your needs * and then set RUN to 'yes' in /etc/default/prelude-manager to enable it.
Enable the manager in the following file, then repeat the start command from above:
# nano /etc/default/prelude-manager
Step 4
The Prelude sensors must be registered with the manager so that they can communicate with each other. In this step we register the prelude-lml sensor with the manager. On the manager, run the following command:
# prelude-admin register prelude-lml 'idmef:w admin:r' 127.0.0.1 --uid 0 --gid 0
Here 'idmef:w admin:r' is the permission set granted to the sensor (write IDMEF events, read admin messages), and --uid/--gid set the owner of the sensor profile, which must be the user the sensor daemon runs as (here root). The command now waits for a one-shot password generated on the server. Since prelude-lml runs on the same master as the manager, open a second terminal window and run:
# prelude-admin registration-server prelude-manager
This command generates the one-shot password for our sensor. Enter it at the register prompt; after the password has been accepted, the registration must be confirmed once more on the manager side. Manager and sensor (prelude-lml) are now connected to each other.
Step 5
We configured the manager in step 2; now the sensor (prelude-lml) must be set up. For this, we edit the file:
# nano /etc/prelude-lml/prelude-lml.conf
Here two lines must be uncommented so that the sensor knows the correct server address:
[prelude]
server-addr = 127.0.0.1
Step 6
Prelude is now fully functional, but the graphical presentation of the results is still missing; Prewikka provides it in the browser. Before that, it is worth checking the database settings once more:
# nano /etc/prewikka/prewikka.conf
Listing 10.1 Database name and user (example)
[idmef_database]
type: pgsql
host: localhost
user: prelude
pass: prelude
name: prelude
[database]
type: pgsql
host: localhost
user: prewikka
pass: prewikka
name: prewikka
The [idmef_database] section points at the database the manager writes its events to, [database] at Prewikka's own database. The passwords shown are examples: use the ones chosen when the databases were created, and do not keep "prelude" and "prewikka" as passwords on a system that others can reach. Since the file contains these passwords, it should not be readable by every local user.
Lastly, the Apache server is configured so that it also serves the files provided by Prewikka.
# nano /etc/apache2/apache2.conf
At the end of this file, the following code must be added:
Listing 10.2 Apache configuration for Prewikka
Alias /prewikka/prewikka/ /usr/share/prewikka/htdocs/
ScriptAlias /prewikka/ /usr/share/prewikka/cgi-bin/prewikka.cgi
<Directory /usr/share/prewikka/htdocs/>
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /usr/share/prewikka/cgi-bin/>
AllowOverride None
Options ExecCGI
<IfModule mod_mime.c>
AddHandler cgi-script .cgi
</IfModule>
Order allow,deny
Allow from all
</Directory>
The "Order allow,deny" and "Allow from all" lines are Apache 2.2 syntax; Apache 2.4 expects "Require all granted" instead. Note that "Allow from all" makes the console reachable from every host that can reach the web server. On a cluster it is advisable to allow only the management network, for example "Allow from 192.168.178.0/24" (Apache 2.2) or "Require ip 192.168.178.0/24" (Apache 2.4), with the network adjusted to your own setup.
Apache has to be restarted once after reconfiguration.
# /etc/init.d/apache2 restart
Prewikka's own HTTP daemon must be started (after every reboot) with the following command:
# /usr/bin/prewikka-httpd
Now Prewikka can be opened in the browser (replace the IP address with the inet address of your eth0 interface):
http://192.168.178.56/prewikka/
Name: admin
Password: admin
Change this default password immediately after the first login: the console shows every event the manager has collected, and with "Allow from all" it is reachable from the whole network.
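Steps 2, 3, 5 and 6 all depend on a few hand edits that are easy to get wrong (a setting left commented out, RUN still "no", a config file full of passwords left world-readable). The following shell script, an added example that is not the handbook's or Prelude's own code, checks those edits before the daemons are started. The file paths are the ones named in the steps above; the helper names, the fixture contents and the "edited" password are this example's own. Every check takes a root prefix so the script can run against a constructed copy of the files as well as against the live system.

```shell
#!/bin/sh
# Added example, not part of the Cluster Handbook or of the Prelude project:
# checks the hand edits from steps 2, 3, 5 and 6 before the daemons are started.
# Every check takes a ROOT prefix ("" = the live system) so it can also run
# against the constructed fixture written by demo_fixture below.

# True when FILE has an uncommented "KEY = VALUE" line with a non-empty value.
has_active_setting() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[^[:space:]#]" "$1" 2>/dev/null
}

# True when FILE is readable by "other" (eighth character of "ls -l" is r).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Prints one line per problem found under ROOT; returns the number of problems
# (0 means the configuration is ready for the daemons to start).
check_prelude_setup() {
    root=$1; n=0
    global="$root/etc/prelude/default/global.conf"
    defaults="$root/etc/default/prelude-manager"
    lml="$root/etc/prelude-lml/prelude-lml.conf"
    prewikka="$root/etc/prewikka/prewikka.conf"

    # Step 2: node-name and the [node address] address must be active, not commented out.
    has_active_setting "$global" node-name || { echo "$global: node-name is not set"; n=$((n+1)); }
    has_active_setting "$global" address   || { echo "$global: [node address] address is not set"; n=$((n+1)); }

    # Step 3: the init script refuses to start the manager until RUN=yes (quotes allowed).
    grep -Eq '^[[:space:]]*RUN=.?yes' "$defaults" 2>/dev/null \
        || { echo "$defaults: RUN is not yes, prelude-manager will not start"; n=$((n+1)); }

    # Step 5: the sensor must know where the manager listens.
    has_active_setting "$lml" server-addr || { echo "$lml: server-addr is not set"; n=$((n+1)); }

    # Step 6: prewikka.conf holds the database passwords, so it must not be
    # world-readable, and the placeholder passwords from Listing 10.1 must be gone.
    if [ -r "$prewikka" ]; then
        world_readable "$prewikka" && { echo "$prewikka: world-readable, exposes database passwords"; n=$((n+1)); }
        grep -Eq '^[[:space:]]*pass:[[:space:]]*(prelude|prewikka)[[:space:]]*$' "$prewikka" \
            && { echo "$prewikka: placeholder database password still in use"; n=$((n+1)); }
    else
        echo "$prewikka: missing or unreadable"; n=$((n+1))
    fi
    return $n
}

# Constructed fixture under DIR: "fresh" mirrors the files with the settings still
# commented out, RUN=no and the example password; "edited" mirrors them after steps 2-6.
put_lines() { f=$1; shift; printf '%s\n' "$@" > "$f"; }
demo_fixture() {
    for state in fresh edited; do
        for d in etc/prelude/default etc/default etc/prelude-lml etc/prewikka; do
            mkdir -p "$1/$state/$d"
        done
    done
    put_lines "$1/fresh/etc/prelude/default/global.conf" '[prelude]' '# node-name = ' '# [node address]' '# address = '
    put_lines "$1/fresh/etc/default/prelude-manager" 'RUN=no'
    put_lines "$1/fresh/etc/prelude-lml/prelude-lml.conf" '[prelude]' '# server-addr = 127.0.0.1'
    put_lines "$1/fresh/etc/prewikka/prewikka.conf" '[database]' 'type: pgsql' 'host: localhost' 'user: prewikka' 'pass: prewikka' 'name: prewikka'
    chmod 644 "$1/fresh/etc/prewikka/prewikka.conf"
    put_lines "$1/edited/etc/prelude/default/global.conf" '[prelude]' 'node-name = master' '[node address]' 'address = 127.0.0.1'
    put_lines "$1/edited/etc/default/prelude-manager" 'RUN=yes'
    put_lines "$1/edited/etc/prelude-lml/prelude-lml.conf" '[prelude]' 'server-addr = 127.0.0.1'
    put_lines "$1/edited/etc/prewikka/prewikka.conf" '[database]' 'type: pgsql' 'host: localhost' 'user: prewikka' 'pass: example-Xk9-secret' 'name: prewikka'
    chmod 640 "$1/edited/etc/prewikka/prewikka.conf"
}

# "sh check_prelude.sh live" checks the real system (run as root);
# without an argument the script runs on the constructed fixture.
if [ "${1:-}" = live ]; then
    check_prelude_setup "" && echo "ready to start"
else
    tmp=$(mktemp -d); demo_fixture "$tmp"
    echo "== as installed =="; check_prelude_setup "$tmp/fresh" || echo "-> $? problem(s)"
    echo "== after steps 2-6 =="; check_prelude_setup "$tmp/edited" && echo "-> ready to start"
    rm -rf "$tmp"
fi
```

The return value is the number of problems, so the script can gate a start command on the real machine: "sh check_prelude.sh live && /etc/init.d/prelude-manager start". On the "fresh" fixture it reports six problems; on the "edited" one it reports none.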
Issues during installation
A few problems can occur during the installation; some of them are briefly discussed here.
Lack of access rights when starting Prewikka (step 6)
When Prewikka is started in step 6, an error may report missing privileges on the prewikka.conf file. If this occurs, the permissions of the file must be adjusted, for example with:
# chmod 755 /etc/prewikka/prewikka.conf
Note that 755 makes the file readable by every local user, and the file contains both database passwords. It is better to keep the file at mode 640, owned by root, with its group set to the user Prewikka runs as (www-data for the Apache CGI setup of step 6), so that the web interface can read it and nobody else can.
PostgreSQL instead of MySQL
The reason we use PostgreSQL and not MySQL is that the Prelude database schema uses outdated MySQL syntax: it contains 'TYPE = InnoDB', which newer MySQL versions (5.5 and later) no longer accept; they require 'ENGINE = InnoDB'. This can indeed be corrected in the file:
# nano /usr/share/libpreludedb/classic/mysql.sql
MySQL then accepts the schema, but prelude-manager still fails to start because of an error in libpreludedb.
It is therefore advisable to use a PostgreSQL database for Prelude.
Prewikka
We use Prewikka so that the data the Prelude manager collects from all its sensors is displayed clearly in a graphical web interface. It shows all the information that is also stored in the manager's database. In our case only the Prelude manager and the prelude-lml sensor are registered; the sensor currently reads the system's auth.log file.
Useful websites
- Prelude website: https://www.prelude-ids.org/
- Prelude Manager Guide: https://www.prelude-ids.org/wiki/1/PreludeManager
- Prewikka Guide: http://security.ncsa.illinois.edu/research/mithril/PrewikkaInstall.html
- PostgreSQL Guide: https://help.ubuntu.com/community/PostgreSQL
- Video Install Tutorial: http://www.youtube.com/watch?v=oV4JCqi0FJw