PSAD config Fix
Jsitech committed Apr 7, 2018
1 parent 55e53c9 commit 825e45d
Showing 2 changed files with 26 additions and 6 deletions.
4 changes: 2 additions & 2 deletions UbuntuServer_16.04LTS/jshielder.sh
@@ -819,8 +819,8 @@ echo -n " Do you want to install PSAD (Recommended)? (y/n): " ; read psad_answer
if [ "$psad_answer" == "y" ]; then
echo -n " Type an Email Address to Receive PSAD Alerts: " ; read inbox1
apt-get install psad
sed s/INBOX/$inbox1/g templates/psad.conf
sed s/hostname/$host_name.$domain_name/g templates/psad.conf > /etc/psad/psad.conf
sed -i 's/INBOX/$inbox1/g' templates/psad.conf
sed -i 's/CHANGEME/$host_name.$domain_name/g' templates/psad.conf > /etc/psad/psad.conf
psad --sig-update
service psad restart
echo "Installation and Configuration Complete"
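Review bot: the two added sed lines are single-quoted, so `$inbox1` and `$host_name.$domain_name` are never expanded by the shell and the template ends up containing the literal strings `$inbox1` and `$host_name.$domain_name` instead of the address and FQDN. Double quotes fix that, but the same two lines have a second defect: `sed -i` writes its result back into templates/psad.conf and prints nothing, so the redirect `> /etc/psad/psad.conf` on the CHANGEME line creates an empty psad.conf, and the template is consumed on the first run (INBOX and CHANGEME are gone, so a re-run has nothing left to substitute). One non-in-place invocation keeps the template intact and produces the real config:
`sed "s/INBOX/$inbox1/g; s/CHANGEME/$host_name.$domain_name/g" templates/psad.conf > /etc/psad/psad.conf`
The removed pair had the mirror-image bug (the first sed had no `-i` and no redirect, so the INBOX replacement was discarded). Two smaller points on the same hunk: `apt-get install psad` without `-y` stops the script at an interactive prompt, and an address containing `/` or `&` breaks the sed replacement, so either validate `inbox1` or use a different delimiter.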
28 changes: 24 additions & 4 deletions UbuntuServer_16.04LTS/templates/psad.conf
@@ -5,7 +5,12 @@
# Normally this file gets installed at /etc/psad/psad.conf, but can be put
# anywhere in the filesystem and then the path can be specified on the
# command line argument "-c <file>" to psad. All three psad daemons (psad,
# kmsgsd, and psadwatchd) reference this config file.
# kmsgsd, and psadwatchd) reference this config file. Note that kmsgsd is
# generally deprecated since by default psad parses iptables log messages
# directly from the file where syslog writes them. Further, psadwatchd is
# not required if running on a Linux system that already has a process
# monitoring and restarting capability built-in such as provided by the
# upstart daemon.
#
# Each line has the form "<variable name> <value>;". Note the semi-
# colon after the <value>. All characters after the semicolon will be
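Review bot: the added comment lines justify dropping kmsgsd and psadwatchd with "such as provided by the upstart daemon", but this template lives under UbuntuServer_16.04LTS, and Ubuntu 16.04 boots with systemd rather than upstart. The wording appears to be carried over from upstream psad.conf; either adjust it to name the init system this file actually targets, or drop the upstart reference so it does not mislead someone checking whether process restart is really covered.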
@@ -19,7 +24,7 @@
EMAIL_ADDRESSES INBOX;

### Machine hostname
HOSTNAME hostname;
HOSTNAME CHANGEME;

### Specify the home and external networks. Note that by default the
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
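Review bot: replacing the `hostname` token with `CHANGEME` is the right fix: the old `s/hostname/.../g` in jshielder.sh also matched the word in the `### Machine hostname` comment directly above it (and any other occurrence of "hostname" in the file), while `CHANGEME` is unique. The `INBOX` token on the `EMAIL_ADDRESSES` line follows the same all-caps sentinel convention, so the two substitutions can be done in one sed pass from the shell script.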
@@ -89,6 +94,12 @@ CHECK_INTERVAL 5;
### or snort2iptables
SNORT_SID_STR SID;

### For systems with an init daemon like 'upstart' that offer built-in process
### monitoring, it is not necessary to run the psadwatchd daemon. For such
### systems, the following variable can be set to 'N' to disable psadwatched
### altogether.
ENABLE_PSADWATCHD N;

### Set the minimum range of ports that must be scanned before
### psad will send an alert. The default is 1 so that at
### least two port must be scanned (p2-p1 >= 1). This can be set
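Review bot: setting `ENABLE_PSADWATCHD N;` hands the job of restarting a crashed psad to the init system, and the added comment only guarantees that for "an init daemon like 'upstart'". Ubuntu 16.04 uses systemd; if the psad package there is started through a SysV init script under systemd's compatibility layer, nothing restarts psad when it dies, so either keep psadwatchd enabled for this target or confirm a native unit with `Restart=` is in place before shipping `N`. Also fix the typo on the third added comment line: "disable psadwatched" should be "disable psadwatchd".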
@@ -148,14 +159,23 @@ ALERTING_METHODS ALL;
### usually recommended.
ENABLE_SYSLOG_FILE Y;
IPT_WRITE_FWDATA Y;
IPT_SYSLOG_FILE /var/log/syslog;
IPT_SYSLOG_FILE /var/log/messages;

### When enabled, this instructs psad to write the "msg" field
### associated with Snort rule matches to syslog.
ENABLE_SIG_MSG_SYSLOG Y;
SIG_MSG_SYSLOG_THRESHOLD 10;
SIG_SID_SYSLOG_THRESHOLD 10;

### Expect that all logged TCP SYN packets include the options portion of the
### TCP header (requires the --log-tcp-options argument to the iptables LOG
### rule). If a SYN packet is received that does not include TCP options, then
### it may be created by a scanner such as Eratta Security's "masscan"). Note
### that psad still does a check to see if at least one log message is seen
### includes the OPT field before expecting the remaining messages to also
### include this field.
EXPECT_TCP_OPTIONS Y;

### TTL values are decremented depending on the number of hops
### the packet has taken before it hits the firewall. We will
### assume packets will not jump through more than 20 hops on
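Review bot: changing `IPT_SYSLOG_FILE` from `/var/log/syslog` to `/var/log/messages` disables detection on a stock Ubuntu 16.04 host. The default rsyslog rules there write kernel (iptables LOG) messages to `/var/log/syslog` and `/var/log/kern.log`, and `/var/log/messages` is not created at all, so psad will tail a file that does not exist and never raise an alert. Keep `/var/log/syslog` unless the script also installs an rsyslog rule that creates `/var/log/messages`, which this diff does not show. Two points on the `EXPECT_TCP_OPTIONS Y;` addition: its own comment says it requires `--log-tcp-options` on the iptables LOG rules, and the firewall rules are not part of this change, so verify with `iptables -S` that every LOG rule the script installs carries that flag (otherwise legitimate SYNs will be logged without an OPT field and the heuristic is wasted); and "Eratta Security" in the comment should read "Errata Security".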
@@ -595,4 +615,4 @@ dfCmd /bin/df;
fwcheck_psadCmd $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd $INSTALL_ROOT/usr/sbin/psad;
psadCmd $INSTALL_ROOT/usr/sbin/psad;
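Review bot: the removed and added `psadCmd` lines are textually identical, so this hunk is a whitespace or end-of-file newline change only; fine to keep, but worth noting in the commit message so reviewers do not look for a functional difference here.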