cscli collections install crowdsecurity/teleportTeleport collection includes:
Teleport supports multiple storage backends for storing audit events. The dir backend uses the local filesystem of an Auth Service host. When this backend is used, events are written to the filesystem in JSON format. The dir backend rotates the event file approximately once every 24 hours, but never deletes captured events.
Example acquisition:
filenames:
- /var/lib/teleport/log/*.log
labels:
type: teleportThe reason why we have set remediation to false by default is we don't want to lock out legitimate users and want you to fully understand how the collection works before you jump in feet first.
You can enable remediation by setting remediation label within crowdsecurity/impossible-travel.yaml to true within the scenarios folder.
You can enable user remediation by setting remediation label within crowdsecurity/impossible-travel-user.yaml to true within the scenarios folder and you must add a profiles to handle this scope example:
#/etc/crowdsec/profiles.yaml.local
name: username_temp_ban
filters:
- 'Alert.Remediation == true && Alert.GetScope() == "username"'
decisions:
- type: tempban
scope: "username"
duration: 12h
on_success: break