Difference between revisions of "ASL installation"

From Atomicorp Wiki
Jump to: navigation, search
m (Before You Start)
m (Step 2: Run the Automated ASL installer)
(54 intermediate revisions by 4 users not shown)
Line 1: Line 1:
== '''Before You Start''' ==
+
= Introduction =
  
ASL is designed to integrate with the operating system as shipped by the vendor (CentOS, RedHat, Scientific Linux, Oracle Linux, CloudLinux, Amazon EC2, etc.). Customized environments that deviate from the vendor designed standards, and packaging can use ASL Lite, or consult with our services group for a custom solution.
+
ASL is designed to integrate with your existing operating system. Customized environments that deviate from OS vendor designed standards, and packaging should consult with our services group for a custom solution.
  
Dedicated systems will be using the ASL hardened kernel. For older distributions this can involve changes in the names of kernel modules involved with SATA, SCSI, and Network card modules.
+
== Before You Start ==
  
== '''Running the Automated installer''' ==
+
'''Please note: If you purchased a Rules Only subscription, please go to, and follow the instructions here: https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Optional_Manual_Installation '''.  These are instructions to install [[ASL]].
  
Installing ASL is as simple as running one command.  The rest is taken care of for you.  No need to mess around with configuration files, installing rpms or setting up repos.  Just run the installer as root and let us do the work for you.
+
If you purchased Atomic Secured Linux, then continue to the steps below.
  
wget -q -O - https://www.atomicorp.com/installers/asl |sh
+
== Prerequisites ==
  
If you prefer to use a standard HTTP connection run this command:
+
Please ensure that your system meets all prerequisites before installing ASL.  The [[ASL prerequisites]] page includeds important information outlining the systems requirements for ASL to install and function correctly, as well as recommendations for it to perform optimally.
  
wget -q -O - http://www.atomicorp.com/installers/asl |sh
+
= Installation and Downloads =
  
'''If you are using cpanel''', please use this command instead:
+
== Command Line installation==
  
wget -q -O - http://www.atomicorp.com/installers/cpanel/installer |sh
+
=== Step 1: Read the Notes ===
  
And thats it!  Follow the instructions in the installer being sure to answer the configuration questions appropriately for your system.  Once the installation is complete you will need to reboot your system to boot into the new hardened kernel that comes with ASL.  You do not have to use this kernel to enjoy the other features of ASL, but we recommend you use the hardened kernel as it includes many additional security features that are not found in non-ASL system.
+
Confirm that your system meets the ASL requirements, which are documented on the [[ASL prerequisites]] page.
  
== Changing your ASL password ==
+
Note:  ASL will harden your system, so when building a new system or installing other software, we recommend you install ASL last so that it can harden your system with all software installed.
  
You can change your ASL password via the License Manager at this URL:
+
=== Step 2: Run the Automated ASL installer ===
  
https://www.atomicorp.com/amember/member.php
+
'''Pre Step 1)'''
  
== Post-Installation Quickstart/Configuration ==
+
If the system does not have mysql or mariadb installed, run these commands as root:
  
Log into the GUI:
+
RHEL/Centos 6:
  
https://YOUR_SERVERS_IP:30000
+
''yum install mysql-server''
  
You can view alerts, block attackers, configure ASL and use its many features from the GUI.
+
''service mysqld start''
  
If you're a command line person you can also run or re-run many of ASL's features from the command line.  Here are a few highlights:
+
''systemctl enable mysqld''
  
1) Configure/Re-Configure ASL
 
  
  asl -c
+
RHEL/Centos 7:
  
2) Scan the system for vulnerabilities, malware and other security issues.
+
''yum install mariadb-server''
  
  asl -s
+
''service mariadb start''
  
3) Scan the system for vulnerabilities, malware and other security issues and have ASL fix the system.
+
''systemctl enable mariadb''
  
  asl -s -f
+
'''Step A)'''
  
4) Configure the ASL GUI
+
Become root on your system.  To become root run this command:
  
/var/asl/bin/asl-web-setup
+
''su -''
  
5) Check to make sure you haven't locked yourself out of your system
+
then enter your root password.
  
Before you reboot your system and if you told ASL to lock down SSH, make sure you can log into your system.  Don't close out your current session, log in with a new session.  This way you can confirm that you haven't installed bad ssh keys, or otherwise configured your server so you can't log in.
+
'''Step B)'''
  
6) Finally, we highly recommend you click on the "Support" tab in the ASL GUI, or go to this URL to setup your support account:
+
Cut and paste the command below, and run this command as root:
  
https://www.atomicorp.com/portal
+
''wget -q -O - https://updates.atomicorp.com/installers/asl |sh''
  
The support system uses the same username and password used to install ASL (your ASL username and password)Please make sure you can log into the support portal to make use of the support portals features such as case management, bug tracking and the knowledge base.
+
Follow the instructions in the installer being sure to answer the configuration questions appropriately for your system.   
  
== '''Testing the Kernel''' ==
+
'''Note:  You must have a version of wget installed that supports HTTPS to install ASL, as described on the ASL prerequisites page.'''  
  
 +
If you do not get any output from the installation command it is likely wget on your system was replaced with a crippled version that does not support SSL.  Please see this article to test if your wget supports SSL if you are unsure:
  
'''Grub Users'''
+
https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#wget
  
1) Once the Atomic kernel is installed, determine which position the ''Atomic kernel'' has been installed.  
+
See the [[unattended installs]] article for advanced instructions for unattended installations.
  
Example:  
+
=== Step 3: (Optional) If you have installed the ASL kernel ===
  [root@ac3 ~]# cat /etc/grub.conf
+
  
# grub.conf generated by anaconda
+
Once the installation is complete, if you want to use the secure ASL kernel you will need to reboot your system to boot into the new hardened kernel that comes with ASL'''You do not have to use this kernel to enjoy the other features of ASL''', but we recommend you use the hardened kernel as it includes many additional security features that are not found in non-ASL kernels.
  #
+
# Note that you do not have to rerun grub after making changes to this file
+
# NOTICE:  You have a /boot partition.  This means that
+
#          all kernel and initrd paths are relative to /boot/, eg.
+
#          root (hd0,0)
+
#          kernel /vmlinuz-version ro root=/dev/hda3
+
#          initrd /initrd-version.img
+
#boot=/dev/hda
+
default=1
+
timeout=5
+
serial --unit=0 --speed=57600
+
terminal --timeout=5 serial console
+
title CentOS (2.6.17-1.art)
+
        root (hd0,0)
+
        kernel /vmlinuz-2.6.17-1.art ro root=LABEL=/ console=ttyS0,57600n8 selinux=0
+
        initrd /initrd-2.6.17-1.art.img
+
title CentOS (2.6.9-34.0.2.ELsmp)
+
        root (hd0,0)
+
        kernel /vmlinuz-2.6.9-34.0.2.ELsmp ro root=LABEL=/ console=ttyS0,57600n8
+
        initrd /initrd-2.6.9-34.0.2.ELsmp.img
+
  
Note the line: default=1, this indicates the kernel the system will boot by default, starting at position 0. Position 0 is "title CentOS (2.6.17-1.art)", and position 1 is "title CentOS (2.6.9-34.0.2.ELsmp)" in this example, indicating the system is configured to boot into the default CentOS kernel.
+
Note: The secure ASL kernel is not required to run ASL, but it will make your system more secure and protect your system from attacks that your regular kernel can not.
  
2) Type: grub
+
==== VPS based systems ====
  
the following will be displayed:
+
If you are using a [[VPS]] based virtualization technology, like openvz or Virtuzzo, you can not install any kernel in a VPSVPS' do not have a kernel, they share the host systems kernelTherefore, you will not be able to install any kernel in a VPS, including the ASL secure kernel, and do not need to reboot.
GNU GRUB  version 0.97  (640K lower / 3072K upper memory)
+
[ Minimal BASH-like line editing is supportedFor the first word, TAB
+
  lists possible command completionsAnywhere else TAB lists the possible
+
  completions of a device/filename.]
+
grub>
+
  
3) At the grub prompt set the default kernel to 0, and to only boot once with the following:
+
==== Cloud Linux ====
  
grub> savedefault --default=0 --once
+
'''Cloudlinux requires that you use their default kernel with their product.'''  Therefore, you should not use the secure ASL kernel with Cloud Linux.  Please see the link below to ensure you have your system configured to use the appropriate Cloud Linux kernel with their product.
  
4) type: quit
+
https://www.atomicorp.com/wiki/index.php/Kernel#Setting_which_kernel_to_boot
  
5) reboot the system. If for some reason the kernel does not work with the Atomic kernel, or is otherwise non-responsive, powercycling the system will restore the system to the default kernel.
+
Note:  When using the Cloud Linux kernel ASL will report security vulnerabilities in the Cloud Linux kernel.  These security vulnerabilities are real.  The Cloud Linux kernel does not include the necessary security enhancements to protect you from these vulnerabilities.  Please direct any questions regarding Cloud Linux vulnerabilities to Cloud Linux support.
  
'''Lilo Users'''
+
=== Before you reboot ===
  
1) The art kernel should be listed in /boot - for example:
+
==== Check to make sure you can log in ====
  
        /boot/vmlinuz-2.6.19-7.art
+
Check to make sure you haven't locked yourself out of your system. If you told ASL to lock down SSH, make sure you can log into your system. Don't close out your current session, '''log in with a new session'''.  This way you can confirm that you haven't installed bad ssh keys, or otherwise configured your server so you can't log in.
  
2) Create a symbolic link to this:
+
If you are rebooting into the secure ASL kernel, make sure you have an alternative means to log into your system should your system encounter an issue rebooting.  For example, a diverse means such as serial port access, or a KVM system, and not SSH or other direct network based remote access.  If a Linux system fails to reboot, network based protocols like SSH will not work.
  
        ln -s  /boot/vmlinuz-2.6.19-7.art  /boot/vmlinuz-art
+
==== Cloud Linux ====
  
3) edit /etc/lilo.conf to add a section for the art kernel. Eg:
+
'''Cloudlinux requires that you use their default kernel with their product.'''  Therefore, you should not use the secure ASL kernel with Cloud Linux.  Please see the link below to ensure you have your system configured to use the appropriate Cloud Linux kernel with their product.
  
        image=/boot/vmlinuz-art
+
https://www.atomicorp.com/wiki/index.php/Kernel#Setting_which_kernel_to_boot
        label=lxart
+
        append="console=tty0 console=ttyS0,57600 panic=30"
+
  
4) Type: lilo to make the change permanent. Then to test that you can boot into the new kernel do
+
Note: When using the Cloud Linux kernel ASL will report security vulnerabilities in the Cloud Linux kernel. These security vulnerabilities are real.  The Cloud Linux kernel does not include the necessary security enhancements to protect you from these vulnerabilities.  Please direct any questions regarding Cloud Linux vulnerabilities to Cloud Linux support.
      lilo -v -v
+
      lilo -R lxart
+
      shutdown -r now
+
  
5) When it's rebooted, doing a uname -r should show the new art kernel. Now you can make it permanent. Edit /etc/lilo.conf so that it has the line:
+
== Control panel installation==
      default=lxart
+
  
6) type lilo. Then reboot.
+
=== Plesk ===
  
 +
=== Step 1:  Read the Notes ===
  
== '''manual installation''' (Not Recommended or Supported) ==
+
Confirm that your system meets the ASL requirements, which are documented on the [[ASL prerequisites]] page.
  
'''This method of installation is not supported.''' If the automated installer is not working for your system please notify our support team and we will be happy to fix the issue for you.
+
Note: ASL will harden your system, so when building a new system or installing other software, we recommend you install ASL last so that it can harden your system with all software installed.
  
1) vim /etc/yum.repos.d/asl.repo
+
=== Step 2: Install ASL from Plesk ===
  
2) add the following:
+
To install Atomic Secured Linux using the Plesk extension:
  
  [asl-2.0]
+
Step 1: In the Extensions Catalog, select the 'Security' category and click on 'Atomic Secured Linux'
name=ASL 2.0
+
baseurl=http://USERNAME:PASSWORD@atomicorp.com/channels/asl-2.0/DISTRO/$releasever/$basearch
+
  
3) replace DISTRO with fedora, centos, redhat, and USERNAME/PASSWORD with your username and password from the signup page
+
Step 2:  Click the 'Install' button to install the extension
  
4) yum install asl
+
Step 3:  After the extension is installed, click the 'Go To Extension' link
  
5) asl -c
+
Step 4:  Click the 'Install' button to install Atomic Secured Linux
  
== Special Installation: Ensim ==
+
== Step 4: Post-Installation Quickstart/Configuration ==
  
If you get the following error message:
+
=== Log into the GUI ===
  
Error: Missing Dependency: libclamav.so.2 is needed by package perl-Mail-ClamAV
+
https://YOUR_SERVERS_IP:30000
  
Grab the latest update of perl-Mail-ClamAV from Dag's RPMforge archive:
+
You can view alerts, block attackers, configure ASL and use its many features from the GUI.
  
  http://dag.wieers.com/rpm/packages/perl-Mail-ClamAV/
+
The username and password are the same credentials you created when you purchased your license. You can change the ASL control panel credentials by following the process [https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_can_I_reset_my_ASL_GUI_password.28s.29.3F here], and you can add additional users by following [https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_can_I_create_new_accounts_in_the_ASL_GUI_.3F this process].
  
Upgrade with rpm -Uvh perl-Mail-ClamAV-0.21-*rpm --nodeps
+
=== Log into the support portal ===
  
Re-run the ASL installer.
+
Finally, we highly recommend you click on the "Support" tab in the ASL GUI, or go to this URL to log into your support account:
  
== ASL addon - Atomic Scanner ==
+
https://www.atomicorp.com/support/support-portal.html
  
To install the ASL antispam scanner, just run this command as root:
+
The support system uses the same username and password used to install ASL (your ASL username and password).  Please make sure you can log into the support portal to make use of the support portals features such as case management, bug tracking and the knowledge base.
  
yum --enablerepo=asl-2.0-testing install atomic-scanner
+
=== ASL FAQ ===
  
== Atomic Addon - Yum GUI ==
+
And also, please read thru the [[ASL FAQ]].  It covers just about everything anyone has every asked us about, regarding ASL.  Seriously, its got answers to nearly anything you might want to know about [[ASL]], and we really have documented the answer to nearly every question anyone has every asked us about ASL.
  
This is an unsupported tool released to the ASL community.  It is not part of ASL.  If you run into bugs with it, please report them, however the tool is not supported as part of an ASL subscription.
+
== Command Line ==
  
To install, just run this command as root:
+
If you're a command line person you can also run or re-run many of ASL's features from the command line.  Here are a few highlights:
  
yum --enablerepo=asl-2.0-testing install atomic-yum
+
1) Configure/Re-Configure ASL
  
== ASL Troubleshooting ==
+
  asl -c
  
Please see the [[ASL Troubleshooting]] article.
+
2) Scan the system for vulnerabilities, malware and other security issues.
  
We also recommend you read the [[ASL FAQ]].
+
  asl -s
  
=== SELinux ===
+
3) Scan the system for vulnerabilities, malware and other security issues and have ASL fix the system.
  
SELinux policies have been known to interfere with RPM updates. This is because SELinux policies are not always adjusted for modern platforms.  This can manifest itself in mysterious failures in %pre and %post macros (confirmed on RHEL4).
+
  asl -s -f
  
ASL includes an advanced RBAC system that is more powerful and easier to use than SELinux and we recommend you use that instead of SELinux.  However, if you wish to use SELinux ASL will work fine with SELinux, however you may need to adjust your SELinux policies for your systems specific needs.
+
You can also find out about all the command line options in asl by running this command:
  
If you encounter any issues with rpm installations on your system, and you are not qualified to adjust your SELinux policies that came with your operating system, we recommend you disable SELinux and use the built in RBAC in ASL.
+
  asl -h
  
To disable SELinux set:
+
= Upgrading ASL =
  
selinux=0
+
Please see the [[Upgrading ASL]] page for details.
  
in the kernel boot parameters for your system.
+
= Troubleshooting =
  
setenable 0 and disabling SELinux with sysctl are not effective.  To disable selinux you must boot with selinux=0 set for your system.
+
Please see the [[ASL Troubleshooting]] article.
  
 +
We also recommend you read the [[ASL FAQ]].
  
=== Known Kernel Module Name Changes ===
 
 
1and1 network card module name changes
 
 
Vmware SCSI emulation name changes
 
  
 +
= Important Notes =
  
'''1and1 Checklist for /etc/modules.conf or /etc/modprobe.conf'''
+
== Kernel ==
  
Step 1) Enumerate hardware with /sbin/lspci
+
See the [[Kernel]] page for additional information on the ASL kernel.
  
Step 2) Check network cards,
+
== Cpanel ==
  
Ethernet controller: VIA Technologies, Inc. VT6102 [Rhine-II] was
+
Do not enable modsecurity in cpanel, and do not use cpanel to upgrade or install modsecurityCPanel does not use the latest version of modsecurity, and ASL is only tested and supported with the latest version supplied by ASL.  ASL will automatically upgrade modsecurity if necessary.
  alias eth0 8139too
+
change to
+
  alias eth0 via-rhine
+
  
Step 3) Check SATA modules
+
Enabling modsecurity in cpanel will replace modsecurity with an older, and incompatible version and is not supported.  This will likely also break your modsecurity configuration, as CPanel does not include all of the patches and enhancements in modsecurity that ASL comes with.
  <PENDING>
+

Revision as of 19:22, 27 April 2020

Contents

Introduction

ASL is designed to integrate with your existing operating system. Customized environments that deviate from OS vendor designed standards, and packaging should consult with our services group for a custom solution.

Before You Start

Please note: If you purchased a Rules Only subscription, please go to, and follow the instructions here: https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Optional_Manual_Installation . These are instructions to install ASL.

If you purchased Atomic Secured Linux, then continue to the steps below.

Prerequisites

Please ensure that your system meets all prerequisites before installing ASL. The ASL prerequisites page includeds important information outlining the systems requirements for ASL to install and function correctly, as well as recommendations for it to perform optimally.

Installation and Downloads

Command Line installation

Step 1: Read the Notes

Confirm that your system meets the ASL requirements, which are documented on the ASL prerequisites page.

Note: ASL will harden your system, so when building a new system or installing other software, we recommend you install ASL last so that it can harden your system with all software installed.

Step 2: Run the Automated ASL installer

Pre Step 1)

If the system does not have mysql or mariadb installed, run these commands as root:

RHEL/Centos 6:

yum install mysql-server

service mysqld start

systemctl enable mysqld


RHEL/Centos 7:

yum install mariadb-server

service mariadb start

systemctl enable mariadb

Step A)

Become root on your system. To become root run this command:

su -

then enter your root password.

Step B)

Cut and paste the command below, and run this command as root:

wget -q -O - https://updates.atomicorp.com/installers/asl |sh

Follow the instructions in the installer being sure to answer the configuration questions appropriately for your system.

Note: You must have a version of wget installed that supports HTTPS to install ASL, as described on the ASL prerequisites page.

If you do not get any output from the installation command it is likely wget on your system was replaced with a crippled version that does not support SSL. Please see this article to test if your wget supports SSL if you are unsure:

https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#wget

See the unattended installs article for advanced instructions for unattended installations.

Step 3: (Optional) If you have installed the ASL kernel

Once the installation is complete, if you want to use the secure ASL kernel you will need to reboot your system to boot into the new hardened kernel that comes with ASL. You do not have to use this kernel to enjoy the other features of ASL, but we recommend you use the hardened kernel as it includes many additional security features that are not found in non-ASL kernels.

Note: The secure ASL kernel is not required to run ASL, but it will make your system more secure and protect your system from attacks that your regular kernel can not.

VPS based systems

If you are using a VPS based virtualization technology, like openvz or Virtuzzo, you can not install any kernel in a VPS. VPS' do not have a kernel, they share the host systems kernel. Therefore, you will not be able to install any kernel in a VPS, including the ASL secure kernel, and do not need to reboot.

Cloud Linux

Cloudlinux requires that you use their default kernel with their product. Therefore, you should not use the secure ASL kernel with Cloud Linux. Please see the link below to ensure you have your system configured to use the appropriate Cloud Linux kernel with their product.

https://www.atomicorp.com/wiki/index.php/Kernel#Setting_which_kernel_to_boot

Note: When using the Cloud Linux kernel ASL will report security vulnerabilities in the Cloud Linux kernel. These security vulnerabilities are real. The Cloud Linux kernel does not include the necessary security enhancements to protect you from these vulnerabilities. Please direct any questions regarding Cloud Linux vulnerabilities to Cloud Linux support.

Before you reboot

Check to make sure you can log in

Check to make sure you haven't locked yourself out of your system. If you told ASL to lock down SSH, make sure you can log into your system. Don't close out your current session, log in with a new session. This way you can confirm that you haven't installed bad ssh keys, or otherwise configured your server so you can't log in.

If you are rebooting into the secure ASL kernel, make sure you have an alternative means to log into your system should your system encounter an issue rebooting. For example, a diverse means such as serial port access, or a KVM system, and not SSH or other direct network based remote access. If a Linux system fails to reboot, network based protocols like SSH will not work.

Cloud Linux

Cloudlinux requires that you use their default kernel with their product. Therefore, you should not use the secure ASL kernel with Cloud Linux. Please see the link below to ensure you have your system configured to use the appropriate Cloud Linux kernel with their product.

https://www.atomicorp.com/wiki/index.php/Kernel#Setting_which_kernel_to_boot

Note: When using the Cloud Linux kernel ASL will report security vulnerabilities in the Cloud Linux kernel. These security vulnerabilities are real. The Cloud Linux kernel does not include the necessary security enhancements to protect you from these vulnerabilities. Please direct any questions regarding Cloud Linux vulnerabilities to Cloud Linux support.

Control panel installation

Plesk

Step 1: Read the Notes

Confirm that your system meets the ASL requirements, which are documented on the ASL prerequisites page.

Note: ASL will harden your system, so when building a new system or installing other software, we recommend you install ASL last so that it can harden your system with all software installed.

Step 2: Install ASL from Plesk

To install Atomic Secured Linux using the Plesk extension:

Step 1: In the Extensions Catalog, select the 'Security' category and click on 'Atomic Secured Linux'

Step 2: Click the 'Install' button to install the extension

Step 3: After the extension is installed, click the 'Go To Extension' link

Step 4: Click the 'Install' button to install Atomic Secured Linux

Step 4: Post-Installation Quickstart/Configuration

Log into the GUI

https://YOUR_SERVERS_IP:30000

You can view alerts, block attackers, configure ASL and use its many features from the GUI.

The username and password are the same credentials you created when you purchased your license. You can change the ASL control panel credentials by following the process here, and you can add additional users by following this process.

Log into the support portal

Finally, we highly recommend you click on the "Support" tab in the ASL GUI, or go to this URL to log into your support account:

https://www.atomicorp.com/support/support-portal.html

The support system uses the same username and password used to install ASL (your ASL username and password). Please make sure you can log into the support portal to make use of the support portals features such as case management, bug tracking and the knowledge base.

ASL FAQ

And also, please read thru the ASL FAQ. It covers just about everything anyone has every asked us about, regarding ASL. Seriously, its got answers to nearly anything you might want to know about ASL, and we really have documented the answer to nearly every question anyone has every asked us about ASL.

Command Line

If you're a command line person you can also run or re-run many of ASL's features from the command line. Here are a few highlights:

1) Configure/Re-Configure ASL

 asl -c

2) Scan the system for vulnerabilities, malware and other security issues.

 asl -s

3) Scan the system for vulnerabilities, malware and other security issues and have ASL fix the system.

 asl -s -f

You can also find out about all the command line options in asl by running this command:

 asl -h

Upgrading ASL

Please see the Upgrading ASL page for details.

Troubleshooting

Please see the ASL Troubleshooting article.

We also recommend you read the ASL FAQ.


Important Notes

Kernel

See the Kernel page for additional information on the ASL kernel.

Cpanel

Do not enable modsecurity in cpanel, and do not use cpanel to upgrade or install modsecurity. CPanel does not use the latest version of modsecurity, and ASL is only tested and supported with the latest version supplied by ASL. ASL will automatically upgrade modsecurity if necessary.

Enabling modsecurity in cpanel will replace modsecurity with an older, and incompatible version and is not supported. This will likely also break your modsecurity configuration, as CPanel does not include all of the patches and enhancements in modsecurity that ASL comes with.

Personal tools