Difference between revisions of "ASL Configuration"
(→RESOURCE_LOGGING: correction, disabled by default)
m (→RESTART_APACHE)
(114 intermediate revisions by 5 users not shown)
Line 2: | Line 2: | ||
ASL is configured to a secure set of defaults upon installation. Most users do not need to change these settings. | ASL is configured to a secure set of defaults upon installation. Most users do not need to change these settings. | ||
+ | |||
+ | Note: Manual modification of the /etc/asl/config file is not supported. Please change these settings through the ASL web console. | ||
= Installation = | = Installation = | ||
Line 8: | Line 10: | ||
== Post Installation Configuration == | == Post Installation Configuration == | ||
+ | |||
+ | === GUI === | ||
You can access the ASL configuration settings by following this process: | You can access the ASL configuration settings by following this process: | ||
Line 18: | Line 22: | ||
This will pull up all the ASL Configuration options, which are broken into classes and are documented below or links are provided to the specific documentation pages for those options. | This will pull up all the ASL Configuration options, which are broken into classes and are documented below or links are provided to the specific documentation pages for those options. | ||
+ | |||
+ | === Command Line === | ||
+ | |||
+ | You can also change these settings from the command line. These settings are stored in this file: | ||
+ | |||
+ | /etc/asl/config | ||
+ | |||
+ | After changing these settings, run this command as root to set the new security policy: | ||
+ | |||
+ | asl -s -f | ||
=== Authentication Information === | === Authentication Information === | ||
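Review bot: the new "Command Line" subsection tells readers to edit /etc/asl/config directly and then run `asl -s -f`, which contradicts the note added in the previous hunk that "Manual modification of the /etc/asl/config file is not supported." Either drop that note or qualify it (for example, "Manual edits take effect only after running `asl -s -f` as root"), and say briefly what the `-s` and `-f` flags do so readers know why both are required.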
Line 33: | Line 47: | ||
This is the password ASL will use to download updates. This should be the same password you use to log into the License Manager. | This is the password ASL will use to download updates. This should be the same password you use to log into the License Manager. | ||
− | === | + | === Data Retention Policies === |
− | + | Data retention policies control the automated clean up of file and database storage used by ASL, ossec, and mod_security. | |
− | + | ==== RETENTION_USE_CONSOLIDATED ==== | |
+ | Selecting yes for this setting will apply the retention period specified by RETENTION_CONSOLIDATED to events and archive tables in the database, file backups generated by ASL, mod_security alert files, diff files created by ossec, and malware scan reports. | ||
− | + | ==== RETENTION_CONSOLIDATED ==== | |
+ | A value and unit of measure indicating how long data should be retained. | ||
− | + | ex: "3 months" | |
+ | ex: "1 years" | ||
+ | ex: "24 days" | ||
− | + | ==== DB_USE_ARCHIVE ==== | |
+ | If set to no, no monthly archive tables of event data will be created by ASL. If set to yes, the tables will be created and kept based on retention settings. | ||
+ | ==== DB_ARCHIVE_PERIOD ==== | ||
+ | A value and unit of measure indicating how long tables should be retained. | ||
− | + | ex: "3 months" | |
+ | ex: "1 years" | ||
+ | ex: "24 days" | ||
− | ASL will | + | ==== RETENTION_MAX_RBC_COUNT ==== |
+ | This setting indicates the maximum number of file backups created by ASL that will be kept at any given time, without regard to time based retention settings. | ||
− | === | + | ==== HIDS_CLEAN_DIFF ==== |
+ | If consolidated settings are not being used, this value will determine the number of days that ossec's diff files will be kept. The default value is 60. | ||
− | ==== | + | ==== HIDS_ARCHIVE_ALL ==== |
+ | By default ASL only retains alert logs, enabling this will archive all logs. Please note this can use considerable disk space. | ||
− | + | ==== MODSEC_CLEAN_ALERT ==== | |
+ | If consolidated settings are not being used, this value will determine the number of days to retain mod_security alert files. The default value is 14. | ||
+ | |||
+ | ==== PURGE_LOGS ==== | ||
+ | If consolidated settings are being used, they will not override this setting. | ||
+ | |||
+ | This setting determines the number of days that ossec's alert files will be kept. A value of "no" or "-1" will retain the files indefinitely. The default value is -1. | ||
=== General Settings === | === General Settings === | ||
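Review bot: defaults are missing for RETENTION_USE_CONSOLIDATED, RETENTION_CONSOLIDATED, DB_USE_ARCHIVE, DB_ARCHIVE_PERIOD and RETENTION_MAX_RBC_COUNT, while HIDS_CLEAN_DIFF (60), MODSEC_CLEAN_ALERT (14) and PURGE_LOGS (-1) state theirs; an operator sizing disk or planning how long alert evidence is kept needs all of them. The duration examples should also say whether the unit is case- and plural-insensitive ("1 years" vs "1 year" vs "24 days"), and the PURGE_LOGS sentence "If consolidated settings are being used, they will not override this setting" would read less ambiguously as "PURGE_LOGS is not affected by RETENTION_USE_CONSOLIDATED".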
Line 64: | Line 96: | ||
==== EMAIL ==== | ==== EMAIL ==== | ||
− | + | The customer email address set by the user to send alerts to. This is also set by the user during installation. | |
==== HOSTNAME ==== | ==== HOSTNAME ==== | ||
Line 72: | Line 104: | ||
==== ADMIN_USERS ==== | ==== ADMIN_USERS ==== | ||
− | + | This defines special SSH users. This is not to be confused with users that can log into the ASL web console, or any other "admin" user on the system. | |
+ | |||
+ | '''No users are defined by default.''' | ||
+ | |||
+ | This setting allows you define special administrative users that ASL will check to make sure they can SSH into the system (users other than root). If this is defined, AND the users exist, AND they have valid SSH keys, password auth and root logins will be automatically disabled. This list is not used to restrict what users can ssh into the system, its just a list of special users that should always be allowed to ssh into the system. ASL uses this list to check these accounts to make sure they are working correctly, to ensure that those users can still log into the system when changes are made to the ssh settings via ASL (for example, disabling password authentication, ASL will check this list of users to make sure they have SSH keys installed). This is an important fail safe feature, and you should list all your administrative users (other than root) in this list to help ensure they will be able to log into the system. | ||
+ | |||
+ | Usernames are separated with spaces. Example: | ||
+ | |||
+ | bob joe karen | ||
+ | |||
+ | Note: This setting has nothing to with the AllowUsers setting in sshd. | ||
+ | |||
+ | '''Important: If an admin user is not defined, ASL will not allow SSH settings to be modified'''. | ||
+ | |||
+ | For example, if no admin users are defined, ASL will not allow password authentication to be disabled nor will it allow root logins to be disabled. '''This is a critical safeguard to prevent users from accidentally locking themselves out of the system.''' | ||
+ | |||
+ | If an admin user or users are defined, and if password authentication is disabled, ASL will also check to make sure the admin user or users have ssh keys installed in the correct place, and that their permissions are valid. If the keys are not installed, the permissions are wrong, or they are not installed in the right place, ASL will not allow any SSH configuration changes to take place and will ensure the defaults are used. Again, this is a critical safeguard to prevent users from accidentally locking themselves out of the system. | ||
+ | |||
+ | ASL can not test the keys themselves for validity as an authentication credential, as it only has access to the public key. Therefore it is the users responsibility to ensure the SSH key pair works correctly for the account. | ||
+ | |||
+ | Please see the article [[SSH keys]] for courtesy information about using SSH keys with SSH. | ||
==== SYSTEM_TYPE ==== | ==== SYSTEM_TYPE ==== | ||
− | Defines a basic services policy for the system. | + | Defines a basic services policy for the system, and configures ASL to work with control panels that do not use package management. |
+ | |||
+ | Setting the profile to anything other than "custom" will configure ASL to disable the following services: | ||
+ | |||
+ | *portmap | ||
+ | *nfs | ||
+ | *nfslock | ||
+ | *rpcidmapd | ||
+ | *cups | ||
+ | *gpm | ||
+ | *xfs | ||
+ | *pcscd | ||
+ | *mcstrans | ||
+ | *kdump | ||
+ | *isdn | ||
+ | *hplip | ||
+ | *hidd | ||
+ | *messagebus | ||
+ | *haldaemon | ||
+ | *gpm | ||
+ | *bluetooth | ||
+ | *avahi-daemon | ||
+ | *autofs | ||
+ | *apmd | ||
+ | |||
+ | '''Options''' | ||
+ | |||
+ | webserver: You should use this setting for all system types except for the three below. | ||
+ | |||
+ | cpanel: setting this to cpanel, will configure the system for cpanel | ||
+ | |||
+ | directadmin: setting this to directadmin, will configure the system for directadmin. | ||
+ | |||
+ | custom: If this is set to custom, no services will be automatically disabled and no special configuration changes are made to the system to work with non-package managed control panels. Do not use this setting with platforms like cpanel or directadmin. It will void support on your system. | ||
+ | |||
+ | ===== ALLOW_NFS ===== | ||
+ | |||
+ | This will disable the service checks that would normally disable NFS services when SYSTEM_TYPE is set to "webserver", "cpanel" or "directadmin". | ||
− | + | '''Notes: | |
− | + | #This does not enable or configure NFS services, please consult your vendor for support with configuring NFS. | |
+ | # You will need to reboot your system if you have locked the kernel to prevent kernel modules from loading. | ||
+ | ''' | ||
==== AUTOMATIC_UPDATES ==== | ==== AUTOMATIC_UPDATES ==== | ||
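Review bot: in ADMIN_USERS, "AND they have valid SSH keys" conflicts with the later paragraph stating that ASL cannot test keys for validity and only checks that public keys are installed in the right place with correct permissions; reword the first sentence to "AND they have SSH public keys installed with correct permissions" so readers do not assume a working login is verified before password authentication is disabled. Also in this hunk: gpm appears twice in the SYSTEM_TYPE service list; the ALLOW_NFS "Notes:" block opens ''' on one line and closes it after the numbered list, which MediaWiki bold markup does not span, so the quotes will render literally; and "its just a list" should be "it's just a list".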
Line 98: | Line 189: | ||
'''Exclude-kernel:''' This will upgrade all ASL software, rule and signatures updates but not upgrade the kernel. | '''Exclude-kernel:''' This will upgrade all ASL software, rule and signatures updates but not upgrade the kernel. | ||
− | '''rules-only:''' This will exclude all software updates, | + | '''rules-only:''' This will exclude all software updates, including updates to ASL. This will prevent ASL from updating any rpm package updates and kernel updates and will only install rule and signature updates. |
− | ''Some rule and signature updates may not work without ASL updates, so if you set this to "rules only" be sure to regularly check your system for any software updates for ASL to be fully protected.'' | + | '''Important Notice: Some rule and signature updates may not work without ASL updates, so if you set this to "rules only" be sure to regularly check your system for any software updates for ASL to be fully protected and to ensure compatibility.''' |
==== RESTART_APACHE ==== | ==== RESTART_APACHE ==== | ||
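Review bot: "This will prevent ASL from updating any rpm package updates and kernel updates" doubles "updating ... updates"; "This will prevent ASL from installing any rpm package or kernel updates" says the same thing. The "Important Notice" bolding is consistent with the other warnings on the page, but the quoted value "rules only" should match the setting value "rules-only" given in bold on the line above.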
Line 112: | Line 203: | ||
No: Do not restart apache. | No: Do not restart apache. | ||
− | Note: If you set this to "No", updates that require apache restarts will not be applied, such as new WAF rules. If you set this to "No" you will need to schedule regular restart intervals to install the latest rules. Only the latest rules are supported with the WAF. | + | '''Note: If you set this to "No", updates that require apache restarts will not be applied, such as new WAF rules. If you set this to "No" you will need to schedule regular restart intervals to install the latest rules. Only the latest rules are supported with the WAF.''' |
+ | |||
+ | ==== Kernel Channel ==== | ||
+ | |||
+ | KERNEL_CHANNEL: Select the kernel channel, valid sources are Disabled, Tortix-kernel and tortix-kernel-xen for xen environments. [Default: tortix-kernel] | ||
+ | |||
+ | ==== Web Application Firewall rule feed source ==== | ||
+ | |||
+ | |||
+ | FEED_TYPE: This setting allows you to toggle between different WAF feeds. Currently this is only used by ASL Lite, and supports the Real-Time and 90-day delayed feeds. [ Default: real-time ] | ||
+ | |||
+ | ==== Compliance Module ==== | ||
+ | |||
+ | COMPLIANCE: This enables a compliance module based on one of 5 standards (CIS, DISA, DHS, NISPOM, PCI). It is not recommended by Atomicorp. It should only be used if you are required by a 3rd party regulator. D. | ||
+ | |||
+ | [Default: off] | ||
+ | |||
+ | ==== Send reputation reports ==== | ||
+ | |||
+ | REPUTATION_REPORT: Allow sending of statistical information on local events and event sources to Atomicorp. | ||
+ | |||
+ | ==== Reputation report frequency ==== | ||
+ | |||
+ | REPUTATION_FREQUENCY: How often reputation reports will be sent. | ||
==== ASL_USER ==== | ==== ASL_USER ==== | ||
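Review bot: the "Web Application Firewall rule feed source" and "Compliance Module" subsections duplicate the separate FEED_TYPE and COMPLIANCE sections in the next hunk and contradict them: here FEED_TYPE "supports the Real-Time and 90-day delayed feeds", there the delayed feed "was retired" and ASL users should not change the setting. Keep one copy (the later, more current one) and delete this block. If it stays, the stray "D." at the end of the COMPLIANCE paragraph should go, the headings should use the setting names (KERNEL_CHANNEL, FEED_TYPE, ...) like the rest of the page, and REPUTATION_REPORT / REPUTATION_FREQUENCY need their defaults and valid values.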
Line 120: | Line 234: | ||
==== FEED_TYPE ==== | ==== FEED_TYPE ==== | ||
− | This setting allows you to toggle between different WAF feeds. | + | This setting allows you to toggle between different WAF feeds. This was only used by ASL Lite, and only supports the Real-Time since the delayed feed was retired. ASL Users should not change this setting. |
==== COMPLIANCE ==== | ==== COMPLIANCE ==== | ||
− | This a | + | This enables a compliance module based on one of 5 third party standards (CIS, DISA, DHS, NISPOM, PCI). |
− | + | '''It should only be used if you are required by a 3rd party regulator. It is not recommended by Atomicorp that you use any of these without assistance from our professional services group.''' | |
− | These compliance standards are | + | These compliance standards are set by third parties, and may break things on your system and need to be adjusted for your specific risk profile. These are not Atomicorp standards, so if you enable them and they cause issues with your system please understand that while we welcome the feedback, we can not change these standards. |
=== Firewall Configuration === | === Firewall Configuration === | ||
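Review bot: "only supports the Real-Time since the delayed feed was retired" is missing a noun; "only supports the Real-Time feed, since the delayed feed was retired" reads correctly. This section is also the second description of FEED_TYPE and COMPLIANCE on the page (the previous hunk adds both under different headings); make this the single copy.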
Line 136: | Line 250: | ||
=== Kernel configuration === | === Kernel configuration === | ||
− | If you are not using the ASL [[Kernel]] these settings in the ASL web console will have no effect. | + | '''If you are not using the ASL [[Kernel]] these settings in the ASL web console will have no effect.''' |
==== ALLOW_kmod_loading ==== | ==== ALLOW_kmod_loading ==== | ||
Line 142: | Line 256: | ||
The default configuration for ASL is to disable Loadable Kernel Modules (LKM) after the system has booted (S99). This is intended to provide additional protection from attempts to load LKM rootkits by "locking" the kernel and preventing any additional changes to the kernel once it has been configured. | The default configuration for ASL is to disable Loadable Kernel Modules (LKM) after the system has booted (S99). This is intended to provide additional protection from attempts to load LKM rootkits by "locking" the kernel and preventing any additional changes to the kernel once it has been configured. | ||
− | Setting this flag to "yes" and rebooting the system will allow kernel modules to be loaded and unloaded dynamically after a reboot. We do not recommend you set this to "yes", as a properly configured server should not require the kernel to dynamically modified. A number of known and in the wild attacks on Linux servers take advantage of kernel module loading being allowed, which can also be triggered by non-root users and | + | Setting this flag to "yes" and rebooting the system will allow kernel modules to be loaded and unloaded dynamically after a reboot. We do not recommend you set this to "yes", as a properly configured server should not require the kernel to be dynamically modified. If you need to load custom modules in your kernel, please see this article which explains how to do this securely, and without needing to open this hole in your system. |
+ | |||
+ | https://www.atomicorp.com/wiki/index.php/Using_ASL#Can.27t_install_kernel_modules. | ||
+ | |||
+ | A number of known and in the wild attacks on Linux servers take advantage of kernel module loading being allowed, which can also be triggered by non-root users and are used to compromise Linux systems. | ||
The secure and recommended setting is "no". Do not allow kernel module loading. | The secure and recommended setting is "no". Do not allow kernel module loading. | ||
+ | |||
+ | Note: In Linux, when you change this option to allow kernel module loading, that is if you unlock the kernel, you must reboot the system. This is a failsafe built into all Linux kernels to ensure that once the kernel is locked, it can not be unlocked by an attacker. | ||
+ | |||
+ | ==== GRKERNSEC_DETER_BRUTEFORCE ==== | ||
+ | |||
+ | If you say Y here, attempts to bruteforce exploits against forking daemons such as apache or sshd, as well as against suid/sgid binaries will be deterred. When a child of a forking daemon is killed by PaX or crashed due to an illegal instruction or other suspicious signal, the parent process will be delayed 30 seconds upon every subsequent fork until the administrator is able to assess the situation and restart the daemon. In the suid/sgid case, the attempt is logged, the user has all their processes terminated, and they are prevented from executing any further processes for 15 minutes. It is recommended that you also enable signal logging in the auditing section so that logs are generated when a process triggers a suspicious signal. | ||
+ | |||
+ | [Default: no] | ||
+ | |||
+ | Note: This option is available in ASL 4.0 and up. | ||
==== ENABLE_TPE ==== | ==== ENABLE_TPE ==== | ||
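Review bot: the URL under ALLOW_kmod_loading ends with a period ("...Can.27t_install_kernel_modules."), which MediaWiki includes in the autolinked target and so breaks the anchor; move the period outside the link or drop it. The GRKERNSEC_DETER_BRUTEFORCE text is pasted from the grsecurity Kconfig help ("If you say Y here", "enable signal logging in the auditing section"); restate it in this page's yes/no terms and point at the SIGNAL_LOGGING setting documented further down rather than a kernel config section. The sentence "This is a failsafe built into all Linux kernels" under the reboot note is also broader than the page supports; "built into the ASL kernel" is what the surrounding text establishes.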
− | Trusted Path Execution | + | Trusted Path Execution [[TPE]] will allow you to choose a gid to add to the supplementary groups of users you want to mark as "untrusted" or "trusted". These users will not be able to execute any files that are not in root-owned directories writable only by root. |
==== TPE_GROUP_POLICY ==== | ==== TPE_GROUP_POLICY ==== | ||
Line 157: | Line 285: | ||
Users in this group will have the TPE policy applied if the system is configured to operate in "untrusted" mode. The root user is automatically trusted. | Users in this group will have the TPE policy applied if the system is configured to operate in "untrusted" mode. The root user is automatically trusted. | ||
+ | |||
+ | Untrusted users can only run applications owned by root. This prevents untrusted users from uploading code to the system, such as malware and spam tools, and will prevent them from running regardless of where they are located on the system. | ||
==== TPE_TRUSTED_USERS ==== | ==== TPE_TRUSTED_USERS ==== | ||
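Review bot: the added sentence "Untrusted users can only run applications owned by root" does not match the ENABLE_TPE description above, which says the check is on root-owned directories writable only by root, not on the owner of the file itself; restate it in the same terms so operators do not conclude that chown-ing a binary to root is either sufficient or necessary.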
Line 190: | Line 320: | ||
==== CHROOT_CAPS ==== | ==== CHROOT_CAPS ==== | ||
− | When enabled, the capabilities on all root processes within a chroot jail will be lowered to stop module insertion, raw i/o, system and net admin tasks, rebooting the system, modifying immutable, files, modifying IPC owned by another, | + | When enabled, the capabilities on all root processes within a chroot jail will be lowered to stop module insertion, raw i/o, system and net admin tasks, rebooting the system, modifying immutable, files, modifying IPC owned by another, changing the system time and elevating capabilities via the SYS_ADMIN capability. |
− | Note: EL6 boots the system into a chroot. Enabling this protection will cause the first tty on the system to "echo" all input that should not be "echoed". For example, the password field will echo from the console on tty1. | + | Note: EL6 boots the system into a chroot. Enabling this protection will cause the first tty on the system to "echo" all input that should not be "echoed". For example, the password field will echo from the console on tty1. This may also cause problems with serial consoles that use the first tty (which is normally the default case). |
− | The solution is to either disable this protection, or to use a different tty. | + | The solution is to either disable this protection, or to use a different tty. |
+ | |||
+ | '''WARNING: Disabling this protection will make it possible for applications to escape chroots.''' | ||
+ | |||
+ | See these posts for a more detailed explanation of the technical and security issues with disabling this protection. | ||
+ | |||
+ | https://forums.grsecurity.net/viewtopic.php?f=7&t=2522 | ||
https://www.atomicorp.com/forums/viewtopic.php?f=3&t=6292&p=36069&hilit=chroot#p36069 | https://www.atomicorp.com/forums/viewtopic.php?f=3&t=6292&p=36069&hilit=chroot#p36069 | ||
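Review bot: "modifying immutable, files" in the CHROOT_CAPS description has a stray comma ("modifying immutable files"). The tty note also offers "disable this protection" as the first remedy and only afterwards warns in bold that disabling it lets applications escape chroots; put the "use a different tty" option first and present disabling as the last resort so the warning is read before the advice.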
Line 290: | Line 426: | ||
==== IP_BLACKHOLE ==== | ==== IP_BLACKHOLE ==== | ||
− | When enabled, | + | When enabled, neither TCP resets nor ICMP destination-unreachable packets will be sent in response to packets sent to ports for which no associated listening process exists. |
+ | |||
+ | Default: y | ||
+ | |||
+ | This feature supports both IPv4 and IPv6 and exempts the loopback interface from blackholing. Enabling this feature makes a host more resilient to DoS attacks and reduces network visibility against scanners. The blackhole feature prevents RST responses to all packets, not just SYNs. | ||
+ | |||
+ | Note: Under most application behavior this causes no problems, but applications (like haproxy) may not close certain connections in a way that cleanly terminates them on the remote end, leaving the remote host in LAST_ACK state. Because of this side-effect and to prevent intentional LAST_ACK DoSes, this feature also adds automatic mitigation against such attacks. The mitigation drastically reduces the amount of time a socket can spend in LAST_ACK state. If you're using haproxy and not all servers it connects to have this option enabled, consider disabling this feature on the haproxy host. | ||
+ | |||
+ | traceroute may also not complete when directed at a system that has this safeguard enabled. This is because traceroute works by sending UDP packets to ports on the system that do not have a service (a high port for example, 12345). The system will then send back an ICMP destination-unreachable packet. If traceroute does not get this packet it will continue to try high ports and eventually conclude, wrongly, that the server is not up. | ||
+ | |||
+ | When this option is enabled, two sysctl options with names ip_blackhole and lastack_retries will be created. While ip_blackhole takes the standard zero/non-zero on/off toggle, lastack_retries uses the same kinds of values as tcp_retries1 and tcp_retries2. The default value of 4 prevents a socket from lasting more than 45 seconds in LAST_ACK state. | ||
==== LASTACK_RETRIES ==== | ==== LASTACK_RETRIES ==== | ||
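Review bot: "Default: y" uses the Kconfig answer rather than the yes/no values the rest of this page uses; write "Default: yes". The last paragraph describes the lastack_retries sysctl and its default of 4, which overlaps with the LASTACK_RETRIES section that immediately follows; keep that detail in one place and cross-reference it. The traceroute caveat would also benefit from stating the observable symptom an operator will see ("* * *" timeouts at the final hop) rather than only "eventually conclude, wrongly, that the server is not up", since that is how the blackhole is usually first noticed.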
Line 316: | Line 462: | ||
==== SIGNAL_LOGGING ==== | ==== SIGNAL_LOGGING ==== | ||
− | When enabled, certain important signals will be logged, such as SIGSEGV, which will as a result inform you of when a error in a program occurred, which in some cases could mean a possible exploit attempt. This is | + | When enabled, certain important signals will be logged, such as SIGSEGV, which will as a result inform you of when a error in a program occurred, which in some cases could mean a possible exploit attempt. This is enabled by default. |
==== SOCKET_ALL ==== | ==== SOCKET_ALL ==== | ||
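Review bot: "a error in a program" should be "an error in a program", and "inform you of when a error ... occurred" reads better as "inform you when an error ... occurred". Since this hunk sets the default to "enabled by default", state it in the "[Default: yes]" form used elsewhere on the page so the defaults can be scanned consistently.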
Line 375: | Line 521: | ||
==== TIMECHANGE_LOGGING ==== | ==== TIMECHANGE_LOGGING ==== | ||
+ | |||
+ | Enable or Disable logging of any major time changes on the system. | ||
=== ClamAV configuration === | === ClamAV configuration === | ||
− | + | See the [[anti virus]] page for configuration settings. | |
− | === | + | === PSMON configuration === |
− | + | ==== PSMON_ENABLED ==== | |
− | + | Allows the Process monitoring daemon to be enabled/disabled. This will monitor services that are configured to start on boot and are managed by the OS via the chkconfig or systemctl systems. If you want ASL to stop monitoring a process, see the [[psmon]] article. | |
− | + | Note: not supported on systems that do not use package managed PERL installations. | |
− | + | ==== PSMON_NOTIFY ==== | |
− | + | Enable/Disable email notification for PSMON. The default is to use the $NOTIFY setting. | |
− | + | ==== PSMON_EMAIL ==== | |
− | + | Email address notifications of restart events will be sent to. The default is to use the value set for EMAIL | |
− | ==== | + | ==== PSMON_FROM ==== |
− | + | From: line used for notifications of restart events. The default is to use psmon@hostname of the system | |
− | === | + | === OSSEC configuration === |
− | + | ==== OSSEC_ENABLED ==== | |
− | + | '''Enable HIDS''' | |
− | + | Enable or Disable OSSEC HIDS | |
− | ==== | + | ==== Notification ==== |
− | + | ===== OSSEC_NOTIFY ===== | |
− | + | '''Email notification''' | |
− | + | Configure OSSEC to send alert notifications over email or not. Default is yes. | |
− | === | + | ===== OSSEC_EMAIL ===== |
− | + | '''Email to''' | |
− | + | Email address to send all OSSEC alert notifications | |
− | + | ===== OSSEC_SMTP_SERVER ===== | |
− | + | '''Mail Server''' | |
− | + | SMTP server to send OSSEC alert notifications. | |
− | ==== | + | ===== OSSEC_FROM ===== |
− | + | From: line used for OSSEC alert notifications | |
− | ==== | + | =====HIDS_EMAIL_ALERT_LEVEL===== |
− | + | '''Email Alert Level''' | |
− | + | This controls the minimum level an alert will need to be in order to activate an email event. Some events will be sent that are lower levels than this, for example 1002 which is the suspicious event alert. You can disable specific over rides in the rule manager. | |
− | + | [Default: 7] | |
− | + | ===== OSSEC_MAX_MSG ===== | |
− | + | '''Max messages per hour''' | |
− | + | Maximum number of email messages OSSEC will send per hour. Multiple alerts will be sent in digest mode (a single email) once per hour if the value is set to 1. | |
+ | To receive emails more frequently, you must increase the value between 1 and 9999. If you use a value outside of this range, the maild service will fail and you will not receive email alerts. | ||
− | ==== | + | ==== Database Settings ==== |
− | + | =====OSSEC_USE_MYSQL===== | |
− | + | '''Database support''' | |
− | Configure OSSEC to store events in mysql | + | OSSEC_USE_MYSQL: Configure OSSEC to store events in mysql |
− | ==== OSSEC_DATABASE_SERVER ==== | + | Default: yes |
+ | |||
+ | ===== OSSEC_DATABASE_SERVER ===== | ||
+ | |||
+ | '''Database Server''' | ||
IP or hostname of OSSEC database server. Note OSSEC only uses tcp sockets. Network access is required | IP or hostname of OSSEC database server. Note OSSEC only uses tcp sockets. Network access is required | ||
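Review bot: PSMON_NOTIFY says "The default is to use the $NOTIFY setting", but no NOTIFY setting is documented anywhere on the page; name the actual setting it inherits from or document NOTIFY. HIDS_EMAIL_ALERT_LEVEL should state its valid range (1-15) as HIDS_LOG_ALERT_LEVEL does in the next hunk, and "over rides" should be "overrides". Heading spacing is inconsistent ("=====HIDS_EMAIL_ALERT_LEVEL=====", "=====OSSEC_USE_MYSQL=====" vs "===== OSSEC_EMAIL ====="), and "OSSEC_USE_MYSQL: Configure OSSEC ..." repeats the heading name in the body unlike the other entries.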
Line 460: | Line 613: | ||
Remote mysql servers are not currently supported (but they may work). | Remote mysql servers are not currently supported (but they may work). | ||
− | ==== OSSEC_DATABASE ==== | + | ===== OSSEC_DATABASE ===== |
+ | |||
+ | '''Database Name''' | ||
Name of OSSEC database | Name of OSSEC database | ||
− | ==== OSSEC_DATABASE_USERNAME ==== | + | ===== OSSEC_DATABASE_USERNAME ===== |
+ | |||
+ | '''Database Username''' | ||
Name of OSSEC database user | Name of OSSEC database user | ||
− | ==== OSSEC_DATABASE_PASSWORD ==== | + | ===== OSSEC_DATABASE_PASSWORD ===== |
+ | |||
+ | '''Database Password''' | ||
Password for OSSEC database user | Password for OSSEC database user | ||
− | ==== | + | ==== General Settings ==== |
− | + | ===== OSSEC_ACTIVE_RESPONSE ===== | |
− | + | '''Active Response''' | |
− | + | Enable/Disable Active response mode. Setting this to yes will enable active firewall blocks when OSSEC detects and attack | |
− | ==== | + | ===== OSSEC_SHUN_ENABLE_TIMEOUT ===== |
− | + | '''Active Response: Enable timeout''' | |
− | + | Enable/Disable expiration of active response firewall blocks. Setting this to yes will expire blocks after a fixed interval defined in OSSEC_SHUN_TIME. Setting this to no will make all blocks permanent (not recommended). | |
− | + | ===== HIDS_IPSET_DROP ===== | |
− | + | This will configure the system to use the ipset instead of iptables. This is newer, faster and less memory intensive method of shunning and is highly recommended on systems that support it. | |
− | + | Note: Virtuzzo and OpenVZ are not known to support ipset. Enabling this option on those platforms may break shunning and other aspects of the firewall. | |
− | ==== | + | ===== OSSEC_SHUN_TIME ===== |
− | + | '''Active Response: Shun Time''' | |
− | + | This configuration setting defines the number of seconds to maintain an active response block. | |
− | + | Default: 600 seconds (10 minutes). | |
− | ==== | + | ===== HIDS_SHUN_MULTIPLIER ===== |
− | + | '''Active Response: Shun Multiplier''' | |
− | + | Enable a block time exponential multiplier for '''repeat''' offenders based on the Shun Time setting. | |
− | + | To disable this functionality, set the value to "0". | |
− | + | This feature will multiple the shun time by the HIDS_SHUN_MULTIPLE value for any successive attacks from the same IP. For the first attack from an IP, the shun period will always be the setting OSSEC_SHUN_TIME. For the second, and successive attacks from an IP the Shun Time for that IP will be multipled by the HIDS_SHUN_MULTIPLER number for ''each successive attack'' from that IP. That value will then be multipled for the next attack and so on. '''This causes repeat attackers to be blocked for longer and longer periods based on this setting.''' | |
− | This controls the minimum level an alert will need to be in order to activate an | + | Note: '''This is exponential, not linear.''' The shun time for an attack is calculated by multiplying the ''previous shun time'' by the multipler. This means the value will not increase linearly to the base Shun Time, but rather the shun time will increase exponentially with each attack. |
+ | |||
+ | For example: | ||
+ | |||
+ | If the shun time is configured to 600 seconds, and HIDS_SHUN_MULTIPLE is set to "3". The shun times would be: | ||
+ | |||
+ | * First attack: 600 seconds | ||
+ | * Second attack: 1800 seconds | ||
+ | * Third attack: 5400 seconds | ||
+ | * Forth and any following attacks: 16200 seconds | ||
+ | |||
+ | The current system does not increase the shun time past the forth attack. | ||
+ | |||
+ | This period is valid for as long as the OSSEC Daemon is running, once OSSEC is restarted, all of this data will be lost/reset and the counter returns to the lowest value (in this example 600 seconds) and the process starts over. | ||
+ | |||
+ | =====HIDS_LOG_ALERT_LEVEL===== | ||
+ | |||
+ | '''Log Alert Level''' | ||
+ | |||
+ | This controls the minimum level (1-15) an alert will need to be in order to activate an log event. This controls what events are both inserted into the database, and logged. Any event below this level will neither be logged, nor inserted into the database. | ||
+ | |||
+ | [Default: 1] | ||
+ | |||
+ | =====HIDS_CLEAN_DIFF===== | ||
+ | |||
+ | '''Number of Days to retain File Diff data''' | ||
+ | |||
+ | HIDS_CLEAN_DIFF: This controls the number of days the File Integrity manager will retain (diff format) changes to files in this directory /var/ossec/queue/diff/. [Default: 60] | ||
+ | |||
+ | Note: Removal of old events occurs nightly. Therefore, if you change this to a lower setting, the older events will be removed within 24 hours of the change. | ||
+ | |||
+ | ==== Internal settings ==== | ||
+ | |||
+ | Note: Do not change these settings unless you know what you are doing. Changing these settings can cause the HIDS to fail to perform correctly. | ||
+ | |||
+ | =====HIDS_analysisd_default_timeframe===== | ||
+ | |||
+ | '''Analysisd: Rule Timeframe''' | ||
+ | |||
+ | Analysisd default rule timeframe in seconds. | ||
+ | |||
+ | Default: 360 | ||
+ | |||
+ | =====Analysisd: Stats maxdiff===== | ||
+ | |||
+ | HIDS_analysisd_stats_maxdiff: Analysisd stats maximum diff. | ||
+ | |||
+ | =====Analysisd: Stats mindiff===== | ||
+ | |||
+ | HIDS_analysisd_stats_mindiff: Analysisd stats minimum diff. | ||
+ | |||
+ | =====Analysisd: Stats percentdiff===== | ||
+ | |||
+ | HIDS_analysisd_stats_percent_diff: Analysisd stats percentage (how much to differ from average) | ||
+ | |||
+ | =====Analysisd: FTS list size===== | ||
+ | |||
+ | HIDS_analysisd_fts_list_size: Analysisd FTS list size. | ||
+ | |||
+ | =====Analysisd: FTS min size===== | ||
+ | |||
+ | HIDS_analysisd_fts_min_size_for_str: Analysisd FTS minimum string size. | ||
+ | |||
+ | =====Analysisd: enable firewall.log===== | ||
+ | |||
+ | HIDS_analysisd_log_fw: Analysisd Enable the firewall log (at logs/firewall/firewall.log) | ||
+ | |||
+ | =====Logcollector: file loop timeout===== | ||
+ | |||
+ | HIDS_logcollector_loop_timeout: Logcollector file loop timeout (check every 2 seconds for file changes) | ||
+ | |||
+ | =====Logcollector: open attempts===== | ||
+ | |||
+ | HIDS_logcollector_open_attempts: Logcollector number of attempts to open a log file. | ||
+ | |||
+ | =====Logcollector: remote commands===== | ||
+ | |||
+ | HIDS_logcollector_remote_commands: Logcollector - If it should accept remote commands from the manager | ||
+ | |||
+ | =====Remoted: receive counter flush===== | ||
+ | |||
+ | HIDS_remoted_recv_counter_flush: Remoted counter io flush. | ||
+ | |||
+ | =====Remoted: compression averages printout===== | ||
+ | |||
+ | HIDS_remoted_comp_average_printout: Remoted compression averages printout. | ||
+ | |||
+ | =====Remoted: verify message id===== | ||
+ | |||
+ | HIDS_remoted_verify_msg_id: Verify msg id (set to 0 to disable it) | ||
+ | |||
+ | =====Maild: strict checking===== | ||
+ | |||
+ | HIDS_maild_strict_checking: Maild strict checking (0=disabled, 1=enabled) | ||
+ | |||
+ | =====Maild: group alerts===== | ||
+ | |||
+ | HIDS_maild_groupping: Maild grouping (0=disabled, 1=enabled) Groups alerts within the same e-mail. And yes we know its spelled wrong. | ||
+ | |||
+ | =====Maild: Full subject===== | ||
+ | |||
+ | HIDS_maild_full_subject: Maild full subject (0=disabled, 1=enabled) | ||
+ | |||
+ | =====Maild: display geoip data===== | ||
+ | |||
+ | HIDS_maild_geoip: Maild display GeoIP data (0=disabled, 1=enabled) | ||
+ | |||
+ | =====Monitord: Wait period before compress/sign===== | ||
+ | |||
+ | HIDS_monitord_day_wait: Monitord day_wait. Amount of seconds to wait before compressing/signing the files. | ||
+ | |||
+ | =====Monitord: Compress files | ||
+ | |||
+ | HIDS_monitord_compress: Monitord compress. (0=do not compress, 1=compress) | ||
+ | |||
+ | =====Monitord: Sign files===== | ||
+ | |||
+ | HIDS_monitord_sign: Monitord sign. (0=do not sign, 1=sign) | ||
+ | |||
+ | =====Monitord: Monitor Agents===== | ||
+ | |||
+ | HIDS_monitord_monitor_agents: Monitord monitor_agents. (0=do not monitor, 1=monitor) | ||
+ | |||
+ | =====Syscheck: Sleep after checksum===== | ||
+ | |||
+ | HIDS_syscheck_sleep: Syscheck checking/usage speed. To avoid large cpu/memory usage, you can specify how much to sleep after generating the checksum of X files. The default is to sleep 2 seconds after reading 15 files. | ||
+ | |||
+ | =====Syscheck: Sleep after checksum 2===== | ||
+ | |||
+ | HIDS_syscheck_sleep_after: Syscheck checking/usage speed. To avoid large cpu/memory usage, you can specify how much to sleep after generating the checksum of X files. The default is to sleep 2 seconds after reading 15 files. | ||
+ | |||
+ | =====DBD: Max database reconnect attempts===== | ||
+ | |||
+ | HIDS_dbd_reconnect_attempts: Database - maximum number of reconnect attempts | ||
+ | |||
+ | |||
+ | ===== OSSEC_MODE ===== | ||
+ | |||
+ | Operating mode for OSSEC, can be configured as either 'server' or 'client'. When in client mode you will need to set up the OSSEC key from the command line. | ||
+ | |||
+ | ===== OSSEC_SERVER ===== | ||
+ | |||
+ | IP address of OSSEC server, when this node is configured to be an OSSEC client. Leave this blank if OSSEC_MODE is set to server. | ||
=== Mod_security configuration === | === Mod_security configuration === | ||
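Review bot: the heading "=====Monitord: Compress files" above HIDS_monitord_compress has no closing "=====", so MediaWiki renders it as body text instead of a heading; add the closing markers. HIDS_syscheck_sleep and HIDS_syscheck_sleep_after carry word-for-word identical descriptions ("how much to sleep after generating the checksum of X files. The default is to sleep 2 seconds after reading 15 files"), which leaves the reader unable to tell which key holds the seconds and which the file count; document each key on its own. Heading style also drifts within the block: the first entry uses the key name (HIDS_analysisd_default_timeframe) while the rest use descriptive titles with the key in the body.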
Line 517: | Line 818: | ||
=== PHP configuration === | === PHP configuration === | ||
+ | |||
+ | These settings do not import existing settings. If you already have configured PHP, or are using another tool to do so, those changes will not be displayed by ASL. This option exists for ASL to manage these functions and settings. | ||
+ | |||
+ | '''Note: If you want ASL to manage these settings do not change them manually in php.ini, and do not use third party tools to manage these settings.''' | ||
+ | |||
+ | '''Important Note: When php functions are disabled, and an application tries to use them, Apache will ONLY log that in the domains error_log file. It will not log this in the global error_log. Therefore, if you have a PHP application that does not work correctly after changing these settings, please check the effected domains error_log file. This is the only place that errors involving disabling functions will be logged or reported. They will not show up in the security events window.''' | ||
==== PHP_CHECKS ==== | ==== PHP_CHECKS ==== | ||
+ | |||
+ | '''Enforce PHP Security policy''' | ||
Enable/Disable PHP check enforcement mode. Default: No. | Enable/Disable PHP check enforcement mode. Default: No. | ||
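Review bot: in the Important Note, "the effected domains error_log file" should read "the affected domain's error_log file", and "php functions" should be "PHP functions". The note also says the same thing three times (logged only in the domain error_log, not in the global error_log, not in the security events window); one statement plus the pointer to the per-domain error_log is enough.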
Line 527: | Line 836: | ||
==== PHP_SAFE_MODE ==== | ==== PHP_SAFE_MODE ==== | ||
+ | |||
+ | '''Enable Safe Mode''' | ||
Enable/Disable PHP Safe_Mode | Enable/Disable PHP Safe_Mode | ||
Line 539: | Line 850: | ||
Enable/Disable url_fopen | Enable/Disable url_fopen | ||
+ | |||
+ | Please see this page for information on this function and a serious vulnerability that can be created by allowing this function in PHP: | ||
+ | |||
+ | https://www.atomicorp.com/wiki/index.php/Vuln_php_allow_url_fopen | ||
==== PHP_URL_INCLUDE ==== | ==== PHP_URL_INCLUDE ==== | ||
Enable/Disable URL includes | Enable/Disable URL includes | ||
+ | |||
+ | |||
+ | ==== Expose PHP ==== | ||
+ | |||
+ | PHP_EXPOSE_PHP: Enable/Disable expose_php [Default: no] | ||
+ | |||
+ | ==== Display Errors==== | ||
+ | |||
+ | PHP_DISPLAY_ERRORS: Enable/Disable display_errors [Default: no] | ||
+ | |||
+ | ==== Add X-PHP-Originating-Script to mail() events ==== | ||
+ | |||
+ | PHP_MAIL_XHEADER: Enable/Disable X-PHP-Originating-Script that will include UID of the script followed by the filename. [Default: yes] | ||
==== ALLOW_curl_exec ==== | ==== ALLOW_curl_exec ==== | ||
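Review bot: the three new sections use descriptive headings ("==== Expose PHP ====", "==== Display Errors====", "==== Add X-PHP-Originating-Script to mail() events ====") with the key name in the body, while the neighbouring sections (PHP_URL_INCLUDE, ALLOW_curl_exec) use the key name as the heading; pick one convention so a reader searching the table of contents for PHP_EXPOSE_PHP finds it, and add the missing space in "Display Errors====". PHP_URL_INCLUDE still has no Default: line, which the new entries all have.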
Line 555: | Line 883: | ||
Enable/Disable the dl() function | Enable/Disable the dl() function | ||
+ | |||
+ | ==== Allow Function: escapeshellcmd ==== | ||
+ | |||
+ | ALLOW_escapeshellcmd: Enable/Disable the escapeshellcmd() function | ||
+ | |||
+ | ==== Allow Function: exec() ==== | ||
+ | |||
+ | ALLOW_exec: Enable/Disable the exec() function | ||
+ | |||
+ | ====Allow Function: ftp_exec()==== | ||
+ | |||
+ | ALLOW_ftp_exec: Enable/Disable the ftp_exec() function | ||
+ | ====Allow Function: fsockopen()==== | ||
+ | |||
+ | ALLOW_fsockopen: Enable/Disable the fsockopen() function | ||
+ | |||
+ | |||
+ | ====Allow Function: ini_set()==== | ||
+ | |||
+ | ALLOW_fsockopen: Enable/Disable the fsockopen() function | ||
+ | |||
+ | ====Allow Function: leak()==== | ||
+ | |||
+ | ALLOW_leak: Enable/Disable the leak() function | ||
+ | ====Allow Function: passthru()==== | ||
+ | |||
+ | ALLOW_passthru: Enable/Disable the passthru() function | ||
+ | ====Allow Function: pcntl_exec()==== | ||
+ | |||
+ | ALLOW_pcntl_exec: Enable/Disable the pcntl_exec() function | ||
+ | ====Allow Function: pfsockopen()==== | ||
+ | |||
+ | ALLOW_pfsockopen: Enable/Disable the pfsockopen() function | ||
+ | ====Allow Function: phpinfo()==== | ||
+ | |||
+ | ALLOW_phpinfo: Enable/Disable the phpinfo() function | ||
+ | ====Allow Function: popen()==== | ||
+ | |||
+ | ALLOW_popen: Enable/Disable the popen() function | ||
+ | ====Allow Function: posix_kill()==== | ||
+ | |||
+ | ALLOW_posix_kill: Enable/Disable the posix_kill() function | ||
+ | ====Allow Function: mkfifo()==== | ||
+ | |||
+ | ALLOW_posix_mkfifo: Enable/Disable the mkfifo() function | ||
+ | ====Allow Function: posix_setpgid()==== | ||
+ | |||
+ | ALLOW_posix_setpgid: Enable/Disable the setpgid() function | ||
+ | ====Allow Function: setsid()==== | ||
+ | |||
+ | ALLOW_posix_setsid: Enable/Disable the setsid() function | ||
+ | ====Allow Function: setuid()==== | ||
+ | |||
+ | ALLOW_posix_setuid: Enable/Disable the setuid() function | ||
+ | ====Allow Function: proc_close()==== | ||
+ | |||
+ | ALLOW_proc_close: Enable/Disable the proc_close() function | ||
+ | ====Allow Function: proc_get_status()==== | ||
+ | |||
+ | ALLOW_proc_get_status: Enable/Disable the proc_get_status() function | ||
+ | ====Allow Function: proc_nice()==== | ||
+ | |||
+ | ALLOW_proc_nice: Enable/Disable the proc_nice() function | ||
+ | ====Allow Function: proc_open()==== | ||
+ | |||
+ | ALLOW_proc_open: Enable/Disable the proc_open() function | ||
+ | ====Allow Function: proc_terminate()==== | ||
+ | |||
+ | ALLOW_proc_terminate: Enable/Disable the proc_terminate() function | ||
+ | ====Allow Function: shell_exec()==== | ||
+ | |||
+ | ALLOW_shell_exec: Enable/Disable the shell_exec() function | ||
+ | ====Allow Function: show_source()==== | ||
+ | |||
+ | ALLOW_show_source: Enable/Disable the show_sourc() function | ||
+ | ====Allow Function: system()==== | ||
+ | |||
+ | ALLOW_system: Enable/Disable the system() function | ||
=== SSH daemon configuration === | === SSH daemon configuration === | ||
Also, see the [[SSH debugging]] page in case you can't log into your ASL server via SSH. | Also, see the [[SSH debugging]] page in case you can't log into your ASL server via SSH. | ||
+ | |||
+ | Note: This does not import existing settings from SSH. '''The purpose of these settings to enforce the sshd configuration settings''', based on these settings. Therefore if you change sshd settings, and they do not match what is set in ASL, ASL will set them to the settings defined in ASL. The use of third party products to change these settings is not supported. | ||
==== SSH_PROTOCOL ==== | ==== SSH_PROTOCOL ==== | ||
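Review bot: the body under "====Allow Function: ini_set()====" is a copy of the fsockopen entry ("ALLOW_fsockopen: Enable/Disable the fsockopen() function"); it needs to document the ini_set key, whose name is not visible here and should be confirmed against the config file. Smaller points in the same block: "show_sourc()" should be "show_source()"; the mkfifo, setsid and setuid headings drop the posix_ prefix that their keys (ALLOW_posix_mkfifo, ALLOW_posix_setsid, ALLOW_posix_setuid) and the PHP function names carry; most of the new entries lack the blank line before the next heading that the rest of the page uses; and in the SSH note, "The purpose of these settings to enforce" is missing "is".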
Line 567: | Line 975: | ||
Default: 2 | Default: 2 | ||
+ | |||
+ | ==== Custom Port ==== | ||
+ | |||
+ | CUSTOM_SSH_PORT: Use a custom ssh port. [Default: no] | ||
==== SSH_PORT ==== | ==== SSH_PORT ==== | ||
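Review bot: CUSTOM_SSH_PORT is introduced under a descriptive heading ("==== Custom Port ====") while the adjacent SSH_PORT keeps the key-name heading, and nothing states how the two relate (whether CUSTOM_SSH_PORT must be yes before the SSH_PORT value is applied). One sentence on their interaction would save an administrator a port change that silently does nothing.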
Line 573: | Line 985: | ||
Default: no | Default: no | ||
+ | |||
+ | Note: This does not import existing settings. If you already have a custom port set, that port number will not show up here. This option exists for ASL to manage this function, if you do not change this option to a port number ASL will not make any changes to this option in sshd. | ||
==== SSH_STRICTMODE ==== | ==== SSH_STRICTMODE ==== | ||
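Review bot: the added note is a comma splice; split "This option exists for ASL to manage this function, if you do not change this option to a port number ASL will not make any changes" into two sentences at the comma.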
Line 580: | Line 994: | ||
Default: yes | Default: yes | ||
− | ==== SSH_IGNORE_RHOSTS= | + | ==== SSH_IGNORE_RHOSTS ==== |
− | This tells SSH to ignore rhosts file. rhosts files tell SSH to trust another host completely, which means a user logging in from that host will not asked for a password. Allowing rhosts files is very insecure, and we recommend you leave this enabled. | + | This tells SSH to ignore rhosts file. rhosts files tell SSH to trust another host completely, which means a user logging in from that host will '''not''' asked for a password. Allowing rhosts files is very insecure, and we recommend you leave this enabled. |
Default: yes | Default: yes | ||
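Review bot: "will '''not''' asked for a password" is still missing "be" after the bolding change ("will '''not''' be asked for a password"), and "ignore rhosts file" should be "ignore rhosts files".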
Line 597: | Line 1,011: | ||
Default: yes | Default: yes | ||
+ | |||
+ | '''Note: ASL will only disable root logins if you have defined a valid ADMIN_USER, and ASL reports that it has confirmed the user is both valid and can log in. Please see this option:''' | ||
+ | |||
+ | https://www.atomicorp.com/wiki/index.php/ASL_Configuration#ADMIN_USERS | ||
==== SSH_PASSWORD_AUTH ==== | ==== SSH_PASSWORD_AUTH ==== | ||
− | This enables/disables password authentication via SSH. | + | This enables/disables password authentication via SSH. For this to work, you must define at least one ADMIN_USER. Please ensure you have so via the [https://www.atomicorp.com/wiki/index.php/ASL_Configuration#ADMIN_USERS ADMIN_USERS] option. |
Default: yes | Default: yes | ||
− | ==== SSH_PRIV_SEPARATION | + | |
+ | Options: | ||
+ | |||
+ | Yes - Allows password authentication | ||
+ | |||
+ | No - Does not allow password authentication, but ASL will check to make sure at least one valid ADMIN_USER exists with keys installed. If one does not, ASL will NOT disable password authentication, and will try to prevent other applications from doing so. This is an important fail safe to prevent accidental lockout from your system. | ||
+ | |||
+ | Override - Does not allow password authentication, but will '''NOT''' check to make sure at least one valid ADMIN_USER exists with keys installed. '''Warning: This will lock you out of your system if you do not have valid key based authentication configured for the system, and ASL will not check to ensure your keys are valid (not recommend, define an ADMIN_USERS instead).''' | ||
+ | |||
+ | ==== SSH_PRIV_SEPARATION ==== | ||
This ensures that SSH runs with privilege separation. | This ensures that SSH runs with privilege separation. | ||
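Review bot: the setting is named ADMIN_USERS (the link target at the end of the note says so), but the new text refers to "a valid ADMIN_USER" repeatedly and to "an ADMIN_USERS" once; use ADMIN_USERS throughout. Grammar: "Please ensure you have so via" should be "have done so via", and "(not recommend, define an ADMIN_USERS instead)" should be "(not recommended; define ADMIN_USERS instead)". Documenting Override separately is the right call, since it is the one path that bypasses the lockout fail-safe described under No.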
Line 609: | Line 1,036: | ||
Default: Yes. | Default: Yes. | ||
− | ==== SSH_GSSAPI_AUTH | + | ==== SSH_GSSAPI_AUTH ==== |
Default: No. | Default: No. | ||
Line 624: | Line 1,051: | ||
==== SSH_USEDNS ==== | ==== SSH_USEDNS ==== | ||
− | + | SSH_USEDNS: Specifies whether sshdshould look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is “yes”. | |
Default: yes | Default: yes | ||
+ | |||
+ | ==== SSH_ALLOWAGENTFORWARDING==== | ||
+ | |||
+ | Default: no | ||
+ | |||
+ | This setting configures SSH to allow agent forwarding. SSH has an optional credential agent that be used to store a private key, and can respond to servers requestions for key based authentication without asking a user for a password. This method can be forwarded to other systems by the client, allowing that system to query the users keys as well should the user attempt to connect to ssh from that server to another system. | ||
+ | |||
+ | This can present a security risk if the server is not completely trusted, as malicious processes can authenticate as the user over this channel and ssh into other systems. | ||
+ | |||
+ | ==== SSH_X11FORWARDING==== | ||
+ | |||
+ | Default: no | ||
+ | |||
+ | This setting configures SSH to allow X11 forwarding. This will allow the server to communicate with an X11 desktop, which will allow the server to open windows, control the keyboard and otherwise operate on the users desktop as if it was the users machine. | ||
+ | |||
+ | This can present a security risk if the server is not completely trusted, as malicious processes can control the users desktop. | ||
+ | |||
+ | ====SSH_ALLOWTCPFORWARDING ==== | ||
+ | |||
+ | Default: no | ||
+ | |||
+ | This setting configures SSH to allow port forwarding from a client. This will allow a client to "tunnel" to a port on the server over an SSH connection. | ||
+ | |||
+ | This can present a security risk as this allows users to bypass any firewall policies that would otherwise prevent them from connecting to ports that are blocked. | ||
=== Rkhunter settings === | === Rkhunter settings === | ||
− | === | + | ==== RKHUNTER_ENABLED ==== |
+ | |||
+ | Enable/Disable nightly rkhunter scanning | ||
+ | |||
+ | ==== RKHUNTER_EMAIL ==== | ||
+ | |||
+ | Email address to send rkhunter alerts | ||
+ | |||
+ | === Denial of Service === | ||
+ | |||
+ | ==== Web DoS module ==== | ||
+ | |||
+ | MODEV_ENABLED: Enable/Disable mod_evasive (DoS protection) | ||
Also, see the [[Mod evasive]] page for important documentation about configuring the DOS protection system for Apache. | Also, see the [[Mod evasive]] page for important documentation about configuring the DOS protection system for Apache. | ||
+ | |||
+ | ===== Hash Table size ===== | ||
+ | |||
+ | MODEV_DOSHashTableSize: The hash table size defines the number of top-level nodes for each child's hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space. | ||
+ | |||
+ | ===== Threshold: Same Page count ===== | ||
+ | |||
+ | MODEV_DOSPageCount: Threshhold for the number of requests for the same page (or URI) per page interval. | ||
+ | |||
+ | ===== Threshold: Site count ===== | ||
+ | |||
+ | MODEV_DOSSiteCount: Threshhold for the total number of requests for any object by the same client on the same listener per site interval. | ||
+ | |||
+ | ===== Threshold: Same Page interval ===== | ||
+ | |||
+ | MODEV_DOSPageInterval: Interval for the page count threshhold. [Default: 2] | ||
+ | |||
+ | ===== Threshold: Site count ===== | ||
+ | |||
+ | MODEV_DOSSiteInterval: Interval for the site count threshhold. [Default: 2] | ||
+ | |||
+ | =====Block period===== | ||
+ | |||
+ | MODEV_DOSBlockingPeriod: Number of seconds to block a client IP. Clients will be returned a 403 error. | ||
=== Web App Inventory === | === Web App Inventory === | ||
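Review bot: the heading "===== Threshold: Site count =====" appears twice; the second one, above MODEV_DOSSiteInterval, should read "Threshold: Site interval". "Threshhold" is misspelled in all four MODEV threshold entries, and MODEV_DOSPageCount and MODEV_DOSSiteCount give no Default value while the interval entries do. In SSH_USEDNS, "sshdshould" needs a space and "The default is “yes”" duplicates the "Default: yes" line below it. In SSH_ALLOWAGENTFORWARDING, "an optional credential agent that be used" is missing "can" and "servers requestions" should be "server's requests"; the X11 paragraph needs "user's" for each "users".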
Line 639: | Line 1,126: | ||
Interval to run the web application inventory engine. Default is daily. | Interval to run the web application inventory engine. Default is daily. | ||
+ | |||
+ | === MySQL Security Settings === | ||
+ | |||
+ | ==== Enforce: Mysql security policy ==== | ||
+ | |||
+ | MYSQL_CHECKS: Enable/Disable enforcement mode for Mysql security settings. Setting this to no will implement check-only mode. [Default: yes] | ||
+ | |||
+ | ==== Disable: local-infile ==== | ||
+ | |||
+ | MYSQL_DISABLE_LOAD_DATA: Enable/Disable mysql local-infile [Default: yes] | ||
+ | |||
+ | ==== Log: enable mysql error log ==== | ||
+ | |||
+ | MYSQL_ENABLE_LOG_ERRORS: Enable/Disable mysql /var/log/mysqld.log error log [Default: yes] | ||
+ | |||
+ | ==== Log: enable log warnings ==== | ||
+ | |||
+ | MYSQL_ENABLE_LOG_WARNINGS: Enable/Disable mysql log warnings [Default: yes] | ||
+ | |||
+ | ==== Disable: symbolic links ==== | ||
+ | |||
+ | MYSQL_DISABLE_SYMBOLIC_LINKS: Enable/Disable mysql symbolic links[Default: yes] | ||
+ | |||
+ | ==== Performance: Query Cache ==== | ||
+ | |||
+ | MYSQL_QUERY_CACHE: Mysql query cache settings [Default: 32m] | ||
+ | |||
+ | Note: This must be in multiples of 32, for example 64, 128, etc. | ||
=== Plesk Security Settings === | === Plesk Security Settings === | ||
+ | |||
+ | ====Plesk Update policy==== | ||
+ | |||
+ | FW_PLESK_UPDATES: Enable/Disable Plesk keyserver update firewall policy. Default:[no] | ||
+ | |||
+ | This setting allows the plesk update process to bypass any firewall rules you may add to the system. | ||
==== PSA_DISABLE_CRONTAB ==== | ==== PSA_DISABLE_CRONTAB ==== |
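Review bot: MYSQL_DISABLE_LOAD_DATA and MYSQL_DISABLE_SYMBOLIC_LINKS are described as "Enable/Disable mysql local-infile [Default: yes]" and "Enable/Disable mysql symbolic links[Default: yes]", which is ambiguous under a key named DISABLE_...: state explicitly what yes does (turns the feature off, if that is the behaviour), since an administrator reading yes as "local-infile enabled" reaches the opposite conclusion. Formatting: add the space before "[Default: yes]" in the symbolic links entry, and "Default:[no]" under FW_PLESK_UPDATES should follow the page's "[Default: no]" form.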
Latest revision as of 19:23, 23 May 2020
= Introduction =

ASL is configured to a secure set of defaults upon installation. Most users do not need to change these settings.

Note: Manual modification of the /etc/asl/config file is not supported. Please change these settings through the ASL web console.

= Installation =

ASL Installation settings are documented on the ASL installation page; please see that page for installation configuration options.

== Post Installation Configuration ==

=== GUI ===

You can access the ASL configuration settings by following this process:

Step 1) Log into the ASL GUI

Step 2) Click on the Configuration tab

Step 3) Select "ASL Configuration"

This will pull up all the ASL Configuration options, which are broken into classes and are documented below, or links are provided to the specific documentation pages for those options.

=== Command Line ===

You can also change these settings from the command line. These settings are stored in this file:

/etc/asl/config

After changing these settings, run this command as root to set the new security policy:

asl -s -f

=== Authentication Information ===

==== ASL Web Settings ====

In addition to the settings below, please also see the ASL Web Settings page for documentation about configuring the ASL GUI itself.

==== USERNAME ====

This is the username ASL will use to download updates. This should be the same username you use to log into the License Manager.

==== PASSWORD ====

This is the password ASL will use to download updates. This should be the same password you use to log into the License Manager.
=== Data Retention Policies ===

Data retention policies control the automated cleanup of file and database storage used by ASL, ossec, and mod_security.

==== RETENTION_USE_CONSOLIDATED ====

Selecting yes for this setting will apply the retention period specified by RETENTION_CONSOLIDATED to events and archive tables in the database, file backups generated by ASL, mod_security alert files, diff files created by ossec, and malware scan reports.

==== RETENTION_CONSOLIDATED ====

A value and unit of measure indicating how long data should be retained.

Examples: "3 months", "1 years", "24 days"

==== DB_USE_ARCHIVE ====

If set to no, ASL will not create monthly archive tables of event data. If set to yes, the tables will be created and kept according to the retention settings.

==== DB_ARCHIVE_PERIOD ====

A value and unit of measure indicating how long tables should be retained.

Examples: "3 months", "1 years", "24 days"

==== RETENTION_MAX_RBC_COUNT ====

This setting indicates the maximum number of file backups created by ASL that will be kept at any given time, without regard to time-based retention settings.

==== HIDS_CLEAN_DIFF ====

If consolidated settings are not being used, this value determines the number of days that ossec's diff files will be kept. The default value is 60.

==== HIDS_ARCHIVE_ALL ====

By default ASL only retains alert logs; enabling this will archive all logs. Please note this can use considerable disk space.

==== MODSEC_CLEAN_ALERT ====

If consolidated settings are not being used, this value determines the number of days to retain mod_security alert files. The default value is 14.

==== PURGE_LOGS ====

If consolidated settings are being used, they will not override this setting.

This setting determines the number of days that ossec's alert files will be kept. A value of "no" or "-1" will retain the files indefinitely. The default value is -1.
=== General Settings ===

==== NOTIFY ====

Determines whether ASL will send email notifications. Set this to yes if you want ASL to email you, and no if you do not.

==== EMAIL ====

The email address alerts are sent to. This is also set by the user during installation.

==== HOSTNAME ====

Hostname for the system. This is also set during installation.

==== ADMIN_USERS ====

This defines special SSH users. This is not to be confused with users that can log into the ASL web console, or any other "admin" user on the system.

No users are defined by default.

This setting allows you to define special administrative users (other than root) that ASL will check to make sure they can SSH into the system. If this is defined, AND the users exist, AND they have valid SSH keys, password authentication and root logins will be automatically disabled. This list is not used to restrict which users can SSH into the system; it is just a list of special users that should always be allowed to SSH in. ASL uses this list to check these accounts and make sure they are working correctly, so that those users can still log into the system when changes are made to the SSH settings via ASL (for example, before disabling password authentication, ASL will check this list of users to make sure they have SSH keys installed). This is an important fail-safe feature, and you should list all your administrative users (other than root) here to help ensure they will be able to log into the system.

Usernames are separated with spaces. Example:

bob joe karen

Note: This setting has nothing to do with the AllowUsers setting in sshd.

Important: If an admin user is not defined, ASL will not allow SSH settings to be modified.

For example, if no admin users are defined, ASL will not allow password authentication to be disabled, nor will it allow root logins to be disabled. This is a critical safeguard to prevent users from accidentally locking themselves out of the system.

If one or more admin users are defined and password authentication is disabled, ASL will also check that the admin users have SSH keys installed in the correct place and that their permissions are valid. If the keys are not installed, the permissions are wrong, or the keys are not in the right place, ASL will not allow any SSH configuration changes to take place and will ensure the defaults are used. Again, this is a critical safeguard to prevent users from accidentally locking themselves out of the system.

ASL cannot test the keys themselves for validity as an authentication credential, as it only has access to the public key. Therefore it is the user's responsibility to ensure the SSH key pair works correctly for the account.

Please see the SSH keys article for additional information about using SSH keys with SSH.
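The pre-flight check described above (account exists, key installed in the right place, ownership and permissions valid) can be reproduced as a small script. The following is an added example, not ASL's own code: it assumes a Linux host with GNU coreutils stat, takes the home directory as an argument so it can be run against a test tree, and treats any failing account as a reason to keep password authentication on, as ASL does.

```shell
#!/bin/sh
# Added example (not ASL's own code): a pre-flight check modelled on the
# ADMIN_USERS fail-safe described above. Before password authentication is
# turned off, every administrative account must exist, have a public key
# installed in ~/.ssh/authorized_keys, and have ownership/permissions that
# sshd accepts with StrictModes on. Assumes GNU coreutils stat (Linux).

# check_admin_key_setup USER HOME
# Returns 0 if USER looks ready for key-only login, 1 otherwise (reason on
# stderr). HOME is passed explicitly so the check can run on a test tree.
check_admin_key_setup() {
    user="$1"
    home="$2"
    keys="$home/.ssh/authorized_keys"

    [ -d "$home" ] || { echo "$user: home directory $home missing" >&2; return 1; }
    [ -s "$keys" ] || { echo "$user: $keys missing or empty" >&2; return 1; }

    # At least one line must be an OpenSSH public key entry. A file that holds
    # only comments passes the size test yet would still lock the user out.
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-)[^ ]* ' "$keys" \
        || { echo "$user: no public key entry in $keys" >&2; return 1; }

    # With StrictModes (the SSH_STRICTMODE default on this page), sshd ignores
    # authorized_keys when the home, .ssh or the file itself is not owned by
    # the user or is writable by group/others.
    for p in "$home" "$home/.ssh" "$keys"; do
        owner=$(stat -c '%U' "$p")
        [ "$owner" = "$user" ] \
            || { echo "$user: $p is owned by $owner, not $user" >&2; return 1; }
        mode=$(stat -c '%A' "$p")          # e.g. drwx------ or -rw-------
        case "$mode" in
            ?????w*|????????w*)            # group (6th) or other (9th) write bit
                echo "$user: $p is group/world writable ($mode)" >&2
                return 1 ;;
        esac
    done
    return 0
}

# all_admins_ready "bob joe karen" HOMES_DIR
# Returns 0 only when every listed user passes; like ASL, a single failing
# account is reason to leave password authentication enabled.
all_admins_ready() {
    rc=0
    for u in $1; do
        check_admin_key_setup "$u" "$2/$u" || rc=1
    done
    return $rc
}
```

Run all_admins_ready with the ADMIN_USERS list and /home before flipping SSH_PASSWORD_AUTH; a non-zero exit means at least one listed administrator would be locked out.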
==== SYSTEM_TYPE ====

Defines a basic services policy for the system, and configures ASL to work with control panels that do not use package management.

Setting the profile to anything other than "custom" will configure ASL to disable the following services:

- portmap
- nfs
- nfslock
- rpcidmapd
- cups
- gpm
- xfs
- pcscd
- mcstrans
- kdump
- isdn
- hplip
- hidd
- messagebus
- haldaemon
- bluetooth
- avahi-daemon
- autofs
- apmd

Options:

webserver: Use this setting for all system types except the three below.

cpanel: Configures the system for cpanel.

directadmin: Configures the system for directadmin.

custom: If this is set to custom, no services will be automatically disabled and no special configuration changes are made to the system to work with non-package-managed control panels. Do not use this setting with platforms like cpanel or directadmin; it will void support on your system.

==== ALLOW_NFS ====

This will disable the service checks that would normally disable NFS services when SYSTEM_TYPE is set to "webserver", "cpanel" or "directadmin".

Notes:

- This does not enable or configure NFS services; please consult your vendor for support with configuring NFS.
- You will need to reboot your system if you have locked the kernel to prevent kernel modules from loading.
==== AUTOMATIC_UPDATES ====

Configures the update frequency for ASL to download and install updates, such as new rules and signatures.

NOTE: Updates can be run manually from the command line with aum -u.

If a software update is available you should follow your normal patch management procedure. We recommend that all users test upgrades on a test system before deploying to a production system. See "UPDATE_TYPE" below.

==== UPDATE_TYPE ====

Configures the behavior of the AUTOMATIC_UPDATES event. There are three options:

All: This will upgrade all ASL software, rule and signature updates.

Exclude-kernel: This will upgrade all ASL software, rule and signature updates, but will not upgrade the kernel.

rules-only: This will exclude all software updates, including updates to ASL. This will prevent ASL from installing any rpm package updates and kernel updates, and will only install rule and signature updates.

Important Notice: Some rule and signature updates may not work without ASL updates, so if you set this to "rules-only" be sure to regularly check your system for any software updates for ASL to be fully protected and to ensure compatibility.

==== RESTART_APACHE ====

Sets the restart policy for actions involving the web server. Updates to the WAF, mod_security, or mod_evasive policies require a web server restart to go into effect. This setting has three options:

Yes: Restart Apache when needed.

Graceful: Use the "graceful" method, which tries to wait for all clients to finish being served before restarting Apache. If Apache has a stuck thread or worker, a graceful restart may not complete.

No: Do not restart Apache.

Note: If you set this to "No", updates that require Apache restarts, such as new WAF rules, will not be applied. If you set this to "No" you will need to schedule regular restart intervals to install the latest rules. Only the latest rules are supported with the WAF.
==== Kernel Channel ====

KERNEL_CHANNEL: Select the kernel channel. Valid sources are Disabled, tortix-kernel, and tortix-kernel-xen for Xen environments. [Default: tortix-kernel]

==== Web Application Firewall rule feed source ====

FEED_TYPE: This setting allows you to toggle between different WAF feeds. Currently this is only used by ASL Lite, and supports the Real-Time and 90-day delayed feeds. [Default: real-time]

==== Compliance Module ====

COMPLIANCE: This enables a compliance module based on one of 5 standards (CIS, DISA, DHS, NISPOM, PCI). It is not recommended by Atomicorp. It should only be used if you are required to by a 3rd party regulator.

[Default: off]

==== Send reputation reports ====

REPUTATION_REPORT: Allow sending of statistical information on local events and event sources to Atomicorp.

==== Reputation report frequency ====

REPUTATION_FREQUENCY: How often reputation reports will be sent.

==== ASL_USER ====

Sets the user to run ASL web activity under. This can be either "tortix" for use with ASL-Web, or "psaadm" for use with the Plesk ASL module. Note: this setting has been deprecated.

==== FEED_TYPE ====

This setting allows you to toggle between different WAF feeds. This was only used by ASL Lite, and now only supports the Real-Time feed, since the delayed feed was retired. ASL users should not change this setting.

==== COMPLIANCE ====

This enables a compliance module based on one of 5 third-party standards (CIS, DISA, DHS, NISPOM, PCI).

It should only be used if you are required to by a 3rd party regulator. Atomicorp does not recommend that you use any of these without assistance from our professional services group.

These compliance standards are set by third parties, may break things on your system, and need to be adjusted for your specific risk profile. These are not Atomicorp standards, so if you enable them and they cause issues with your system, please understand that while we welcome the feedback, we cannot change these standards.

=== Firewall Configuration ===

Please see the ASL firewall page for documentation on these settings.
[edit] Kernel configuration
If you are not using the ASL Kernel these settings in the ASL web console will have no effect.
[edit] ALLOW_kmod_loading
The default configuration for ASL is to disable Loadable Kernel Modules (LKM) after the system has booted (S99). This is intended to provide additional protection from attempts to load LKM rootkits by "locking" the kernel and preventing any additional changes to the kernel once it has been configured.
Setting this flag to "yes" and rebooting the system will allow kernel modules to be loaded and unloaded dynamically after a reboot. We do not recommend you set this to "yes", as a properly configured server should not require the kernel to be dynamically modified. If you need to load custom modules in your kernel, please see this article which explains how to do this securely, and without needing to open this hole in your system.
https://www.atomicorp.com/wiki/index.php/Using_ASL#Can.27t_install_kernel_modules.
A number of known and in the wild attacks on Linux servers take advantage of kernel module loading being allowed, which can also be triggered by non-root users and are used to compromise Linux systems.
The secure and recommended setting is "no". Do not allow kernel module loading.
Note: In Linux, when you change this option to allow kernel module loading, that is if you unlock the kernel, you must reboot the system. This is a failsafe built into all Linux kernels to ensure that once the kernel is locked, it can not be unlocked by an attacker.
[edit] GRKERNSEC_DETER_BRUTEFORCE
If you say Y here, attempts to bruteforce exploits against forking daemons such as apache or sshd, as well as against suid/sgid binaries will be deterred. When a child of a forking daemon is killed by PaX or crashed due to an illegal instruction or other suspicious signal, the parent process will be delayed 30 seconds upon every subsequent fork until the administrator is able to assess the situation and restart the daemon. In the suid/sgid case, the attempt is logged, the user has all their processes terminated, and they are prevented from executing any further processes for 15 minutes. It is recommended that you also enable signal logging in the auditing section so that logs are generated when a process triggers a suspicious signal.
[Default: no]
Note: This option is available in ASL 4.0 and up.
[edit] ENABLE_TPE
Trusted Path Execution TPE will allow you to choose a gid to add to the supplementary groups of users you want to mark as "untrusted" or "trusted". These users will not be able to execute any files that are not in root-owned directories writable only by root.
TPE_GROUP_POLICY
The TPE group policy selects the mode enforced on the system. In "trusted" mode (a default-deny policy), only users in the "trusted" group can execute files that are not owned by the root user; this is the more aggressive and restrictive mode. In the default "untrusted" mode (a default-allow policy), the TPE security controls apply only to users in the "untrusted" group.
TPE_UNTRUSTED_USERS
Users in this group will have the TPE policy applied if the system is configured to operate in "untrusted" mode. The root user is automatically trusted.
Untrusted users can only run applications owned by root. This prevents untrusted users from uploading code to the system, such as malware and spam tools, and will prevent them from running regardless of where they are located on the system.
TPE_TRUSTED_USERS
Users in this group will NOT have the TPE policy applied if the system is configured to operate in the "trusted" mode. Setting the policy to "trusted" means that only users in this list are trusted, all other users are considered untrusted. The root user is automatically trusted.
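The rules above (root always trusted, "trusted" mode restricting everyone not listed, "untrusted" mode restricting only listed users, and execution allowed only from root-owned directories writable only by root) as a small decision model. This is an added illustration, not grsecurity's or ASL's code; the function names are mine and the check is only what this page states.

```python
"""Decision model for ENABLE_TPE, TPE_GROUP_POLICY, TPE_TRUSTED_USERS and
TPE_UNTRUSTED_USERS as described on this page. Added illustration, not
grsecurity's or ASL's code."""
import os
import stat


def tpe_applies(user, policy, trusted=(), untrusted=()):
    """Is this user subject to the TPE restriction?

    root is always trusted. In "trusted" mode every user not listed as trusted
    is restricted; in "untrusted" mode only the listed untrusted users are."""
    if user == "root":
        return False
    if policy == "trusted":
        return user not in trusted
    if policy == "untrusted":
        return user in untrusted
    raise ValueError("TPE_GROUP_POLICY must be 'trusted' or 'untrusted'")


def tpe_dir_ok(dir_uid, dir_mode):
    """A restricted user may only execute files whose directory is owned by root
    (uid 0) and writable only by root (no group or other write bit)."""
    return dir_uid == 0 and not (dir_mode & (stat.S_IWGRP | stat.S_IWOTH))


def may_execute(user, path, policy, trusted=(), untrusted=()):
    """Combine both rules for a real path by stat-ing its containing directory.
    Users the policy does not apply to are allowed without touching the filesystem."""
    if not tpe_applies(user, policy, trusted, untrusted):
        return True
    st = os.stat(os.path.dirname(os.path.abspath(path)))
    return tpe_dir_ok(st.st_uid, st.st_mode)


if __name__ == "__main__":
    # Constructed scenario: "untrusted" mode with bob in TPE_UNTRUSTED_USERS.
    print("bob, /bin/ls:", may_execute("bob", "/bin/ls", "untrusted", untrusted=("bob",)))
    print("bob, file in home dir:", tpe_dir_ok(1000, 0o700))
```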
DISABLE_PRIVILEGED_IO
If you say yes here, all ioperm and iopl calls will return an error. Ioperm and iopl can be used to modify the running kernel. This is generally safe to set to "yes". Very few applications require that this be set to "no".
Some programs may need this access to operate properly, the most notable of which are XFree86 and hwclock.
hwclock is remedied by having RTC support in the ASL kernel: real-time clock support is enabled whenever this option is enabled, to ensure that hwclock operates correctly.
XFree86 still will not operate correctly with this option enabled, so DO NOT CHOOSE YES IF YOU USE XFree86.
AUDIT_MOUNT
Log all mount() and umount() actions.
AUDIT_CHDIR
Log all chdir() calls, or every time an application or user changes their directory. This is a high volume setting, and is disabled by default.
AUDIT_PTRACE
Log all attempts to attach to a process via ptrace().
AUDIT_TEXTREL
Log text relocations with the filename of the offending library or binary. This is a high volume setting, and is disabled by default.
CHROOT_CAPS
When enabled, the capabilities of all root processes within a chroot jail will be lowered to stop module insertion, raw I/O, system and network administration tasks, rebooting the system, modifying immutable files, modifying IPC owned by another user, changing the system time, and elevating capabilities via the SYS_ADMIN capability.
Note: EL6 boots the system into a chroot. Enabling this protection will cause the first tty on the system to "echo" all input that should not be "echoed". For example, the password field will echo from the console on tty1. This may also cause problems with serial consoles that use the first tty (which is normally the default case).
The solution is to either disable this protection, or to use a different tty.
WARNING: Disabling this protection will make it possible for applications to escape chroots.
See these posts for a more detailed explanation of the technical and security issues with disabling this protection.
https://forums.grsecurity.net/viewtopic.php?f=7&t=2522
https://www.atomicorp.com/forums/viewtopic.php?f=3&t=6292&p=36069&hilit=chroot#p36069
CHROOT_DENY_CHMOD
When enabled, processes inside a chroot will not be able to chmod or fchmod files to make them have suid or sgid bits.
CHROOT_DENY_CHROOT
When enabled, processes inside a chroot will not be able to chroot again outside the chroot.
CHROOT_DENY_FCHDIR
When enabled, a well-known method of breaking chroots by fchdir'ing to a file descriptor of the chrooting process that points to a directory outside the filesystem will be stopped.
CHROOT_DENY_MKNOD
When enabled, processes inside a chroot will not be allowed to mknod.
CHROOT_DENY_MOUNT
When enabled, processes inside a chroot will not be able to mount or remount.
CHROOT_DENY_PIVOT
When enabled, processes inside a chroot will not be able to use pivot_root().
CHROOT_DENY_SHMAT
When enabled, processes inside a chroot will not be able to attach to shared memory segments that were created outside of the chroot jail.
CHROOT_DENY_SYSCTL
When enabled, an attacker in a chroot will not be able to write to sysctl entries, either by sysctl(2) or through a /proc interface.
CHROOT_DENY_UNIX
When enabled, processes inside a chroot will not be able to connect to abstract (meaning not belonging to a filesystem) Unix domain sockets that were bound outside of a chroot.
CHROOT_ENFORCE_CHDIR
When enabled, the current working directory of all newly-chrooted applications will be set to the root directory of the chroot.
CHROOT_EXECLOG
When enabled, all executions inside a chroot jail will be logged to syslog. This is a high volume setting and is disabled by default.
CHROOT_FINDTASK
When enabled, processes inside a chroot will not be able to kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, getsid, or view any process outside of the chroot.
CHROOT_RESTRICT_NICE
When enabled, processes inside a chroot will not be able to raise the priority of processes in the chroot, or alter the priority of processes outside the chroot.
EXEC_LOGGING
When enabled, all execve() calls for users in the group execlog (1007) will be logged (since the other exec*() calls are frontends to execve(), all execution will be logged). This is a high volume setting and is disabled by default.
EXEC_LOG_USERS
Users in the group execlog will have all execve() actions logged to syslog if EXEC_LOGGING is enabled. This is a high volume setting, and is disabled by default.
DMESG
When enabled, non-root users will not be able to use dmesg(8) to view up to the last 4kb of messages in the kernel's log buffer.
EXECVE_LIMITING
When enabled, users with a resource limit on processes will have the value checked during execve() calls.
FIFO_RESTRICTIONS
When enabled, users will not be able to write to FIFOs they don't own in world-writable +t directories (i.e. /tmp), unless the owner of the FIFO is the same owner of the directory it's held in.
FORKFAIL_LOGGING
When enabled, all failed fork() attempts will be logged.
HARDEN_PTRACE
When enabled, TTY sniffers and other malicious monitoring programs implemented through ptrace will be defeated.
Certain Parallels products have a bug that requires this protection to be disabled: when this protection is enabled, they incorrectly report that users are running a debugger when they are not. This is a bug in Plesk, not in ASL. Please report this bug to Parallels if you wish to use this feature.
You can read more about this bug in Plesk at the forum post below:
https://atomicorp.com/forums/viewtopic.php?f=3&t=4636&p=26867#p26867
IP_BLACKHOLE
When enabled, neither TCP resets nor ICMP destination-unreachable packets will be sent in response to packets sent to ports for which no associated listening process exists.
Default: y
This feature supports both IPv4 and IPv6 and exempts the loopback interface from blackholing. Enabling this feature makes a host more resilient to DoS attacks and reduces network visibility against scanners. The blackhole feature prevents RST responses to all packets, not just SYNs.
Note: Under most application behavior this causes no problems, but applications (like haproxy) may not close certain connections in a way that cleanly terminates them on the remote end, leaving the remote host in LAST_ACK state. Because of this side-effect and to prevent intentional LAST_ACK DoSes, this feature also adds automatic mitigation against such attacks. The mitigation drastically reduces the amount of time a socket can spend in LAST_ACK state. If you're using haproxy and not all servers it connects to have this option enabled, consider disabling this feature on the haproxy host.
traceroute may also not complete when directed at a system that has this safeguard enabled. This is because traceroute works by sending UDP packets to ports on the system that do not have a service (a high port for example, 12345). The system will then send back an ICMP destination-unreachable packet. If traceroute does not get this packet it will continue to try high ports and eventually conclude, wrongly, that the server is not up.
When this option is enabled, two sysctl options with names ip_blackhole and lastack_retries will be created. While ip_blackhole takes the standard zero/non-zero on/off toggle, lastack_retries uses the same kinds of values as tcp_retries1 and tcp_retries2. The default value of 4 prevents a socket from lasting more than 45 seconds in LAST_ACK state.
LASTACK_RETRIES
The number of retries before a socket in LAST_ACK state is dropped; it takes the same kinds of values as tcp_retries1 and tcp_retries2 (see IP_BLACKHOLE above). The default value of 4 prevents a socket from lasting more than 45 seconds in LAST_ACK state.
The default is 4.
LINKING_RESTRICTIONS
When enabled, /tmp race exploits will be prevented, since users will no longer be able to follow symlinks owned by other users in world-writable +t directories (i.e. /tmp), unless the owner of the symlink is the owner of the directory. Users will also not be able to hardlink to files they do not own.
RESOURCE_LOGGING
When enabled, all attempts to overstep resource limits will be logged with the resource name, the requested size, and the current limit. Due to high volume alerts you can consider disabling this option. RESOURCE_LOGGING is disabled by default.
ROMOUNT_PROTECT
By setting this option to 1 at runtime, filesystems will be protected in the following ways: no new writable mounts will be allowed, existing read-only mounts will not be able to be remounted read/write, and write operations will be denied on all block devices. This is best used in embedded or appliance type environments, and is disabled by default.
RWXMAP_LOGGING
When enabled, calls to mmap() and mprotect() with explicit usage of PROT_WRITE and PROT_EXEC together will be logged when denied by the PAX_MPROTECT feature.
SIGNAL_LOGGING
When enabled, certain important signals such as SIGSEGV will be logged, informing you when an error occurred in a program, which in some cases could indicate an exploit attempt. This is enabled by default.
SOCKET_ALL
When enabled, you will be able to choose which users will be unable to connect to other hosts from your machine or run server applications from your machine.
SOCKET_USERS
Users in the socket group will be unable to connect to other hosts from your machine or run server applications from your machine.
SOCKET_CLIENT
When enabled, users in the client group will only be able to create outbound connections, and will be prevented from creating servers on the system (clients can not listen for incoming connections).
SOCKET_CLIENT_USERS
Users in the client group will be unable to run server applications from your machine. This is in a comma delimited format.
SOCKET_SERVER
When enabled, the server-only policy group will be enabled on the system. Users in the servers group will be able to run servers on the system, but be unable to connect to other hosts from the machine.
SOCKET_SERVER_USERS
Users in the server group will be able to run services on the system, but be unable to connect to other hosts from the system as a client. This is in a comma delimited format.
Non GUI options
There are a few options that are not currently configurable via the web console. These will be added in a future release of ASL.
Restrict symlinks to owner
This is a kernel-based race-free implementation of Apache's SymlinksIfOwnerMatch option. This is enabled by placing users into a special group. When users are made part of this group, ASL restricts the following of symlinks to the owner of the file. This means that if a user is part of this special group, and creates a symlink to a file or directory they do not own, the kernel will prevent the symlink from being followed. This feature ensures that a compromised user on a shared hosting server can't cause Apache to follow a symlink to a sensitive file in another user's webroot in order to read its contents.
Note: This requires kernel 2.6.32.59-28 and up, and gradm 2.9.1 and up.
To add a user
To restrict a user, simply add them to the symlinkown_gid group. By default, that group is "1008". So if you add a user to group ID 1008, that user will not be able to follow symlinks to files and directories they do not own. For example:
If user "bob" has the uid "123", and symlinkown_gid is set to 1008, you can add bob to the symlinkown_gid group with this command:
usermod -a -G 1008 bob
Note: For web applications, if you wish to enforce this restriction, it's important to make sure that the effective uid for the web application is included in this group. For example, if your web applications run as the user "apache", then apache must be added to this group.
To change the group ID
If you wish to change the GID for the symlinkown group, you will need to set this condition as part of your /etc/sysctl.conf file:
kernel.grsecurity.symlinkown_gid = 12345
Change 12345 to the GID you wish to use.
One trick with this option, is to set the GID to the default GID for your users. This is a quick way to cause this restriction to be automatically inherited by your users.
Note: If your kernel is locked, this may require a reboot of your system.
TIMECHANGE_LOGGING
Enable or Disable logging of any major time changes on the system.
ClamAV configuration
See the anti virus page for configuration settings.
PSMON configuration
PSMON_ENABLED
Allows the Process monitoring daemon to be enabled/disabled. This will monitor services that are configured to start on boot and are managed by the OS via the chkconfig or systemctl systems. If you want ASL to stop monitoring a process, see the psmon article.
Note: not supported on systems that do not use package managed PERL installations.
PSMON_NOTIFY
Enable/Disable email notification for PSMON. The default is to use the $NOTIFY setting.
PSMON_EMAIL
Email address that notifications of restart events will be sent to. The default is to use the value set for EMAIL.
PSMON_FROM
From: line used for notifications of restart events. The default is to use psmon@hostname of the system.
OSSEC configuration
OSSEC_ENABLED
Enable HIDS
Enable or Disable OSSEC HIDS
Notification
OSSEC_NOTIFY
Email notification
Configure OSSEC to send alert notifications over email or not. Default is yes.
OSSEC_EMAIL
Email to
Email address to send all OSSEC alert notifications to.
OSSEC_SMTP_SERVER
Mail Server
SMTP server to send OSSEC alert notifications.
OSSEC_FROM
From: line used for OSSEC alert notifications.
HIDS_EMAIL_ALERT_LEVEL
Email Alert Level
This controls the minimum level an alert will need to be in order to activate an email event. Some events with lower levels than this will still be sent, for example 1002, which is the suspicious event alert. You can disable specific overrides in the rule manager.
[Default: 7]
OSSEC_MAX_MSG
Max messages per hour
Maximum number of email messages OSSEC will send per hour. If the value is set to 1, multiple alerts will be sent in digest mode (a single email) once per hour. To receive emails more frequently, you must increase the value, keeping it within the range 1 to 9999. If you use a value outside of this range, the maild service will fail and you will not receive email alerts.
Database Settings
OSSEC_USE_MYSQL
Database support
OSSEC_USE_MYSQL: Configure OSSEC to store events in mysql
Default: yes
OSSEC_DATABASE_SERVER
Database Server
IP or hostname of the OSSEC database server. Note that OSSEC only uses TCP sockets, so network access is required.
Remote MySQL servers are not currently supported (but they may work).
OSSEC_DATABASE
Database Name
Name of OSSEC database
OSSEC_DATABASE_USERNAME
Database Username
Name of OSSEC database user
OSSEC_DATABASE_PASSWORD
Database Password
Password for OSSEC database user
General Settings
OSSEC_ACTIVE_RESPONSE
Active Response
Enable/Disable Active Response mode. Setting this to yes will enable active firewall blocks when OSSEC detects an attack.
OSSEC_SHUN_ENABLE_TIMEOUT
Active Response: Enable timeout
Enable/Disable expiration of active response firewall blocks. Setting this to yes will expire blocks after a fixed interval defined in OSSEC_SHUN_TIME. Setting this to no will make all blocks permanent (not recommended).
HIDS_IPSET_DROP
This will configure the system to use ipset instead of iptables. This is a newer, faster and less memory intensive method of shunning and is highly recommended on systems that support it.
Note: Virtuozzo and OpenVZ are not known to support ipset. Enabling this option on those platforms may break shunning and other aspects of the firewall.
OSSEC_SHUN_TIME
Active Response: Shun Time
This configuration setting defines the number of seconds to maintain an active response block.
Default: 600 seconds (10 minutes).
HIDS_SHUN_MULTIPLIER
Active Response: Shun Multiplier
Enable a block time exponential multiplier for repeat offenders based on the Shun Time setting.
To disable this functionality, set the value to "0".
This feature will multiply the shun time by the HIDS_SHUN_MULTIPLIER value for any successive attacks from the same IP. For the first attack from an IP, the shun period will always be the OSSEC_SHUN_TIME setting. For the second and successive attacks from an IP, the shun time for that IP will be multiplied by the HIDS_SHUN_MULTIPLIER value for each successive attack from that IP. That value will then be multiplied again for the next attack, and so on. This causes repeat attackers to be blocked for longer and longer periods based on this setting.
Note: This is exponential, not linear. The shun time for an attack is calculated by multiplying the previous shun time by the multiplier. This means the value will not increase linearly from the base Shun Time; rather, the shun time will increase exponentially with each attack.
For example:
If the shun time is configured to 600 seconds, and HIDS_SHUN_MULTIPLIER is set to "3", the shun times would be:
- First attack: 600 seconds
- Second attack: 1800 seconds
- Third attack: 5400 seconds
- Fourth and any following attacks: 16200 seconds
The current system does not increase the shun time past the fourth attack.
This period is valid for as long as the OSSEC daemon is running. Once OSSEC is restarted, all of this data will be lost/reset, the counter returns to the lowest value (in this example 600 seconds), and the process starts over.
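The block-duration rules just described (OSSEC_SHUN_TIME as the base, HIDS_SHUN_MULTIPLIER applied exponentially, no growth past the fourth attack, "0" disabling the multiplier, OSSEC_SHUN_ENABLE_TIMEOUT=no making blocks permanent, and counters lost on restart) as an added worked example. This is illustrative code written for this page, not OSSEC's or ASL's; the function and class names are mine and the IP address is a constructed sample.

```python
"""Active-response block duration under OSSEC_SHUN_TIME, HIDS_SHUN_MULTIPLIER
and OSSEC_SHUN_ENABLE_TIMEOUT as described on this page. Added illustration,
not OSSEC's or ASL's code."""


def shun_seconds(attack_number, shun_time=600, multiplier=3, enable_timeout=True):
    """Seconds an IP is blocked for its n-th attack (1-based) since the daemon
    last started. Returns None for a permanent block (OSSEC_SHUN_ENABLE_TIMEOUT=no)."""
    if attack_number < 1:
        raise ValueError("attack_number is 1-based")
    if not enable_timeout:
        return None                      # blocks never expire
    if multiplier == 0:
        return shun_time                 # multiplier disabled: flat shun time
    # Exponential growth, but the page says growth stops after the fourth attack.
    exponent = min(attack_number, 4) - 1
    return shun_time * multiplier ** exponent


def shun_schedule(attacks, shun_time=600, multiplier=3):
    """Block durations for the first `attacks` attacks from one IP."""
    return [shun_seconds(n, shun_time, multiplier) for n in range(1, attacks + 1)]


class ShunTracker:
    """Per-IP attack counter mirroring the in-memory behaviour described above:
    counters exist only while the daemon runs, so restart() clears them."""

    def __init__(self, shun_time=600, multiplier=3, enable_timeout=True):
        self.shun_time = shun_time
        self.multiplier = multiplier
        self.enable_timeout = enable_timeout
        self.counts = {}

    def record_attack(self, ip):
        """Count one more attack from `ip` and return the resulting block duration."""
        self.counts[ip] = self.counts.get(ip, 0) + 1
        return shun_seconds(self.counts[ip], self.shun_time,
                            self.multiplier, self.enable_timeout)

    def restart(self):
        """Simulate an OSSEC restart: all repeat-offender state is lost."""
        self.counts.clear()


if __name__ == "__main__":
    # Reproduces the worked example on this page: 600, 1800, 5400, 16200, 16200...
    print(shun_schedule(6))
    tracker = ShunTracker()
    sample_ip = "203.0.113.5"            # constructed documentation-range address
    print([tracker.record_attack(sample_ip) for _ in range(3)])
```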
HIDS_LOG_ALERT_LEVEL
Log Alert Level
This controls the minimum level (1-15) an alert will need to be in order to activate a log event. This controls what events are both inserted into the database and logged. Any event below this level will neither be logged nor inserted into the database.
[Default: 1]
HIDS_CLEAN_DIFF
Number of Days to retain File Diff data
HIDS_CLEAN_DIFF: This controls the number of days the File Integrity manager will retain (diff format) changes to files in this directory /var/ossec/queue/diff/. [Default: 60]
Note: Removal of old events occurs nightly. Therefore, if you change this to a lower setting, the older events will be removed within 24 hours of the change.
Internal settings
Note: Do not change these settings unless you know what you are doing. Changing these settings can cause the HIDS to fail to perform correctly.
HIDS_analysisd_default_timeframe
Analysisd: Rule Timeframe
Analysisd default rule timeframe in seconds.
Default: 360
Analysisd: Stats maxdiff
HIDS_analysisd_stats_maxdiff: Analysisd stats maximum diff.
Analysisd: Stats mindiff
HIDS_analysisd_stats_mindiff: Analysisd stats minimum diff.
Analysisd: Stats percentdiff
HIDS_analysisd_stats_percent_diff: Analysisd stats percentage (how much to differ from average)
Analysisd: FTS list size
HIDS_analysisd_fts_list_size: Analysisd FTS list size.
Analysisd: FTS min size
HIDS_analysisd_fts_min_size_for_str: Analysisd FTS minimum string size.
Analysisd: enable firewall.log
HIDS_analysisd_log_fw: Analysisd Enable the firewall log (at logs/firewall/firewall.log)
Logcollector: file loop timeout
HIDS_logcollector_loop_timeout: Logcollector file loop timeout (check every 2 seconds for file changes)
Logcollector: open attempts
HIDS_logcollector_open_attempts: Logcollector number of attempts to open a log file.
Logcollector: remote commands
HIDS_logcollector_remote_commands: Logcollector - If it should accept remote commands from the manager
Remoted: receive counter flush
HIDS_remoted_recv_counter_flush: Remoted counter io flush.
Remoted: compression averages printout
HIDS_remoted_comp_average_printout: Remoted compression averages printout.
Remoted: verify message id
HIDS_remoted_verify_msg_id: Verify msg id (set to 0 to disable it)
Maild: strict checking
HIDS_maild_strict_checking: Maild strict checking (0=disabled, 1=enabled)
Maild: group alerts
HIDS_maild_groupping: Maild grouping (0=disabled, 1=enabled). Groups alerts within the same e-mail. And yes, we know it's spelled wrong.
Maild: Full subject
HIDS_maild_full_subject: Maild full subject (0=disabled, 1=enabled)
Maild: display geoip data
HIDS_maild_geoip: Maild display GeoIP data (0=disabled, 1=enabled)
Monitord: Wait period before compress/sign
HIDS_monitord_day_wait: Monitord day_wait. Amount of seconds to wait before compressing/signing the files.
Monitord: Compress files
HIDS_monitord_compress: Monitord compress. (0=do not compress, 1=compress)
Monitord: Sign files
HIDS_monitord_sign: Monitord sign. (0=do not sign, 1=sign)
Monitord: Monitor Agents
HIDS_monitord_monitor_agents: Monitord monitor_agents. (0=do not monitor, 1=monitor)
Syscheck: Sleep after checksum
HIDS_syscheck_sleep: Syscheck checking/usage speed. To avoid large cpu/memory usage, you can specify how much to sleep after generating the checksum of X files. The default is to sleep 2 seconds after reading 15 files.
Syscheck: Sleep after checksum 2
HIDS_syscheck_sleep_after: Syscheck checking/usage speed. To avoid large cpu/memory usage, you can specify how much to sleep after generating the checksum of X files. The default is to sleep 2 seconds after reading 15 files.
DBD: Max database reconnect attempts
HIDS_dbd_reconnect_attempts: Database - maximum number of reconnect attempts
OSSEC_MODE
Operating mode for OSSEC, can be configured as either 'server' or 'client'. When in client mode you will need to set up the OSSEC key from the command line.
OSSEC_SERVER
IP address of OSSEC server, when this node is configured to be an OSSEC client. Leave this blank if OSSEC_MODE is set to server.
Mod_security configuration
Please see the ASL WAF page for documentation on these settings.
PHP configuration
These settings do not import existing settings. If you already have configured PHP, or are using another tool to do so, those changes will not be displayed by ASL. This option exists for ASL to manage these functions and settings.
Note: If you want ASL to manage these settings do not change them manually in php.ini, and do not use third party tools to manage these settings.
Important Note: When PHP functions are disabled and an application tries to use them, Apache will ONLY log that in the domain's error_log file. It will not log this in the global error_log. Therefore, if you have a PHP application that does not work correctly after changing these settings, please check the affected domain's error_log file. This is the only place that errors involving disabled functions will be logged or reported. They will not show up in the security events window.
PHP_CHECKS
Enforce PHP Security policy
Enable/Disable PHP check enforcement mode. Default: No.
If this is set to "no", ASL will not be configured to manage any PHP settings, and the rest of the PHP settings will have no effect. To enable or disable PHP functions, this must be set to "yes".
Note: Setting this to no will still test for vulnerabilities, but will neither fix them, nor make any changes to your PHP configuration.
PHP_SAFE_MODE
Enable Safe Mode
Enable/Disable PHP Safe_Mode
Note: PHP 5.3 and later has deprecated this feature.
PHP_REGISTER_GLOBALS
Enable/Disable register_globals.
PHP_URL_FOPEN
Enable/Disable url_fopen
Please see this page for information on this function and a serious vulnerability that can be created by allowing this function in PHP:
https://www.atomicorp.com/wiki/index.php/Vuln_php_allow_url_fopen
PHP_URL_INCLUDE
Enable/Disable URL includes
Expose PHP
PHP_EXPOSE_PHP: Enable/Disable expose_php [Default: no]
Display Errors
PHP_DISPLAY_ERRORS: Enable/Disable display_errors [Default: no]
Add X-PHP-Originating-Script to mail() events
PHP_MAIL_XHEADER: Enable/Disable X-PHP-Originating-Script that will include UID of the script followed by the filename. [Default: yes]
ALLOW_curl_exec
Enable/Disable the curl_exec() function
ALLOW_curl_multi_exec
Enable/Disable the curl_multi_exec() function
ALLOW_dl
Enable/Disable the dl() function
Allow Function: escapeshellcmd
ALLOW_escapeshellcmd: Enable/Disable the escapeshellcmd() function
Allow Function: exec()
ALLOW_exec: Enable/Disable the exec() function
Allow Function: ftp_exec()
ALLOW_ftp_exec: Enable/Disable the ftp_exec() function
Allow Function: fsockopen()
ALLOW_fsockopen: Enable/Disable the fsockopen() function
Allow Function: ini_set()
Enable/Disable the ini_set() function
Allow Function: leak()
ALLOW_leak: Enable/Disable the leak() function
Allow Function: passthru()
ALLOW_passthru: Enable/Disable the passthru() function
Allow Function: pcntl_exec()
ALLOW_pcntl_exec: Enable/Disable the pcntl_exec() function
Allow Function: pfsockopen()
ALLOW_pfsockopen: Enable/Disable the pfsockopen() function
Allow Function: phpinfo()
ALLOW_phpinfo: Enable/Disable the phpinfo() function
Allow Function: popen()
ALLOW_popen: Enable/Disable the popen() function
Allow Function: posix_kill()
ALLOW_posix_kill: Enable/Disable the posix_kill() function
Allow Function: mkfifo()
ALLOW_posix_mkfifo: Enable/Disable the mkfifo() function
Allow Function: posix_setpgid()
ALLOW_posix_setpgid: Enable/Disable the setpgid() function
Allow Function: setsid()
ALLOW_posix_setsid: Enable/Disable the setsid() function
Allow Function: setuid()
ALLOW_posix_setuid: Enable/Disable the setuid() function
Allow Function: proc_close()
ALLOW_proc_close: Enable/Disable the proc_close() function
Allow Function: proc_get_status()
ALLOW_proc_get_status: Enable/Disable the proc_get_status() function
Allow Function: proc_nice()
ALLOW_proc_nice: Enable/Disable the proc_nice() function
Allow Function: proc_open()
ALLOW_proc_open: Enable/Disable the proc_open() function
Allow Function: proc_terminate()
ALLOW_proc_terminate: Enable/Disable the proc_terminate() function
Allow Function: shell_exec()
ALLOW_shell_exec: Enable/Disable the shell_exec() function
Allow Function: show_source()
ALLOW_show_source: Enable/Disable the show_source() function
Allow Function: system()
ALLOW_system: Enable/Disable the system() function
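Because ASL enforces these PHP settings rather than importing them, a defender's useful check is whether a php.ini has drifted from the policy. The following is an added example written for this page, not ASL's code: it assumes a KEY="value" layout for /etc/asl/config, assumes that a function is disabled when its ALLOW_<function> key is "no" (with the PHP function name taken from the key suffix), and uses constructed sample data.

```python
"""How PHP_CHECKS, the PHP_* toggles and the ALLOW_* function switches in this
section translate into php.ini directives, and how to spot drift between that
policy and a php.ini. Added illustration, not ASL's code: the KEY="value" layout
of /etc/asl/config and the rule 'ALLOW_<fn>=no disables <fn>' are assumptions."""
import re

# PHP_* toggle -> php.ini directive it controls.
INI_TOGGLES = {
    "PHP_SAFE_MODE": "safe_mode",
    "PHP_REGISTER_GLOBALS": "register_globals",
    "PHP_URL_FOPEN": "allow_url_fopen",
    "PHP_URL_INCLUDE": "allow_url_include",
    "PHP_EXPOSE_PHP": "expose_php",
    "PHP_DISPLAY_ERRORS": "display_errors",
}
TRUTHY = {"on", "1", "true", "yes"}


def parse_asl_config(text):
    """Parse KEY="value" or KEY=value lines (assumed layout); '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^([A-Za-z_]\w*)\s*=\s*"?([^"]*)"?$', line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def php_policy(cfg):
    """Policy derived from the ASL settings, or None when PHP_CHECKS is not "yes"
    (the page: the remaining PHP settings then have no effect)."""
    if cfg.get("PHP_CHECKS", "no").lower() != "yes":
        return None
    disabled = sorted(k[len("ALLOW_"):] for k, v in cfg.items()
                      if k.startswith("ALLOW_") and v.lower() == "no")
    ini = {d: ("On" if cfg[k].lower() == "yes" else "Off")
           for k, d in INI_TOGGLES.items() if k in cfg}
    return {"disable_functions": disabled, "ini": ini}


def parse_php_ini(text):
    """Minimal php.ini reader: 'directive = value', ';' comments, quotes stripped."""
    ini = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            k, v = line.split("=", 1)
            ini[k.strip()] = v.strip().strip('"')
    return ini


def php_drift(policy, ini_text):
    """Compare a php.ini against the policy.
    still_enabled: functions the policy disables that php.ini leaves callable;
    extra_disabled: functions php.ini disables beyond the policy (informational);
    ini_mismatch: toggles whose on/off state differs, as {directive: (live, wanted)}."""
    ini = parse_php_ini(ini_text)
    live_disabled = {f.strip() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    want_disabled = set(policy["disable_functions"])
    ini_mismatch = {d: (ini.get(d), want) for d, want in policy["ini"].items()
                    if (ini.get(d, "Off").lower() in TRUTHY) != (want == "On")}
    return {"still_enabled": sorted(want_disabled - live_disabled),
            "extra_disabled": sorted(live_disabled - want_disabled),
            "ini_mismatch": ini_mismatch}


# Constructed sample data (not from any real system).
SAMPLE_ASL_CONFIG = """# constructed excerpt in the assumed /etc/asl/config layout
PHP_CHECKS="yes"
PHP_EXPOSE_PHP="no"
PHP_DISPLAY_ERRORS="no"
PHP_URL_FOPEN="no"
ALLOW_exec="no"
ALLOW_system="no"
ALLOW_shell_exec="no"
ALLOW_phpinfo="no"
ALLOW_curl_exec="yes"
ALLOW_posix_mkfifo="no"
"""
SAMPLE_PHP_INI = """; constructed php.ini excerpt that has drifted from the policy
expose_php = On
display_errors = Off
allow_url_fopen = Off
disable_functions = exec,system,passthru
"""

if __name__ == "__main__":
    policy = php_policy(parse_asl_config(SAMPLE_ASL_CONFIG))
    print("disable_functions =", ",".join(policy["disable_functions"]))
    print(php_drift(policy, SAMPLE_PHP_INI))
```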
SSH daemon configuration
Also, see the SSH debugging page in case you can't log into your ASL server via SSH.
Note: This does not import existing settings from SSH. The purpose of these settings is to enforce the sshd configuration based on the values set here. Therefore, if you change sshd settings and they do not match what is set in ASL, ASL will set them back to the settings defined in ASL. The use of third party products to change these settings is not supported.
SSH_PROTOCOL
Note: Do not change this setting unless you know what you are doing.
SSH supports several legacy protocols (1 and 1.5), along with the current SSH protocol, 2. Protocols 1 and 1.5 have fundamental weaknesses that can cause SSH sessions using those protocols to be compromised, therefore we recommend you leave the protocol setting at "2".
Default: 2
Custom Port
CUSTOM_SSH_PORT: Use a custom ssh port. [Default: no]
SSH_PORT
This will tell SSH to change its default port of 22 to a different port. If you set this to "no", SSH will use the default port of 22. For example, if you wanted to change SSH's port to "2222" you would enter "2222" in this field.
Default: no
Note: This does not import existing settings. If you already have a custom port set, that port number will not show up here. This option exists for ASL to manage this function; if you do not change this option to a port number, ASL will not make any changes to this option in sshd.
SSH_STRICTMODE
This tells SSH to check the ownership and permissions on SSH public key files. This prevents a user from accidentally setting the permissions on the file so that other users can add their keys to another user's key file. We highly recommend you enable strict modes.
Default: yes
SSH_IGNORE_RHOSTS
This tells SSH to ignore rhosts files. rhosts files tell SSH to trust another host completely, which means a user logging in from that host will not be asked for a password. Allowing rhosts files is very insecure, and we recommend you leave this enabled.
Default: yes
SSH_PUBKEY
This setting tells SSH to allow the use of public keys, instead of passwords, for authentication. Public keys are more secure than passwords, provided that the key itself is protected with a strong password. Keys can provide a cheap two factor authentication system (what you have, and what you know).
Default: yes
SSH_ROOTLOGINS
This setting tells SSH to allow root logins. If you set this to yes, root will be allowed to ssh in, if you set this to no, root will not be allowed to ssh in. We recommend you set this to "no".
Default: yes
Note: ASL will only disable root logins if you have defined a valid ADMIN_USER, and ASL reports that it has confirmed the user is both valid and can log in. Please see this option:
https://www.atomicorp.com/wiki/index.php/ASL_Configuration#ADMIN_USERS
SSH_PASSWORD_AUTH
This enables/disables password authentication via SSH. For this to work, you must define at least one ADMIN_USER. Please ensure you have done so via the ADMIN_USERS option.
Default: yes
Options:
Yes - Allows password authentication
No - Does not allow password authentication, but ASL will check to make sure at least one valid ADMIN_USER exists with keys installed. If one does not, ASL will NOT disable password authentication, and will try to prevent other applications from doing so. This is an important fail safe to prevent accidental lockout from your system.
Override - Does not allow password authentication, but will NOT check to make sure at least one valid ADMIN_USER exists with keys installed. Warning: This will lock you out of your system if you do not have valid key based authentication configured for the system, and ASL will not check to ensure your keys are valid (not recommended; define an ADMIN_USERS instead).
SSH_PRIV_SEPARATION
This ensures that SSH runs with privilege separation.
Default: Yes.
SSH_GSSAPI_AUTH
Default: No.
SSH_GSSAPI_CLEANUP
Default: No.
SSH_BANNER
ASL can configure SSH to display a banner to users when they log in. This tells SSH what file to use for the banner. ASL comes with a standard banner you can use that is provided in the /etc/asl/banner file.
Default: /etc/asl/banner
SSH_USEDNS
SSH_USEDNS: Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is "yes".
Default: yes
SSH_ALLOWAGENTFORWARDING
Default: no
This setting configures SSH to allow agent forwarding. SSH has an optional credential agent that can be used to store a private key, and can respond to a server's requests for key-based authentication without asking the user for a password. The client can forward this agent to other systems, allowing that system to query the user's keys as well should the user attempt to ssh from that server to another system.
This can present a security risk if the server is not completely trusted, as malicious processes can authenticate as the user over this channel and ssh into other systems.
SSH_X11FORWARDING
Default: no
This setting configures SSH to allow X11 forwarding. This will allow the server to communicate with an X11 desktop, which will allow the server to open windows, control the keyboard and otherwise operate on the user's desktop as if it were the user's machine.
This can present a security risk if the server is not completely trusted, as malicious processes can control the user's desktop.
SSH_ALLOWTCPFORWARDING
Default: no
This setting configures SSH to allow port forwarding from a client. This will allow a client to "tunnel" to a port on the server over an SSH connection.
This can present a security risk as this allows users to bypass any firewall policies that would otherwise prevent them from connecting to ports that are blocked.
Rkhunter settings
RKHUNTER_ENABLED
Enable/Disable nightly rkhunter scanning
RKHUNTER_EMAIL
Email address to send rkhunter alerts
Denial of Service
Web DoS module
MODEV_ENABLED: Enable/Disable mod_evasive (DoS protection)
Also, see the Mod evasive page for important documentation about configuring the DoS protection system for Apache.
Hash Table size
MODEV_DOSHashTableSize: The hash table size defines the number of top-level nodes for each child's hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consumes more memory for table space.
Threshold: Same Page count
MODEV_DOSPageCount: Threshold for the number of requests for the same page (or URI) per page interval.
Threshold: Site count
MODEV_DOSSiteCount: Threshold for the total number of requests for any object by the same client on the same listener per site interval.
Threshold: Same Page interval
MODEV_DOSPageInterval: Interval for the page count threshold. [Default: 2]
Threshold: Site interval
MODEV_DOSSiteInterval: Interval for the site count threshold. [Default: 2]
Block period
MODEV_DOSBlockingPeriod: Number of seconds to block a client IP. Clients will be returned a 403 error.
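To get a feel for how the page-count and site-count thresholds interact with their intervals before changing them, the same windowed counting can be run over a request log offline. The following is an added example, not mod_evasive's source: it applies a "more than N hits per client (and URI) inside an interval of I seconds" rule to a constructed log of the form "<epoch> <ip> <uri>", and prints the clients the rule would have caught. The window reset is an approximation of the module's behaviour, and the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not mod_evasive code): replay the DOSPageCount/DOSPageInterval and
# DOSSiteCount/DOSSiteInterval thresholds over a constructed request log.
# Log format (constructed for this example): "<epoch seconds> <client ip> <uri>".

# flag_floods LOGFILE LIMIT INTERVAL MODE -> prints offending client IPs, sorted
#   MODE=page counts hits per (client, uri); MODE=site counts hits per client.
# A client is flagged once its count within the current window exceeds LIMIT;
# the window restarts when INTERVAL seconds have passed since it was opened.
flag_floods() {
    awk -v limit="$2" -v interval="$3" -v mode="$4" '
    {
        ts = $1 + 0
        key = (mode == "page") ? $2 SUBSEP $3 : $2
        # open a fresh window for this key when the previous one has expired
        if (!(key in start) || ts - start[key] >= interval) { start[key] = ts; count[key] = 0 }
        count[key]++
        if (count[key] > limit) flagged[$2] = 1
    }
    END { for (ip in flagged) print ip }' "$1" | sort
}

flag_page_floods() { flag_floods "$1" "$2" "$3" page; }
flag_site_floods() { flag_floods "$1" "$2" "$3" site; }

# Constructed sample: 198.51.100.7 hammers one page, 203.0.113.9 spreads three
# fast requests over different pages, 192.0.2.4 is a normal slow client.
sample_log() {
    cat <<'EOF'
1000 198.51.100.7 /index.html
1000 198.51.100.7 /index.html
1001 198.51.100.7 /index.html
1000 203.0.113.9 /a.html
1000 203.0.113.9 /b.html
1001 203.0.113.9 /c.html
1005 192.0.2.4 /a.html
1009 192.0.2.4 /a.html
EOF
}

demo() {
    tmp=$(mktemp)
    sample_log > "$tmp"
    echo "page count 2 / interval 2:"; flag_page_floods "$tmp" 2 2
    echo "site count 2 / interval 2:"; flag_site_floods "$tmp" 2 2
    rm -f "$tmp"
}
demo
```

With both thresholds at 2 and both intervals at 2 seconds, the page rule catches only the client repeating one URI, while the site rule also catches the client that spread its burst across several URIs; raising the site interval or count is how you trade that sensitivity against false positives on busy legitimate clients.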
Web App Inventory
APPINV_CRON
Interval to run the web application inventory engine. Default is daily.
MySQL Security Settings
Enforce: Mysql security policy
MYSQL_CHECKS: Enable/Disable enforcement mode for Mysql security settings. Setting this to no will implement check-only mode. [Default: yes]
Disable: local-infile
MYSQL_DISABLE_LOAD_DATA: Enable/Disable mysql local-infile [Default: yes]
Log: enable mysql error log
MYSQL_ENABLE_LOG_ERRORS: Enable/Disable mysql /var/log/mysqld.log error log [Default: yes]
Log: enable log warnings
MYSQL_ENABLE_LOG_WARNINGS: Enable/Disable mysql log warnings [Default: yes]
Disable: symbolic links
MYSQL_DISABLE_SYMBOLIC_LINKS: Enable/Disable mysql symbolic links [Default: yes]
Performance: Query Cache
MYSQL_QUERY_CACHE: Mysql query cache settings [Default: 32m]
Note: This must be in multiples of 32, for example 64, 128, etc.
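A check-only pass of the kind MYSQL_CHECKS=no implies can be written as a short audit of my.cnf. This is an added example and not ASL's own checker; it assumes the settings above correspond to the [mysqld] directives local-infile, log-error, log-warnings, symbolic-links and query_cache_size (the page does not show ASL's actual mapping), and the my.cnf it audits is constructed inline. It reports each deviation and returns the number found, and only reads the [mysqld] section so that the same directive in [client] or [mysqld_safe] does not produce a false pass.

```shell
#!/bin/sh
# Added example, not ASL's code: a check-only audit in the spirit of MYSQL_CHECKS=no.
# Assumption: the policy maps to these [mysqld] directives; ASL's real mapping is not on the page.

# mysqld_opt CNF NAME -> prints NAME's value from the [mysqld] section only.
# A bare directive (no "=") prints "1"; an absent directive prints nothing.
mysqld_opt() {
    awk -v name="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        insec && $0 ~ ("^[[:space:]]*" name "[[:space:]]*(=|$)") {
            if ($0 ~ /=/) { sub(/^[^=]*=[[:space:]]*/, ""); print } else print "1"
            exit
        }' "$1"
}

# mysql_audit CNF -> prints one line per policy deviation, returns their count
mysql_audit() {
    cnf="$1"; findings=0
    v=$(mysqld_opt "$cnf" local-infile)
    [ "$v" = "0" ] || { echo "local-infile should be 0 (found: ${v:-unset})"; findings=$((findings+1)); }
    v=$(mysqld_opt "$cnf" log-error)
    [ -n "$v" ] || { echo "log-error is not set, so errors are not logged"; findings=$((findings+1)); }
    v=$(mysqld_opt "$cnf" log-warnings)
    case "$v" in ''|0) echo "log-warnings is off"; findings=$((findings+1)) ;; esac
    v=$(mysqld_opt "$cnf" symbolic-links)
    [ "$v" = "0" ] || { echo "symbolic-links should be 0 (found: ${v:-unset})"; findings=$((findings+1)); }
    v=$(mysqld_opt "$cnf" query_cache_size)
    n=${v%[Mm]}          # accept a plain number or one with an M suffix
    case "$n" in
        ''|*[!0-9]*) echo "query_cache_size missing or unparseable (found: ${v:-unset})"; findings=$((findings+1)) ;;
        *) [ $((n % 32)) -eq 0 ] || { echo "query_cache_size $v is not a multiple of 32"; findings=$((findings+1)); } ;;
    esac
    return $findings
}

# Constructed sample my.cnf; the [client] and [mysqld_safe] sections show that
# a directive outside [mysqld] does not satisfy the check.
sample_cnf() {
    cat <<'EOF'
[client]
local-infile=1

[mysqld]
datadir=/var/lib/mysql
local-infile=1
log-error=/var/log/mysqld.log
symbolic-links=0
query_cache_size=48M

[mysqld_safe]
log-warnings
EOF
}

demo() {
    tmp=$(mktemp)
    sample_cnf > "$tmp"
    mysql_audit "$tmp" || echo "$? setting(s) deviate from policy"
    rm -f "$tmp"
}
demo
```

On the constructed file the audit reports three deviations: local-infile left enabled, log-warnings missing from [mysqld], and a 48M query cache that is not a multiple of 32.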
Plesk Security Settings
Plesk Update policy
FW_PLESK_UPDATES: Enable/Disable Plesk keyserver update firewall policy. [Default: no]
This setting allows the Plesk update process to bypass any firewall rules you may add to the system.
PSA_DISABLE_CRONTAB
This setting will disable the ability to manage cron jobs in Plesk.
Default: No, which means that you can manage cron jobs in Plesk.