ASL FAQ

Atomic Secured Linux Frequently Asked Questions

General Support Questions

How can I buy an Atomic Secured Linux (ASL) license?

To purchase a license for ASL, just visit the Atomic Secured Linux page and click the Buy Now icon, or click on this link.

Can I try Atomic Secured Linux (ASL) before I purchase it?

Absolutely! We offer a free, no-risk, no-obligation 10-day trial. Just click here to get your trial license now!

What is the benefit of Subscribing to ASL?

A: Peace of mind knowing that a team of security experts will work tirelessly to ensure that you have a security solution that will protect your system, and rapid support for all your security needs.

Access to the best Linux security product available, that includes a full SIM with a stand alone web gui, a fully integrated web application firewall, event correlation, intelligent log reduction and alerting, a built in vulnerability scanner with automatic vulnerability repair, virtual patching, compliance monitoring, self healing, anti-spam protection, anti-malware protection, upload malware protection (Web and FTP), realtime malware protection, automatic redaction, a secure and hardened kernel, Stack Protection, Heap Protection, a Role Based Access Control system and many many more features!

And most importantly, full support. If we distribute any component, be it a kernel, rules, modules, etc., we will support issues you may have with your integration, with drivers, etc. We focus on building software such as ASL that works on the widest range of hardware, with the most advanced and modern security features that will work on all platforms. This includes firewall extensions for STEALTH and MATCH support, the strongest stack protection in the world, special defenses against kernel module rootkits, cutting edge countermeasures against the latest threats and more!

With ASL, you won't have to do it all yourself. We're here to help you.

What is the SLA for critical security or support issues in ASL?

If there is a security issue with ASL, in general we will release a fix within 24 hours of the issue being reported to us.

What is included with the support, and what is your approximate response time?

Standard Support

The response time for email-based support for Atomic Secured Linux is the same business day (EST).

Standard support accounts include one support portal account and support for one email contact.

Extended Support

For extended support contract customers, the response time is dictated in the support contract. Extended support customers also enjoy support for multiple contacts, multiple login accounts for the support portal, and phone support.

What are your normal support hours?

Support is provided 24 hours a day.

Do you offer phone support?

Yes, for customers with existing extended support contracts. Please contact sales@atomicorp.com for more information about extended support contracts.

Phone support is not available without an existing extended support contract.

Help! I need help!

See the ASL Support page for instructions on contacting support, opening a case and other tools you can use to get assistance.

I have a false positive, how do I report it?

Solution:

Send the false positive to "support@atomicorp.com" or press the "Report False Positive" button in the ASL GUI. False positives are usually resolved, and an update released, the same day they are reported; during normal business hours this usually happens within a few hours.

You can also follow the Reporting False Positives procedure. That provides detailed instructions about how to report a false positive if you cannot use the GUI, or if you choose to report it from the command line.

MODSEC version is not current. False reporting has been disabled

This means your modsecurity rules are not up to date. Before reporting a false positive, make sure your rules are up to date. To do this, either click on the "Update" button in the ASL web console, or run the command "aum -u" from the command line as root. It's possible your issue has already been addressed, and if not, just update your rules and ASL will let you report the false positive. We'll then get right on it and get you a fix ASAP!

How can I give atomicorp support access to my system?

Answer:

To provide us with access, please follow the process below. Do not send us your root password to log into your system. We do not need it, and we will delete it if you send it to us (we do this for your protection). Just follow the process below, which will provide us with secure access without the need to know your root password.

Step 1) Do not send us your root password to log into your system. We do not need it.

As part of our security policies we will not use passwords to log into your system, and we will not store passwords in our support system. Our policy requires our support engineers to delete this information if you send it to us. Just follow the process below, which will install cryptographically strong keys that we will use to authenticate to your system instead of using a password. This will protect you, as we won't have your root password and no one will be able to steal it from us to access your system.

Step 2) Become root on your system

Type this command:

su -

This will ask for the root password for your system. Type in your root user's password.

Step 3) Run the command below as the root user to install our SSH public keys, which will allow us to log into your system securely

wget -q -O - https://updates.atomicorp.com/installers/key |bash

Note: You must have a version of wget installed that supports HTTPS.

If you do not see any output from this command it is likely wget on your system was replaced with a crippled version that does not support SSL. Please see this article to test if your wget supports SSL:

https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#wget

If you've done this before and we've asked you to do this again, please run the key installer again. We change our keys regularly for security reasons, so it's vital you have the latest keys installed on your system. We won't be able to log in otherwise.

Step 4) (Optional) Add to AllowUsers in sshd_config

If you use ASL's admin user feature, or use sshd's AllowUsers feature, make sure you add the "atomic" user to the allowed users. If our tool does not add the user "atomic", that is because you allow root logins, and the tool will simply add our keys to the root account.

Step 5) Configure your firewall to allow access

If you need to open firewall access, please see the email sent with the IPs we will be logging in from.

Step 6) If this is for a new install, please follow the additional instructions in that email. We may need additional information.

If this is for an installation, please make sure you follow the installation email's instructions.

Step 7) Send us the IP address and SSH port for the system

And finally, remember to send an email to support AT atomicorp DOT com with the IP address(es) of the system(s) you want us to log into, and if you run SSH on a non-standard port please include that information as well.

If you have sent this information to us in the past, please make sure you send it with any new request. As part of our procedures, our support team must confirm the IP address for each request before logging into any system as an important safeguard to ensure we are accessing the correct system, and have permission to do so.

Can I just set up access myself?

Yes, although as an internal policy we do not allow our support engineers to use customer passwords. That prevents your passwords from being recorded in our systems, preventing any accidental exposure of those passwords. We recommend you use the process above, but if you are able to set up SSH key based access yourself, you can download our keys from the URL below:

https://www.atomicorp.com/authorized_keys

How can I verify the integrity of the ssh keys?

The installer will download the keys over a TLS encrypted channel. Each member of our support team has a unique key; we do not use shared keys or credentials. Therefore, you will see a number of keys downloaded.

You can check the integrity of the authorized_keys file, by downloading this file:

https://www.atomicorp.com/authorized_keys

And its SHA512 message digest file:

https://www.atomicorp.com/authorized_keys.sha512
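
One way to do the manual setup and the digest check together, as an added example (not Atomicorp's installer). It assumes the first field of the .sha512 file is the hex digest and that the "atomic" account already exists; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify authorized_keys against its published SHA-512 digest
# before installing it by hand. The digest is served from the same host as
# the keys, so a match shows the download is intact, not who published it.

KEYS_URL="https://www.atomicorp.com/authorized_keys"
DIGEST_URL="https://www.atomicorp.com/authorized_keys.sha512"

# Assumption: the first whitespace-delimited field of the digest file is the
# hex digest (true for sha512sum output and for a bare hex string).
expected_digest() {
    awk 'NF { print tolower($1); exit }' "$1"
}

actual_digest() {
    sha512sum "$1" | awk '{ print $1 }'
}

# digest_matches <keys-file> <digest-file>
# Succeeds only if the expected value is 128 hex characters and matches.
digest_matches() (
    want=$(expected_digest "$2")
    got=$(actual_digest "$1")
    printf '%s\n' "$want" | grep -Eq '^[0-9a-f]{128}$' && [ "$want" = "$got" ]
)

# Number of plain "type base64 comment" public key lines.
count_keys() {
    awk '$1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/ && $2 ~ /^AAAA/ { n++ }
         END { print n + 0 }' "$1"
}

# Number of non-comment lines that are not plain keys (for example entries
# carrying options such as command= or from=). Review these before installing.
count_other_lines() {
    awk 'NF && $1 !~ /^#/ &&
         !($1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/ && $2 ~ /^AAAA/) { n++ }
         END { print n + 0 }' "$1"
}

# install_keys <verified-keys-file> <home-dir> [owner]
# Overwrites <home-dir>/.ssh/authorized_keys, so use it for the dedicated
# "atomic" account, not for an account that already holds your own keys.
install_keys() (
    sshdir="$2/.ssh"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" &&
        install -m 600 "$1" "$sshdir/authorized_keys" || exit 1
    if [ -n "${3:-}" ]; then chown -R "$3:" "$sshdir"; fi
)

# Run as root with --fetch to download, verify and install.
if [ "${1:-}" = "--fetch" ]; then
    home=$(getent passwd atomic | cut -d: -f6)
    [ -n "$home" ] || { echo "no 'atomic' account on this system" >&2; exit 1; }
    tmp=$(mktemp -d) || exit 1
    wget -q -O "$tmp/keys" "$KEYS_URL" &&
        wget -q -O "$tmp/keys.sha512" "$DIGEST_URL" ||
        { echo "download failed (does wget support HTTPS?)" >&2; exit 1; }
    digest_matches "$tmp/keys" "$tmp/keys.sha512" ||
        { echo "SHA-512 mismatch, not installing" >&2; exit 1; }
    echo "digest OK: $(count_keys "$tmp/keys") keys," \
         "$(count_other_lines "$tmp/keys") other lines"
    install_keys "$tmp/keys" "$home" atomic
fi
```
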

Can I set a password for the atomic account?

Yes. We do not use passwords to log into the system; we use SSH keys only. By default, SSH will not allow password authentication to accounts without passwords (it will require SSH keys instead). So unless you have configured your system to allow empty passwords, it is not necessary to do this.

However, if you do this, you will need to let us know what the password is so that we can use sudo.

How can I remove atomicorp access to my system?

If you followed the process above, just remove the "atomic" user when you are finished, or if you allow root ssh login access then you will need to remove our ssh keys from the /root/.ssh directory. The script above will not provide us with any passwords to your system, it will simply install our keys as the "atomic" user (or if you allow root access, as the "root" user). Removal of those keys will also remove our access to the system.
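
For the root-login case, an added example (not part of the Atomicorp tooling) that strips the support keys from an authorized_keys file while leaving your own entries in place. It assumes you have a local copy of the published authorized_keys file and that sshd uses the default /root/.ssh/authorized_keys path; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: remove every entry whose key material appears in the vendor
# key file. Matching is done on the base64 key blob, so an entry is still
# found if its comment was changed or options were put in front of it.

# vendor_keys_present <vendor-keys-file> <authorized_keys-file>
# Dry run: prints how many lines of the target carry a vendor key.
vendor_keys_present() {
    awk -v vendor="$1" '
        FILENAME == vendor {
            for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) drop[$i] = 1
            next
        }
        { for (i = 1; i <= NF; i++) if ($i in drop) { n++; break } }
        END { print n + 0 }' "$1" "$2"
}

# remove_vendor_keys <vendor-keys-file> <authorized_keys-file>
# Rewrites the target without the vendor keys and keeps the previous
# contents in <authorized_keys-file>.bak.
remove_vendor_keys() (
    vendor=$1
    target=$2
    [ -f "$vendor" ] && [ -f "$target" ] && [ "$vendor" != "$target" ] || exit 1
    tmp=$(mktemp "$target.XXXXXX") || exit 1
    awk -v vendor="$vendor" '
        FILENAME == vendor {
            for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) drop[$i] = 1
            next
        }
        {
            for (i = 1; i <= NF; i++) if ($i in drop) next
            print
        }' "$vendor" "$target" > "$tmp" || { rm -f "$tmp"; exit 1; }
    cp -p "$target" "$target.bak" && chmod 600 "$tmp" && mv "$tmp" "$target"
)

# Usage: sh remove_keys.sh ./authorized_keys /root/.ssh/authorized_keys
if [ $# -eq 2 ]; then
    echo "vendor keys found: $(vendor_keys_present "$1" "$2")"
    remove_vendor_keys "$1" "$2" || { echo "removal failed" >&2; exit 1; }
    echo "vendor keys left:  $(vendor_keys_present "$1" "$2")"
fi
```

Because the support keys are changed regularly, the currently published file may not list keys installed during an earlier request, so review the remaining entries by hand.
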

Where's the ASL Web GUI?

You can access it on your system at this URL (change www.example.com to either your system's name or IP address)

https://www.example.com:30000

Make sure your firewall is configured to allow access to the TCP port 30000.

Does ASL have any PHP dependencies?

No. ASL uses its own PHP libraries, which are installed in /var/asl and have nothing to do with the system's PHP libraries.

The ASL PHP libraries rpm packages will start with the name "asl-". Do not change the ASL PHP rpms; they are only used by ASL.

Does ASL install PHP on my system?

No. ASL will not install, replace, upgrade, change or remove PHP on your system.

Does ASL replace PHP on my system?

No. ASL will not replace, install, upgrade, change or remove PHP on your system.

What are the asl-php rpms?

ASL has its own, independent PHP engine that is only used by the ASL web console daemon, tortixd, to power the ASL web console. ASL does not use your operating system's PHP installation, and ASL's independent PHP engine is not used by your web server, web applications or operating system. ASL will not remove, replace, modify, upgrade or otherwise change your existing PHP installation. The asl-php RPMs are a completely separate, independent, isolated PHP engine that is not used by your operating system or web server (apache, nginx, litespeed or any other web server), nor will they have any effect on any other application on your system, including any web or PHP applications.

These rpms will not and do not have any effect on your operating system; they are only installed in /var/asl and are only used by ASL.

The ASL PHP libraries rpm packages will always start with the name "asl", for example:

asl-php-cli-5.4.17-15.el6.art.x86_64
asl-php-5.4.17-15.el6.art.x86_64
asl-php-process-5.4.17-15.el6.art.x86_64
asl-php-gd-5.4.17-15.el6.art.x86_64
asl-php-pecl-apc-3.1.13-4.el6.art.x86_64
asl-php-common-5.4.17-15.el6.art.x86_64
asl-php-mysqlnd-5.4.17-15.el6.art.x86_64
asl-php-pdo-5.4.17-15.el6.art.x86_64

Do not change, remove, configure, block the installation or upgrade of, or otherwise modify the ASL PHP rpms or their configuration files. They are only used by ASL for its web console.

If you are having problems with your operating system's PHP, web server's PHP handler, web server's PHP applications or other PHP applications: ASL did not install, upgrade, replace, configure or remove any part of your system's or web server's PHP installation. Contact your PHP vendor for assistance.

My system has experienced a kernel panic.

Solution:

We have documented several issues that may cause kernel panics on the wiki along with solutions in the Kernel_Panic article.

What should I do if I believe a system has been compromised?

Answer:

First, stop and ask yourself what you want to do. Do you want to prosecute or do you want to just find the problem and fix it? This is a critical question you have to ask yourself because if you want to prosecute you must preserve evidence, and the actions you take to fix the intrusion may destroy or make that evidence inadmissible. If you want to prosecute, contact us to discuss your situation as you may need professional help to build a case. Also, if you choose to prosecute, you should know that in some jurisdictions the personnel working on your case may need special licenses to do this, otherwise they may be committing a felony (Michigan for example requires a Private Investigator license to perform computer forensics that will be used in court, failure to have this license is a felony.)

If you want to find out what happened and just clean up, please continue with this checklist.


First, start with the simple case: the compromise may have occurred by the attacker simply stealing a user's password and logging into the system. We have put together a wiki article that provides guidance here for those cases:

Compromised System: FTP

If you know that an attacker did not simply log into the system with stolen credentials please read this Wiki article:

Compromised System

In most cases we have seen, attackers are stealing users' passwords and keys via keyloggers and trojans and just logging in. In those cases, there is no technical vulnerability in your system; the issue lies with your users and their computers. So, check your logs first to see if someone simply logged into your account or your users' accounts. You'd be surprised at how often we see that happen.
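
A starting point for that log check, as an added example that is not taken from the linked wiki articles. It summarises successful sshd logins per account, method and source address; the log lines are constructed, the function names are hypothetical, and FTP daemons log in their own formats that this does not parse.

```shell
#!/bin/sh
# Added example: list successful SSH logins from an sshd auth log and point
# out accounts whose password logins arrived from more than one address.

# Constructed sample input in the standard OpenSSH syslog format.
sample_log() {
    cat <<'EOF'
Mar  3 02:11:40 web1 sshd[4121]: Failed password for root from 203.0.113.99 port 51514 ssh2
Mar  3 09:02:13 web1 sshd[5530]: Accepted publickey for bob from 192.0.2.10 port 40112 ssh2: RSA SHA256:constructed
Mar  3 09:15:47 web1 sshd[5581]: Accepted password for alice from 203.0.113.7 port 50022 ssh2
Mar  3 18:44:02 web1 sshd[7013]: Accepted password for alice from 203.0.113.7 port 50391 ssh2
Mar  4 03:27:55 web1 sshd[9120]: Accepted password for alice from 198.51.100.23 port 33810 ssh2
Mar  4 03:30:10 web1 sshd[9177]: Invalid user admin from 198.51.100.23 port 33990
EOF
}

# accepted_logins [logfile...]
# Prints one line per (user, method, source IP): "user method ip count".
# Reads standard input when no file is given.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             # Locate the word "Accepted"; the fields after it are
             # <method> for <user> from <ip> port <n> ...
             for (i = 1; i <= NF; i++) if ($i == "Accepted") break
             seen[$(i + 3) " " $(i + 1) " " $(i + 5)]++
         }
         END { for (k in seen) print k, seen[k] }' "$@" | sort
}

# multi_source_password_users [logfile...]
# Accounts with password logins from more than one distinct address. Not
# proof of compromise, but these are the logins to confirm with the user.
multi_source_password_users() {
    accepted_logins "$@" |
        awk '$2 == "password" { n[$1]++ }
             END { for (u in n) if (n[u] > 1) print u }' | sort
}

# --demo runs on the constructed sample; any other argument is a log file.
if [ "${1:-}" = "--demo" ]; then
    sample_log | accepted_logins
    echo "password logins from multiple addresses:"
    sample_log | multi_source_password_users
elif [ -n "${1:-}" ]; then
    accepted_logins "$@"
fi
```

On the RHEL and CentOS systems ASL supports, sshd authentication messages are written to /var/log/secure by default.
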

If you find yourself in this situation, we recommend you explore two-factor authentication options such as SecurID, OTP generators on your cell phone (not on your computer; if the computer has been compromised, so has the OTP!) and other hardware tokens.

You can also use an operating system that is more secure for your desktop such as Linux, Solaris, BSD or MacOS.


Do you have pre-defined access policies, or do we have to configure these policies?

A: Yes, currently we use Trusted Path Execution (TPE), and the untrusted users group by default. Members of the untrusted users group can only execute commands owned by root. In addition, non-root users can only see processes owned by them. Grsec has an additional RBAC and Process ACL system available.

How long are major releases supported?

ASL major releases (3.x, 4.x, 5.x) are supported for three (3) months after a new major release is made available. For example, when ASL 4.0 was released on March 19th, 2014, ASL 3.x was scheduled for End of Life (EOL) on June 19th, 2014.

Life Cycle

License questions

How can I upgrade a trial?

Just log into the license manager using the same credentials you used to setup your trial and purchase a license. You don't need to do anything else. The system will automatically convert your system from a trial to a full license, and you won't have to reinstall or install anything.

You can access the license manager at the URL below:

https://atomicorp.com/amember/member

VPS licenses

Different machines with a VPS license pack

Question: Do the VPS licenses need to be used on one physical machine or can the VPS boxes be located on different physical machines in different locations?

They can be located on different physical machines in different locations, or on the same machine.

Purchasing additional licenses

Question: If we use more than 5 licenses, do we have to add additional licenses 5 at a time, or can we add just 1 at a time after we purchase the initial 5?

You can add single licenses through the license manager.

Do VPS licenses include support for the kernel?

VPS licenses do not include support for the kernel. If you want to use the secure ASL kernel, then you must purchase a full ASL license.

Reverse Proxying

Can I use ASL as a reverse proxy for my other servers?

Yes. However, you must purchase a reverse proxy license for this to work in ASL.

If you wish to use ASL as a reverse proxy for other servers, please contact us for support and a license.

Atomic Secured Linux Compatibility Questions

Linux Distributions

What Linux distributions do you support?

As of September 2017, ASL v5.5 is officially supported with the following Linux distributions:

  • Centos 6
  • Centos 7
  • Redhat Enterprise Linux 6
  • Redhat Enterprise Linux 7
  • CloudLinux 6
  • CloudLinux 7
  • Amazon EC2 (We support RHEL and Centos on EC2, we do not support AMI and other customized distributions)

Beta versions are unsupported. (If you are looking for documentation for the newest release of ASL, AP v.6, please see this link for documentation: https://docs.atomicorp.com/AED/Atomic_Secured_Linux.html )

For other platforms, please see our rules only product at the URL below. The rules only product will protect your web applications from attack. More information is available at the URL below:

https://www.atomicorp.com/amember/cart/index/search?q=rules

Note: ASL requires software package management, which all of the supported operating systems provide. If package management has been disabled on your system, you will not be able to install ASL. Older versions of these distributions are not supported.

Please note that when an operating system or distribution is no longer supported by the vendor we also no longer support that operating system unless you have an extended support contract from us, for that platform. Please contact sales@atomicorp.com if you need an extended support contract.

Is ASL compatible with AWS instances?

Absolutely. ASL is fully supported on AWS, including the secure kernel.

What database servers do you support?

Please see this article:

https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#Database

ASL does not support my version of my operating system

We support versions of operating systems per the list above, and of those we only support operating systems which are still supported by the OS vendor.

We do this because of the serious security issues associated with running an operating system that is no longer supported, as well as the problems associated with lack of bug fixes for platforms that have been abandoned by their vendors. For example, if a serious vulnerability were to be discovered in openssh and there was no patch for your system, ASL may not be able to protect your system adequately. Some vulnerabilities are beyond even our capabilities to defend against. We are always looking out for your security, and unsupported OSes are a serious risk to operate.

For newer versions of operating systems we work as fast as possible to support these new distributions.

Do you support custom builds of apache, or other custom non-standard Linux distributions or hybrids?

Yes, only through extended support contracts. If you do not have an extended support contract there is no support. Please contact sales@atomicorp.com and we can put together a proposal for your project and price out ongoing support for your custom configuration.

What browsers does the ASL GUI work with?

Supported browsers are:

Browser              Minimum Version Required
Firefox              3.5
Internet Explorer    8.0
Safari               5.1.7
Opera                11.50
Chrome               30

Databases

Please see the Supported MySQL versions article.

Control Panels

Does ASL require a control panel?

No, ASL does not require any control panel product (Plesk, Cpanel, etc.). You can use ASL with, or without a control panel. If you do use a control panel, ASL works with all major control panels, and the specific list of supported configurations is provided below.

Plesk

Does ASL work with Plesk?

Absolutely! Atomicorp was founded by two Plesk founders. You won't find a security company that knows more about Plesk, or cares more about making security products that work with Control Panels like Plesk. ASL works with all Plesk versions from 9 all the way up to the latest version of Plesk, 12.

Can you use ASL without Plesk?

Answer:

Yes, ASL uses its own GUI and does not require any control panel to work.

Will I lose any functionality in Plesk if I use ASL?

No. ASL will only add new functionality to your system.

If predefined, will your policy fit into a Plesk system, since Plesk uses its own chroot enforcement on some daemons?

Atomicorp was founded by Plesk founders. ASL is designed to integrate in that environment and with other control panels too.

Directadmin

Yes. ASL works with and is supported with Directadmin.

Note: If you are not using the system's RPMs, and are using a custom built Apache, then you will need to use the currently beta version of ASL for custom Apache environments. You can read more about it here:

https://www.atomicorp.com/forums/viewtopic.php?f=21&t=4828

When you have a custom non-rpm managed Apache install use the installer in the link above.

Virtualmin

ASL works with Virtualmin and is a supported configuration. Please see the Virtualmin page for any notes on using ASL with this product.

CPanel

ASL works with CPanel and is a supported configuration. Please see the Cpanel page for any notes on using ASL with this product.

Interworx

ASL works with Interworx and is a supported configuration. Please see the Interworx page for any notes on using ASL with this product.

Virtualization Technology

Please see this article for the up-to-date chart of supported virtualization technologies: ASL 3.0 Virtualization Notes

Web Servers

Apache

Please see the URL below for the current list of supported versions of Apache:

https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#Apache

LiteSpeed

Yes, Litespeed is supported with ASL. Please see the Litespeed article for details.

nginx

ASL is supported with Nginx. Please see the Nginx wiki article for detailed information on Nginx WAF configuration requirements.

Web Applications

ASL works with any web application.

Third Party Firewalls

Is ASL supported with third party firewalls installed on the server?

Please see the ASL prerequisites page:

https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#firewalls

PHP libraries

IonCube

ASL works with IonCube.

Please see the PHP segfaults article if you experience a segfault with Ioncube loaded. This simply means that Ioncube is misconfigured to operate in a highly insecure manner, and this article provides instructions about how to fix this vulnerability in your system.

Zend Optimizer

ASL works with Zend Optimizer.

Please see the PHP segfaults article if you experience a segfault with Ioncube loaded. This simply means that Ioncube is misconfigured to operate in a highly insecure manner, and this article provides instructions about how to fix this vulnerability in your system.

General Compatibility questions

Is IPv6 supported?

Not at this time.

Additionally, ASL does not load any IPv6 network modules by default. Therefore, if you must use IPv6, you will need to ensure the modules are loaded on boot before S99 (when ASL locks the kernel).

Again, if you must use IPv6, please know that IPv6 is not supported with ASL at this time.

Does ASL work with X11/Xorg?

Yes, ASL works with X. To configure ASL with X, please see the X with ASL article.

Is ASL compatible with ConfigServer?

ASL does not support any of the ConfigServer products, and CSF (ConfigServer Firewall) in particular is known to cause major compatibility issues on a server running ASL. ASL is a complete stand-alone security product, which includes a powerful firewall, and you do not need to run any additional security software, including CSF, in conjunction with ASL.

Does ASL support ipset?

Yes, ASL supports ipset as of version 4.0 of ASL. To enable it, just set "FW_ENABLE_IPSET" to "yes" in the configuration screen.

Installation Questions

General Installation Questions

Is ASL easy to install?

ASL was designed to be easy to install and use. You just run one command and the ASL installer will walk you through questions to configure itself for your unique needs. Just follow the instructions on the ASL installation page.

If you have any questions, please contact us. We're always happy to help our customers.

Is ASL safe to install?

Yes. ASL was designed for high SLA environments and comes with robust support from a company that understands the needs of high SLA environments. ASL has numerous fail safes built into it to make it both easy to install and safe to use. For example, if ASL detects that your kernel has an error on boot, it will reboot the system into the last known working kernel. This is a feature no Linux distribution includes, so installing ASL will actually make your system more stable and more reliable.

ASL is also easy to uninstall, and is designed to work with your existing operating system and not replace any core components.

Will ASL replace core components of my system?

No. ASL will install additional software on your system, and will not replace anything, including the kernel.

Does ASL need to be installed on a system before Plesk/Cpanel/etc. is installed?

No, ASL can be installed on a system that already has Plesk, Cpanel or any other control panel installed. ASL does not require a bare system, and is designed to be installed into already operating systems that have been configured for use, and have third party software already installed. ASL is an enhancement and can be installed on any supported Linux system.

Does installing ASL require any downtime?

No, ASL does not require you to take your system down. It is designed to be installed on running systems. You will want to reboot the system into the secure kernel, but you can do that any time. ASL will operate normally without the secure kernel, and does not require it to function, however without the secure kernel you will still be vulnerable to the same kernel level weaknesses and vulnerabilities that exist in all non-ASL kernels. Therefore, we recommend that you run the secure kernel, which will require a reboot.

I just purchased an installation from you, what now?

In order for us to conduct your installation, we will need you to open up a case with Support with the following information:

1) Confirmation, from you, that the system meets all the minimum requirements for ASL:

https://www.atomicorp.com/wiki/index.php/ASL_prerequisites

Please be sure to read the entire article, as this may include that you make certain updates to the configuration of your system. We are not permitted to make these changes to your system.

2) Access to the system

Please follow this process at the link below to provide us with access:

https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_can_I_give_atomicorp_support_access_to_my_system.3F

If you have done this in the past, please follow the process again as we do regularly change our SSH keys for security reasons, and the keys on your system may no longer be valid.

3) The IP address and SSH port for the system.

As part of our procedures, we must confirm the IP address for each request as an important safeguard to ensure we are accessing the correct system, and have your permission to access the system.

4) The mysql root (or admin) password for the system.

If you are using Plesk or CPanel we generally can perform the install without this information, in most cases ASL can find this information from the control panel. In some cases though this information may not be available from the control panel, so please provide this information just in case this is the case for your system.

If we run into a condition where the mysql root (or admin) credentials are not available, we will not be able to perform the installation. So please provide them just in case.

5) Your Atomicorp License Manager Credentials

We need the username, and password you used to setup your account with us.

6) If you have specific IPs you would like whitelisted, please provide us with the list, with a single space between each IP (example: x.x.x.x y.y.y.y z.z.z.z). Please note, ASL only supports IPv4 addresses at this time.

7) We will attempt to install the product. In the event we encounter difficulties due to unusual software/hardware configurations, we will attempt to contact you for further information. Due to our high customer volume, timely response is necessary (within 30 minutes), or we reserve the right to reschedule the installation.

CS4 and ASL

Is it OK to install CS4 with ASL?

Answer: Just say "no" when it asks if you want to download and install clamd when you run the installation script. ASL already provides clamd.

Does ASL work with PHP sites running under fast_cgi?

Yes, ASL works with systems using fcgi, suphp, and itk. It also works just fine with systems that use none of these. ASL integrates fully and safely into Apache.

Is mod_ruid2 supported?

Partially, when using ASL. If you are using a third party modsecurity build, this is not supported as it will not contain the necessary patches to make mod_ruid2 work correctly with mod_security.

If you are using the latest version of ASL, you will be able to use mod_ruid2 provided you do not enable any rules that use mod_security's DBM system. This includes the advanced rules, and the search engine protection rules. Specifically, mod_ruid2 is not compatible with the security model mod_security uses to create, write and store its DBM files. mod_ruid2 will attempt to save these as the user of the context apache is currently running as. This causes problems for the DBM databases, as they are global databases and not per user databases. This breaks the DBM collection tracking system.

Therefore, you cannot use these types of rules with mod_ruid2.

For third party builds, you will also encounter these issues, which will make mod_ruid2 fail to work correctly at all:

1) Under heavy load, mod_ruid2, when used with mod_security, can cause a crash. Specifically, mod_ruid2 can cause an AcceptMutex to be held by another UID, and this will cause Apache to crash.

2) mod_ruid2 is not compatible with the security model mod_security uses to create, write and store its log, audit and DBM files. mod_ruid2 will attempt to save these as the user of the context apache is currently running as. This causes problems for the DBM databases, as they are global databases and not per user databases. This breaks the DBM collection tracking system. Storing the logs as the user of the apache context can be insecure, as it can make it possible for an attacker to delete or modify the logs, preventing security tools from using these logs to make decisions about possible attacks and compromises of the system. In general, logs that contain security information should not be stored as the user carrying out the attack for this reason. Modifying logs is a well known method for covering up attacks and compromises.

Does ASL work with PHP sites running under suphp?

Yes, ASL works with systems using suphp, fcgi, and itk. It also works just fine with systems that use none of these. ASL integrates fully and safely into Apache.

How easy is it with ASL to debug and use modsecurity?

Very easy. ASL includes an easy to use web based graphical interface that allows you to view alerts, modify rules, and report false positives all with one click. We typically can resolve a false positive in less than one hour when reported through the ASL Web interface.

If I face problems with the installation/setup of ASL do you provide support?

Absolutely! We fully support all our products. ASL licenses come with email and web based support, using an easy to use case and bug management system that is associated with your account. You can log in through our support portal directly from the atomicorp website, or via email. Phone support is also available with an extended support contract.

What are the minimum system requirements for ASL?

If all of the ASL security features are turned on, we recommend that your system have a minimum of 1GB of RAM. ASL includes advanced web application and antispam security features that do best with this minimum requirement.

Our servers run without issue with 2GB of RAM on Dual Core P4s or single core AMD 64bit CPUs.

I also had previously installed rkhunter and chkrootkit, should I have uninstalled those prior to installing ASL?

If you installed these via the package management system in your OS, no. If you installed these via source, you should remove them.

What is the performance impact of using ASL on a system with 700-1000 domains per server?

A: The secure kernel operates with around 3-5% of additional overhead on Intel processors. AMD processors implement in hardware the features we emulate on Intel processors, so there is no additional overhead.

Is there an install log for ASL?

Yes, the ASL installation will generate this log file:

/tmp/tortix-install.log

What are testing channels for?

Answer:

For the ASL channels:

Beta releases.

Please keep in mind that testing channels are not supported.

For the Free Atomic Channels:

This is for software that may be of beta quality, but has not been evaluated for security or stability issues. It may also contain rpms that are experimental or buggy and are parked here to allow other researchers to experiment with this software.

Please keep in mind that the atomic channels are not supported. The Atomic repository provides free software.

What are bleeding channels for?

Answer:

Alpha and less releases. You shouldn't use bleeding code unless you are prepared to roll up your sleeves and debug the builds. They are also not supported.

Installation Errors

Please see the ASL error messages page.

HTTP Error 401: Authorization Required Trying other mirror.

Please see this article:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#HTTP_request_sent.2C_awaiting_response..._401_Authorization_Required

"How to" installation questions

How do I install ASL?

Just follow the instructions on the ASL installation page.

How can I reinstall ASL?

The cleanest way to reinstall ASL is to first uninstall it, then run the installer again. The process is:

Step 1) Run this command as root (do not use sudo, you must be root to run this command):

/var/asl/lib/uninstall

Step 2) Then install ASL fresh by following the instructions on the ASL installation page.

How can I disable ASL?

Step 1) Disable mod_security

mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled

Step 2) Disable mod_evasive

mv /etc/httpd/conf.d/mod_evasive.conf /etc/httpd/conf.d/mod_evasive.conf.disabled


Step 3) Disable mod_sed

mv /etc/httpd/conf.d/00mod_sed.conf /etc/httpd/conf.d/00mod_sed.conf.disabled

Step 4) Disable OSSEC

/etc/init.d/ossec stop

Step 5) Disable clamd

/etc/init.d/clamd stop

Step 6) Restart apache

(Use your method of choice, this is just an example)

/etc/init.d/httpd restart

Step 7) Remove the hardened proftp

 yum remove psa-proftpd-1.3.2a-1.el5.art

Step 8) Boot into a non-ASL Kernel

Configure your system to boot into a non-ASL kernel.

Step 9) Reboot

 reboot

Also, it's important to recognize that ASL is a threat manager that repairs vulnerabilities on your system. Disabling ASL will not undo any vulnerability repairs you have instructed ASL to fix. If you want to undo a vulnerability repair in ASL, do not uninstall ASL. Simply change the action in the ASL GUI and run ASL in Fix mode to undo the repair.

How do I remove or uninstall ASL?

Answer for ASL 4.x - 5.x:

Just run this command as root:

 /var/asl/lib/uninstall

Do not use any other method to uninstall ASL.

Note: Because the ASL uninstaller is just that, an uninstaller, it is also designed to remove the ASL kernel. Before you reboot, you must check that you have a working non-ASL kernel installed on the system, or you will not be able to reboot your system.

ASL will not remove any non-ASL kernels, ever. It won't remove existing kernels on install or during uninstall. It also won't install or upgrade non-ASL kernels. So for most users this isn't an issue; however, if you have removed your non-ASL kernels or do not have a working non-ASL kernel on your system, then you won't be able to boot your system. Please contact your OS vendor for assistance with re-installing their kernel if you have removed it.

If you have an incomplete installation, and are missing the uninstaller, you can also download and locally run (as root) the uninstaller from this URL: https://updates.atomicorp.com/installer/uninstall

How do I upgrade from asl-lite?

asl-lite was a free unsupported rule updater tool (it has been discontinued, and has been replaced with aum).

To install ASL on a system that had asl-lite installed you will need to remove asl-lite, and the asl-lite configuration directory:

Step 1)

If your system is package managed, then asl-lite should be installed via yum. To uninstall asl-lite run this command as root:

yum remove asl-lite

If your system is not package managed, then you will need to manually remove asl-lite yourself.

Step 2)

Remove the asl-lite configuration directory:

rm -rf /etc/asl

Step 3)

You will also need to remove your manual installation of modsecurity and its configuration files. As this is a process that is unique for every user, it's not possible to provide precise directions for doing this. In general, you will want to remove the modifications you made to your Apache configuration to enable modsecurity.

If you run into any issues upgrading to ASL, please contact support.

SSH

How can I enable password based authentication?

Step 1) Log into ASL

Step 2) Click on the "Configuration" tab

Step 3) Select "ASL Configuration"

Step 4) Scroll down to "SSH daemon configuration"

Step 5) Change SSH_PASSWORD_AUTH to "yes"

Step 6) Click the update button

How can I migrate ASL to a new server?

Regarding your ASL license, you don't need to do anything special. The licensing manager will allow you an additional install on one (1) test or development server, so from a licensing point of view you don't need to do anything special.

Regarding migration, we recommend you install ASL on the new system and run through the entire configuration process. If you want the ASL configuration to use your other system's configuration, then just copy over the /etc/asl/config file to your new system to migrate your settings. Double-check them manually to make sure you have everything set up for your needs. If you copy over your config, you're basically telling the new server to be completely identical to the old one, and that may not be exactly right for you.

Once you copy over the config and have everything setup as you want then run this command as root:

asl -s -f

Updates and Upgrading ASL

Signatures & Modules window

The Signatures & Modules window lists the state of all ASL components, such as if they are active, inactive or have updates waiting.

Green: Component is active and up to date.

Yellow: Component is active, but updates are available such as rule, signature or software updates. To force an update just click the "Updates Available" link, or you can wait for ASL to install the updates automatically based on your configuration. (Please see the FAQ below on configuring automatic updates, ASL is configured by default to automatically update all its components).

Red: Component is inactive, either because it has been disabled, or is not installed. For example, if the system is not using the ASL kernel the "Kernel Protection" will show as red. Or if a component has been uninstalled or otherwise removed, such as if mod_security was removed from the system, WAF will show as red. ASL looks at the actual condition of the system and reports its state in this window. This is a "fail safe" to ensure that the actual state of the system is reported to the user: even if the configuration is set to one state, ASL will independently check the system to see if it really is in this state.

Will ASL automatically update the rules and signatures?

Yes, by default it will do this daily. ASL will update all the rules and signatures available automatically. Occasionally you may see ASL report that updates are available. ASL will install these updates for you at the next scheduled interval you have configured for your system. Or you can manually update these by clicking the "Updates Available" link.

Will ASL automatically update itself?

By default, ASL will also automatically keep itself up to date (the core components and the rules). To check this setting, log into the ASL GUI, click on the Configuration tab and then click on "ASL Configuration". Scroll down to UPDATE_TYPE and check to make sure it is set to "all".

You are recommended to check the forums to see if an update to ASL has been released, and if there are any special upgrade instructions you will need to follow for that release.

How can I set the update interval?

Log into the ASL GUI, click on the Configuration tab and then click on "ASL Configuration". Scroll down to AUTOMATIC_UPDATES. You can set updates to "none", "hourly" and "daily". The default is "daily".

How can I set ASL to only update the rules and not ASL itself?

If you only want ASL to keep its rules and signatures up to date, but not to automatically upgrade ASL, log into the ASL GUI, click on the Configuration tab and then click on "ASL Configuration". Scroll down to UPDATE_TYPE. Then set UPDATE_TYPE to "rules only".

Process to upgrade ASL

Please see the Upgrading_ASL article.

Firewalls and Upgrades/Updates

To allow ASL to download updates, please ensure that any firewall you use allows outbound connections to the following hosts on TCP port 443:

  • www.atomicorp.com
  • www2.atomicorp.com
  • www3.atomicorp.com
  • www4.atomicorp.com
  • www5.atomicorp.com
  • www6.atomicorp.com
  • www7.atomicorp.com
  • www8.atomicorp.com
  • updates.atomicorp.com

Important Note: Atomicorp's server pool grows to accommodate increasing demand. As a result, the IP addresses often change, and because these IP addresses can change we do not publish a list of IPs. Doing so can cause problems for any sites that may have hard coded them. Be sure to monitor this FAQ as it contains the currently valid list of hosts.

You will also need to make sure that you allow DNS queries outbound, as ASL will lookup the list of current update servers to download updates from.

Please see the ASL firewall documentation page for information about configuring the ASL firewall. By default, ASL will not block anything outbound, so if your server is having problems connecting out this is either because you are blocking the port through the ASL firewall, you have another firewall that is doing this (either on the server, or upstream) or you are experiencing network connectivity issues.

Unable to connect to update servers

This can happen for a number of reasons due to configuration and network issues on your server, on your local network or upstream. This list includes the most common reasons, but is not a complete list. Please contact your network provider with connectivity issues, and your OS provider for OS configuration assistance.

1) DNS not correctly configured on your system

If you do not have DNS correctly configured on your system, updates will fail. One simple way to test this is to run this command:

nslookup www.atomicorp.com

If you do not get a response, then you do not have DNS correctly configured on your system. Please contact your OS vendor for assistance with configuring DNS on your system.

2) No network connectivity

Check to make sure your system has network connectivity. We know this sounds fairly obvious, but we've had cases where the issue was that the system's network was either not started, or was misconfigured so it wasn't properly connected to a network.

3) Routing misconfigured

Check to make sure you can connect to our servers. Run this command as root on the server:

openssl s_client -host www.atomicorp.com -port 443

If you can connect to our servers you will see output similar to this:

CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Virginia, businessCategory = Private Organization, serialNumber = 0697126-1, C = US, ST = Virginia, L = Chantilly, O = ATOMI CORP., CN = www.atomicorp.com
verify return:1

If you do not see this, then you are not connecting to our servers and either you have a routing problem, or a firewall problem (see #4 below).

4) Firewall blocking connections

Check to make sure it's not your firewall that's blocking the connection. The simplest way to do this is to temporarily disable your firewall:

1) If you are using the ASL firewall, run this command:

/etc/init.d/asl-firewall stop

2) If you are using some third party firewall the command below may disable it, but check with your firewall vendor for assistance with disabling your firewall:

/etc/init.d/iptables stop

Note: To re-enable either of these change the command "stop" to "start".

5) Upstream router or firewall blocking connections

If it's none of these, then someone may be blocking your connections upstream. Please contact your network provider for assistance.
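The checks in items 1 to 5 above, combined into one script as an added example (not Atomicorp's own tooling): for each update host listed in this FAQ it reports whether name resolution, the TCP connection on port 443, or the TLS session is the stage that fails. It assumes getent, timeout and openssl are installed; the function names and status words are illustrative.

```bash
#!/bin/sh
# Added example: report which stage fails for each ASL update host.

# Host list copied from the "Firewalls and Upgrades/Updates" section.
UPDATE_HOSTS="www.atomicorp.com www2.atomicorp.com www3.atomicorp.com
www4.atomicorp.com www5.atomicorp.com www6.atomicorp.com
www7.atomicorp.com www8.atomicorp.com updates.atomicorp.com"

# Item 1: resolve the name with the system resolver. Prints the first
# address, or fails when the name does not resolve.
resolve_host() (
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || exit 1
    printf '%s\n' "$addr"
)

# Items 2-5: open a TLS connection to TCP port 443 and print what
# openssl s_client reports. stdin is /dev/null so s_client exits
# once the handshake is over.
probe_tls() {
    timeout 15 openssl s_client -connect "$1:443" -servername "$1" \
        </dev/null 2>&1
}

# Reduce s_client output to one status word. A failed handshake can
# still print "Verify return code: 0 (ok)", so it is tested first.
classify_probe() {
    case "$1" in
        *"no peer certificate available"*) echo tls_handshake_fail ;;
        *"Verify return code: 0 (ok)"*)    echo ok ;;
        *"CONNECTED("*)                    echo tls_unverified ;;
        *)                                 echo connect_fail ;;
    esac
}

# Prints "<host> <status> <address or ->"; returns 0 only for "ok".
check_update_host() (
    host=$1
    if ! addr=$(resolve_host "$host"); then
        echo "$host dns_fail -"
        exit 1
    fi
    output=$(probe_tls "$host") || true
    status=$(classify_probe "$output")
    echo "$host $status $addr"
    [ "$status" = ok ]
)

# Map a status to the FAQ item to work through next.
next_step() {
    case "$1" in
        ok)           echo "no action needed" ;;
        dns_fail)     echo "item 1: fix DNS configuration" ;;
        connect_fail) echo "items 2-5: check network, routing and firewalls for outbound TCP 443" ;;
        *)            echo "port 443 reachable but TLS not verified: check the CA bundle and any proxy in the path" ;;
    esac
}

# Check every host given as an argument; returns 0 only if all are ok.
diagnose_updates() (
    failed=0
    for host in "$@"; do
        line=$(check_update_host "$host") || failed=$((failed + 1))
        status=$(printf '%s\n' "$line" | awk '{ print $2 }')
        printf '%s (%s)\n' "$line" "$(next_step "$status")"
    done
    [ "$failed" -eq 0 ]
)

# Contacts the real hosts only when asked to: sh check-updates.sh --run
if [ "${1:-}" = "--run" ]; then
    diagnose_updates $UPDATE_HOSTS
fi
```

Because each host is tested separately, a result that differs between hosts points at a per-host filter rather than a general outage, and the firewall stays up while you test.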

Password Reset Questions

License Manager

Where is the license manager?

It's on the main website, under the Support tab. You can also find it at the URL below:

https://www.atomicorp.com/amember/login/index

How can I reset my license manager password?

To reset your license manager password, please follow this process:

Step 1) Please visit this page to reset the license manager password:

License Manager

Step 2) Now change your license manager password in ASL:

https://www.atomicorp.com/wiki/index.php?title=ASL_Configuration#PASSWORD

Remember to update your license manager password in ASL. If you do not do this, ASL will no longer be able to download updates!

How can I reset my support portal account password?

To reset your password to log into the license manager, please visit this page:

Support Portal Reset

How can I update my license manager password in ASL?

Your license manager username and password are used to log into the Atomicorp servers to download updates. These are not to be confused with your ASL GUI username and password, which are used to log into your ASL GUI.

If you change your license manager password, you will need to change those credentials in ASL as well, otherwise ASL won't be able to download updates!

Your license manager username and password credentials are only used by ASL itself to log into the Atomicorp servers to securely download updates for your system.

If you need to change your GUI password, do not follow this procedure. If you need to change your ASL GUI credentials please see the "How can I reset my ASL GUI password(s)?" section.

This process is only to change the internal credentials used by ASL to log into the Atomicorp servers.

Step 1) Log into the ASL GUI

Step 2) Click on Configuration

Step 3) Click on ASL Configuration

Step 4) In the "Authentication Information" section, check to make sure the USERNAME and PASSWORD variables are set to your license manager credentials. Those are the credentials you use to log into the license manager:

https://atomicorp.com/amember

If you do not know what those credentials are, you can reset them at the URL above.

Step 5) Then click the "Update" button to update your configuration.

ASL GUI

How can I reset my ASL GUI password(s)?

Just run this command as root:

/var/asl/bin/asl-web-passwd <your user name>

For example, if your username was "jdoe", run this command as root:

/var/asl/bin/asl-web-passwd jdoe

Note: Your ASL GUI username and password are only used to log into your ASL installation. These are not to be confused with your License Manager credentials, which are used by ASL itself to log into the Atomicorp servers to securely download updates for your system. This procedure does not change your License Manager credentials.

How can I create new accounts in the ASL GUI?

Just run this command as root:

/var/asl/bin/asl-web-useradd <new user name>

For example, if you wanted to create the username "jdoe", run this command as root:

/var/asl/bin/asl-web-useradd jdoe

Note: Your ASL GUI username and password are only used to log into your ASL installation. These are not to be confused with your License Manager credentials, which are used by ASL itself to log into the Atomicorp servers to securely download updates for your system. This procedure does not change your License Manager credentials.

What is the default username and password for ASL Web?

The default username and password are your license manager credentials, that you created when you signed up for a license. We recommend you change this password to something unique that you will remember.

You can also generate usernames and passwords by running this command as root:

 /var/asl/bin/asl-web-setup

And you can also create and configure user accounts from inside the ASL GUI.

How can I change the port tortixd listens on?

Manually change the port number on this line:

Listen 30000

In this file:

/var/asl/etc/httpd/conf.d/ssl.conf

Note: This is an advanced feature, and is not supported.

Using ASL

Please see the Using ASL page.

Troubleshooting

See the ASL_Troubleshooting article.

Error Messages

Please see the ASL error messages page.

Other Questions

Does ASL modify /etc/hosts.deny?

Yes, as part of active response (when enabled) ASL will automatically add attackers' IPs to /etc/hosts.deny. ASL will only add deny entries. It will not and cannot add allow entries. If ASL is configured to expire shuns it will also automatically remove these IPs once the shun period has passed.

Does ASL modify /etc/hosts.allow?

No.

I want to have greylisting.

Those are all freely available from the atomic repository. They are not part of ASL and not supported through an ASL license. If you need support for these packages contact sales@atomicorp.com and we can put together a custom support package for you.

Install ClamAV and SpamAssassin:

yum install clamd spamassassin

Edit required_hits in /etc/mail/spamassassin/local.cf if you want to change the default tagging threshold (default is 5).

Install qmail-scanner (integrates virus and spam filters with Plesk's qmail):

yum install qmail-scanner

Edit SA_DELETE in /etc/qmail-scanner.ini if you want to delete mail (at SpamAssassin's required_hits + qmail-scanner's SA_DELETE).

I also recommend adding Pyzor, Razor and DCC to SpamAssassin:

yum install pyzor razor-agents dcc

If you want to add greylisting:

yum install qgreylist

Start clamd and spamassassin:

service clamd start

service spamassassin start

Reconfigure qmail-scanner to make sure it uses all your custom settings:

qmail-scanner-reconfigure

Make sure clamd and spamassassin are started at boot time (maybe they are enabled by default, I'm not sure):

chkconfig --level 345 clamd on

chkconfig --level 345 spamassassin on

Atomic Scanner

How do you view/find/install the extra modules/areas for statistics reporting? I only seem to have Dashboard/Inventory/Block List/Configuration/Support views in the Plesk (8.6.0) options. e.g. Atomic Scanner.

Solution:

Atomic Scanner is a separate project which is not available in the stable repository yet and is not currently supported. You can install the atomic-scanner package from the testing repository.

vmware-tools will not compile

On older Linux distributions, such as EL5 and Centos 5, VMWare(TM) has compiled its product using an older compiler. ASL uses a newer and up to date Linux kernel, and these newer kernels must be compiled using modern compilers. For example, certain features in the kernel require a newer compiler to build and work correctly, such as the new KERNEXEC protections which can only be built using a modern compiler. Older compilers do not support the plugin structure that this and other newer features in the kernel require.

When VMWare's module compiler script tries to compile the VMWare modules against one of these modern kernels it may fail if VMWare has used an older compiler for their product. Their script expects the system to have the same version of compiler installed as was used to compile the kernel. Older versions of RHEL and Centos, versions 4 and 5, do not include these newer compilers. So the system will have a modern kernel installed, but not the corresponding compiler used to build it.

Solutions (in order of ease and least impact to system):

Option 1) Use VMWare's official open-vm-tools

VMWare also makes available a package called "open-vm-tools" that will build and work correctly with a newer kernel, using an older and different compiler. You can download the source code from this site:

http://open-vm-tools.sourceforge.net/

If you have issues with these tools, please contact VMWare for support.

These tools are not developed or supported by Atomicorp.

Option 2) Upgrade your compiler

If you wish to use vmware-tools instead, and not VMWare's open-vm-tools, then you must upgrade your system to the same version of the compiler used to compile the kernel. Unfortunately, neither Redhat nor Centos provide modern compilers for RHEL 5 and Centos 5. Upgrading your compiler on these older platforms may require heavy modification to your system, as other components will need to be upgraded as well (tool chains for example) and this can have adverse effects on the system. Upgrading your compiler is beyond the scope of support Atomicorp can provide for VMWare's product. Contact VMWare for assistance or use VMWare's open-vm-tools (option 1), which provides the same functionality.

You can read more about VMWare's open machine tools at the URL below:

http://open-vm-tools.sourceforge.net/

If you have issues with these tools, please contact VMWare for support.

These tools are not developed or supported by Atomicorp.

Option 3) Use our RPM of open-vm-tools

We provide, as a courtesy, the open source open-vm-tools (VMWares official open source vmware tools package) in the ASL repository as an RPM for currently supported platforms. This package is not supported by Atomicorp.

You can install that with:

yum install --enablerepo=tortix-kernel open-vm-tools

If you have issues with these tools, please contact VMWare for support.

These tools are not developed or supported by Atomicorp.

/usr/bin/vmware-config-tools.pl

Please see the article above if VMWare's tools will not compile on an older system.

If VMWare tools will compile, but you get an error from VMWare's tools that it cannot find kernel headers, you simply need to install them. Run this command as root to install the kernel source and headers:

yum -y install kernel-headers kernel-devel

If you have previously installed both, and VMWare is complaining that it cannot find the source for the kernel, you simply need to upgrade the kernel-devel package. Run this command as root to do this:

yum -y upgrade kernel-headers kernel-devel

If your system does not install anything with either of these commands, check to make sure a third party has not excluded kernel updates from being installed on your system. You can read more about this in the kernel wiki article.

What is included in the open-vm-tools?

Please see the project's official FAQ:

http://open-vm-tools.sourceforge.net/faq.php

Why does Linux report that all memory is in use?

Note: This FAQ article is not about ASL, it is about all Linux based systems. This characteristic of Linux based systems is universal to all Linux systems, not just systems running ASL.

Memory is almost infinitely faster than reading from a hard disk, so modern high performance operating systems, such as Linux, will cache things into memory if they are read from disk. Over time, you should see a Linux system (via some tools) report an almost 100% "memory utilization" regardless of how much memory is actually needed by a process or how much memory is installed in the system. This can be a little strange to users that are new to Linux and come from operating systems that do not cache (such as Windows), however this is normal and is good for the system as it actually makes it much faster. This does not mean your processes are using up all the memory the system has, this is simply modern caching which all modern Linux kernels will do.

Why Linux does this

Hard drives are slow. Even the fastest hard drive is never even close to the speed of RAM. If hard drives were fast, we wouldn't need RAM. So we load programs into memory. As memory has gotten cheaper, and performance demands have increased, operating system vendors have increased the use of RAM over reading from hard drives to improve performance. One way they do this is by caching "reads" from the hard drive (they cache other things too). In the case of cached reads, the operating system will store, temporarily, information it has been asked to read from the hard drive into memory. This makes it much faster the next time the operating system wants to "read" that information: it doesn't have to go back to the hard drive to get it, it can get it from memory. This results in a huge performance increase.

Caching is different from process utilization. Actual memory in use by processes, or process utilization, which will be discussed more below, is different from caching. Modern operating systems will use memory for processes (actual use), and also to "cache" things that they have accessed from disk. Most users are familiar with process utilization, which is what may cause them to think that Linux is "using up all their memory", when in reality the amount of memory in use by the processes may be considerably less than the memory in use.

It is the latter use of memory, caching, that typically "uses" up the memory on the system and creates this illusion that all memory is in use. This memory is actually not "in use", or prevented from being used by other processes on the system. It's really "free memory", for the moment a process needs this memory the cached information is dropped and made available to the application. So in reality, the system is "using" considerably less memory than it may appear to be using because it's making use of memory, temporarily, that's not actually in use. It's really a very clever enhancement, and something all operating system vendors are implementing. As memory has continued to get cheaper, some products don't even have hard drives anymore, and just use RAM. Smart phones for example, and even some modern tablets, just use memory.

So, to determine how much memory is actually being used by your processes (as opposed to all memory being used by processes and the cache), you will need to use a tool that can tell you how much memory is cached, and how much is actually being used by your programs. One such tool is "free". The application "top", which is popular for looking at memory usage, is not a good tool for this as it will incorrectly report that more memory is in use than is actually being used by processes.

Here is an example for how to use the "free" tool:

free -m

             total       used       free     shared    buffers     cached
Mem:         12002      10199       1803          0        573       8185
-/+ buffers/cache:       1440      10562
Swap:        14015          0      14015

In this example the total amount of memory in use is 10GB, however 8GB of that is cached. So the system isn't using 10GB of memory. Of the 12GB of memory on the system, just slightly under 10GB is actually free (1.8GB isn't used at all, and 8GB is cached).

This is very typical of a Linux based system, in that it's really using much less memory than some tools report, because of this use of cached reads.

Remember that cached memory is always available to any program that needs it. So the memory is not "used", it's just being temporarily taken advantage of, because nothing else is using it, to make the system faster. Linux will just make use of the memory available on the system to cache information until any program requests it, at which time that cached data is dropped and the memory is made available to the application.

How can I find out what process is using swap?

Swapping in Linux is handled by the kernel. All Linux kernels will pull things out of memory and write them to the disk swap based on need, depending on how much memory you have, the swappiness setting on the system, and so on. Therefore, it's not possible to find out which process is using swap: processes don't use swap, the kernel writes memory pages to swap as needed, and processes don't control this (although a process could request memory that is not "swapped" out to disk). Linux will also use swap and memory to cache file reads; over time all Linux kernels will use 100% of memory to cache as much as possible. Memory is infinitely faster than disk, so this is how modern high performance operating systems work. You should see near 100% memory utilization on all modern Linux kernels over time, regardless of how much memory is actually needed by a process. This does not mean your processes are using up all the memory the system has, this is simply modern caching which all modern Linux kernels will do.

If you have additional questions about Linux swap you may want to ask your Operating System vendor.

How are malware domains aged out?

The actual algorithm is sensitive information and we can't go into the specifics as that would give the bad guys an advantage to game the system. The short answer is that infected domains are aged out depending on the extent to which the domain is still serving malware (more on this in a moment; it is actually pretty difficult to prove that a domain is not serving malware), whether it's been seen in other malware, past experience with the domain, IP range, or network, and the sophistication of the malware. Some sites are long term sources of malware, and act as "clearing houses" for attackers, others may simply be victims of a compromise that clean up their systems the same day, and others may be negligent operators that don't care. For this reason the process varies depending on a number of characteristics.

It's important to remember that all Internet based malware scans are incomplete. Regardless of the technology used, the system itself is not being scanned, merely publicly discoverable resources. Attackers can hide malware in orphaned URLs, they may use authentication to hide the malware from all crawlers, the malware may behave differently if connected to via a crawler or browser, it may require a special cookie to reveal itself, they may encrypt or obfuscate it and they may simply take the malware or domain down for a few days or weeks in hopes of being delisted by simple scanners.

For this reason we do not use a naive algorithm that simply removes malicious domains based on simplistic criteria. Our first priority is to help our customers protect their systems; if a domain has been serving malware it's a good idea to treat it with kid gloves. If you know the domain is safe, you can always whitelist that domain.

The best way to delist a domain that's on our malware lists is to politely contact us. If you need our help, just ask. If we can get in contact with the domain owner we can determine more clearly if the domain is no longer infected, otherwise domains are aged out based on the criteria described above.

How are malware domains added?

They are collected from our honeypots.

Do you use third party malware domain lists?

No, but we do share our information with other projects.

You can use the Google Safe Browsing lists with ClamAV, which is an excellent third party malware list. ASL enables this by default in ClamAV. False positives on the Google lists should be reported to Google.

How are spam domains added?

They are collected from our honeypots.

How are spam domains aged out?

The actual algorithm is sensitive information, and we can't go into the specifics as that would give the bad guys an advantage to game the system. The short answer is that spam domains are aged out depending on the extent to which the domain is still serving spam and the nature of the spam that's served, past experience with the domain, IP range, or network, and the sophistication of the spamming attack captured on the honeypots. Some sites, networks and IPs are long term sources and hosts of spam, others may simply be victims of a compromise or some form of multi-system spamming attack that clean up their systems the same day, and others may be negligent operators that don't care. For this reason the process varies depending on a number of characteristics.

For this reason we do not use a naive algorithm that simply removes spam domains based on simplistic criteria. Our first priority is to help our customers protect their systems; if a domain has been used as part of a spamming attack and is actually serving up spam (we don't block so-called "joe job" spams), it's a good idea to treat the domain as a spam source.

The best way to delist a domain is to contact us. If we can get in contact with the domain we can determine more clearly if the domain is no longer part of a spamming operation, otherwise domains are aged out based on the criteria described above.

Do you use third party spam domain lists?

No, but we do use other sources. We also share our information with other projects.

Both atomic and asl yum channels are enabled, is this normal?

That depends. ASL does not need the atomic channel and will neither install nor enable it. If you have the atomic channel enabled on your system, then someone enabled this yum channel. You do not need it for ASL. In general it's perfectly safe to run both channels (we do).

The atomic yum channel is our open source yum repository. None of the software in the atomic yum repository is supported; it is provided as is, with no warranty. If you have issues with software in the open source atomic channel, please post your questions in the General Help forums:

https://www.atomicorp.com/forums/viewforum.php?f=1&sid=56518c30b96faf5235e2f4ef5e902d11

Software in asl channels is fully supported. If you require assistance with ASL software please send a support request to support@atomicorp.com.

What are the IPs ASL will use to update itself?

You will want to allow access to www0 through www6.atomicorp.com. The IPs for these hosts may change in the future.


I can't upload files via web

Check and make sure you haven't run out of drive space. This may seem like an obvious and simple problem that one wouldn't easily overlook, but we've had a number of cases where users set up /tmp partitions and filled them up. If you fill up your /tmp partition, Apache won't let you upload anything! That's not an ASL issue, that's Apache, and it's right: there's no place to put the file.

ASL will log this event, but since ASL isn't designed to report when you run out of drive space, it will detect this as a pretty major error and a broken connection with your HTTP session, which will look like this:

[Fri Oct 01 17:33:21 2010] [error] [client xxx.xxx.xxx.xxx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "38"] [id "340152"] [msg "Request Body Parsing Failed. Multipart parsing error: Multipart: writing to "/tmp/20101001-173321-8ZuEbMzo8r8AABWjEW8AAAAe-file-NvPOwz" failed: check your application or client for errors, this is not a false positive."] [severity "NOTICE"] Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_PROCESSOR_ERROR" required. [hostname "www.example.com"] [uri "/horde/imp/compose.php"] [unique_id "8ZuEbMzo8r8AABWjEW8AAAAe"]

This means that you ran out of drive space in /tmp.

Solution:

Free up some drive space.
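To confirm this diagnosis from the log rather than by eye, the following added example (not ASL's own code) pulls the failed temp-file path out of error-log lines shaped like the one above and checks the filesystem that holds it. The function names, the 1 MiB threshold and the extra inode check are assumptions of this sketch.

```python
import os
import re

# Pulls the temp-file path out of the multipart write failure message.
WRITE_FAIL = re.compile(r'Multipart: writing to "(?P<path>[^"]+)" failed')
# Bracketed ModSecurity fields worth keeping for triage.
FIELD = re.compile(r'\[(id|uri|hostname|unique_id) "([^"]*)"\]')

def parse_upload_failures(lines):
    """Return one dict per log line that reports a failed temp-file write."""
    events = []
    for line in lines:
        m = WRITE_FAIL.search(line)
        if not m:
            continue
        event = dict(FIELD.findall(line))
        event["path"] = m.group("path")
        event["dir"] = os.path.dirname(event["path"])
        events.append(event)
    return events

def diagnose(events, statvfs=os.statvfs, min_free=1 << 20):
    """Map each upload directory to 'no-space', 'no-inodes' or 'ok'."""
    verdicts = {}
    for d in sorted({e["dir"] for e in events}):
        st = statvfs(d)
        if st.f_bavail * st.f_frsize < min_free:
            verdicts[d] = "no-space"    # fewer than min_free bytes left
        elif st.f_files and st.f_favail == 0:
            verdicts[d] = "no-inodes"   # blocks left, but no free inodes
        else:
            verdicts[d] = "ok"          # look elsewhere (permissions, quota)
    return verdicts

# Constructed input: the log line quoted in this FAQ plus one unrelated line.
SAMPLE = [
    '[Fri Oct 01 17:33:21 2010] [error] [client xxx.xxx.xxx.xxx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] '
    '[line "38"] [id "340152"] [msg "Request Body Parsing Failed. Multipart parsing error: Multipart: writing to '
    '"/tmp/20101001-173321-8ZuEbMzo8r8AABWjEW8AAAAe-file-NvPOwz" failed: check your application or client for errors, '
    'this is not a false positive."] [severity "NOTICE"] Access denied with code 400 (phase 2). '
    'Match of "eq 0" against "REQBODY_PROCESSOR_ERROR" required. [hostname "www.example.com"] '
    '[uri "/horde/imp/compose.php"] [unique_id "8ZuEbMzo8r8AABWjEW8AAAAe"]',
    '[Fri Oct 01 17:34:02 2010] [notice] caught SIGTERM, shutting down',
]

if __name__ == "__main__":
    print(diagnose(parse_upload_failures(SAMPLE)))  # checks the real /tmp
```

A verdict of "ok" for the directory means the write failed for some other reason, so the log line alone should not be taken as proof of a full disk.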

Do you have pre-defined access policies, or do we have to configure these policies?

Answer:

Yes, currently we use Trusted Path Execution (TPE) and the untrusted users group by default. Members of the untrusted users group can only execute commands owned by root. In addition, non-root users can only see processes owned by them. Grsec has an additional RBAC and Process ACL system available.

Does ASL include SELinux?

Yes. SELinux is available in the ASL kernel.

ASL also includes a powerful self-learning Role Based Access Control (RBAC) system designed by the grsecurity project that is superior to SELinux. This RBAC was designed to account for weaknesses in SELinux, and our company provides funding to the grsecurity project, so we recommend you use the RBAC system in ASL if you need the same capabilities as SELinux.

However, if you wish to use just SELinux, ASL will work with SELinux just fine.

If predefined, can you give us a sample policy that mitigates critical server file access when mod_perl is called via a client? In other words, how hard is your tuning (intrusion log, etc.)?

A: TPE would automatically prevent an untrusted user, such as apache, from executing commands owned by apache. It would log to syslog; an example entry follows:

Nov 11 14:53:10 server4 kernel: grsec: From 10.249.64.1: denied untrusted exec of /tmp/w00t by apache [uid/eid: 48/48] /home/httpd/vhosts/testhost.atomicorp.com/httpdocs/modules/phpBB/index.php
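Denials like this are worth alerting on, since each one is an execution attempt that TPE stopped. The following added example (not part of ASL) parses entries in the layout of the sample above and groups them by source address. The field names, the list of world-writable directories and every sample line after the first are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Layout follows the sample entry in this FAQ; other grsecurity versions may differ.
TPE_DENY = re.compile(
    r'kernel: grsec: From (?P<src>\S+): denied untrusted exec of (?P<exe>\S+) '
    r'by (?P<user>\S+) \[uid/eid: ?(?P<uid>\d+)/(?P<euid>\d+)\]\s*(?P<trailer>.*)$')
# Directories any local account can write to (assumed list, adjust per host).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_tpe_denials(lines):
    """Return the named fields of every TPE denial found in the given lines."""
    return [m.groupdict() for m in map(TPE_DENY.search, lines) if m]

def summarize(denials, repeat_at=2):
    """Group denials by source address and mark the ones that need a closer look."""
    by_src = defaultdict(list)
    for d in denials:
        by_src[d["src"]].append(d)
    report = {}
    for src, events in by_src.items():
        report[src] = {
            "count": len(events),
            "users": sorted({e["user"] for e in events}),
            # A blocked binary in a world-writable directory suggests a dropped file.
            "writable_dir_exes": sorted({e["exe"] for e in events
                                         if e["exe"].startswith(WRITABLE_DIRS)}),
            "repeat": len(events) >= repeat_at,
        }
    return report

# Constructed input: line 1 is the entry from this FAQ, the rest are made up.
SAMPLE = [
    "Nov 11 14:53:10 server4 kernel: grsec: From 10.249.64.1: denied untrusted exec of /tmp/w00t by apache [uid/eid: 48/48] /home/httpd/vhosts/testhost.atomicorp.com/httpdocs/modules/phpBB/index.php",
    "Nov 11 14:53:12 server4 kernel: grsec: From 10.249.64.1: denied untrusted exec of /var/tmp/upload.bin by apache [uid/eid: 48/48] /home/httpd/vhosts/testhost.atomicorp.com/httpdocs/modules/phpBB/index.php",
    "Nov 11 15:02:44 server4 kernel: grsec: From 192.0.2.15: denied untrusted exec of /home/demo/bin/tool by demo [uid/eid: 1001/1001] /home/demo",
    "Nov 11 15:03:01 server4 sshd[2211]: Accepted publickey for root from 192.0.2.20",
]

if __name__ == "__main__":
    for src, info in sorted(summarize(parse_tpe_denials(SAMPLE)).items()):
        print(src, info)
```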

Apache files

I'm seeing files owned by apache in /tmp

If you see files with names like this:

tmp/dos-218.254.50.104

that are very small and contain only an integer (for example, the contents of the file tmp/dos-218.254.50.104 are "2671" or some other number), then you can ignore these files. These are locking files used by the web DOS protection system in ASL.

If you see files with names like this:

tmp/20120314-104701--CliB38AAAEAAEehOeMAAAAA-file-Y6rewB

These are temporary files generated by apache as a user uploads a file, via apache, to the system. Generally apache will clean up these files within a few seconds once the file is scanned by the WAF, but if you see them accumulating on your system you may have MODSEC_KEEPFILES set to "on". This means that the ASL WAF will keep any files it has been asked to scan, regardless of whether the files are allowed to be uploaded to the system or not.
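The two file types described above can be told apart automatically. This added example (not ASL's own tooling) scans a directory, confirms that each dos-<IP> file really is a tiny integer-only lock file, and lists upload temp files that have outlived the "few seconds" cleanup window. The name patterns are inferred from the file names quoted in this FAQ, and the 60 second threshold and category names are assumptions.

```python
import os
import re
import time

DOS_LOCK = re.compile(r'^dos-\d{1,3}(?:\.\d{1,3}){3}$')
# <date>-<time>-<unique_id>-file-<6 chars>, as in the names quoted in this FAQ.
UPLOAD_TMP = re.compile(r'^\d{8}-\d{6}-[A-Za-z0-9@_-]+-file-[A-Za-z0-9]{6}$')

def read_head(path, limit=33):
    """Read the first bytes of a file without following a symlink swapped in."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        return os.read(fd, limit)
    finally:
        os.close(fd)

def classify(name, path):
    """Return 'upload-temp', 'dos-lock', 'odd-dos-name' or 'other'."""
    if UPLOAD_TMP.match(name):
        return "upload-temp"
    if DOS_LOCK.match(name):
        try:
            head = read_head(path)
        except OSError:
            return "odd-dos-name"
        # A real lock file is tiny and holds nothing but an integer.
        ok = len(head) <= 32 and head.strip().isdigit()
        return "dos-lock" if ok else "odd-dos-name"
    return "other"

def audit_tmp(directory, stale_after=60, now=None):
    """List lock files, look-alikes, and upload temp files older than stale_after s."""
    now = time.time() if now is None else now
    report = {"dos-lock": [], "odd-dos-name": [], "stale-upload-temp": []}
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        kind = classify(entry.name, entry.path)
        age = now - entry.stat(follow_symlinks=False).st_mtime
        if kind == "upload-temp" and age > stale_after:
            report["stale-upload-temp"].append(entry.name)
        elif kind in report:
            report[kind].append(entry.name)
    return {k: sorted(v) for k, v in report.items()}

if __name__ == "__main__":
    print(audit_tmp("/tmp"))
```

Entries under "odd-dos-name" carry the lock-file name but not the expected integer content, so they should be inspected rather than ignored.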

Everything Else

Why do they call it Europe?

Because it's a beautiful name. And it's local, to some of us. (This is also why, if you look carefully in ASL, you'll see we consider 127.0.0.0/8 to be in the EU. It's an Easter Egg. And no, ASL won't block 127.0.0.1 if you block the EU; we always whitelist localhost.)

Yes, we have a sense of humor too, and we hope this FAQ has been helpful, but if you still require assistance after reading this FAQ please don't hesitate to contact support. We're here to help, and hopefully to put a smile on your face as well.

Copyright 2016, Atomicorp
