Difference between revisions of "Upgrading ASL"
m (→Manual Upgrade if you do not have have automatic upgrades configured) |
(→Upgrading) |
||
Line 40: | Line 40: | ||
'''Step 2)''' | '''Step 2)''' | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
/var/asl/bin/asl -s -f | /var/asl/bin/asl -s -f | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== Automatic Upgrade === | === Automatic Upgrade === |
Revision as of 13:21, 14 January 2013
Contents |
General Upgrade instructions
This section applies to all upgrades.
Run commands as the root user
When upgrading ASL, run all upgrade commands as the root user. Do not use sudo to run these commands.
Pre-requisites
Always check to make sure that your system meets the pre-requisites for ASL before upgrading. You can access the latest requirements for ASL on the ASL prerequisites page.
Updates
Ensure that your system has all of your OS vendors updates installed. ASL is tested against the latest versions of vendors OSes, and may require updated software from your vendor to work correctly and securely.
Release Notes
Each release includes Release Notes. We highly recommend you review the release notes before upgrading.
Test Environment
We recommend that you test all ASL upgrades on a test system before deploying an ASL update into a production environment. For this reason, all ASL licensees come with a free QA and development licensee so you can test out all ASL updates.
Version Specific Upgrade Instructions
ASL 3.2
Release Notes
Please see the Atomic_Secured_Linux#ASL_3.2_Release_Notes page.
Upgrading
ASL 3.2 uses the internal upgrade management system in ASL. You can upgrade ASL by following these steps:
Step 1)
/var/asl/bin/aum -uf
Step 2)
/var/asl/bin/asl -s -f
Automatic Upgrade
Check to make sure you have ASL set to upgrade itself:
Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".
If this is set to "all", ASL will automatically upgrade itself based on your upgrade configuration, which is by default to check for updates daily. You can change this to hourly if you wish the system to check more often, or you can force an upgrade by following the steps below.
Notes for 3.2 Upgrades
Cpanel
Do not enable modsecurity in cpanel, and do not use cpanel to upgrade or install modsecurity. CPanel does not use the latest version of modsecurity, and ASL is only tested and supported with the latest version supplied by ASL. ASL will automatically upgrade modsecurity if necessary.
Enabling modsecurity in cpanel will replace modsecurity with an older, and incompatible version and is not supported. This will likely also break your modsecurity configuration, as CPanel does not include all of the patches and enhancements in modsecurity that ASL comes with.
Version Check
In addition to the release notes referenced above, you can check to see if you are running 3.2 by running this command as root:
asl -v
You should see an output similar to this:
ASL Version 3.2.1-0.10.el5.art: CentOS 6 (SUPPORTED)
The "Centos 6" element will vary depending on your OS. If you see "UNSUPPORTED", you either not running the latest version of 3.2, or your OS may not be supported. The current list of OSes supported is documented on the Supported_Platforms_for_ASL wiki page.
If your OS is supported, and the upgrade is failing, this is more than likely caused by yums cache requiring a flush. Run this command as root to flush the cache:
yum clean all
And then try the upgrade again.
ASL 3.0
ASL 3.0 uses the internal upgrade management system in ASL. You can upgrade ASL by following these steps:
Automatic Upgrade
Check to make sure you have ASL set to upgrade itself:
Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".
If this is set to "all", ASL will automatically upgrade itself based on your upgrade configuration, which is by default to check for updates daily. You can change this to hourly if you wish the system to check more often, or you can force an upgrade by following the steps below.
Force an upgrade if you have automatic upgrades configured
Force update step 1
Run this command as root:
asl -uf
Force update step 2
Set the new security policy, by running this command as root:
asl -s -f
This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time, even if you have not upgraded any ASL components.
Please see the release notes, which include additional information when upgrading from 2.2 to 3.0:
Atomic_Secured_Linux#ASL_3.0_Release_Notes
Manual Upgrade if you do not have have automatic upgrades configured
If you do not want your system to automatically upgrade ASL, change the setting in the ASL configuration UPDATE_TYPE to your needs. The "all" setting tells ASL to upgrade itself.
To upgrade manually you will then need to run these commands (run them as root):
Step 1) yum upgrade asl asl-web mod_security kernel
Note: If you have a PAE kernel installed, you will need to replace "kernel" with "kernel-PAE".
Step 2) asl -uf
Step 3) asl -s -f
Step 4) Please see the release notes, which includes additional information when upgrading from 2.2 to 3.0:
Atomic_Secured_Linux#ASL_3.0_Release_Notes
Notes for 3.0 Upgrades
In addition to the release notes referenced above, you can check to see if you are running 3.0 by running this command as root:
asl -v
You should see an output similar to this:
ASL Version 3.0: CentOS 5 (SUPPORTED)
The "Centos 5" element will vary depending on your OS. If you see "UNSUPPORTED", you either not running the latest version of 3.0, or your OS may not be supported. The current list of OSes supported is documented on the Supported_Platforms_for_ASL wiki page.
If your OS is supported, and the upgrade is failing, this is more than likely caused by yums cache requiring a flush. Run this command as root to flush the cache:
yum clean all
And then try the upgrade again.
ASL 2.2
ASL 2.2 uses the RPM package management system. You can upgrade ASL by using the following command:
yum upgrade
When you have completed upgrading any component of ASL you must run this command to finish configuring your system:
asl -s -f
This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time even if you have not upgraded any ASL components.
Automatic Upgrade system
Since version 2.1, ASL has the ability to automatically update itself. This is configurable from the ASL GUI. The option in the GUI is: UPDATE_TYPE. There are three modes:
- all - This will configure ASL to automatically upgrade all of its components, including the rules. This is the most secure option.
- exclude-kernel - This will configure ASL to upgrade all of its components, including the rules, but will not upgrade the kernel. This is the second most secure option.
- rules-only - This option will configure ASL to only keep the rules up to date. This is the least secure option.
You can also configure the frequency at which ASL checks for updates by configuring the AUTOMATIC_UPDATES setting in the GUI. You can configure ASL to check for updates:
- daily
- hourly
- none
We recommend that users test all upgrades on a test system before deploying to a production system.