ASL prerequisites
Revision as of 16:32, 28 June 2013
Introduction
ASL is a security suite that analyzes the actions of your system in real time. For it to work correctly it needs a properly tuned system with reasonable resources. This document outlines the requirements for ASL to function, and recommendations for it to perform optimally.
Requirements
Client
ASL is accessed and managed through a dedicated web console in your web browser. See the following FAQ entry for the list of browsers the ASL console currently supports:
https://www.atomicorp.com/wiki/index.php/ASL_FAQ#What_browsers_does_the_ASL_GUI_work_with.3F
ASL also includes a limited number of command line features.
Server
Operating system
ASL is tested on up to date versions of the supported operating systems. This means that you will need to have all vendor patches installed for ASL to work correctly.
Supported Operating Systems
A list of supported operating systems is provided at this URL:
https://www.atomicorp.com/wiki/index.php/ASL_FAQ#What_Linux_distributions_do_you_support.3F
OS Updates and patches
ASL is tested on up-to-date versions of the supported operating systems. This means you need all vendor patches installed for ASL to install and work correctly.
ASL will not install on a system that is missing vendor updates, and the installer raises an alert if vendor updates are missing. Your system must be patched and up to date before you install ASL.
Third Party modifications to the OS
Third Party modifications to the operating system (OS) are not supported.
Hardware
Memory
ASL requires at least 1 GB of memory. 2 GB of memory is highly recommended to make use of all of ASL's features.
CPU
ASL does not require a 64-bit CPU, but the use of 64-bit CPUs is highly recommended.
File systems
POSIX ACL support
Your /var partition must use a filesystem that supports POSIX ACLs if you want to use the T-WAF in ASL. The T-WAF is optional: it is used only to protect remote web services you configure, and non-Apache web servers on the local system (NGINX, LiteSpeed, etc.). Apache is protected by a dedicated module and does not require the T-WAF.
File System | ASL kernel ACL support |
---|---|
ext2 | yes |
ext3 | yes |
ext4 | yes |
btrfs | yes |
jffs2 | yes |
tmpfs | yes |
nfs exported | yes |
See the FAQ linked to below for additional information on POSIX ACLs in Linux:
ASL disk space requirements
Minimum free disk space requirements per partition:
Directory | Minimum Free Space Required |
---|---|
/var | 5GB+ (see note below) |
/usr | 500 MB |
/tmp | 10 MB (see note below) |
/etc | 100 MB |
/boot | 70 MB (see note below) |
ASL logs and records security events on the system. The space this needs varies with the number of events that occur on your system. ASL records all of its events under the /var partition, so you must have adequate free space there. We recommend at least 5GB of space in this partition, but this is a minimum: allocate more if you intend to keep logs for extended periods. You may need to increase it depending on the number of events that occur on your system and the archive period you have set in your ASL Configuration.
ASL components are installed in the /boot, /usr, /etc and /var partitions. A minimum of 100MB of free space is required to install ASL, and additional space is required in /var as described above.
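The following preflight script, added here as an example (it is not Atomicorp's installer), checks a host against the memory, disk space and POSIX ACL requirements on this page before you attempt the install. The per-directory minimums are copied from the table above; the `nobody` user used in the ACL probe and the file names are assumptions for illustration. /boot is skipped when it does not exist, which is the OpenVZ/Virtuozzo VPS case described under "Additional" below.

```shell
#!/bin/sh
# Preflight for the ASL hardware and disk-space minimums.
# Added example, not Atomicorp's code; numbers copied from this page's tables.

# free_mb PATH -> free megabytes on the filesystem that holds PATH
free_mb() {
    df -Pm "$1" | awk 'NR == 2 { print $4 }'
}

# mem_mb -> total RAM in megabytes, from /proc/meminfo (which reports kB)
mem_mb() {
    awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo
}

# meets MIN VALUE -> exit 0 when VALUE >= MIN (both integers)
meets() {
    [ "$2" -ge "$1" ]
}

# acl_ok DIR -> exit 0 if the filesystem under DIR accepts a POSIX ACL.
# Needs the acl tools (setfacl); returns 2 rather than failing if they are absent.
acl_ok() {
    command -v setfacl >/dev/null 2>&1 || { echo "acl: setfacl not installed, cannot test $1"; return 2; }
    probe=$(mktemp "$1/aclprobe.XXXXXX") || return 1   # assumed probe file name
    setfacl -m u:nobody:r "$probe" 2>/dev/null           # 'nobody' is an assumed local user
    rc=$?
    rm -f "$probe"
    return $rc
}

# check_partitions -> one line per directory from the table; returns 1 if any is short.
check_partitions() {
    rc=0
    for entry in /var:5120 /usr:500 /tmp:10 /etc:100 /boot:70; do
        dir=${entry%%:*}; need=${entry##*:}
        if [ ! -d "$dir" ]; then echo "SKIP $dir not present (no kernel on a VPS)"; continue; fi
        free=$(free_mb "$dir")
        if meets "$need" "$free"; then
            echo "OK   $dir ${free}MB free (need ${need}MB)"
        else
            echo "FAIL $dir ${free}MB free (need ${need}MB)"; rc=1
        fi
    done
    return $rc
}

# check_all -> run every check; exit 1 if a hard requirement is unmet
check_all() {
    rc=0
    mem=$(mem_mb)
    if meets 1024 "$mem"; then
        if meets 2048 "$mem"; then echo "OK   memory ${mem}MB"; else echo "WARN memory ${mem}MB (2GB recommended)"; fi
    else
        echo "FAIL memory ${mem}MB (1GB minimum)"; rc=1
    fi
    check_partitions || rc=1
    if acl_ok /var; then
        echo "OK   /var supports POSIX ACLs (needed for the T-WAF)"
    else
        echo "WARN /var ACL probe failed or unavailable (the T-WAF needs ACLs)"
    fi
    return $rc
}
```

Run `check_all` as root so the ACL probe can write under /var; a FAIL line means the install will not meet the minimums, a WARN line only affects the recommended configuration or the optional T-WAF.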
Third Party yum repositories
You must disable any third party yum repositories you have enabled on your system. ASL is tested and supported on standard installations of the supported OSes, without any third party repositories enabled.
Database
Supported databases
ASL is supported with the MySQL packages shipped by Red Hat and CentOS.
Supported versions
ASL is supported with the official version of MySQL provided by Red Hat, CentOS and Atomicorp for that platform and distribution.
ASL is not tested or supported with other MySQL builds or versions provided by other vendors.
MySQL Configuration
When using MySQL, query caching must be enabled. The following setting must be present for ASL to perform correctly; without it ASL, and the system as a whole, will suffer a significant performance impact.
query_cache_size=32m
This information is provided as a courtesy. To add this setting to MySQL, look for this section:
[mysqld]
in your /etc/my.cnf file.
In this section add the query_cache configuration setting. For example:
query_cache_size=32m
And then restart mysqld.
If you are not comfortable configuring MySQL, contact a qualified MySQL administrator for assistance. In all cases, make a backup of any configuration file before you change it.
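The procedure above (back up my.cnf, add the setting under [mysqld], restart mysqld) as an added shell example; this is not Atomicorp's tooling. It assumes the standard INI layout with a literal "[mysqld]" header, as /etc/my.cnf has on the supported distributions, and it refuses to insert a second line if the setting is already there. One caveat: the query cache was removed in MySQL 8.0, so this setting only applies to the 5.x builds these distributions shipped when this page was written.

```shell
#!/bin/sh
# Add query_cache_size to the [mysqld] section of a my.cnf, taking a backup first.
# Added example, not part of ASL. Assumes a standard INI-style my.cnf.

# has_query_cache FILE -> exit 0 if FILE already sets query_cache_size under [mysqld]
has_query_cache() {
    awk '
        /^\[/ { in_mysqld = ($0 == "[mysqld]") }          # track which section we are in
        in_mysqld && /^[[:space:]]*query_cache_size[[:space:]]*=/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# set_query_cache FILE [SIZE] -> insert "query_cache_size=SIZE" right after [mysqld]
# SIZE defaults to 32m, the minimum this page requires.
set_query_cache() {
    file=$1
    size=${2:-32m}
    if has_query_cache "$file"; then
        echo "query_cache_size is already set in $file; leaving it alone"
        return 0
    fi
    if ! grep -q '^\[mysqld\]' "$file"; then
        echo "no [mysqld] section in $file; add one before re-running" >&2
        return 1
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1   # backup first
    awk -v setting="query_cache_size=$size" '
        { print }
        /^\[mysqld\]/ && !done { print setting; done = 1 }   # only after the first [mysqld]
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    echo "added query_cache_size=$size to [mysqld] in $file; restart mysqld to apply it"
}
```

Typical use is `set_query_cache /etc/my.cnf 32m` as root followed by `service mysqld restart`; the backup is left beside the original as my.cnf.bak.TIMESTAMP.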
MySQL tuning
ASL is tested with a standard MySQL configuration plus query caching enabled, as described above. If you have made additional changes to the MySQL configuration, they may be sub-optimal for ASL. If you have made such changes and experience performance issues, consult a qualified MySQL expert.
Additional
VPS
VPS systems, that is virtual private servers using Virtuozzo or OpenVZ, do not have their own kernel (a VPS shares the host's kernel). Therefore there is no free space requirement on a VPS for /boot, as no kernel will be installed.
cPanel
If you have cPanel installed, you must have the Apache mod_unique_id module enabled for mod_security to work correctly. Contact cPanel support if you are not sure how to enable this in cPanel.
Support software
wget
To install and use ASL you must have a working copy of wget installed on your system, with working HTTPS support. All of the supported OSes above ship wget with HTTPS support. However, some third party products and hosting companies have been known to replace wget with crippled builds that do not support HTTPS. ASL will not install or work correctly if your system has been crippled in this manner.
To test if your wget supports HTTPS you can run this command:
wget https://www.atomicorp.com/test-file.html
If your wget supports HTTPS it will download the file test-file.html, and if you examine the contents of the file you will see this sentence:
If you can read this, your test worked.
If you do not see this sentence, your wget likely does not support HTTPS. If you see an error like this:
HTTPS support not compiled in.
then your wget does not support HTTPS. This means someone has replaced the wget from your OS vendor with a crippled build. They may also have replaced other critical parts of your OS with damaged software, and your system will not be able to install and use ASL.
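The wget test above, wrapped into a reusable check, as an added example (not Atomicorp's installer). Besides the download test it also inspects `wget --version`, which on newer builds (wget 1.14 and later, for instance) lists build features such as "+https"; older builds such as the 1.12 on older CentOS releases print no feature list, so the version check reports "unknown" for them and the download test remains the authoritative answer. The temporary directory handling is an assumption for illustration.

```shell
#!/bin/sh
# Check that the installed wget can fetch over HTTPS.
# Added example, not part of ASL.

# version_has_https <"wget --version" output> -> exit 0 if "+https" is listed
version_has_https() {
    grep -q -- '+https'
}

# version_lists_features <"wget --version" output> -> exit 0 if a feature list is present at all
version_lists_features() {
    grep -q -- '^[+-][a-z]'
}

# wget_https_by_version -> prints yes / no / unknown based on "wget --version"
wget_https_by_version() {
    out=$(wget --version 2>/dev/null) || { echo "unknown"; return; }
    if printf '%s\n' "$out" | version_has_https; then echo "yes"
    elif printf '%s\n' "$out" | version_lists_features; then echo "no"
    else echo "unknown"; fi
}

# test_file_ok FILE -> exit 0 if FILE contains the sentence the test page returns
test_file_ok() {
    grep -q 'If you can read this, your test worked.' "$1"
}

# download_test -> the check described above: fetch the test file and inspect it
download_test() {
    dir=$(mktemp -d) || return 1
    if ! wget -q -O "$dir/test-file.html" https://www.atomicorp.com/test-file.html 2>"$dir/err"; then
        if grep -q 'HTTPS support not compiled in' "$dir/err"; then
            echo "wget has no HTTPS support; restore the vendor wget package" >&2
        else
            echo "download failed:" >&2; cat "$dir/err" >&2
        fi
        rm -rf "$dir"; return 1
    fi
    if test_file_ok "$dir/test-file.html"; then
        echo "wget HTTPS support OK"; rm -rf "$dir"; return 0
    fi
    echo "downloaded file did not contain the expected sentence" >&2
    rm -rf "$dir"; return 1
}
```

Run `wget_https_by_version` first for a quick offline answer, then `download_test` on a host with network access; a "no" from either means the vendor wget package must be reinstalled before ASL can be installed.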
Third Party Software
OSSEC
Do not install OSSEC from third party sources. ASL will replace and manage OSSEC on your system. ASL is not supported with third party sources for OSSEC.
If you have any third party software of this nature installed, and have issues using or installing ASL, you will need to uninstall this third party software or disable these features in those products.
rkhunter
Do not install rkhunter from third party sources. ASL will replace and manage rkhunter on your system. ASL is not supported with third party sources for rkhunter.
If you have any third party software of this nature installed, and have issues using or installing ASL, you will need to uninstall this third party software or disable these features in those products.
clamav
Do not install clamav from third party sources. ASL will replace and manage clamav on your system. ASL is not supported with third party sources for clamav.
If you have any third party software of this nature installed, and have issues using or installing ASL, you will need to uninstall this third party software or disable these features in those products.
modsecurity
Do not install modsecurity using any third party tools. If you have done this in the past, remove modsecurity from your system.
ASL is also not supported with third party software that manipulates modsecurity. If you have any third party software of this nature installed, and have issues using or installing ASL, you will need to uninstall this third party software or disable these features in those products.
firewalls
ASL is not supported with any third party software that manipulates or manages the Linux firewall, iptables or ipset. This includes third party firewall management tools such as CSF, APF, the Parallels firewall tools, and any other firewall management tool. ASL includes its own firewall and kernel enhancements to the Linux firewall system (netfilter) that these tools do not support.
If you have any third party software of this nature installed, you must uninstall it before you install ASL, or, if you cannot uninstall it, you must disable all firewall features in those products. You also cannot use third party firewall tools, for example fwbuilder, to change the firewall on the system. Only the ASL firewall manager is supported with ASL.
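A script to look for the conflicting third party software named in the OSSEC, rkhunter, clamav, modsecurity and firewall sections above, added here as an example and not part of ASL. The RPM package names are the usual vendor and EPEL names and are assumptions, as is the list of default CSF/APF file locations; the `ROOT` argument, which lets you point the checks at a mounted image or a test tree instead of the live system, is also an addition for illustration.

```shell
#!/bin/sh
# Find third party tools that conflict with ASL before installing it.
# Added example, not Atomicorp's code. Package names and paths are assumptions.

# pkg_vendor NAME -> prints the RPM Vendor tag of an installed package, or nothing
pkg_vendor() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VENDOR}\n' "$1" 2>/dev/null | grep -v 'is not installed'
}

# find_conflicts [ROOT] -> print one line per conflict found; exit 1 if any
find_conflicts() {
    root=${1:-}
    found=0

    # Packages ASL replaces and manages itself. Atomicorp's own builds are fine;
    # anything with another Vendor tag came from a third party source.
    for pkg in ossec-hids rkhunter clamav clamd mod_security; do
        vendor=$(pkg_vendor "$pkg") || continue
        [ -n "$vendor" ] || continue
        case "$vendor" in
            *Atomicorp*|*atomicorp*) ;;   # assumed Vendor string of Atomicorp builds
            *) echo "package $pkg installed from '$vendor' (remove it before installing ASL)"; found=1 ;;
        esac
    done

    # Firewall managers that fight with the ASL firewall over iptables/ipset.
    for p in /etc/csf/csf.conf /usr/sbin/csf /etc/apf/conf.apf /usr/local/sbin/apf; do
        if [ -e "$root$p" ]; then
            echo "firewall tool present: $p (uninstall it or disable its firewall features)"
            found=1
        fi
    done

    # A source install of OSSEC lives here by default and is not tracked by rpm.
    if [ -d "$root/var/ossec" ] && [ -z "$(pkg_vendor ossec-hids)" ]; then
        echo "unpackaged OSSEC tree at /var/ossec (likely a source install; remove it)"
        found=1
    fi

    return $found
}
```

Run `find_conflicts` on the host before starting the ASL install and clear every line it prints; `find_conflicts /mnt/image` runs the path checks against a mounted root instead.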
Apache
ASL currently supports Apache 2.0 and 2.2.
PHP
The only versions of PHP currently supported by ASL are: our version, your OS vendor's version, and cPanel's version built through EasyApache.
Perl
The only versions of Perl currently supported by ASL are: our version and your OS vendor's version.
Recommendations
Memory
4 GB of memory is recommended for sites with a high volume of events and/or many domains.
CPU
Multiple 64-bit CPUs are highly recommended for systems with a high volume of events and/or many domains.
Database
Query caching
When using MySQL, query caching must be enabled. Larger query caches give better performance, but the size must be tuned to the capabilities of the system. Larger query caches also require more memory, so to increase this setting you need at least 2GB of RAM and preferably 4GB or more.
For example, on a system with 2GB of RAM the query cache should be set to 96m:
query_cache_size=96m
For systems with 4GB of RAM or more, a larger query cache can be used:
query_cache_size=128m
You can try larger cache sizes, but we find that 128m is generally as high as you need to go. Higher values may be counterproductive.
Dedicated I/O channel
For systems with high volumes of events we recommend moving your MySQL databases to their own I/O channel, separate from your web sites and other filesystem-intensive workloads, so the database files are not competing for disk bandwidth. Databases can be quite large, and the ASL events database grows over time according to the archive settings in your ASL Configuration, so faster access to these files improves performance on the system.
mysql tuning
If you are using MySQL, we highly recommend tuning it with a professional's help. MySQL is a powerful database server, but it is not tuned in its default configuration and performs poorly as a result. Even if MySQL appears to be performing well for you, on the default settings your database server is running much slower than it needs to.
You can use the tool mysqltuner to help with this. It only provides recommendations, so consult an expert before changing your MySQL configuration and to make the best use of what mysqltuner suggests.
To install mysqltuner, please run this command as root:
yum install mysqltuner
And to run it, just run this command:
mysqltuner
More information is available about mysqltuner at this website:
Disk Space
ASL keeps records for as long as you configure it to. You should therefore monitor the disk usage of your database and /var partitions and be prepared to add space based on the event volume of your system. If /var runs out of space, the ASL web console will not work, and other parts of ASL may fail as well.
Please see the https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#ASL_disk_space_requirements notes above for minimum free space requirements.
ASL also records other events, such as file changes and software updates, in a separate monitoring system whose data is likewise stored in /var. See the ASL FAQ for details on tuning this system if you want it to use less disk space.
/tmp
Your operating system uses /tmp for temporary files. For long-term use of ASL and the operating system, /tmp should be as large as your OS needs. The actual space needed in your /tmp partition varies substantially with what you do with your OS.
ASL needs some free space in /tmp for installation, and may use /tmp as part of ongoing activity. However, this partition is primarily used by your OS, not ASL, and a full /tmp partition can have severe effects on your OS. Contact your OS vendor for help sizing your /tmp partition to meet your OS's needs.
Test Server
Each ASL license lets you install ASL on a production server, a QA server and a test server. We recommend, as all software companies do, that you always test ASL and ASL upgrades on a test machine before making any changes to your production environment. We test our products heavily before releasing an update, but no software company can account for every possible condition, configuration or environment, so you should test upgrades on non-production machines before rolling them out to production.