(30 intermediate revisions by 2 users not shown)
Line 1: |
Line 1: |
− | == '''Features in ASL 2.2''' == | + | = Introduction = |
| | | |
| + | Atomic Secured Linux(tm), or "ASL" for short, is a Unified Security Suite addon for Linux(tm) systems designed to protect servers against zero day threats. Unlike other expensive security "solutions" that pretend to achieve security through signature-based detection, known-vulnerability patching and other reactive methods, Atomic Secured Linux(tm) provides real proactive security. The only solution that protects both your applications and operating system, Atomic Secured Linux is essential for public-facing servers and shared-hosting environments. |
| | | |
− | * Web Application Firewall
| + | And Atomic Secured Linux (ASL) is uniquely designed for beginners and experts alike. You just install ASL onto your existing system and it does the work for you, plus you can try it for free! |
| | | |
− | * Realtime Malware Protection
| + | ASL works by proactively immunizing the system against whole classes of vulnerabilities, and combines security at all layers, from the firewall, to your applications and services, and all the way down to the kernel to provide the most complete multi-spectrum protection solution available for Linux servers today. It helps to ensure that your system is secure and also compliant with commercial and government security standards. ASL is uniquely effective at addressing emerging threats posed by vulnerabilities in todays complex systems and applications, such as cloud and web hosting environments, multiuser systems, CRM's, ERPs, forums, shopping carts, Content Management systems, custom applications and more. |
| | | |
− | * Hardened kernel with grsecurity
| + | == '''Features in ASL''' == |
| | | |
− | * Self Learning Least Privilege Role Based Access Control System | + | * Web Application Firewall with Realtime Atomicorp/Gotroot.com rules |
| | | |
− | * System Hardening tools | + | * Highspeed Stateful firewall |
| | | |
− | * firewall enhancements | + | * Attack Chain Disruption to prevent zero day attacks |
| | | |
− | * stand Alone GUI | + | * Network based Intrusion Prevention System |
| | | |
− | * Malware uploader scanner (Web and FTP) | + | * Host Based Intrusion Prevention for event monitoring, file system integrity checking, and rootkit protection |
| | | |
− | * ssh brute force attack detection | + | * Web Based Security Information Manager and Unified Threat Manager |
| | | |
− | * Just In Time Patching system: Automatic security rules to protect unpatched systems | + | * Vulnerability scanner and vulnerability repair and elimination system |
| | | |
− | * web application layer firewall | + | * Realtime Malware Protection |
| | | |
− | * ossec for event monitoring, file system integrity checking, and rootkit detection | + | * Hardened secure kernel to protect against rootkits |
− |
| + | |
− | * rootkit detection and preventing, including kernel level rootkits
| + | |
| | | |
− | * process monitoring watchdog, to ensure security services are always running | + | * Self Healing system for system, database and application errors |
| | | |
− | * Web Application inventory module | + | * Self Learning Least Privilege Role Based Access Control System |
| | | |
− | * SSH configuration validation | + | * System Hardening tools |
| | | |
− | * General security hardening (unnecessary services, etc) | + | * Stand Alone secure web GUI |
| | | |
− | * PHP configuration, checks for dangerous settings | + | * Malware uploader scanner |
| | | |
− | * Apache configuration checks | + | * Brute force attack detection (Control Panels, FTP, SSH, Web applications, SMTP, POP, IMAP and more!) |
| | | |
− | * Rule updater for Mod_security, GRsecurity, and the Application Inventory system | + | * Just In Time Patching system: Automatic security rules to protect unpatched systems, and unpatched web applications. |
| | | |
− | * custom code for system hardening | + | * Rootkit detection and prevention, including kernel level rootkits |
| | | |
− | * Special ClamAV rules | + | * Process monitoring watchdog, to ensure critical and security services are always running |
| | | |
− | == Using ASL 2.2 ==
| + | * Web Application inventory module |
| | | |
− | == '''Installing ASL''' ==
| + | * Systems configuration validation (SSH, PHP and more) |
| | | |
− | [http://www.atomicorp.com/wiki/index.php/ASL_installation Installation Page]
| + | * General security hardening (unnecessary services, etc) |
| | | |
| + | * PHP configuration, checks and fixes dangerous settings |
| | | |
− | == '''Quickstart Command Line Documentation''' ==
| + | * Apache configuration checks and fixes |
| | | |
− | 1) Help
| + | * DOS protection system |
− | Atomic Secured Linux
| + | |
− | Usage: asl [options]
| + | |
| | | |
− | -bl --blacklist <value> Add <ip> to Blacklist.
| + | * Rule updater for Mod_security, GRsecurity, HIDS, Self Healing and the Application Inventory system |
− | -c --config Configure ASL settings.
| + | |
− | -ck --check Show list of updates.
| + | |
− | -dr --disable-rule <value> Disable modsec rule by signature ID.
| + | |
− | -dbl --domain-blacklist <value> Add <domain> to spam blacklist.
| + | |
− | -er --enable-rule <value> Re-enable modsec rule by signature
| + | |
− | ID.
| + | |
− | -f --fix Fix and Repair mode.
| + | |
− | -l --list List ASL modules.
| + | |
− | -m --module <value> Run a specific module.
| + | |
− | -mbl --malware-blacklist <value> Add <domain> to malware blacklist.
| + | |
− | -nc --nocolor Disable Color.
| + | |
− | -pc --permissions-check Check/Fix permissions on ASL
| + | |
− | dirs/files.
| + | |
− | --reload-firewall Reload Firewall rules.
| + | |
− | --remove-blacklist <value> Remove <ip> from Blacklist.
| + | |
− | --remove-domain-blacklist <value> Remove <domain> from spam Blacklist.
| + | |
− | --remove-malware-blacklist <value> Remove <domain> from malware
| + | |
− | Blacklist.
| + | |
− | --remove-whitelist <value> Remove <ip> from Whitelist.
| + | |
− | --report-false-positive <value> Report false positive on <path>.
| + | |
− | -r --return Prompt to continue.
| + | |
− | -s --scan Scan mode.
| + | |
− | --show-alert <value> Show alert using <path>.
| + | |
− | -t --terse Terse mode used for reporting
| + | |
− | -ub --unblock <value> Unblock <ip> from active response
| + | |
− | system. | + | |
− | -u --update Update rules and signatures.
| + | |
− | -v --version Show version.
| + | |
− | -wl --whitelist <value> Add <ip> to whitelist.
| + | |
| | | |
| + | * Custom code for system hardening |
| | | |
− | 2) Update the rules and signatures databases
| + | * Special ClamAV rules |
| | | |
− | asl -u
| + | = Downloading ASL = |
| | | |
− | 2) Run a vulnerability scan
| + | == '''How can I get a copy of ASL?''' == |
| | | |
− | asl -s
| + | Please visit the [https://atomicorp.com/features/ Atomic Secured Linux product page]. |
| | | |
− | 3) Run a vulnerability scan, and fix vulnerabilities
| + | == '''Can I try it out first?''' == |
| | | |
− | asl -s -f | + | Absolutely! Just sign up for a [https://atomicorp.com/amember/signup/index/c/oMzRCoqd no risk and no obligation free 10 day trial here]. |
| | | |
− | '''Basic Configuration''' | + | == '''Where is the ASL FAQ?''' == |
| | | |
− | ASL can be configured through /etc/asl/config, the following is a list of each setting and what it does: | + | [[ASL FAQ]] - Atomic Secured Linux Frequently Asked Questions (FAQ) |
− |
| + | |
− | # Authentication information
| + | |
− | CONFIGURED=yes # an internal setting, if its set to no you would (in theory) be forced through a configuration dialog
| + | |
− | USERNAME="USERNAME"
| + | |
− | PASSWORD="PASSWORD"
| + | |
− | UPDATEPATH="www.atomicorp.com/channels/asl-bleeding/rules/" # where the rule updater will grab updates
| + | |
− | ASLHOME="/var/asl" # internal variable, dont modify
| + | |
| | | |
− | # ASL general config
| |
− | NOTIFY=yes # used to determine if modules that can send email notifications, will do so. Setting this to: no, will disable ALL email based notifications
| |
− | EMAIL="scott@atomicrocketturtle.com" # a master email address, settings below will use the $EMAIL variable to assign this address. Can be overridden per app.
| |
− | ADMIN_USERS="SOMEUSER" # who your administrative users are, this is used by modules like SSH to harden the system. Its highly recommended to define admin users, separated by whitespace.
| |
− | # list of hosts separated by whitespace
| |
− | IP_WHITELIST="127.0.0.1 10.10.10.10 10.10.10.11 10.10.10.12" # IP's listed here will not be shunned by any of the IDS's (modsec, denyhosts, etc)
| |
− | # webserver, custom
| |
− | SYSTEM_TYPE="webserver" # webserver, or custom right now. Used by ossec, and some other modules. Use webserver only for now.
| |
| | | |
− | # Kernel config
| + | = '''Installing ASL''' = |
− | # Disable module_loading after the system has booted
| + | |
− | VSERVER=no # probably will be deprecated
| + | |
− | ALLOW_kmod_loading=no # ASL kernels can be set to disallow module loading to defend against kernel root kits. The default is to NOT allow module_loading after the system has booted.
| + | |
| | | |
− | # PSMOD config
| + | [http://www.atomicorp.com/wiki/index.php/ASL_installation Installation Page] |
− | PSMON_ENABLED=yes # Turn PSMON and its checks On or Off
| + | |
− | PSMON_EMAIL="$EMAIL" # who to email PSMON alerts to
| + | |
− | PSMON_FROM="psmon@$HOSTNAME" # From: line for PSMON
| + | |
| | | |
− | # OSSEC config
| |
− | OSSEC_ENABLED=yes # Enable OSSEC
| |
− | OSSEC_MODE="server" # options are client, server, local. Servers can accept OSSEC events from clients. Local is a standalone OSSEC system.
| |
− | OSSEC_EMAIL="$EMAIL" # Where OSSEC email alerts go
| |
− | OSSEC_SMTP_SERVER="localhost" # System ossec sends email through
| |
− | OSSEC_FROM="ossec@$HOSTNAME" # From line for OSSEC alerts
| |
− | OSSEC_SHUN_ENABLE_TIMEOUT=yes # Enables expiration of OSSEC shunning events (see IP_WHITELIST above)
| |
− | OSSEC_SHUN_TIME="600" # Time a shunned host will remain on the blacklist (10 minutes)
| |
| | | |
− | # MODSECURITY config
| + | == Configuration == |
− | MODSEC_ENABLED=yes # Turn MOD_SECURITY and its checks on/off
| + | |
− | MODSEC_SERVERSIG="Apache" # The "signature" the system will present to clients. The default is to send a client versions of the software installed. This helps against recon attacks
| + | |
− | MODSEC_UPLOADDIR="/var/asl/data/suspicious" # Where suspicious uploaded files (POSTS) will be stored
| + | |
− | MODSEC_KEEPFILES="RelevantOnly" # Off, or RelevantOnly. Related to above, this tells the system to keep those files or not.
| + | |
− | MODSEC_LOG404=no # not used yet. Application default is to log 404 errors in mod_security logs.
| + | |
− | MODSEC_LOGTYPE="Serial" # Serial or Concurrent. Serial sets modsecurity to log all events to one log file.
| + | |
− | MODSEC_LOGFILE="modsec_audit.log" # The log file for above.
| + | |
− | MODSEC_LOGELEMENT="ABIFHZ" # Elements of an event that will be logged
| + | |
− | #A = audit log header (mandatory)
| + | |
− | #B = request headers
| + | |
− | #I = request body, except when multipart/form-data encoding is used
| + | |
− | #F = final response headers
| + | |
− | #H = audit log trailer
| + | |
− | #Z = final boundary (mandatory)
| + | |
− | MODSEC_REQMEMLIMIT="131072" # Maximum size of the request body to keep in memory, higher value requires more server memory, lower can impact disk I/O
| + | |
− | MODSEC_DEBUGLOG=yes # not used yet (on by default: modsec_debug.log)
| + | |
− | MODSEC_DATADIR="/var/asl/data/msa" # top level dir used for mod_security internals. Must be read/write by the apache user
| + | |
− | MODSEC_TMPDIR="/tmp" # Directory where temporary files are created
| + | |
| | | |
− | # Rule configuration starts here
| + | ASL can be configured through the ASL GUI. Please see the [[ASL Configuration]] page for documentation. |
− | MODSEC_RULES_POLICY=on # enable/disable the HTTP Policy rules
| + | |
− | MODSEC_RULES_ROBOTS=on # enable/disable the Bad Robot ruls
| + | |
− | MODSEC_RULES_GENERIC=on # enable/disable generic attack rules
| + | |
− | MODSEC_RULES_TROJAN=on # enable/disable trojan detection rules
| + | |
− | MODSEC_RULES_OUTBOUND=off # enable/disable outbound rules (recommend this OFF for PSA environments)
| + | |
− | MODSEC_RULES_MARKETING=off # enable/disable marketing tracking rules (google, msn, yahoo bots)
| + | |
− | MODSEC_RULES_LOCAL=on # enable/disable local rules
| + | |
− | | + | |
− | | + | |
− | | + | |
− | | + | |
− | # PHP Functions
| + | |
− | PHP_CHECKS=yes # (yes/no) enable/disable php checks
| + | |
− | PHP_SAFE_MODE=yes # (yes/no) enable safe_mode checks. Turning safe_mode off exposes you to a number of threats, including remote file inclusion
| + | |
− | ALLOW_dl=no # (yes/no) disables the dl() function. dl() would allow an attacker to load their own extension into php. | + | |
− | ALLOW_exec=no # (yes/no) disables exec() function. exec() allows an attacker to execute shell commands through php
| + | |
− | ALLOW_leak=no # (yes/no) disables leak() function.
| + | |
− | ALLOW_passthru=no # (yes/no) disable passthru(). This function allows an attacker to execute shell commands through php
| + | |
− | ALLOW_pfsockopen=no # (yes/no) This function allows an attacker to open sockets, useful for spamming, remote inclusion, etc.
| + | |
− | ALLOW_phpinfo=yes # (yes/no) recon attack. Allowed by default in psa environments. phpinfo can expose internal information used by attackers
| + | |
− | ALLOW_popen=no # (yes/no) process open, allows attacker to execute commands on a system
| + | |
− | ALLOW_posix_kill=no # (yes/no) kill processes owned by the apache user
| + | |
− | ALLOW_posix_mkfifo=no # (yes/no) creates a special FIFO file which exists in the file system and acts as a bidirectional communication endpoint for processes
| + | |
− | ALLOW_posix_setpgid=no # (yes/no) Set process group id for job control
| + | |
− | ALLOW_posix_setsid=no # (yes/no) Make the current process a session leader
| + | |
− | ALLOW_posix_setuid=no # (yes/no) Set the UID of the current process. (Apache would have to run as root for this to work anyway)
| + | |
− | ALLOW_proc_close=no # Close a process opened by proc_open()
| + | |
− | ALLOW_proc_get_status=no # Get information about a process opened by proc_open()
| + | |
− | ALLOW_proc_nice=no # change nice level on process opened by proc_open
| + | |
− | ALLOW_proc_open=no # execute commands
| + | |
− | ALLOW_proc_terminate=no # kill processes started by proc_open()
| + | |
− | ALLOW_shell_exec=no # execute shell commands
| + | |
− | ALLOW_show_source=no # Alias of highlight_file(), lets you view a php file. Exposes passwords, vulnerability recon, etc.
| + | |
− | ALLOW_system=no # execute shell commands
| + | |
− | | + | |
− | # Denyhosts settings
| + | |
− | # uses EMAIL for notifications
| + | |
− | DENYHOSTS_ENABLED=yes
| + | |
− | DENYHOSTS_EMAIL="$EMAIL"
| + | |
− | DENYHOSTS_FROM="denyhosts@$HOSTNAME"
| + | |
− | DENYHOSTS_SYSLOG=yes
| + | |
− | DENYHOSTS_SHUN_TIME="4w"
| + | |
− | | + | |
− | # SSH
| + | |
− | ALLOW_ssh_proto1=no
| + | |
− | ALLOW_root_logins=no
| + | |
− | DISABLE_strict_mode=no
| + | |
− | DISABLE_ignore_rhosts=no
| + | |
− | DISABLE_pubkey_authentication=no
| + | |
− | ALLOW_password_authentication=no
| + | |
− | DISABLE_privilege_separation=no
| + | |
− | | + | |
− | # Rkhunter settings
| + | |
− | RKHUNTER_ENABLED=yes
| + | |
− | RKHUNTER_EMAIL=$EMAIL
| + | |
| | | |
| == '''Reporting False Positives''' == | | == '''Reporting False Positives''' == |
| | | |
− | If ASL blocks something it shouldn't you can report a False Positive to our support team by simply clicking the "False Positive" button in the GUI. If you have setup a support portal account your False Positive will be added to your account for review. If you have ASL configured to send alerts to one of the email addresses associated with your account then you will see your False Positives show up in real time in the support portal. If not, then a member of our support team will have to manually associate your reports with your account.
| + | See the [[Reporting False Positives]] page for details. |
− | | + | |
− | If you can not use the GUI to report a false positive, you can report false positives from the command line. For example, if you have an event like this in your audit_log:
| + | |
− | | + | |
− | [modsecurity] [client 1.2.3.4] [domain yourdomain.com] [403] [/20091115/20091115-1635/20091115-163542-rM-wwlKl8i4AACHwQ70AAAAa] [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "224"] [id "340026"] [rev "49"] [msg "Atomicorp.com WAF Rules: PHP Injection attempt in URI"] [data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required.
| + | |
− | | + | |
− | The fourth variable, [/20091115/20091115-1635/20091115-163542-rM-wwlKl8i4AACHwQ70AAAAa], is the unique token for the event. You can report it with this command:
| + | |
− | | + | |
− | asl --report-false-positive /20091115/20091115-1635/20091115-163542-rM-wwlKl8i4AACHwQ70AAAAa
| + | |
− | | + | |
− | == Application Inventory ==
| + | |
− | | + | |
− | The application inventory module is designed to identify applications installed on the system by analysing it's source code. It can be a very CPU intense operation and is configured by default to run once per day. ASL supports configuring the Application Inventory to run either Daily, Weekly, or with the following setting in /etc/asl/config
| + | |
− | | + | |
− | APPINV_CRON="daily"
| + | |
− | | + | |
− | Valid settings for this field are:
| + | |
− | | + | |
− | "daily"
| + | |
− | | + | |
− | "weekly"
| + | |
− | | + | |
− | "off"
| + | |
− | | + | |
− | Changing this setting in /etc/asl/config does *NOT* require a policy update with "asl -s -f".
| + | |
| | | |
| == ASL Web GUI Password Reset == | | == ASL Web GUI Password Reset == |
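Review bot: Missing documentation: the per-setting security rationale that only the removed `/etc/asl/config` block carried (for example `ALLOW_kmod_loading=no` disallowing module loading after boot to defend against kernel rootkits, `IP_WHITELIST` hosts never being shunned by modsec or denyhosts, the `ALLOW_exec`/`ALLOW_system`/`ALLOW_shell_exec` PHP function controls, `MODSEC_SERVERSIG`, and `OSSEC_SHUN_TIME`) does not survive anywhere in the new revision, which replaces the whole block with the single line `ASL can be configured through the ASL GUI. Please see the [[ASL Configuration]] page for documentation.`; please confirm the linked page explains each key, or keep a settings reference here. Dropping the sample file itself is right, since it embedded a specific person's mailbox in `EMAIL="scott@atomicrocketturtle.com"` and literal `USERNAME`/`PASSWORD` values, which do not belong on a public page. The same gap applies to the removed Quickstart command-line section (`asl -u`, `asl -s`, `asl -s -f`, `asl --report-false-positive <token>` with the audit_log token explanation) and to the Application Inventory section with its `APPINV_CRON` values and the note that changing it does not require `asl -s -f`: the replacement `See the [[Reporting False Positives]] page for details.` covers only part of that, and nothing says where the CLI and `APPINV_CRON` documentation now lives. Two style points in the added text: the feature list inserts roughly thirty empty lines between `* Rule updater for Mod_security, GRsecurity, HIDS, Self Healing and the Application Inventory system` and `* Custom code for system hardening` (plus a few more after `* Hardened secure kernel to protect against rootkits` and `* DOS protection system`), which will render as large gaps, and the introduction has `todays complex systems` and `CRM's`, which should read `today's` and `CRMs`.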
Line 251: |
Line 95: |
| To reset your password, run this command: | | To reset your password, run this command: |
| | | |
− | /var/asl/bin/asl-web-passwd your_user_name | + | /var/asl/bin/asl-web-passwd your_user_name |
− | | + | |
− | | + | |
− | == Mod_Security: Re-Enabling Rules ==
| + | |
− | | + | |
− | ASL supports the ability to disable rules through the web and command line interface. Once a rule has been disabled, it can be re-enabled by running the following:
| + | |
− | | + | |
− | asl --enable-rule <rule id>
| + | |
− | | + | |
− | example:
| + | |
− | | + | |
− | asl --enable-rule 123456
| + | |
− | | + | |
− | A full list of currently disabled rules is available in /etc/asl/disabled_signatures
| + | |
− | | + | |
− | == ASL inside a VPS ==
| + | |
− | | + | |
− | All of the features of ASL work inside a VPS except the ASL kernel (this is not to be confused with a Virtual Machine, the ASL kernel works just fine in a VM). VPS' do not have their own kernel. A VPS is an abstration of the single kernel running on the host system. If you are using a VPS on a server that is not running ASL you will see several important kernel vulnerabilities reported in your system. These vulnerabilities are real, and they can not be fixed from inside a VPS.
| + | |
− | | + | |
− | To eliminate these vulnerabilities in a VPS the host server must be running ASL as well.
| + | |
− | | + | |
− | VPS's will also see "hidden processes" reported by ASL. This is also expected as the rootkit detection capabilities of ASL are seeing hidden processes from other VPS' running on the system. Therefore VPS customers that do not wish to get these alerts will need to turn rootkit checks off inside their VPS's. To do this modify this file:
| + | |
− | | + | |
− | just modify this file:
| + | |
− | | + | |
− | /var/ossec/etc/ossec.conf
| + | |
− | | + | |
− | Search for this:
| + | |
− | | + | |
− | <rootcheck>
| + | |
− | | + | |
− | you should see something like this:
| + | |
− | | + | |
− | <rootcheck>
| + | |
− | <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
| + | |
− | <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
| + | |
− | </rootcheck>
| + | |
− | | + | |
− | Check that to this:
| + | |
− | | + | |
− | <rootcheck>
| + | |
− | <disabled>yes</disabled>
| + | |
− | </rootcheck>
| + | |
− | | + | |
− | You will also want to disable the hidden process checks in the VPS that are performed by rkhunter:
| + | |
− | | + | |
− | You want to edit this file:
| + | |
− | | + | |
− | /etc/rkhunter.conf
| + | |
− | | + | |
− | Look for this line:
| + | |
− | | + | |
− | ENABLE_TESTS="all"
| + | |
− | | + | |
− | Change it to:
| + | |
− | | + | |
− | #ENABLE_TESTS="all"
| + | |
− | | + | |
− | Then look for this line:
| + | |
− | | + | |
− | #DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
| + | |
− | | + | |
− | And change it to:
| + | |
− | | + | |
− | DISABLE_TESTS="hidden_procs"
| + | |
− | | + | |
− | | + | |
− | It is recommended that you not disabled these checks on the host server.
| + | |
| | | |
− | If you are not on a VPS, then reports of hidden process means you do in fact have hidden processes. That means your system was compromised at some point in the past, and ASL has detected that a rootkit is installed.
| + | Note: This utility is only valid post-installation. |