Difference between revisions of "ASL Configuration"
Revision as of 17:32, 20 June 2012
Introduction
ASL is configured to a secure set of defaults upon installation. Most users do not need to change these settings.
Installation
ASL installation settings are documented on the ASL installation page; please see that page for the installation configuration options.
Post Installation Configuration
You can access the ASL configuration settings by following this process:
Step 1) Log into the ASL GUI
Step 2) Click on the Configuration tab
Step 3) Select "ASL Configuration"
This will pull up all the ASL configuration options. They are grouped into classes; each class is documented below, or a link is provided to the specific documentation page for those options.
Authentication Information
ASL Web Settings
In addition to the settings below, please also see the ASL Web Settings page for documentation about configuring the ASL GUI itself.
ASL_DB_RETENTION
The period for which alert data is considered live before being moved into an archive table. Once this limit is reached, ASL moves the events into the database archive table.
The format for this field is an integer followed by "days", "weeks", "months" or "years". For example, if you want to archive events after 3 months, you would change this field to:
3 months
The default is 7 days. After 7 days, events are archived.
This value is ignored if ASL_DB_ARCHIVE is set to "no" below.
ASL_DB_ARCHIVE
If this is set to 'yes', ASL stores old data in a monthly archive table once the ASL_DB_RETENTION period is reached for that data; if it is set to 'no', data past the retention period is simply deleted.
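As an added illustration (not ASL's own code), the following Python parses an ASL_DB_RETENTION value in the format described above, computes the cutoff date, and shows how ASL_DB_ARCHIVE decides between archiving and deleting an event that is past retention. The function names and the calendar-month arithmetic are assumptions; the dates are constructed sample input.

```python
import calendar
import re
from datetime import date, timedelta

# Constructed example: ASL_DB_RETENTION is "<integer> days|weeks|months|years".
# Helper names are assumptions, not ASL's implementation.
_UNIT_DAYS = {"days": 1, "weeks": 7}


def parse_retention(value):
    """Return (count, unit) for a value like '3 months'; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\s+(days?|weeks?|months?|years?)\s*", value)
    if not m:
        raise ValueError("ASL_DB_RETENTION must be '<integer> days|weeks|months|years'")
    count = int(m.group(1))
    unit = m.group(2).rstrip("s") + "s"  # normalise "day"/"days" -> "days"
    return count, unit


def retention_cutoff(value, today):
    """Oldest event date still considered live.

    Days and weeks subtract a fixed number of days; months and years move the
    calendar (assumption), clamping the day to the target month's length.
    """
    count, unit = parse_retention(value)
    if unit in _UNIT_DAYS:
        return today - timedelta(days=count * _UNIT_DAYS[unit])
    months = count * (12 if unit == "years" else 1)
    year = today.year + (today.month - 1 - months) // 12
    month = (today.month - 1 - months) % 12 + 1
    day = min(today.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def event_disposition(event_date, retention, archive, today):
    """'live', 'archive' (ASL_DB_ARCHIVE=yes) or 'delete' (ASL_DB_ARCHIVE=no)."""
    if event_date >= retention_cutoff(retention, today):
        return "live"
    return "archive" if archive.strip().lower() == "yes" else "delete"


if __name__ == "__main__":
    # Constructed dates: the page's default of 7 days, evaluated on 2012-06-20.
    today = date(2012, 6, 20)
    for d in (date(2012, 6, 15), date(2012, 6, 1)):
        print(d, event_disposition(d, "7 days", "yes", today),
              event_disposition(d, "7 days", "no", today))
```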
Data Paths
PATH_RSS
URL to the Atomicorp Security Bulletins RSS feed.
General Settings
NOTIFY
Determines if ASL will notify by email or not. Set this to yes if you want ASL to email you, and no if you do not.
EMAIL
Default email address used to send alerts to. This is also set during installation.
HOSTNAME
Hostname for the system. This is also set during installation.
ADMIN_USERS
Defines administrative users allowed to SSH to the system. If this is defined, AND the users exist, AND they have valid SSH keys, password auth and root logins will be automatically disabled.
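To make the three-way condition above concrete, here is an added Python check (not ASL's own code) that evaluates an ADMIN_USERS list against constructed account and authorized_keys data and reports which condition fails before any SSH hardening would be applied. The helper names, the sample accounts and keys, and the mapping to the sshd_config directives PasswordAuthentication and PermitRootLogin are assumptions.

```python
# Constructed example of the ADMIN_USERS rule: hardening applies only when
# ADMIN_USERS is defined AND every listed user exists AND each has a valid key.
# Sample data below is constructed; key material is truncated.
SAMPLE_ACCOUNTS = {"root", "alice", "bob", "www"}
SAMPLE_AUTHORIZED_KEYS = {
    "alice": ["ssh-rsa AAAAB3NzaC1yc2E...truncated... alice@laptop"],
    "bob": ["# no keys installed yet"],
}
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")


def has_valid_key(lines):
    """True if any non-comment line looks like '<keytype> <base64> [comment]'."""
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] in KEY_TYPES:
            return True
    return False


def evaluate_admin_users(admin_users, accounts, keys):
    """Return (hardening_applied, reasons) mirroring the page's three-way AND."""
    if not admin_users:
        return False, ["ADMIN_USERS is not defined"]
    reasons = []
    for user in admin_users:
        if user not in accounts:
            reasons.append(f"{user}: account does not exist")
        elif not has_valid_key(keys.get(user, [])):
            reasons.append(f"{user}: no valid SSH key")
    return (not reasons), reasons


def sshd_directives(hardening_applied):
    """sshd_config settings that disable password auth and root login (assumed mapping)."""
    if hardening_applied:
        return {"PasswordAuthentication": "no", "PermitRootLogin": "no"}
    return {}


if __name__ == "__main__":
    for admins in (["alice"], ["alice", "bob"], ["alice", "carol"], []):
        ok, why = evaluate_admin_users(admins, SAMPLE_ACCOUNTS, SAMPLE_AUTHORIZED_KEYS)
        print(admins, "->", sshd_directives(ok) or why)
```

A listed user without a key keeps password authentication enabled, which is the safe failure mode the page describes: the check is what prevents locking every administrator out.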
SYSTEM_TYPE
Defines a basic services policy for the system. Currently webserver and custom are the only supported policies.
Setting the profile to "webserver" will configure ASL to disable the following services: portmap nfs nfslock rpcidmapd cups gpm xfs pcscd mcstrans kdump isdn hplip hidd messagebus haldaemon gpm bluetooth avahi-daemon autofs apmd.
If this is set to custom, no services will be automatically disabled.
AUTOMATIC_UPDATES
Configures how often ASL downloads and installs updates, such as new rules and signatures.
NOTE: Updates can be run manually from the command line with asl -u.
By design, this does not automatically apply patches to the system. If a software update is available, you should follow your normal patch management procedure. See "UPDATE_TYPE" below for one exception to this.
UPDATE_TYPE
Configures the behavior of the AUTOMATIC_UPDATES event. There are three options:
All: This will install all ASL software, rule and signature updates (this will not upgrade the kernel).
Exclude-kernel: This will install all ASL software, rule and signature updates but will not upgrade the kernel.
rules-only: This will exclude all software updates, yum package updates and kernel updates and will only install rule and signature updates.
All is the recommended setting. Some rule and signature updates will not work without ASL updates, so if you set this to "rules-only", be sure to regularly check your system for any ASL software updates so that ASL is fully protected.
RESTART_APACHE
Sets the restart policy for actions involving the web server. Updates to the WAF, mod_security, or mod_evasive policies will require a web server restart to go into effect. This setting has three options:
Yes: Restart apache when needed.
Graceful: Use the "graceful" method, which tries to wait for all clients to finish being served before restarting Apache. If Apache has a stuck thread or worker, a graceful restart may not complete.
No: Do not restart Apache.
Note: If you set this to "No", updates that require an Apache restart, such as new WAF rules, will not be applied; you will need to schedule regular restart intervals to install the latest rules. Only the latest rules are supported with the WAF.
ASL_USER
Sets the user to run ASL web activity under. This can be either "tortix" for use with ASL-Web, or "psaadm" for use with the Plesk ASL module. Note: this setting has been deprecated.
FEED_TYPE
This setting allows you to toggle between different WAF feeds. Currently this is only used by ASL Lite, and supports the Real-Time and 90-day delayed feeds. ASL Users should not change this setting.
COMPLIANCE
This is a new and UNSUPPORTED feature. If you use this, we welcome your feedback, but it is unsupported.
This enables a compliance module based on one of 5 standards (CIS, DISA, DHS, NISPOM, PCI). It is not recommended by Atomicorp that you use any of these. It should only be used if you are required by a 3rd party regulator.
These compliance standards are very generic, and will break things on your system. These are not Atomicorp standards, so if you enable them be prepared to fix things.
Firewall Configuration
Please see the ASL firewall page for documentation on these settings.
Kernel configuration
If you are not using the ASL Kernel these settings will have no effect.
ALLOW_kmod_loading
ENABLE_TPE
TPE_GROUP_POLICY
TPE_UNTRUSTED_USERS
TPE_TRUSTED_USERS
DISABLE_PRIVILEGED_IO
AUDIT_MOUNT
AUDIT_CHDIR
AUDIT_PTRACE
AUDIT_TEXTREL
CHROOT_CAPS
CHROOT_DENY_CHMOD
CHROOT_DENY_CHROOT
CHROOT_DENY_FCHDIR
CHROOT_DENY_MKNOD
CHROOT_DENY_MOUNT
CHROOT_DENY_PIVOT
CHROOT_DENY_SHMAT
CHROOT_DENY_SYSCTL
CHROOT_DENY_UNIX
CHROOT_ENFORCE_CHDIR
CHROOT_EXECLOG
CHROOT_FINDTASK
CHROOT_RESTRICT_NICE
EXEC_LOGGING
EXEC_LOG_USERS
DMESG
EXECVE_LIMITING
FIFO_RESTRICTIONS
FORKFAIL_LOGGING
HARDEN_PTRACE
IP_BLACKHOLE
LASTACK_RETRIES
LINKING_RESTRICTIONS
RESOURCE_LOGGING
ROMOUNT_PROTECT
RWXMAP_LOGGING
SIGNAL_LOGGING
SOCKET_ALL
SOCKET_USERS
SOCKET_CLIENT
SOCKET_CLIENT_USERS
SOCKET_SERVER
SOCKET_SERVER_USERS
TIMECHANGE_LOGGING
ClamAV configuration
Also, see the anti virus page for important documentation about configuring the Real Time Antimalware system in ASL.
CLAMAV_ENABLED
CLAMAV_ENABLE_DAZUKO
CLAMAV_TCPADDRESS
CLAMAV_SCANONACCESS
CLAMAV_SCANONOPEN
CLAMAV_SCANONEXEC
CLAMAV_SCANONCLOSE
CLAMAV_CLAMUKO_MAXFILESIZE
PSMON configuration
PSMON_ENABLED
PSMON_NOTIFY
PSMON_EMAIL
PSMON_FROM
OSSEC configuration
OSSEC_ENABLED
OSSEC_NOTIFY
OSSEC_MODE
OSSEC_USE_MYSQL
OSSEC_DATABASE_SERVER
OSSEC_DATABASE
OSSEC_DATABASE_USERNAME
OSSEC_DATABASE_PASSWORD
OSSEC_SERVER
OSSEC_EMAIL
OSSEC_SMTP_SERVER
OSSEC_FROM
OSSEC_MAX_MSG
OSSEC_ACTIVE_RESPONSE
OSSEC_SHUN_ENABLE_TIMEOUT
OSSEC_SHUN_TIME
HIDS_SHUN_MULTIPLIER
HIDS_EMAIL_ALERT_LEVEL
Mod_security configuration
Please see the ASL WAF page for documentation on these settings.
PHP configuration
SSH daemon configuration
Rkhunter settings
Mod_evasive
Also, see the Mod evasive page for important documentation about configuring the DOS protection system for Apache.