Difference between revisions of "ASL Configuration"

From Atomicorp Wiki
Jump to: navigation, search
(SSH daemon configuration)
m
Line 131: Line 131:
  
 
=== ALLOW_kmod_loading ===  
 
=== ALLOW_kmod_loading ===  
 +
 +
The default configuration for ASL is to disable Loadable Kernel Modules (LKM) after the system has booted (S99). This is intended to provide additional protection from attempts to load LKM rootkits by "locking" the kernel and preventing any additional changes to the kernel once it has been configured.
 +
 +
Setting this flag to "yes" and rebooting the system will allow kernel modules to be loaded and unloaded dynamically after a reboot.  We do not recommend you set this to "yes", as a properly configured server should not require the kernel to dynamically modified.  A number of known and in the wild attacks on Linux servers take advantage of kernel module loading being allowed, which can also be triggered by non-root users and have been used to compromise Linux systems. 
 +
 +
The secure and recommended setting is "no".  Do not allow kernel module loading.
  
 
=== ENABLE_TPE ===
 
=== ENABLE_TPE ===
 +
 +
Trusted Path Execution(TPE) will allow you to choose a gid to add to the supplementary groups of users you want to mark as "untrusted" or "trusted". These users will not be able to execute any files that are not in root-owned directories writable only by root.
  
 
=== TPE_GROUP_POLICY ===
 
=== TPE_GROUP_POLICY ===
 +
 +
The TPE group policy indicates the mode to enforce on the system. These are "trusted", which is an Unless Allow, Deny configuration where only users in the "trusted" group can execute commands that are not owned by the root user. It is the more aggressive and constricted mode. The default "untrusted" mode is an Unless Deny, Allow policy where the TPE security controls only apply to users in the "untrusted" group.
  
 
=== TPE_UNTRUSTED_USERS ===
 
=== TPE_UNTRUSTED_USERS ===
 +
 +
Users in this group will have the TPE policy applied if the system is configured to operate in "untrusted" mode.  The root user is automatically trusted.
  
 
=== TPE_TRUSTED_USERS ===
 
=== TPE_TRUSTED_USERS ===
 +
 +
Users in this group will NOT have the TPE policy applied if the system is configured to operate in the "trusted" mode.  Setting the policy to "trusted" means that only users in this list are trusted, all other users are considered untrusted.  The root user is automatically trusted.
  
 
=== DISABLE_PRIVILEGED_IO ===
 
=== DISABLE_PRIVILEGED_IO ===
 +
 +
If you say yes here, all ioperm and iopl calls will return an error. Ioperm and iopl can be used to modify the running kernel.  This is generally safe to set to "yes".  Very few applications require that this be set to "no".
 +
 +
Some programs may need this access to operate properly, the most notable of which are XFree86 and hwclock.
 +
 +
hwclock is remedied by having RTC support in the the ASL kernel, so real-time clock support is enabled if this option is enabled, to ensure that hwclock operates correctly.
 +
 +
XFree86 still will not operate correctly with this option enabled, so DO NOT CHOOSE YES IF YOU USE XFree86.
  
 
=== AUDIT_MOUNT ===
 
=== AUDIT_MOUNT ===
 +
 +
Log all mount() and umount() actions.
  
 
=== AUDIT_CHDIR ===
 
=== AUDIT_CHDIR ===
 +
 +
Log all chdir() calls, or every time an application or user changes their directory. This is a high volume setting, and is disabled by default.
  
 
=== AUDIT_PTRACE ===
 
=== AUDIT_PTRACE ===
 +
 +
Log all attempts to attach to a process via ptrace().
  
 
=== AUDIT_TEXTREL ===
 
=== AUDIT_TEXTREL ===
 +
 +
Log text relocations with the filename of the offending library or binary. This is a high volume setting, and is disabled by default.
  
 
=== CHROOT_CAPS ===
 
=== CHROOT_CAPS ===
 +
 +
When enabled, the capabilities on all root processes within a chroot jail will be lowered to stop module insertion, raw i/o, system and net admin tasks, rebooting the system, modifying immutable, files, modifying IPC owned by another, and changing the system time.
  
 
=== CHROOT_DENY_CHMOD ===
 
=== CHROOT_DENY_CHMOD ===
 +
 +
When enabled, processes inside a chroot will not be able to chmod or fchmod files to make them have suid or sgid bits.
  
 
=== CHROOT_DENY_CHROOT ===
 
=== CHROOT_DENY_CHROOT ===
 +
 +
When enabled, processes inside a chroot will not be able to chroot again outside the chroot.
  
 
=== CHROOT_DENY_FCHDIR ===
 
=== CHROOT_DENY_FCHDIR ===
 +
 +
When enabled, a well-known method of breaking chroots by fchdir'ing to a file descriptor of the chrooting process that points to a directory outside the filesystem will be stopped.
  
 
=== CHROOT_DENY_MKNOD ===
 
=== CHROOT_DENY_MKNOD ===
 +
 +
When enabled, processes inside a chroot will not be allowed to mknod.
  
 
=== CHROOT_DENY_MOUNT ===
 
=== CHROOT_DENY_MOUNT ===
 +
 +
When enabled, processes inside a chroot will not be able to mount or remount.
  
 
=== CHROOT_DENY_PIVOT ===
 
=== CHROOT_DENY_PIVOT ===
 +
 +
When enabled, processes inside root will not be able to use pivot_root().
  
 
=== CHROOT_DENY_SHMAT ===
 
=== CHROOT_DENY_SHMAT ===
 +
 +
When enabled, processes inside a chroot will not be able to attach to shared memory segments that were created outside of the chroot jail.
  
 
=== CHROOT_DENY_SYSCTL ===
 
=== CHROOT_DENY_SYSCTL ===
 +
 +
When enabled, an attacker in a chroot will not be able to write to sysctl entries, either by sysctl(2) or through a /proc interface.
  
 
=== CHROOT_DENY_UNIX ===
 
=== CHROOT_DENY_UNIX ===
 +
 +
When enabled, processes inside a chroot will not be able to connect to abstract (meaning not belonging to a filesystem) Unix domain sockets that were bound outside of a chroot.
  
 
=== CHROOT_ENFORCE_CHDIR ===
 
=== CHROOT_ENFORCE_CHDIR ===
 +
 +
When enabled, current working directory of all newly-chrooted applications will be set to the the root directory of the chroot.
  
 
=== CHROOT_ENFORCE_CHDIR ===
 
=== CHROOT_ENFORCE_CHDIR ===
 +
 +
When enabled, current working directory of all newly-chrooted applications will be set to the the root directory of the chroot.
  
 
=== CHROOT_EXECLOG ===
 
=== CHROOT_EXECLOG ===
 +
 +
When enabled, all executions inside a chroot jail will be logged to syslog. This is a high volume setting and is disabled by default.
  
 
=== CHROOT_FINDTASK ===
 
=== CHROOT_FINDTASK ===
 +
 +
When enabled, processes inside a chroot will not be able to kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, getsid, or view any process outside of the chroot.
  
 
=== CHROOT_RESTRICT_NICE ===
 
=== CHROOT_RESTRICT_NICE ===
 +
 +
When enabled, processes inside a chroot will not be able to raise the priority of processes in the chroot, or alter the priority of processes outside the chroot.
  
 
=== EXEC_LOGGING ===
 
=== EXEC_LOGGING ===
 +
 +
When enabled, all execve() calls for users in the group execlog (1007) will be logged (since the other exec*() calls are frontends to execve(), all execution will be logged). This is a high volume setting and is disabled by default.
  
 
=== EXEC_LOG_USERS ===
 
=== EXEC_LOG_USERS ===
 +
 +
Users in the group execlog will have all execve() actions logged to syslog if EXEC_LOGGING is enabled. This is a high volume setting, and is disabled by default.
  
 
=== DMESG ===
 
=== DMESG ===
 +
 +
When enabled, non-root users will not be able to use dmesg(8) to view up to the last 4kb of messages in the kernel's log buffer.
  
 
=== EXECVE_LIMITING ===
 
=== EXECVE_LIMITING ===
 +
 +
When enabled, users with a resource limit on processes will have the value checked during execve() calls.
  
 
=== FIFO_RESTRICTIONS ===
 
=== FIFO_RESTRICTIONS ===

Revision as of 12:50, 29 June 2012

Contents

Introduction

ASL is configured to a secure set of defaults upon installation. Most users do not need to change these settings.

Installation

ASL Installation settings are documented on the ASL installation page, please see that page for installation configuration options.

Post Installation Configuration

You can access the ASL configuration settings by following this process:

Step 1) Log into the ASL GUI

Step 2) Click on the Configuration tab

Step 3) Select "ASL Configuration"

This will pull up all the ASL Configuration options, which are broken into classes and are documented below or links are provided to the specific documentation pages for those options.

Authentication Information

ASL Web Settings

In addition to the settings below, also, please see the ASL Web Settings page for documentation about configuring the ASL GUI itself.

ASL_DB_RETENTION

Period alert data is considered to be live before being moved into an archive table. Once this limit is reached, ASL will move the events into the database archive table.

The format for this field is an integer follow by "days" "weeks" "months" or "years". For example, if you want to archive events after 3 months, you would change this field to:

3 months

The default is 7 days. After 7 days, events are archived.

This value is ignored if ASL_DB_ARCHIVE is set to "no" below.


ASL_DB_ARCHIVE

ASL will store old data in monthly archive table if this is set to 'yes', or simply delete past retention data if it is set to 'no' once the ASL_DB_RETENTION period is reached for the data.

Data Paths

PATH_RSS

URL to the Atomicorp Security Bulletins RSS feed.

General Settings

NOTIFY

Determines if ASL will notify by email or not. Set this to yes if you want ASL to email you, and no if you do not.

EMAIL

Default email address used to send alerts to. This is also set during installation.

HOSTNAME

Hostname for the system. This is also set during installation.

ADMIN_USERS

Defines administrative users allowed to SSH to the system. If this is defined, AND the users exist, AND they have valid SSH keys, password auth and root logins will be automatically disabled.

SYSTEM_TYPE

Defines a basic services policy for the system. Currently webserver and custom are the only supported policies.

Setting the profile to "webserver" will configure ASL to disable the following services: portmap nfs nfslock rpcidmapd cups gpm xfs pcscd mcstrans kdump isdn hplip hidd messagebus haldaemon gpm bluetooth avahi-daemon autofs apmd.

If this is set to custom, no services will be automatically disabled.

AUTOMATIC_UPDATES

Configures the update frequency for ASL to download and install updates, such as new rules and signatures

NOTE: Updates can be run manually from the command line with asl -u.

This does not automatically patches on the system by design. If a software update is available you should follow your normal patch management procedure. See "UPDATE_TYPE" below for one exception to this.

UPDATE_TYPE

Configures the behavior of the AUTOMATIC_UPDATE event. There are three options:

All: This will install all ASL software, rule and signatures updates (this will not upgrade the kernel).

Exclude-kernel: This will install all ASL software, rule and signatures updates but not upgrade the kernel.

rules-only: This will exclude all software updates, yum package updates and kernel updates and will only install rule and signature updates.

All is the recommended setting. Some rule and signature updates will not work without ASL updates, so if you set this to "rules only" be sure to regularly check your system for any software updates for ASL to be fully protected.

RESTART_APACHE

Sets the restart policy for actions involving the web server. Updates to the WAF, mod_security, or mod_evasive policies will require a web server restart to go into effect. This setting has three options:

Yes: Restart apache when needed.

Graceful: Use the "graceful" method which tries to wait for all clients to finish being served before restarting Apache. If apache has a stuck thread or worker Graceful may not complete.

No: Do not restart apache.

Note: If you set this to "No", updates that require apache restarts will not be applied, such as new WAF rules. If you set this to "No" you will need to schedule regular restart intervals to install the latest rules. Only the latest rules are supported with the WAF.

ASL_USER

Sets the user to run ASL web activity under. This can be either "tortix" for use with ASL-Web, or "psaadm" for use with the Plesk ASL module. Note: this setting has been deprecated.

FEED_TYPE

This setting allows you to toggle between different WAF feeds. Currently this is only used by ASL Lite, and supports the Real-Time and 90-day delayed feeds. ASL Users should not change this setting.

COMPLIANCE

This a new and UNSUPPORTED feature. If you use this, we welcome your feedback but it is unsupported.

This enables a compliance module based on one of 5 standards (CIS, DISA, DHS, NISPOM, PCI). It is not recommended by Atomicorp that you use any of these. It should only be used if you are required by a 3rd party regulator.

These compliance standards are very generic, and will break things on your system. These are not Atomicorp standards, so if you enable them be prepared to fix things.

Firewall Configuration

Please see the ASL firewall page for documentation on these settings.

Kernel configuration

If you are not using the ASL Kernel these settings will have no effect.

ALLOW_kmod_loading

The default configuration for ASL is to disable Loadable Kernel Modules (LKM) after the system has booted (S99). This is intended to provide additional protection from attempts to load LKM rootkits by "locking" the kernel and preventing any additional changes to the kernel once it has been configured.

Setting this flag to "yes" and rebooting the system will allow kernel modules to be loaded and unloaded dynamically after a reboot. We do not recommend you set this to "yes", as a properly configured server should not require the kernel to dynamically modified. A number of known and in the wild attacks on Linux servers take advantage of kernel module loading being allowed, which can also be triggered by non-root users and have been used to compromise Linux systems.

The secure and recommended setting is "no". Do not allow kernel module loading.

ENABLE_TPE

Trusted Path Execution(TPE) will allow you to choose a gid to add to the supplementary groups of users you want to mark as "untrusted" or "trusted". These users will not be able to execute any files that are not in root-owned directories writable only by root.

TPE_GROUP_POLICY

The TPE group policy indicates the mode to enforce on the system. These are "trusted", which is an Unless Allow, Deny configuration where only users in the "trusted" group can execute commands that are not owned by the root user. It is the more aggressive and constricted mode. The default "untrusted" mode is an Unless Deny, Allow policy where the TPE security controls only apply to users in the "untrusted" group.

TPE_UNTRUSTED_USERS

Users in this group will have the TPE policy applied if the system is configured to operate in "untrusted" mode. The root user is automatically trusted.

TPE_TRUSTED_USERS

Users in this group will NOT have the TPE policy applied if the system is configured to operate in the "trusted" mode. Setting the policy to "trusted" means that only users in this list are trusted, all other users are considered untrusted. The root user is automatically trusted.

DISABLE_PRIVILEGED_IO

If you say yes here, all ioperm and iopl calls will return an error. Ioperm and iopl can be used to modify the running kernel. This is generally safe to set to "yes". Very few applications require that this be set to "no".

Some programs may need this access to operate properly, the most notable of which are XFree86 and hwclock.

hwclock is remedied by having RTC support in the the ASL kernel, so real-time clock support is enabled if this option is enabled, to ensure that hwclock operates correctly.

XFree86 still will not operate correctly with this option enabled, so DO NOT CHOOSE YES IF YOU USE XFree86.

AUDIT_MOUNT

Log all mount() and umount() actions.

AUDIT_CHDIR

Log all chdir() calls, or every time an application or user changes their directory. This is a high volume setting, and is disabled by default.

AUDIT_PTRACE

Log all attempts to attach to a process via ptrace().

AUDIT_TEXTREL

Log text relocations with the filename of the offending library or binary. This is a high volume setting, and is disabled by default.

CHROOT_CAPS

When enabled, the capabilities on all root processes within a chroot jail will be lowered to stop module insertion, raw i/o, system and net admin tasks, rebooting the system, modifying immutable, files, modifying IPC owned by another, and changing the system time.

CHROOT_DENY_CHMOD

When enabled, processes inside a chroot will not be able to chmod or fchmod files to make them have suid or sgid bits.

CHROOT_DENY_CHROOT

When enabled, processes inside a chroot will not be able to chroot again outside the chroot.

CHROOT_DENY_FCHDIR

When enabled, a well-known method of breaking chroots by fchdir'ing to a file descriptor of the chrooting process that points to a directory outside the filesystem will be stopped.

CHROOT_DENY_MKNOD

When enabled, processes inside a chroot will not be allowed to mknod.

CHROOT_DENY_MOUNT

When enabled, processes inside a chroot will not be able to mount or remount.

CHROOT_DENY_PIVOT

When enabled, processes inside root will not be able to use pivot_root().

CHROOT_DENY_SHMAT

When enabled, processes inside a chroot will not be able to attach to shared memory segments that were created outside of the chroot jail.

CHROOT_DENY_SYSCTL

When enabled, an attacker in a chroot will not be able to write to sysctl entries, either by sysctl(2) or through a /proc interface.

CHROOT_DENY_UNIX

When enabled, processes inside a chroot will not be able to connect to abstract (meaning not belonging to a filesystem) Unix domain sockets that were bound outside of a chroot.

CHROOT_ENFORCE_CHDIR

When enabled, current working directory of all newly-chrooted applications will be set to the the root directory of the chroot.

CHROOT_ENFORCE_CHDIR

When enabled, current working directory of all newly-chrooted applications will be set to the the root directory of the chroot.

CHROOT_EXECLOG

When enabled, all executions inside a chroot jail will be logged to syslog. This is a high volume setting and is disabled by default.

CHROOT_FINDTASK

When enabled, processes inside a chroot will not be able to kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, getsid, or view any process outside of the chroot.

CHROOT_RESTRICT_NICE

When enabled, processes inside a chroot will not be able to raise the priority of processes in the chroot, or alter the priority of processes outside the chroot.

EXEC_LOGGING

When enabled, all execve() calls for users in the group execlog (1007) will be logged (since the other exec*() calls are frontends to execve(), all execution will be logged). This is a high volume setting and is disabled by default.

EXEC_LOG_USERS

Users in the group execlog will have all execve() actions logged to syslog if EXEC_LOGGING is enabled. This is a high volume setting, and is disabled by default.

DMESG

When enabled, non-root users will not be able to use dmesg(8) to view up to the last 4kb of messages in the kernel's log buffer.

EXECVE_LIMITING

When enabled, users with a resource limit on processes will have the value checked during execve() calls.

FIFO_RESTRICTIONS

FORKFAIL_LOGGING

HARDEN_PTRACE

IP_BLACKHOLE

LASTACK_RETRIES

LINKING_RESTRICTIONS

RESOURCE_LOGGING

ROMOUNT_PROTECT

RWXMAP_LOGGING

SIGNAL_LOGGING

SOCKET_ALL

SOCKET_USERS

SOCKET_CLIENT

SOCKET_CLIENT_USERS

SOCKET_SERVER

SOCKET_SERVER_USERS

TIMECHANGE_LOGGING

ClamAV configuration

Also, see the anti virus page for important documentation about configuring the Real Time Antimalware system in ASL.

CLAMAV_ENABLED

CLAMAV_ENABLE_DAZUKO

CLAMAV_TCPADDRESS

CLAMAV_SCANONACCESS

CLAMAV_SCANONOPEN

CLAMAV_SCANONEXEC

CLAMAV_SCANONCLOSE

CLAMAV_CLAMUKO_MAXFILESIZE

PSMON configuration

PSMON_ENABLED

PSMON_NOTIFY

PSMON_EMAIL

PSMON_FROM

OSSEC configuration

OSSEC_ENABLED

OSSEC_NOTIFY

OSSEC_MODE

OSSEC_USE_MYSQL

OSSEC_DATABASE_SERVER

OSSEC_DATABASE

OSSEC_DATABASE_USERNAME

OSSEC_DATABASE_PASSWORD

OSSEC_SERVER

OSSEC_EMAIL

OSSEC_SMTP_SERVER

OSSEC_FROM

OSSEC_MAX_MSG

OSSEC_ACTIVE_RESPONSE

OSSEC_SHUN_ENABLE_TIMEOUT

OSSEC_SHUN_TIME

HIDS_SHUN_MULTIPLIER

HIDS_EMAIL_ALERT_LEVEL

Mod_security configuration

Please see the ASL WAF page for documentation on these settings.

PHP configuration

SSH daemon configuration

Also, see the SSH debugging page in case you can't log into your ASL server via SSH.

Rkhunter settings

Mod_evasive

Also, see the Mod evasive page for important documentation about configuring the DOS protection system for Apache.

Web App Inventory

Plesk Security Settings

Personal tools