Difference between revisions of "ASL"

(New page: Using ASL 2.0 '''Quickstart Documentation''' 1) Update the signature database asl -u 2) Run a report asl -r 3) Read the App Inventory DB less /var/asl/data/webapp.db '''Configurat...)
 
Line 14: Line 14:
  
 
'''Configuration'''
 
'''Configuration'''
 +
 +
Currently the web interface is incomplete. ASL can be configured through /etc/asl/config, the following is a list of each setting and what it does:
 +
 +
# Authentication information
 +
CONFIGURED=yes
 +
USERNAME="USERNAME"
 +
PASSWORD="PASSWORD"
 +
UPDATEPATH="www.atomicorp.com/channels/asl-bleeding/rules/"
 +
ASLHOME="/var/asl"
 +
 +
# ASL general config
 +
NOTIFY=yes
 +
EMAIL="scott@atomicrocketturtle.com"
 +
ADMIN_USERS="SOMEUSER"
 +
# list of hosts separated by whitespace
 +
IP_WHITELIST="127.0.0.1 10.10.10.10 10.10.10.11 10.10.10.12"   
 +
# webserver, custom
 +
SYSTEM_TYPE="webserver"
 +
 +
# Kernel config
 +
# Disable module_loading after the system has booted
 +
VSERVER=no
 +
ALLOW_kmod_loading=no
 +
 +
# PSMOD config
 +
PSMON_ENABLED=yes
 +
PSMON_EMAIL="$EMAIL"
 +
PSMON_FROM="psmon@$HOSTNAME"
 +
 +
# OSSEC config
 +
OSSEC_ENABLED=yes
 +
OSSEC_MODE="server"        # options are client, server, local
 +
OSSEC_EMAIL="$EMAIL"
 +
OSSEC_SMTP_SERVER="ac3.atomicorp.com"
 +
OSSEC_FROM="ossec@$HOSTNAME"
 +
OSSEC_SHUN_ENABLE_TIMEOUT=yes
 +
OSSEC_SHUN_TIME="600"
 +
 +
# MODSECURITY config
 +
MODSEC_ENABLED=yes
 +
MODSEC_SERVERSIG="Apache"
 +
MODSEC_UPLOADDIR="/var/asl/data/suspicious"
 +
MODSEC_KEEPFILES="RelevantOnly"
 +
MODSEC_LOG404=no # not used yet
 +
MODSEC_LOGTYPE="Serial"
 +
MODSEC_LOGFILE="modsec_audit.log"
 +
MODSEC_LOGELEMENT="ABIFHZ"
 +
MODSEC_REQMEMLIMIT="131072"
 +
MODSEC_DEBUGLOG=yes    # not used yet (on by default)
 +
MODSEC_DATADIR="/var/asl/data/msa"
 +
MODSEC_TMPDIR="/tmp"
 +
 +
MODSEC_RULES_POLICY=on    # havent enabled settings below this yet
 +
MODSEC_RULES_ROBOTS=on
 +
MODSEC_RULES_GENERIC=on
 +
MODSEC_RULES_TROJAN=on
 +
MODSEC_RULES_OUTBOUND=off
 +
MODSEC_RULES_MARKETING=off
 +
MODSEC_RULES_LOCAL=on
 +
 +
 +
 +
 +
# PHP Functions
 +
PHP_CHECKS=yes
 +
PHP_SAFE_MODE=yes
 +
ALLOW_dl=no
 +
ALLOW_exec=no
 +
ALLOW_leak=no
 +
ALLOW_passthru=no
 +
ALLOW_pfsockopen=no
 +
ALLOW_phpinfo=yes
 +
ALLOW_popen=no
 +
ALLOW_posix_kill=no
 +
ALLOW_posix_mkfifo=no
 +
ALLOW_posix_setpgid=no
 +
ALLOW_posix_setsid=no
 +
ALLOW_posix_setuid=no
 +
ALLOW_proc_close=no
 +
ALLOW_proc_get_status=no
 +
ALLOW_proc_nice=no
 +
ALLOW_proc_open=no
 +
ALLOW_proc_open=no
 +
ALLOW_proc_terminate=no
 +
ALLOW_shell_exec=no
 +
ALLOW_show_source=no
 +
ALLOW_system=no
 +
 +
# Denyhosts settings
 +
# uses EMAIL for notifications
 +
DENYHOSTS_ENABLED=yes
 +
DENYHOSTS_EMAIL="$EMAIL"
 +
DENYHOSTS_FROM="denyhosts@$HOSTNAME"
 +
DENYHOSTS_SYSLOG=yes
 +
DENYHOSTS_SHUN_TIME="4w"
 +
 +
# SSH
 +
ALLOW_ssh_proto1=no
 +
ALLOW_root_logins=no
 +
DISABLE_strict_mode=no
 +
DISABLE_ignore_rhosts=no
 +
DISABLE_pubkey_authentication=no
 +
ALLOW_password_authentication=no
 +
DISABLE_privilege_separation=no
 +
 +
# Rkhunter settings
 +
RKHUNTER_ENABLED=yes
 +
RKHUNTER_EMAIL=$EMAIL
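Review bot: `ALLOW_proc_open=no` is listed twice in the PHP Functions block (the second copy is redundant and should be dropped), and `RKHUNTER_EMAIL=$EMAIL` on the last added line is the only `$EMAIL` reference left unquoted; for consistency with `PSMON_EMAIL`, `OSSEC_EMAIL` and `DENYHOSTS_EMAIL` it should read `RKHUNTER_EMAIL="$EMAIL"`. The block also stores the update-channel `USERNAME`/`PASSWORD` in clear text, so the page should state that /etc/asl/config must be readable by root only. The intro promises "a list of each setting and what it does", but most settings carry no description (for example `ALLOW_phpinfo=yes`, the one PHP check left enabled, and `OSSEC_SHUN_TIME`), so a one-line comment per setting would make the reference usable; the comment `# PSMOD config` should also read `# PSMON config` to match the `PSMON_*` names it heads.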

Revision as of 10:52, 5 April 2007

Using ASL 2.0

Quickstart Documentation

1) Update the signature database

asl -u

2) Run a report

asl -r

3) Read the App Inventory DB

less /var/asl/data/webapp.db


Configuration

Currently the web interface is incomplete. ASL can be configured through /etc/asl/config; the following is a list of each setting and what it does:

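# /etc/asl/config — ASL settings as documented on this page.
# Values are plain shell assignments; "$EMAIL" and "$HOSTNAME" are expanded
# where they appear below.

# Authentication information
# NOTE(review): USERNAME/PASSWORD for the update channel are stored here in
# clear text, so this file should be readable by root only.
CONFIGURED=yes
USERNAME="USERNAME"
PASSWORD="PASSWORD"
UPDATEPATH="www.atomicorp.com/channels/asl-bleeding/rules/"
ASLHOME="/var/asl"

# ASL general config
NOTIFY=yes
# EMAIL is reused by the PSMON_, OSSEC_, DENYHOSTS_ and RKHUNTER_ settings below.
EMAIL="scott@atomicrocketturtle.com"
ADMIN_USERS="SOMEUSER"
# list of hosts separated by whitespace
IP_WHITELIST="127.0.0.1 10.10.10.10 10.10.10.11 10.10.10.12"
# webserver, custom
SYSTEM_TYPE="webserver"

# Kernel config
# Disable module_loading after the system has booted
VSERVER=no
ALLOW_kmod_loading=no

# PSMON config
PSMON_ENABLED=yes
PSMON_EMAIL="$EMAIL"
PSMON_FROM="psmon@$HOSTNAME"

# OSSEC config
OSSEC_ENABLED=yes
OSSEC_MODE="server"         # options are client, server, local
OSSEC_EMAIL="$EMAIL"
OSSEC_SMTP_SERVER="ac3.atomicorp.com"
OSSEC_FROM="ossec@$HOSTNAME"
OSSEC_SHUN_ENABLE_TIMEOUT=yes
OSSEC_SHUN_TIME="600"       # NOTE(review): unit not stated on this page — confirm (seconds?)

# MODSECURITY config
MODSEC_ENABLED=yes
MODSEC_SERVERSIG="Apache"
MODSEC_UPLOADDIR="/var/asl/data/suspicious"
MODSEC_KEEPFILES="RelevantOnly"
MODSEC_LOG404=no            # not used yet
MODSEC_LOGTYPE="Serial"
MODSEC_LOGFILE="modsec_audit.log"
MODSEC_LOGELEMENT="ABIFHZ"
MODSEC_REQMEMLIMIT="131072"
MODSEC_DEBUGLOG=yes         # not used yet (on by default)
MODSEC_DATADIR="/var/asl/data/msa"
MODSEC_TMPDIR="/tmp"
# Rule-set toggles
MODSEC_RULES_POLICY=on      # haven't enabled settings below this yet
MODSEC_RULES_ROBOTS=on
MODSEC_RULES_GENERIC=on
MODSEC_RULES_TROJAN=on
MODSEC_RULES_OUTBOUND=off
MODSEC_RULES_MARKETING=off
MODSEC_RULES_LOCAL=on

# PHP Functions
# Every ALLOW_<function> toggle below is "no" except ALLOW_phpinfo.
PHP_CHECKS=yes
PHP_SAFE_MODE=yes
ALLOW_dl=no
ALLOW_exec=no
ALLOW_leak=no
ALLOW_passthru=no
ALLOW_pfsockopen=no
ALLOW_phpinfo=yes
ALLOW_popen=no
ALLOW_posix_kill=no
ALLOW_posix_mkfifo=no
ALLOW_posix_setpgid=no
ALLOW_posix_setsid=no
ALLOW_posix_setuid=no
ALLOW_proc_close=no
ALLOW_proc_get_status=no
ALLOW_proc_nice=no
ALLOW_proc_open=no
ALLOW_proc_terminate=no
ALLOW_shell_exec=no
ALLOW_show_source=no
ALLOW_system=no

# Denyhosts settings
# uses EMAIL for notifications
DENYHOSTS_ENABLED=yes
DENYHOSTS_EMAIL="$EMAIL"
DENYHOSTS_FROM="denyhosts@$HOSTNAME"
DENYHOSTS_SYSLOG=yes
DENYHOSTS_SHUN_TIME="4w"

# SSH
ALLOW_ssh_proto1=no
ALLOW_root_logins=no
DISABLE_strict_mode=no
DISABLE_ignore_rhosts=no
DISABLE_pubkey_authentication=no
ALLOW_password_authentication=no
DISABLE_privilege_separation=no

# Rkhunter settings
RKHUNTER_ENABLED=yes
RKHUNTER_EMAIL="$EMAIL"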