ASL

From Atomicorp Wiki
Revision as of 11:14, 5 April 2007 by Scott (Talk | contribs)

Jump to: navigation, search

Using ASL 2.0

Quickstart Documentation

1) Update the signature database 

asl -u

2) Run a report 

asl -r

3) Read the App Inventory DB 

less /var/asl/data/webapp.db


Configuration

Currently the web interface is incomplete. ASL can be configured through /etc/asl/config, the following is a list of each setting and what it does: 

# Authentication information
CONFIGURED=yes                                         # an internal setting, if its set to no you would (in theory) be forced through a configuration dialog
USERNAME="USERNAME"                         
PASSWORD="PASSWORD"
UPDATEPATH="www.atomicorp.com/channels/asl-bleeding/rules/"  # where the rule updater will grab updates
ASLHOME="/var/asl"                                     # internal variable, dont modify

# ASL general config
NOTIFY=yes                             # used to determine if modules that can send email notifications, will do so. Setting this to: no, will disable ALL email based notifications
EMAIL="scott@atomicrocketturtle.com"   # a master email address, settings below will use the $EMAIL variable to assign this address. Can be overridden per app.
ADMIN_USERS="SOMEUSER"                 # who your administrative users are, this is used by modules like SSH to harden the system. Its highly recommended to define admin users, separated by whitespace.
# list of hosts separated by whitespace
IP_WHITELIST="127.0.0.1 10.10.10.10 10.10.10.11 10.10.10.12"    # IP's listed here will not be shunned by any of the IDS's (modsec, denyhosts, etc)
# webserver, custom
SYSTEM_TYPE="webserver"                # webserver, or custom right now. Used by ossec, and some other modules. Use webserver only for now.

# Kernel config
# Disable module_loading after the system has booted
VSERVER=no                             # probably will be deprecated
ALLOW_kmod_loading=no                  # ASL kernels can be set to disallow module loading to defend against kernel root kits. The default is to NOT allow module_loading after the system has booted.

# PSMOD config 
PSMON_ENABLED=yes                      # Turn PSMON and its checks On or Off
PSMON_EMAIL="$EMAIL"                   # who to email PSMON alerts to
PSMON_FROM="psmon@$HOSTNAME"           # From: line for PSMON

# OSSEC config
OSSEC_ENABLED=yes                      # Enable OSSEC
OSSEC_MODE="server"                    # options are client, server, local. Servers can accept OSSEC events from clients. Local is a standalone OSSEC system.
OSSEC_EMAIL="$EMAIL"                   # Where OSSEC email alerts go
OSSEC_SMTP_SERVER="localhost"          # System ossec sends email through
OSSEC_FROM="ossec@$HOSTNAME"           # From line for OSSEC alerts
OSSEC_SHUN_ENABLE_TIMEOUT=yes          # Enables expiration of OSSEC shunning events (see IP_WHITELIST above)
OSSEC_SHUN_TIME="600"                  # Time a shunned host will remain on the blacklist (10 minutes)

# MODSECURITY config
MODSEC_ENABLED=yes                     # Turn MOD_SECURITY and its checks on/off
MODSEC_SERVERSIG="Apache"              # The "signature" the system will present to clients. The default is to send a client versions of the software installed. This helps against recon attacks
MODSEC_UPLOADDIR="/var/asl/data/suspicious" # Where suspicious uploaded files (POSTS) will be stored
MODSEC_KEEPFILES="RelevantOnly"        # Off, or RelevantOnly. Related to above, this tells the system to keep those files or not. 
MODSEC_LOG404=no	                # not used yet. Application default is to log 404 errors in mod_security logs. 
MODSEC_LOGTYPE="Serial"                # Serial or Concurrent. Serial sets modsecurity to log all events to one log file.
MODSEC_LOGFILE="modsec_audit.log"      # The log file for above.
MODSEC_LOGELEMENT="ABIFHZ"             # Elements of an event that will be logged
 #A = audit log header (mandatory)
 #B = request headers
 #I = request body, except when multipart/form-data encoding is used
 #F = final response headers
 #H = audit log trailer
 #Z = final boundary (mandatory)
MODSEC_REQMEMLIMIT="131072"
MODSEC_DEBUGLOG=yes     # not used yet (on by default)
MODSEC_DATADIR="/var/asl/data/msa"
MODSEC_TMPDIR="/tmp"

MODSEC_RULES_POLICY=on     # havent enabled settings below this yet
MODSEC_RULES_ROBOTS=on
MODSEC_RULES_GENERIC=on
MODSEC_RULES_TROJAN=on
MODSEC_RULES_OUTBOUND=off
MODSEC_RULES_MARKETING=off
MODSEC_RULES_LOCAL=on




# PHP Functions
PHP_CHECKS=yes
PHP_SAFE_MODE=yes
ALLOW_dl=no
ALLOW_exec=no
ALLOW_leak=no
ALLOW_passthru=no
ALLOW_pfsockopen=no
ALLOW_phpinfo=yes
ALLOW_popen=no
ALLOW_posix_kill=no
ALLOW_posix_mkfifo=no
ALLOW_posix_setpgid=no
ALLOW_posix_setsid=no
ALLOW_posix_setuid=no
ALLOW_proc_close=no
ALLOW_proc_get_status=no
ALLOW_proc_nice=no
ALLOW_proc_open=no
ALLOW_proc_open=no
ALLOW_proc_terminate=no
ALLOW_shell_exec=no
ALLOW_show_source=no
ALLOW_system=no

# Denyhosts settings
# uses EMAIL for notifications
DENYHOSTS_ENABLED=yes
DENYHOSTS_EMAIL="$EMAIL"
DENYHOSTS_FROM="denyhosts@$HOSTNAME"
DENYHOSTS_SYSLOG=yes
DENYHOSTS_SHUN_TIME="4w"

# SSH
ALLOW_ssh_proto1=no 
ALLOW_root_logins=no
DISABLE_strict_mode=no
DISABLE_ignore_rhosts=no
DISABLE_pubkey_authentication=no
ALLOW_password_authentication=no
DISABLE_privilege_separation=no 

# Rkhunter settings
RKHUNTER_ENABLED=yes
RKHUNTER_EMAIL=$EMAIL
Retrieved from "https://wiki.atomicorp.com/wiki/index.php?title=ASL&oldid=27"
Personal tools