ASL prerequisites

From Atomicorp Wiki
Revision as of 12:09, 26 March 2014 by Mshinn (Talk | contribs)



Introduction

Atomic Secured Linux, or ASL for short, is a security suite that analyzes the actions on your system in real time. For it to work correctly it needs a properly tuned system with reasonable resources. This document outlines the requirements to install ASL, the requirements for ASL to function properly, and recommendations for ASL to perform optimally.

Requirements

Client

ASL is accessed and managed through a dedicated web console in your web browser. Please see the following FAQ for the list of browsers ASL currently supports:

https://www.atomicorp.com/wiki/index.php/ASL_FAQ#What_browsers_does_the_ASL_GUI_work_with.3F

ASL also includes a limited number of command line features.

Server

Operating system

ASL is tested on up to date versions of the supported operating systems. This means that you will need to have all vendor patches installed for ASL to work correctly.

Supported Operating Systems

A list of supported operating systems is provided at this URL:

https://www.atomicorp.com/wiki/index.php/ASL_FAQ#What_Linux_distributions_do_you_support.3F

OS Updates and patches

ASL is tested on up to date versions of the supported operating systems. This means that you will need to have all vendor patches installed for ASL to install and work correctly.

ASL will not install on a system that is missing vendor updates, and will generate an alert during installation if vendor updates are missing. You must have your system patched and up to date to install ASL.

Third Party modifications to the OS

Third Party modifications to operating system (OS) files are not supported. For example, third party replacement of glibc would not be supported.

Hardware

Memory

ASL requires at least 1 GB of memory. 2 GB of memory is highly recommended to make use of all of ASL's features.

CPU

ASL does not require a 64-bit CPU; however, the use of 64-bit CPUs is highly recommended.

File systems

POSIX ACL support

Your /var partition must be on a filesystem that supports POSIX ACLs to use the T-WAF in ASL. The T-WAF is only used optionally, to protect remote web services you configure and non-Apache web services on the local system, such as other web servers (NGINX, LiteSpeed, etc.). Apache is protected with a special module and does not require the T-WAF.

File System        ASL kernel ACL support
ext2               yes
ext3               yes
ext4               yes
XFS                yes
btrfs              yes
jffs2              yes
tmpfs              yes
nfsv3 (exported)   yes

Note: If you are not using the ASL kernel, this table may not be accurate for your third party kernel. Check with your third party kernel vendor for information regarding what filesystems they support POSIX ACLs with.

Other filesystems are not tested or supported with ACLs. In many cases, the file system itself (and not the kernel) simply does not support POSIX ACLs.

See the FAQ linked to below for additional information on POSIX ACLs in Linux:

POSIX ACL Troubleshooting
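A constructed check, not Atomicorp's own tooling, for the requirement above: it tries to attach a POSIX ACL entry to a scratch file on the partition (/var by default) and falls back to the filesystem table when setfacl is not installed. The filesystem-type names are those printed by GNU stat; the 65534 uid and the .aclprobe file name are assumptions of this script.

```shell
#!/bin/sh
# Constructed check: does the filesystem holding DIR (default /var) accept
# POSIX ACLs as the T-WAF requires?

# Filesystem-type names (as printed by GNU `stat -f -c %T`) that the ASL kernel
# table above lists as ACL-capable; third party kernels may differ.
acl_table_supports() {
    case "$1" in
        ext2|ext3|ext4|ext2/ext3|xfs|btrfs|jffs2|tmpfs|nfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the filesystem type name of the mount that holds DIR.
fstype_of() {
    stat -f -c %T "$1" 2>/dev/null
}

# Live probe: attach an ACL entry to a scratch file in DIR, then remove it.
# Returns 0 when the ACL sticks, 1 when the filesystem (or its mount options)
# refuses it, 2 when nothing could be tested (setfacl missing, DIR not writable).
probe_posix_acl() {
    dir=${1:-/var}
    command -v setfacl >/dev/null 2>&1 || return 2
    f=$(mktemp "$dir/.aclprobe.XXXXXX" 2>/dev/null) || return 2
    # uid 65534 (nobody) is given numerically so no name lookup is needed.
    if setfacl -m u:65534:r "$f" 2>/dev/null; then
        rm -f "$f"; return 0
    fi
    rm -f "$f"; return 1
}

# Prefer the live probe; fall back to the table when the probe cannot run.
check_var_acl() {
    dir=${1:-/var}
    rc=0; probe_posix_acl "$dir" || rc=$?
    case $rc in
        0) echo "$dir: POSIX ACLs work ($(fstype_of "$dir"))"; return 0 ;;
        1) echo "$dir: ACLs refused (filesystem or mount options lack ACL support)"; return 1 ;;
    esac
    t=$(fstype_of "$dir")
    if acl_table_supports "$t"; then
        echo "$dir: could not probe, but $t is ACL-capable under the ASL kernel"
    else
        echo "$dir: could not probe and $t is not in the supported list"; return 1
    fi
}

# Usage: sh acl-check.sh check /var
case "${1:-}" in check) check_var_acl "${2:-/var}" ;; esac
```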

ASL disk space requirements

Minimum free disk space requirements per partition:

Directory   Minimum Free Space Required
/var        5 GB+ (see note below)
/usr        500 MB
/tmp        10 MB (see note below)
/etc        100 MB
/boot       30 MB (see note 1 and note 2 below)

ASL will log and record security events on the system. The amount of space required for this will vary depending on the amount of events that occur on your system. ASL will record all of its events in the /var partition. Therefore, you should have adequate free space available in the /var partition for your system. We recommend at least 5GB of space in this partition, but this is a minimum. You should allocate more space if you intend to keep logs for extended periods of time. You may need to increase this depending on the amount of events that occur on your system and the archive period you have set in your ASL Configuration.

ASL components will be installed in the /boot, /usr, /etc and /var partitions. A minimum of 100MB of free space is required to install ASL, and additional space is required in /var as described above.
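A constructed script, not part of ASL, that checks the minimums in the table above against the free space df reports for each partition. It skips /boot inside an OpenVZ/Virtuozzo container (detected by the /proc/user_beancounters file those containers expose), since a VPS shares the host kernel as the /boot note below explains.

```shell
#!/bin/sh
# Constructed check of ASL's per-partition free space minimums (MB).

# Print megabytes available on the filesystem holding DIR (POSIX df -P, 1K blocks).
mb_free_for() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# Return 0 when DIR has at least MIN_MB free, 1 when it has less,
# 2 when DIR does not exist or df could not report on it.
check_min_free() {
    dir=$1; min_mb=$2
    [ -d "$dir" ] || return 2
    free=$(mb_free_for "$dir")
    [ -n "$free" ] || return 2
    [ "$free" -ge "$min_mb" ]
}

# Walk the table from the page; 5 GB for /var is expressed as 5120 MB.
check_asl_disk_space() {
    rc=0
    while read -r dir min; do
        [ -n "$dir" ] || continue
        if [ "$dir" = /boot ] && [ -f /proc/user_beancounters ]; then
            echo "/boot: skipped (OpenVZ/Virtuozzo container, no kernel installed)"
            continue
        fi
        if check_min_free "$dir" "$min"; then
            echo "$dir: OK ($(mb_free_for "$dir") MB free, need $min MB)"
        else
            echo "$dir: FAIL (need at least $min MB free)"; rc=1
        fi
    done <<EOF
/var 5120
/usr 500
/tmp 10
/etc 100
/boot 30
EOF
    return $rc
}

# Usage: sh asl-space.sh run
case "${1:-}" in run) check_asl_disk_space ;; esac
```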

Third Party yum repositories

You must disable any third party yum repositories you have enabled on your system. ASL is tested and supported with standard installations of the supported OSes, and not with any third party repositories enabled.

Database

Supported databases

ASL is supported with the official versions of MySQL from MySQL.com, Red Hat, CentOS and Atomicorp.

Supported versions

ASL is supported with the official version of MySQL provided by these vendors for the version of the OS you are using:

  1. MySQL-server from MySQL.com
  2. Red Hat
  3. CentOS
  4. Atomicorp

ASL also works with the following versions of cPanel's MySQL RPMs, where cPanel currently supports them for that OS and architecture:

  1. MySQL50
  2. MySQL51
  3. MySQL55

Note: cPanel does not follow package management or MySQL norms or standards. Unlike all other MySQL vendors and packagers, cPanel constantly makes non-standard changes to their MySQL RPMs, changing both the packages themselves and what they include. We encourage our customers to contact cPanel and ask them to stick with the MySQL standards, or to use MySQL from one of the vendors above.

ASL is not tested or supported with any other MySQL builds or versions provided by other vendors.

MySQL Configuration

When using MySQL, query caching must be enabled. The following setting must be set in MySQL for ASL to perform correctly. Failing to set it will have a significant performance impact on ASL and on the system.

query_cache_size=32m

This information is provided as a courtesy. To add this setting to MySQL, look for this section:

[mysqld]

in your /etc/my.cnf file.

In this section you will want to add the query_cache configuration setting. For example:

query_cache_size=32m

And then restart mysqld.

If you are not comfortable with configuring mysql, please contact a qualified MySQL administrator for assistance. And in all cases, we recommend you make a backup of any configuration file before you change it.
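The edit described above, as a constructed helper that is not part of ASL: it writes a backup of the file, then sets the key inside the [mysqld] section of a my.cnf-style file, replacing any existing assignment rather than adding a duplicate, and appending a [mysqld] section if the file has none. The same helper serves the larger cache sizes in the Recommendations section further down; the file path and backup suffix are this script's assumptions.

```shell
#!/bin/sh
# Constructed helper: idempotently set KEY=VALUE inside [mysqld] of FILE.
# Returns 0 on success, 2 when FILE is missing or cannot be backed up.

set_mysqld_option() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || return 2
    cp -p "$file" "$file.bak" || return 2      # keep a copy before changing it
    tmp=$(mktemp) || return 2
    awk -v key="$key" -v value="$value" '
        # A [section] header: if we are leaving [mysqld] without having
        # written the key, write it before the next header.
        /^[[:space:]]*\[/ {
            if (in_target && !done) { print key "=" value; done = 1 }
            in_target = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/)
        }
        # An existing assignment of the key inside [mysqld]: replace the
        # first one, drop any later duplicates.
        in_target && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            if (!done) { print key "=" value; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!in_target) print "[mysqld]"   # file had no such section
                print key "=" value
            }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps inode and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh set-qc.sh apply /etc/my.cnf   (then restart mysqld)
case "${1:-}" in apply) set_mysqld_option "${2:-/etc/my.cnf}" query_cache_size 32m ;; esac
```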

MySQL tuning

ASL is tested with a standard MySQL configuration with query caching enabled, as described above. If you have made additional changes to the configuration of MySQL, these may be sub-optimal for ASL. Please consult a qualified MySQL expert for assistance if you have made additional changes to the configuration of MySQL and experience performance issues.

Additional

Disk Space

/boot

Warning: The 30MB minimum is just that, a minimum.

This is the minimum free space necessary to install the ASL kernel (which currently uses approximately 15MB of disk space) and to provide some additional space for a possible upgrade of that kernel. When upgrading kernels, ASL will attempt to retain the previous kernels installed on the system, in case there is a need to use an older kernel. On systems where /boot lacks space it may not be possible to install newer kernels or to keep older ones. Redhat recommends that /boot be set to a minimum of 250MB to ensure there is adequate space to install and retain kernels.

If your system only has 30MB of space available, you should expect to run into disk space issues on /boot in the future. At best you may only be able to install 2 kernels on your system. We highly recommend you increase the size of /boot to allow additional kernels to be installed, giving you both maximum flexibility and a fall back to earlier kernels should you run into an issue with a different kernel.

VPS

VPS systems, that is virtual private servers using Virtuozzo or OpenVZ, will not have their own kernel (a VPS shares the host's kernel). Therefore, there is no free space requirement on a VPS for /boot, as the kernel will not be installed.

CPanel

If you have CPanel installed, you must have mod_uniqueid installed for mod_security to work correctly. Please contact CPanel for support if you are not sure how to enable this in CPanel.

Support software

shell

ASL does include some shell scripts. These shell scripts are "bash" shell scripts. If the default shell on the system has been changed from bash to some other shell these scripts may not work correctly. Therefore, ASL is only supported on systems where bash is configured as the default shell.

wget

To install ASL you must have a working copy of wget installed on your system, with working HTTPS support (this means your version of wget supports SSL, which ASL uses to download all the software it needs securely). All of the supported OSes above include HTTPS support in wget. However some third party products and hosting companies have been known to replace wget with crippled versions that do not support HTTPS. ASL will not install correctly if your system has been crippled in this manner.

To test if your wget supports HTTPS you can run this command:

wget https://www.atomicorp.com/test-file.html

If your wget supports SSL it will download the file test-file.html, and if you examine the contents of the file you will see this sentence:

If you can read this, your test worked.

If you do not see this sentence, then your wget likely does not support SSL. If you see an error like this:

HTTPS support not compiled in.

Your wget does not support SSL. This means someone has crippled your system and replaced the wget from your OS vendor with a crippled version of wget. They may have also replaced other critical parts of your OS with damaged and crippled software and your system will not be able to install and use ASL.

This means your system can not securely download software, which is a serious vulnerability. You will need to contact the parties that have crippled your system for a solution to replace the crippled version of wget they have installed on your system with a non-crippled version that supports SSL.

Third Party Software

OSSEC

Do not install OSSEC from third party sources. ASL will replace and manage OSSEC on your system. ASL is not supported with third party sources for OSSEC.

If you have any third party software of this nature installed, and have issues using or installing ASL, you will need to uninstall this third party software or disable these features in those products.

rkhunter

Do not install rkhunter from third party sources. ASL will manage rkhunter on your system. ASL is not supported with third party sources for rkhunter, and third party or worse parallel installs of rkhunter are known to break rkhunter and its databases.

If you have any third party software of this nature installed, and have issues using rkhunter or installing ASL, you will need to uninstall this third party software.

clamav

ASL will install clamav on your system with the latest version of clamav, and will manage clamav for you. ASL is not supported with third party sources for clamav. Do not install clamav from third party sources.

If you have any third party software of this nature installed, and have issues using or installing ASL, you will need to uninstall this third party software or disable these features in those products.

modsecurity

Do not install modsecurity using any third party tools. If you have done this in the past, remove modsecurity, disable its installation in your control panel (if you are using a control panel), remove any rules and third party add-ons, and completely remove your modsecurity configuration from your system.

Note: Do not enable modsecurity in cpanel. This will cause cpanel to overwrite the enhanced modsecurity and will cause duplicate rules to be installed on your system.

ASL is not supported with any third party software that manipulates modsecurity. If you have any third party software of this nature installed, and have issues using or installing ASL, you must uninstall all third party software that installs, configures or manipulates modsecurity before you install ASL.

Note: if you are using LiteSpeed, you do not have modsecurity installed on your system. You may have a module from LiteSpeed that acts like modsecurity. You do not need that module; please remove it and follow the instructions in the LiteSpeed article to set up LiteSpeed with the T-WAF. LiteSpeed must be protected with the T-WAF, as LiteSpeed's module does not support the full rule language and will leave your system open to attacks their module cannot protect you from. The T-WAF will fully protect LiteSpeed.

firewalls

ASL is not supported with any third party software that manipulates or manages the Linux firewall, iptables or ipset. This includes third party firewall management tools, such as CSF, APF, Parallels Firewall tools, the iptables service (not the iptables command line tools, the service), and any other firewall management tools. ASL includes a powerful firewall and kernel enhancements to the Linux firewall system (netfilter) that these tools do not support. The use of third party firewall tools is also unnecessary and redundant.

If you have any third party software of this nature installed you will need to:

  1. uninstall this third party software before you install ASL, or if you cannot uninstall it, disable any firewall features in these products, and
  2. remove all firewall rules implemented by these products.

You also cannot use third party firewall tools, for example fwbuilder, to change the firewall on the system. Only the ASL firewall manager is supported with ASL.

If you installed ASL with any third party firewall installed, you will need to remove it and any firewall rules it has implemented on your system, and then reinstall ASL.

iptables daemon

Disable the iptables service.

You will not need to run the iptables daemon service with ASL (the iptables command line tools are fine; do not remove them). Running the iptables service will cause conflicts. Please make sure you have disabled the iptables service on your system:

service iptables stop

chkconfig --del iptables

If you had this service enabled when you installed ASL, you will experience problems with your firewall. You will need to disable the service, as described above, and flush any remaining firewall rules. Please follow the process below:

Step 1) Disable iptables

service iptables stop

chkconfig --del iptables

Step 2) Stop the ASL firewall

service asl-firewall stop

Step 3) Flush any remaining firewall rules

rm /etc/asl/firewall/running.fw

Step 4) Restart the ASL firewall

service asl-firewall start

Apache

ASL is fully compatible with Apache 2.0 and 2.2. ASL will automatically install the WAF module into Apache for standard supported OS vendor Apache builds, and supported control panel builds.

Apache 2.4 is not currently supported.

PHP

The only versions of PHP currently supported by ASL are our version, your OS vendor's version, and cPanel's version built through EasyApache.

PERL

The only versions of PERL currently supported by ASL are our version and your OS vendor's official version.

Third party and source installs of PERL are not supported.

ConfigServer

ASL does not support any ConfigServer products. If you have these on your system, they will need to be uninstalled prior to your installation to ensure that ASL installs correctly, and works properly on your system. We have more information on the ConfigServer products located here: https://www.atomicorp.com/wiki/index.php/ASL_FAQ#Is_ASL_compatible_with_ConfigServer

Recommendations

Memory

A minimum of 4 GB of memory is recommended for sites with a high volume of events and/or domains.

CPU

Multiple 64-bit CPUs are highly recommended for systems with a high volume of events and/or domains.

Database

Query caching

When using MySQL, query caching must be enabled. Larger query caches will generally improve performance; however, the size must be tuned to the capabilities of the system. Larger query caches also require more memory, so to increase this setting you will need at least 2GB of RAM, and preferably 4GB of RAM or more.

For example, on a system with 2GB of RAM the query cache should be set as follows:

query_cache_size=96m

For systems with 4GB of RAM, or more, a large query cache can be used:

query_cache_size=128m

You can try larger cache sizes, but we find that 128m is generally as high as you need to go. Higher values may be counterproductive.

Dedicated I/O channel

For systems with high volumes of events we recommend you move your mysql databases to their own I/O channel separate from your web sites and/or other file system intensive operations. This will give the database its own dedicated I/O channel to the database files. Databases can be quite large, and the ASL events database will grow over time based on the archive settings you have configured in your ASL Configuration. Therefore, a faster way of reading these databases will improve performance on the system.

mysql tuning

If you are using MySQL, we highly recommend you tune it with a professional's help. MySQL is a wonderful and powerful database server, but it is not tuned in its default configuration and will perform very poorly as a result. Even if MySQL appears to be performing well for you, if you are using the default settings your database server is operating much slower than it needs to be.

You can use the excellent tool mysqltuner to help with this; however, this tool only provides recommendations, and an expert's assistance should be sought before making any changes to your MySQL configuration and to make the best use of the recommendations mysqltuner may provide.

To install mysqltuner, please run this command as root:

yum install mysqltuner

And to run it, just run this command:

mysqltuner

More information is available about mysqltuner at this website:

http://www.mysqltuner.com/

Disk Space

ASL will keep records as long as you desire. As a result, you should monitor the disk usage of your database and /var partitions and prepare to add more space based on the event volume of your system. If you run out of space in the /var directory, the ASL web console will not work, and other parts of ASL may fail as well.

Please see the https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#ASL_disk_space_requirements notes above for minimum free space requirements.

ASL will also record other events, such as file changes and software updates, in a special monitoring system; this data is also stored in /var. Please see the ASL FAQ for further details about tuning this system should you wish to use less drive space for it.

/tmp

Your operating system uses /tmp to process temporary files. For long term use of ASL and the operating system, /tmp should be as large as your OS requires. The actual amount of space needed in your /tmp partition will vary substantially depending on what you are doing with your OS.

ASL needs some free space in /tmp for installation, and may need to use /tmp as part of ongoing activities. However, this partition is primarily used by your OS, not ASL, and a full /tmp partition may have very adverse effects on your OS. Please contact your OS vendor for assistance with sizing your /tmp partition to meet your OS's needs.

Test Server

Each ASL license lets you install ASL on a production server, a QA server and a test server. We recommend, as do all software companies, that you always test ASL and ASL upgrades on a test machine before making any changes to your production environment. We test our products heavily before putting out updates, but no software company can account for every possible condition, configuration or environment, so you should test upgrades on non-production machines before putting them into production.
