ASL installation
Before You Start
Please note: If you purchased an ASL-Lite/Rules Only subscription, please go to, and follow the instructions here: https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Optional_Manual_Installation if you purchased ASL (Full), then continue to the steps below.
ASL is designed to integrate with the operating system as shipped by the vendor (CentOS, RedHat, Scientific Linux, Oracle Linux, CloudLinux, Amazon EC2, etc.). Customized environments that deviate from the vendor designed standards, and packaging can use ASL Lite, or consult with our services group for a custom solution.
Dedicated systems will be using the ASL hardened kernel. For older distributions this can involve changes in the names of kernel modules involved with SATA, SCSI, and Network card modules.
Running the Automated installer
Installing ASL is as simple as running one command, and answering a few questions about your system. The rest is taken care of for you by ASL. No need to mess around with configuration files, installing rpms, compiling from source or setting up repos. Just run the installer as root and let us do the work for you.
wget -q -O - https://www.atomicorp.com/installers/asl |sh
If you prefer to use a standard HTTP connection run this command:
wget -q -O - http://www.atomicorp.com/installers/asl |sh
If you are using cpanel, please use this command instead:
wget -q -O - http://www.atomicorp.com/installers/cpanel/installer |sh
And thats it! Follow the instructions in the installer being sure to answer the configuration questions appropriately for your system. Once the installation is complete you will need to reboot your system to boot into the new hardened kernel that comes with ASL. You do not have to use this kernel to enjoy the other features of ASL, but we recommend you use the hardened kernel as it includes many additional security features that are not found in non-ASL system.
Changing your ASL password
You can change your ASL password via the License Manager at this URL:
https://www.atomicorp.com/amember/member.php
Post-Installation Quickstart/Configuration
Log into the GUI:
You can view alerts, block attackers, configure ASL and use its many features from the GUI.
If you're a command line person you can also run or re-run many of ASL's features from the command line. Here are a few highlights:
1) Configure/Re-Configure ASL
asl -c
2) Scan the system for vulnerabilities, malware and other security issues.
asl -s
3) Scan the system for vulnerabilities, malware and other security issues and have ASL fix the system.
asl -s -f
4) Configure the ASL GUI
/var/asl/bin/asl-web-setup
5) Check to make sure you haven't locked yourself out of your system
Before you reboot your system and if you told ASL to lock down SSH, make sure you can log into your system. Don't close out your current session, log in with a new session. This way you can confirm that you haven't installed bad ssh keys, or otherwise configured your server so you can't log in.
6) Finally, we highly recommend you click on the "Support" tab in the ASL GUI, or go to this URL to setup your support account:
https://www.atomicorp.com/portal
The support system uses the same username and password used to install ASL (your ASL username and password). Please make sure you can log into the support portal to make use of the support portals features such as case management, bug tracking and the knowledge base.
Testing the Kernel
Grub Users
1) Once the Atomic kernel is installed, determine which position the Atomic kernel has been installed.
Example:
[root@ac3 ~]# cat /etc/grub.conf
# grub.conf generated by anaconda # # Note that you do not have to rerun grub after making changes to this file # NOTICE: You have a /boot partition. This means that # all kernel and initrd paths are relative to /boot/, eg. # root (hd0,0) # kernel /vmlinuz-version ro root=/dev/hda3 # initrd /initrd-version.img #boot=/dev/hda default=1 timeout=5 serial --unit=0 --speed=57600 terminal --timeout=5 serial console title CentOS (2.6.17-1.art) root (hd0,0) kernel /vmlinuz-2.6.17-1.art ro root=LABEL=/ console=ttyS0,57600n8 selinux=0 initrd /initrd-2.6.17-1.art.img title CentOS (2.6.9-34.0.2.ELsmp) root (hd0,0) kernel /vmlinuz-2.6.9-34.0.2.ELsmp ro root=LABEL=/ console=ttyS0,57600n8 initrd /initrd-2.6.9-34.0.2.ELsmp.img
Note the line: default=1, this indicates the kernel the system will boot by default, starting at position 0. Position 0 is "title CentOS (2.6.17-1.art)", and position 1 is "title CentOS (2.6.9-34.0.2.ELsmp)" in this example, indicating the system is configured to boot into the default CentOS kernel.
2) Type: grub
the following will be displayed:
GNU GRUB version 0.97 (640K lower / 3072K upper memory) [ Minimal BASH-like line editing is supported. For the first word, TAB lists possible command completions. Anywhere else TAB lists the possible completions of a device/filename.] grub>
3) At the grub prompt set the default kernel to 0, and to only boot once with the following:
grub> savedefault --default=0 --once
4) type: quit
5) reboot the system. If for some reason the kernel does not work with the Atomic kernel, or is otherwise non-responsive, powercycling the system will restore the system to the default kernel.
Lilo Users
1) The art kernel should be listed in /boot - for example:
/boot/vmlinuz-2.6.19-7.art
2) Create a symbolic link to this:
ln -s /boot/vmlinuz-2.6.19-7.art /boot/vmlinuz-art
3) edit /etc/lilo.conf to add a section for the art kernel. Eg:
image=/boot/vmlinuz-art label=lxart append="console=tty0 console=ttyS0,57600 panic=30"
4) Type: lilo to make the change permanent. Then to test that you can boot into the new kernel do
lilo -v -v lilo -R lxart shutdown -r now
5) When it's rebooted, doing a uname -r should show the new art kernel. Now you can make it permanent. Edit /etc/lilo.conf so that it has the line:
default=lxart
6) type lilo. Then reboot.
manual installation (Not Recommended or Supported)
This method of installation is not supported. If the automated installer is not working for your system please notify our support team and we will be happy to fix the issue for you.
1) vim /etc/yum.repos.d/asl.repo
2) add the following:
[asl-2.0] name=ASL 2.0 baseurl=http://USERNAME:PASSWORD@atomicorp.com/channels/asl-2.0/DISTRO/$releasever/$basearch
3) replace DISTRO with fedora, centos, redhat, and USERNAME/PASSWORD with your username and password from the signup page
4) yum install asl
5) asl -c
Special Installation: Ensim
If you get the following error message:
Error: Missing Dependency: libclamav.so.2 is needed by package perl-Mail-ClamAV
Grab the latest update of perl-Mail-ClamAV from Dag's RPMforge archive:
http://dag.wieers.com/rpm/packages/perl-Mail-ClamAV/
Upgrade with rpm -Uvh perl-Mail-ClamAV-0.21-*rpm --nodeps
Re-run the ASL installer.
ASL addon - Atomic Scanner
To install the ASL antispam scanner, just run this command as root:
yum --enablerepo=asl-2.0-testing install atomic-scanner
Atomic Addon - Yum GUI
This is an unsupported tool released to the ASL community. It is not part of ASL. If you run into bugs with it, please report them, however the tool is not supported as part of an ASL subscription.
To install, just run this command as root:
yum --enablerepo=asl-2.0-testing install atomic-yum
ASL Troubleshooting
Please see the ASL Troubleshooting article.
We also recommend you read the ASL FAQ.
SELinux
SELinux policies have been known to interfere with RPM updates. This is because SELinux policies are not always adjusted for modern platforms. This can manifest itself in mysterious failures in %pre and %post macros (confirmed on RHEL4).
ASL includes an advanced RBAC system that is more powerful and easier to use than SELinux and we recommend you use that instead of SELinux. However, if you wish to use SELinux ASL will work fine with SELinux, however you may need to adjust your SELinux policies for your systems specific needs.
If you encounter any issues with rpm installations on your system, and you are not qualified to adjust your SELinux policies that came with your operating system, we recommend you disable SELinux and use the built in RBAC in ASL.
To disable SELinux set:
selinux=0
in the kernel boot parameters for your system.
setenable 0, setenforce 0 and disabling SELinux with sysctl are not effective. To disable selinux you must boot with selinux=0 set for your system.
Known Kernel Module Name Changes
1and1 network card module name changes
Vmware SCSI emulation name changes
1and1 Checklist for /etc/modules.conf or /etc/modprobe.conf
Step 1) Enumerate hardware with /sbin/lspci
Step 2) Check network cards,
Ethernet controller: VIA Technologies, Inc. VT6102 [Rhine-II] was
alias eth0 8139too
change to
alias eth0 via-rhine
Step 3) Check SATA modules
<PENDING>