ASL
Using ASL 2.0
Quickstart Documentation
1) Update the signature database
asl -u
2) Run a report
asl -r
3) Read the App Inventory DB
less /var/asl/data/webapp.db
Configuration
Currently the web interface is incomplete. ASL can be configured through /etc/asl/config; the settings it accepts are listed below, each with a description of what it does:
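# /etc/asl/config as listed on the wiki page, one setting per line.
# The values use shell-style expansion ($EMAIL, $HOSTNAME), so this file is
# presumably sourced by the ASL tooling — confirm before relying on that.
# Defect fixed vs. the listing: ALLOW_proc_open appeared twice; the duplicate
# is dropped. RKHUNTER_EMAIL is quoted like the other *_EMAIL settings.

# Authentication information
# NOTE(review): USERNAME/PASSWORD live in plain text in this file; the page does
# not say what permissions it carries — keep it readable only by root.
CONFIGURED=yes
USERNAME="USERNAME"
PASSWORD="PASSWORD"
# NOTE(review): UPDATEPATH has no URL scheme; whether signature updates are
# fetched over TLS and integrity-checked is not visible here — confirm in asl -u.
UPDATEPATH="www.atomicorp.com/channels/asl-bleeding/rules/"
ASLHOME="/var/asl"

# ASL general config
NOTIFY=yes
EMAIL="scott@atomicrocketturtle.com"
ADMIN_USERS="SOMEUSER"
# list of hosts separated by whitespace
IP_WHITELIST="127.0.0.1 10.10.10.10 10.10.10.11 10.10.10.12"
# webserver, custom
SYSTEM_TYPE="webserver"

# Kernel config
# Disable module_loading after the system has booted
VSERVER=no
ALLOW_kmod_loading=no

# PSMOD config
PSMON_ENABLED=yes
PSMON_EMAIL="$EMAIL"
PSMON_FROM="psmon@$HOSTNAME"

# OSSEC config
OSSEC_ENABLED=yes
OSSEC_MODE="server"               # options are client, server, local
OSSEC_EMAIL="$EMAIL"
OSSEC_SMTP_SERVER="ac3.atomicorp.com"
OSSEC_FROM="ossec@$HOSTNAME"
OSSEC_SHUN_ENABLE_TIMEOUT=yes
OSSEC_SHUN_TIME="600"

# MODSECURITY config
MODSEC_ENABLED=yes
MODSEC_SERVERSIG="Apache"
MODSEC_UPLOADDIR="/var/asl/data/suspicious"
MODSEC_KEEPFILES="RelevantOnly"
MODSEC_LOG404=no                  # not used yet
MODSEC_LOGTYPE="Serial"
MODSEC_LOGFILE="modsec_audit.log"
MODSEC_LOGELEMENT="ABIFHZ"
MODSEC_REQMEMLIMIT="131072"
MODSEC_DEBUGLOG=yes               # not used yet (on by default)
MODSEC_DATADIR="/var/asl/data/msa"
# NOTE(review): /tmp is shared and world-writable; a dedicated directory under
# MODSEC_DATADIR would be the more conservative choice — confirm what ASL expects.
MODSEC_TMPDIR="/tmp"

MODSEC_RULES_POLICY=on
# haven't enabled settings below this yet
MODSEC_RULES_ROBOTS=on
MODSEC_RULES_GENERIC=on
MODSEC_RULES_TROJAN=on
MODSEC_RULES_OUTBOUND=off
MODSEC_RULES_MARKETING=off
MODSEC_RULES_LOCAL=on

# PHP Functions
PHP_CHECKS=yes
PHP_SAFE_MODE=yes
ALLOW_dl=no
ALLOW_exec=no
ALLOW_leak=no
ALLOW_passthru=no
ALLOW_pfsockopen=no
# NOTE(review): phpinfo() output typically exposes server configuration;
# consider setting this to no on production hosts.
ALLOW_phpinfo=yes
ALLOW_popen=no
ALLOW_posix_kill=no
ALLOW_posix_mkfifo=no
ALLOW_posix_setpgid=no
ALLOW_posix_setsid=no
ALLOW_posix_setuid=no
ALLOW_proc_close=no
ALLOW_proc_get_status=no
ALLOW_proc_nice=no
ALLOW_proc_open=no                # was listed twice; duplicate removed
ALLOW_proc_terminate=no
ALLOW_shell_exec=no
ALLOW_show_source=no
ALLOW_system=no

# Denyhosts settings
# uses EMAIL for notifications
DENYHOSTS_ENABLED=yes
DENYHOSTS_EMAIL="$EMAIL"
DENYHOSTS_FROM="denyhosts@$HOSTNAME"
DENYHOSTS_SYSLOG=yes
DENYHOSTS_SHUN_TIME="4w"

# SSH
ALLOW_ssh_proto1=no
ALLOW_root_logins=no
DISABLE_strict_mode=no
DISABLE_ignore_rhosts=no
DISABLE_pubkey_authentication=no
# With password authentication off and pubkey left enabled, key-based login is
# the only remaining path — make sure an admin key is installed before applying.
ALLOW_password_authentication=no
DISABLE_privilege_separation=no

# Rkhunter settings
RKHUNTER_ENABLED=yes
RKHUNTER_EMAIL="$EMAIL"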