ASL
From Atomicorp Wiki
Using ASL 2.0
Quickstart Documentation
1) Update the signature database
asl -u
2) Run a report
asl -r
3) Read the App Inventory DB
less /var/asl/data/webapp.db
Configuration
Currently the web interface is incomplete. ASL can be configured through /etc/asl/config, the following is a list of each setting and what it does:
# Authentication information CONFIGURED=yes # an internal setting, if its set to no you would (in theory) be forced through a configuration dialog USERNAME="USERNAME" PASSWORD="PASSWORD" UPDATEPATH="www.atomicorp.com/channels/asl-bleeding/rules/" # where the rule updater will grab updates ASLHOME="/var/asl" # internal variable, dont modify
# ASL general config NOTIFY=yes # used to determine if modules that can send email notifications, will do so. Setting this to: no, will disable ALL email based notifications EMAIL="scott@atomicrocketturtle.com" # a master email address, settings below will use the $EMAIL variable to assign this address. Can be overridden per app. ADMIN_USERS="SOMEUSER" # who your administrative users are, this is used by modules like SSH to harden the system. Its highly recommended to define admin users, separated by whitespace. # list of hosts separated by whitespace IP_WHITELIST="127.0.0.1 10.10.10.10 10.10.10.11 10.10.10.12" # IP's listed here will not be shunned by any of the IDS's (modsec, denyhosts, etc) # webserver, custom SYSTEM_TYPE="webserver" # webserver, or custom right now. Used by ossec, and some other modules. Use webserver only for now.
# Kernel config # Disable module_loading after the system has booted VSERVER=no # probably will be deprecated ALLOW_kmod_loading=no # ASL kernels can be set to disallow module loading to defend against kernel root kits. The default is to NOT allow module_loading after the system has booted.
# PSMOD config PSMON_ENABLED=yes # Turn PSMON and its checks On or Off PSMON_EMAIL="$EMAIL" # who to email PSMON alerts to PSMON_FROM="psmon@$HOSTNAME" # From: line for PSMON
# OSSEC config OSSEC_ENABLED=yes # Enable OSSEC OSSEC_MODE="server" # options are client, server, local. Servers can accept OSSEC events from clients. Local is a standalone OSSEC system. OSSEC_EMAIL="$EMAIL" # Where OSSEC email alerts go OSSEC_SMTP_SERVER="localhost" # System ossec sends email through OSSEC_FROM="ossec@$HOSTNAME" # From line for OSSEC alerts OSSEC_SHUN_ENABLE_TIMEOUT=yes # Enables expiration of OSSEC shunning events (see IP_WHITELIST above) OSSEC_SHUN_TIME="600" # Time a shunned host will remain on the blacklist (10 minutes)
# MODSECURITY config MODSEC_ENABLED=yes # Turn MOD_SECURITY and its checks on/off MODSEC_SERVERSIG="Apache" # The "signature" the system will present to clients. The default is to send a client versions of the software installed. This helps against recon attacks MODSEC_UPLOADDIR="/var/asl/data/suspicious" # Where suspicious uploaded files (POSTS) will be stored MODSEC_KEEPFILES="RelevantOnly" # Off, or RelevantOnly. Related to above, this tells the system to keep those files or not. MODSEC_LOG404=no # not used yet. Application default is to log 404 errors in mod_security logs. MODSEC_LOGTYPE="Serial" # Serial or Concurrent. Serial sets modsecurity to log all events to one log file. MODSEC_LOGFILE="modsec_audit.log" # The log file for above. MODSEC_LOGELEMENT="ABIFHZ" # Elements of an event that will be logged #A = audit log header (mandatory) #B = request headers #I = request body, except when multipart/form-data encoding is used #F = final response headers #H = audit log trailer #Z = final boundary (mandatory) MODSEC_REQMEMLIMIT="131072" # Maximum size of the request body to keep in memory, higher value requires more server memory, lower can impact disk I/O MODSEC_DEBUGLOG=yes # not used yet (on by default: modsec_debug.log) MODSEC_DATADIR="/var/asl/data/msa" # top level dir used for mod_security internals. Must be read/write by the apache user MODSEC_TMPDIR="/tmp" # Directory where temporary files are created
# Rule configuration starts here MODSEC_RULES_POLICY=on # enable/disable the HTTP Policy rules MODSEC_RULES_ROBOTS=on # enable/disable the Bad Robot ruls MODSEC_RULES_GENERIC=on # enable/disable generic attack rules MODSEC_RULES_TROJAN=on # enable/disable trojan detection rules MODSEC_RULES_OUTBOUND=off # enable/disable outbound rules (recommend this OFF for PSA environments) MODSEC_RULES_MARKETING=off # enable/disable marketing tracking rules (google, msn, yahoo bots) MODSEC_RULES_LOCAL=on # enable/disable local rules
# PHP Functions PHP_CHECKS=yes PHP_SAFE_MODE=yes ALLOW_dl=no ALLOW_exec=no ALLOW_leak=no ALLOW_passthru=no ALLOW_pfsockopen=no ALLOW_phpinfo=yes ALLOW_popen=no ALLOW_posix_kill=no ALLOW_posix_mkfifo=no ALLOW_posix_setpgid=no ALLOW_posix_setsid=no ALLOW_posix_setuid=no ALLOW_proc_close=no ALLOW_proc_get_status=no ALLOW_proc_nice=no ALLOW_proc_open=no ALLOW_proc_open=no ALLOW_proc_terminate=no ALLOW_shell_exec=no ALLOW_show_source=no ALLOW_system=no
# Denyhosts settings # uses EMAIL for notifications DENYHOSTS_ENABLED=yes DENYHOSTS_EMAIL="$EMAIL" DENYHOSTS_FROM="denyhosts@$HOSTNAME" DENYHOSTS_SYSLOG=yes DENYHOSTS_SHUN_TIME="4w"
# SSH ALLOW_ssh_proto1=no ALLOW_root_logins=no DISABLE_strict_mode=no DISABLE_ignore_rhosts=no DISABLE_pubkey_authentication=no ALLOW_password_authentication=no DISABLE_privilege_separation=no
# Rkhunter settings RKHUNTER_ENABLED=yes RKHUNTER_EMAIL=$EMAIL