ASL
From Atomicorp Wiki
Using ASL 2.0
Quickstart Documentation
1) Update the signature database
asl -u
2) Run a report
asl -r
3) Read the App Inventory DB
less /var/asl/data/webapp.db
Understanding the Report
Checking for ASL kernel: [FAILED] ASL kernel is not running, which means you are exposed to Buffer overrun attacks, no TPE, and no GRSEC ACL capability
Configuration
Currently the web interface is incomplete. ASL is configured through /etc/asl/config. Each setting and what it does is listed below:

# Authentication information
CONFIGURED=yes # internal setting; if set to no you would (in theory) be forced through a configuration dialog
USERNAME="USERNAME"
PASSWORD="PASSWORD"
UPDATEPATH="www.atomicorp.com/channels/asl-bleeding/rules/" # where the rule updater fetches updates
ASLHOME="/var/asl" # internal variable, don't modify

# ASL general config
NOTIFY=yes # whether modules that can send email notifications do so. Setting this to no disables ALL email-based notifications
EMAIL="scott@atomicrocketturtle.com" # master email address; the settings below use the $EMAIL variable for this address. Can be overridden per app
ADMIN_USERS="SOMEUSER" # your administrative users, used by modules such as SSH to harden the system. Defining admin users is highly recommended; separate names with whitespace
IP_WHITELIST="127.0.0.1 10.10.10.10 10.10.10.11 10.10.10.12" # list of hosts separated by whitespace. IPs listed here will not be shunned by any of the IDSs (mod_security, denyhosts, etc.)
SYSTEM_TYPE="webserver" # webserver or custom right now. Used by OSSEC and some other modules. Use webserver only for now

# Kernel config
VSERVER=no # probably will be deprecated
ALLOW_kmod_loading=no # ASL kernels can be set to disallow module loading after the system has booted, to defend against kernel rootkits. The default is to NOT allow module loading after boot

# PSMON config
PSMON_ENABLED=yes # turn PSMON and its checks on or off
PSMON_EMAIL="$EMAIL" # who to email PSMON alerts to
PSMON_FROM="psmon@$HOSTNAME" # From: line for PSMON

# OSSEC config
OSSEC_ENABLED=yes # enable OSSEC
OSSEC_MODE="server" # options are client, server, local. Servers can accept OSSEC events from clients. Local is a standalone OSSEC system
OSSEC_EMAIL="$EMAIL" # where OSSEC email alerts go
OSSEC_SMTP_SERVER="localhost" # system OSSEC sends email through
OSSEC_FROM="ossec@$HOSTNAME" # From: line for OSSEC alerts
OSSEC_SHUN_ENABLE_TIMEOUT=yes # enables expiration of OSSEC shunning events (see IP_WHITELIST above)
OSSEC_SHUN_TIME="600" # time a shunned host remains on the blacklist, in seconds (10 minutes)

# MODSECURITY config
MODSEC_ENABLED=yes # turn mod_security and its checks on/off
MODSEC_SERVERSIG="Apache" # the server "signature" presented to clients. By default Apache reports the versions of the installed software, which aids reconnaissance; this setting hides them
MODSEC_UPLOADDIR="/var/asl/data/suspicious" # where suspicious uploaded files (POSTs) are stored
MODSEC_KEEPFILES="RelevantOnly" # Off or RelevantOnly. Related to the above; tells the system whether to keep those files
MODSEC_LOG404=no # not used yet. Application default is to log 404 errors in the mod_security logs
MODSEC_LOGTYPE="Serial" # Serial or Concurrent. Serial makes mod_security log all events to one log file
MODSEC_LOGFILE="modsec_audit.log" # the log file for the above
MODSEC_LOGELEMENT="ABIFHZ" # elements of an event that will be logged:
# A = audit log header (mandatory)
# B = request headers
# I = request body, except when multipart/form-data encoding is used
# F = final response headers
# H = audit log trailer
# Z = final boundary (mandatory)
MODSEC_REQMEMLIMIT="131072" # maximum size of the request body to keep in memory; a higher value needs more server memory, a lower one can increase disk I/O
MODSEC_DEBUGLOG=yes # not used yet (on by default: modsec_debug.log)
MODSEC_DATADIR="/var/asl/data/msa" # top-level dir used for mod_security internals. Must be read/write by the apache user
MODSEC_TMPDIR="/tmp" # directory where temporary files are created

# Rule configuration starts here
MODSEC_RULES_POLICY=on # enable/disable the HTTP policy rules
MODSEC_RULES_ROBOTS=on # enable/disable the bad robot rules
MODSEC_RULES_GENERIC=on # enable/disable generic attack rules
MODSEC_RULES_TROJAN=on # enable/disable trojan detection rules
MODSEC_RULES_OUTBOUND=off # enable/disable outbound rules (recommended OFF for PSA environments)
MODSEC_RULES_MARKETING=off # enable/disable marketing tracking rules (google, msn, yahoo bots)
MODSEC_RULES_LOCAL=on # enable/disable local rules

# PHP functions
PHP_CHECKS=yes # (yes/no) enable/disable PHP checks
PHP_SAFE_MODE=yes # (yes/no) enable safe_mode checks. Turning safe_mode off exposes you to a number of threats, including remote file inclusion
ALLOW_dl=no # (yes/no) disables the dl() function. dl() would allow an attacker to load their own extension into PHP
ALLOW_exec=no
ALLOW_leak=no
ALLOW_passthru=no
ALLOW_pfsockopen=no
ALLOW_phpinfo=yes
ALLOW_popen=no
ALLOW_posix_kill=no
ALLOW_posix_mkfifo=no
ALLOW_posix_setpgid=no
ALLOW_posix_setsid=no
ALLOW_posix_setuid=no
ALLOW_proc_close=no
ALLOW_proc_get_status=no
ALLOW_proc_nice=no
ALLOW_proc_open=no
ALLOW_proc_terminate=no
ALLOW_shell_exec=no
ALLOW_show_source=no
ALLOW_system=no

# Denyhosts settings
# uses EMAIL for notifications
DENYHOSTS_ENABLED=yes
DENYHOSTS_EMAIL="$EMAIL"
DENYHOSTS_FROM="denyhosts@$HOSTNAME"
DENYHOSTS_SYSLOG=yes
DENYHOSTS_SHUN_TIME="4w"

# SSH
ALLOW_ssh_proto1=no
ALLOW_root_logins=no
DISABLE_strict_mode=no
DISABLE_ignore_rhosts=no
DISABLE_pubkey_authentication=no
ALLOW_password_authentication=no
DISABLE_privilege_separation=no

# Rkhunter settings
RKHUNTER_ENABLED=yes
RKHUNTER_EMAIL=$EMAIL
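The settings above are plain key=value lines with "#" comments, which makes them easy to audit from a script before a change is rolled out. The following is an added example, not part of ASL or this wiki: it reads an /etc/asl/config-style file without sourcing it (so a config is never executed as shell), flags the settings whose comments above warn of exposure when they are weakened (NOTIFY, PHP_SAFE_MODE, ALLOW_dl, ALLOW_kmod_loading, ALLOW_root_logins, ALLOW_ssh_proto1, MODSEC_ENABLED, an empty ADMIN_USERS), and derives a php.ini disable_functions value from the PHP ALLOW_* switches. The function names are hypothetical, the file path is a parameter, and the assumption that ASL applies the PHP switches through disable_functions is mine; the page only says the switches disable the functions.

```shell
#!/bin/sh
# Added example (not ASL's own code): audit an /etc/asl/config-style file for
# the settings this page says weaken the system, and build a php.ini
# disable_functions value from the ALLOW_<fn> switches. Function names are
# hypothetical; the config path is the first argument.

# Print the value of KEY from FILE. The last definition wins; surrounding
# quotes and any trailing "# comment" are stripped. Prints nothing if absent.
asl_get() {                                   # usage: asl_get FILE KEY
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# One "WEAK:" line per finding on stdout. Expected values and reasons come
# from the setting comments on this page; a missing key is reported as weak
# because its effective default is not documented.
asl_audit() {                                 # usage: asl_audit FILE
    check() {                                 # check FILE KEY EXPECTED REASON
        v=$(asl_get "$1" "$2")
        [ "$v" = "$3" ] || echo "WEAK: $2='${v:-<unset>}' (want $3): $4"
    }
    check "$1" NOTIFY             yes "NOTIFY=no silences every email alert"
    check "$1" PHP_SAFE_MODE      yes "safe_mode off exposes remote file inclusion"
    check "$1" ALLOW_dl           no  "dl() lets an attacker load a PHP extension"
    check "$1" ALLOW_kmod_loading no  "module loading after boot aids kernel rootkits"
    check "$1" ALLOW_root_logins  no  "direct root logins over SSH"
    check "$1" ALLOW_ssh_proto1   no  "SSH protocol 1 is obsolete"
    check "$1" MODSEC_ENABLED     yes "mod_security checks are off"
    # SSH hardening keys off ADMIN_USERS, so an empty list leaves it nothing to allow.
    [ -n "$(asl_get "$1" ADMIN_USERS)" ] ||
        echo "WEAK: ADMIN_USERS is empty: SSH hardening has no admin users to allow"
}

# Number of weak settings found (0 means the audit passed).
asl_weak_count() {                            # usage: asl_weak_count FILE
    asl_audit "$1" | awk 'END { print NR }'
}

# Comma-separated disable_functions value from every ALLOW_<fn>=no switch.
# The Kernel and SSH sections reuse the ALLOW_ prefix for non-PHP settings,
# so those keys are excluded; duplicates (e.g. a repeated ALLOW_proc_open)
# collapse via sort -u. Assumption: ASL enforces these via disable_functions.
asl_php_disable_functions() {                 # usage: asl_php_disable_functions FILE
    sed -n 's/^[[:space:]]*ALLOW_\([a-z_0-9]*\)=no.*/\1/p' "$1" |
        grep -v -E '^(kmod_loading|ssh_proto1|root_logins|password_authentication)$' |
        sort -u | tr '\n' ',' | sed 's/,$//'
}

# Stand-alone use: sh asl_audit.sh /etc/asl/config
if [ $# -gt 0 ] && [ -f "$1" ]; then
    asl_audit "$1"
    printf 'disable_functions = %s\n' "$(asl_php_disable_functions "$1")"
    printf '%s weak setting(s)\n' "$(asl_weak_count "$1")"
fi
```

Values are extracted with sed rather than by sourcing the file because /etc/asl/config is shell syntax: sourcing it would execute anything an attacker managed to write into it. The exclusion list in asl_php_disable_functions is the set of non-PHP ALLOW_ keys on this page; extend it if a later ASL release adds more.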