Upgrading ASL
Contents |
[edit] General Upgrade instructions
This section applies to all upgrades.
[edit] Run commands as the root user
When upgrading ASL, run all upgrade commands as the root user. Do not use sudo to run these commands.
[edit] Pre-requisites
Always check to make sure that your system meets the pre-requisites for ASL before upgrading. You can access the latest requirements for ASL on the ASL prerequisites page.
[edit] Updates
Ensure that your system has all of your OS vendors updates installed. ASL is tested against the latest versions of vendors OSes, and may require updated software from your vendor to work correctly and securely.
[edit] Release Notes
Each release includes Release Notes. We highly recommend you review the release notes before upgrading.
[edit] Test Environment
We recommend that you test all ASL upgrades on a test system before deploying an ASL update into a production environment. For this reason, all ASL licensees come with a free QA and development licensee so you can test out all ASL updates.
[edit] Version Specific Upgrade Instructions
[edit] ASL 4.0
[edit] Release Notes
Please see the Atomic_Secured_Linux#ASL_4.0_Release_Notes page.
[edit] Upgrading
[edit] Automatic Upgrade
Check to make sure you have ASL set to upgrade itself:
Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".
If this is set to "all", ASL will automatically upgrade itself based on your upgrade configuration, which is by default to check for updates daily. You can change this to hourly if you wish the system to check more often, or you can force an upgrade by following the steps below.
[edit] From 4.0 to 4.0.x
Run the following commands as root:
Step 1)
aum -u
Step 2)
asl -s -f
Note: It is recommended that you clear your yum cache if you encounter any errors on upgrade:
yum clean all
Note: Do not use yum to upgrade ASL or its components, always use "aum". Please see the yum upgrades article for more information.
[edit] From 3.2 to 4.0
ASL 4.0 uses the ASL installer to upgrade from 3.2 to 4.0. See the unattended installs article for advanced instructions for unattended installations.
You can upgrade ASL by following these steps:
Step 1) Become the root user
As the root user, run step 2 below. Do not use "sudo" to run these commands.
Use this command to become root:
su -
Step 2) Run the installer
Cut and paste the command below, and run this command as root:
wget -q -O - https://updates.atomicorp.com/installers/asl |sh
Follow the instructions in the installer being sure to answer the configuration questions appropriately for your system.
Note: You must have a version of wget installed that supports HTTPS to install ASL, as described on the ASL prerequisites page.
If you do not get any output from the installation command it is likely wget on your system was replaced with a crippled version that does not support SSL. Please see this article to test if your wget supports SSL if you are unsure:
https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#wget
Step 3) Reinstall the ASL database
During installation, when asked if you want to reinstall the ASL database, answer yes. ASL4 has a new database schema that is faster, and reinstallation of the database is required.
[edit] ASL 3.2
[edit] Release Notes
Please see the Atomic_Secured_Linux#ASL_3.2_Release_Notes page.
[edit] Upgrading
ASL 3.2 uses the internal upgrade management system in ASL. You can upgrade ASL by following these steps:
Step 1)
As the root user, run through Steps 2-4 below. Do not use "sudo" to run these commands.
Step 2)
Check to make sure you have ASL set to upgrade itself:
Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".
Step 3)
/var/asl/bin/aum -uf
Note: If you have changed UPDATE_TYPE to "rules-only", you must change this to "all" temporarily to manually upgrade ASL. If you do not wish to upgrade the kernel, you can set this temporarily to "Exclude-kernel".
Step 4)
yum upgrade mod_security tortix-waf
Step 5)
/var/asl/bin/asl -s -f
[edit] Automatic Upgrade
Check to make sure you have ASL set to upgrade itself:
Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".
If this is set to "all", ASL will automatically upgrade itself based on your upgrade configuration, which is by default to check for updates daily. You can change this to hourly if you wish the system to check more often, or you can force an upgrade by following the steps below.
[edit] Notes for 3.2 Upgrades
[edit] Cpanel
Do not enable modsecurity in cpanel, and do not use cpanel to upgrade or install modsecurity. CPanel does not use the latest version of modsecurity, and ASL is only tested and supported with the latest version supplied by ASL. ASL will automatically upgrade modsecurity if necessary.
Enabling modsecurity in cpanel will replace modsecurity with an older, and incompatible version and is not supported. This will likely also break your modsecurity configuration, as CPanel does not include all of the patches and enhancements in modsecurity that ASL comes with.
[edit] Version Check
In addition to the release notes referenced above, you can check to see if you are running 3.2 by running this command as root:
asl -v
You should see an output similar to this:
ASL Version 3.2.1-0.10.el5.art: CentOS 6 (SUPPORTED)
The "Centos 6" element will vary depending on your OS. If you see "UNSUPPORTED", you either not running the latest version of 3.2, or your OS may not be supported. The current list of OSes supported is documented on the Supported_Platforms_for_ASL wiki page.
If your OS is supported, and the upgrade is failing, this is more than likely caused by yums cache requiring a flush. Run this command as root to flush the cache:
yum clean all
And then try the upgrade again.
[edit] ASL 3.0
ASL 3.0 uses the internal upgrade management system in ASL. You can upgrade ASL by following these steps:
[edit] Automatic Upgrade
Check to make sure you have ASL set to upgrade itself:
Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".
If this is set to "all", ASL will automatically upgrade itself based on your upgrade configuration, which is by default to check for updates daily. You can change this to hourly if you wish the system to check more often, or you can force an upgrade by following the steps below.
[edit] Force an upgrade if you have automatic upgrades configured
[edit] Force update step 1
Run this command as root:
asl -uf
[edit] Force update step 2
Set the new security policy, by running this command as root:
asl -s -f
This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time, even if you have not upgraded any ASL components.
Please see the release notes, which include additional information when upgrading from 2.2 to 3.0:
Atomic_Secured_Linux#ASL_3.0_Release_Notes
[edit] Manual Upgrade if you do not have have automatic upgrades configured
If you do not want your system to automatically upgrade ASL, change the setting in the ASL configuration UPDATE_TYPE to your needs. The "all" setting tells ASL to upgrade itself.
To upgrade manually you will then need to run these commands (run them as root):
Step 1) yum upgrade asl asl-web mod_security kernel
Note: If you have a PAE kernel installed, you will need to replace "kernel" with "kernel-PAE".
Step 2) asl -uf
Step 3) asl -s -f
Step 4) Please see the release notes, which includes additional information when upgrading from 2.2 to 3.0:
Atomic_Secured_Linux#ASL_3.0_Release_Notes
[edit] Notes for 3.0 Upgrades
In addition to the release notes referenced above, you can check to see if you are running 3.0 by running this command as root:
asl -v
You should see an output similar to this:
ASL Version 3.0: CentOS 5 (SUPPORTED)
The "Centos 5" element will vary depending on your OS. If you see "UNSUPPORTED", you either not running the latest version of 3.0, or your OS may not be supported. The current list of OSes supported is documented on the Supported_Platforms_for_ASL wiki page.
If your OS is supported, and the upgrade is failing, this is more than likely caused by yums cache requiring a flush. Run this command as root to flush the cache:
yum clean all
And then try the upgrade again.
[edit] ASL 2.2
ASL 2.2 uses the RPM package management system. You can upgrade ASL by using the following command:
yum upgrade
When you have completed upgrading any component of ASL you must run this command to finish configuring your system:
asl -s -f
This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time even if you have not upgraded any ASL components.
[edit] Automatic Upgrade system
Since version 2.1, ASL has the ability to automatically update itself. This is configurable from the ASL GUI. The option in the GUI is: UPDATE_TYPE. There are three modes:
- all - This will configure ASL to automatically upgrade all of its components, including the rules. This is the most secure option.
- exclude-kernel - This will configure ASL to upgrade all of its components, including the rules, but will not upgrade the kernel. This is the second most secure option.
- rules-only - This option will configure ASL to only keep the rules up to date. This is the least secure option.
You can also configure the frequency at which ASL checks for updates by configuring the AUTOMATIC_UPDATES setting in the GUI. You can configure ASL to check for updates:
- daily
- hourly
- none
We recommend that users test all upgrades on a test system before deploying to a production system.
[edit] Yum
Do not use yum to upgrade ASL. The ASL upgrader, aum, is the only supported method for upgrading ASL.
If you are going to use yum to upgrade other parts of your system, we recommend you exclude the ASL channels. For example:
yum --disablerepo=asl* --disablerepo=tortix* upgrade
[edit] Per Component
The following command may be used to check for updates, and install them if needed on a per component level. You do not need to run these commands if you are using aum -u. /var/asl/bin/aum upgrade [component]
Where component is one or more of the following, seperated by spaces:
appinv clamav geomap modsec ossec
Note that ASL itself will always be checked when an upgrade command is run.