|
|
| (51 intermediate revisions by 2 users not shown) |
| Line 1: |
Line 1: |
| − | '''Feaures in ASL 2.0'''
| + | = Introduction = |
| | | | |
| − | Hardened kernel with grsecurity, and firewall enhancements
| + | Atomic Secured Linux(tm), or "ASL" for short, is a Unified Security Suite addon for Linux(tm) systems designed to protect servers against zero day threats. Unlike other expensive security "solutions" that pretend to achieve security through signature-based detection, known-vulnerability patching and other reactive methods, Atomic Secured Linux(tm) provides real proactive security. The only solution that protects both your applications and operating system, Atomic Secured Linux is essential for public-facing servers and shared-hosting environments. |
| | | | |
| − | ASL Modules | + | And Atomic Secured Linux (ASL) is uniquely designed for beginners and experts alike. You just install ASL onto your existing system and it does the work for you, plus you can try it for free! |
| − | | + | |
| − | * denyhosts for ssh brute force attack detection
| + | |
| | | | |
| − | * mod_security as the web application layer firewall
| + | ASL works by proactively immunizing the system against whole classes of vulnerabilities, and combines security at all layers, from the firewall, to your applications and services, and all the way down to the kernel to provide the most complete multi-spectrum protection solution available for Linux servers today. It helps to ensure that your system is secure and also compliant with commercial and government security standards. ASL is uniquely effective at addressing emerging threats posed by vulnerabilities in todays complex systems and applications, such as cloud and web hosting environments, multiuser systems, CRM's, ERPs, forums, shopping carts, Content Management systems, custom applications and more. |
| | | | |
| − | * ossec for event monitoring, file system integrity checking, and rootkit detection
| + | == '''Features in ASL''' == |
| − |
| + | |
| − | * rkhunter for rootkit detection
| + | |
| | | | |
| − | * psmon process monitoring, to ensure security services are always running | + | * Web Application Firewall with Realtime Atomicorp/Gotroot.com rules |
| | | | |
| − | * Web Application inventory module | + | * Highspeed Stateful firewall |
| | | | |
| − | * Plesk Server Administrator web interface | + | * Attack Chain Disruption to prevent zero day attacks |
| | | | |
| − | * SSH configuration validation | + | * Network based Intrusion Prevention System |
| | | | |
| − | * General security hardening (unnecessary services, etc) | + | * Host Based Intrusion Prevention for event monitoring, file system integrity checking, and rootkit protection |
| | | | |
| − | * PHP configuration, checks for dangerous settings | + | * Web Based Security Information Manager and Unified Threat Manager |
| | | | |
| − | * Apache configuration checks | + | * Vulnerability scanner and vulnerability repair and elimination system |
| | | | |
| − | * Rule updater for Mod_security, GRsecurity, and the Application Inventory system | + | * Realtime Malware Protection |
| | | | |
| − |
| + | * Hardened secure kernel to protect against rootkits |
| | | | |
| | + | * Self Healing system for system, database and application errors |
| | | | |
| − | Using ASL 2.0
| + | * Self Learning Least Privilege Role Based Access Control System |
| | | | |
| − | '''Quickstart Documentation'''
| + | * System Hardening tools |
| | | | |
| − | 1) Update the signature database
| + | * Stand Alone secure web GUI |
| − | asl -u
| + | |
| | | | |
| − | 2) Run a report
| + | * Malware uploader scanner |
| − | asl -r
| + | |
| | | | |
| − | 3) Read the App Inventory DB
| + | * Brute force attack detection (Control Panels, FTP, SSH, Web applications, SMTP, POP, IMAP and more!) |
| − | less /var/asl/data/webapp.db
| + | |
| | | | |
| − | '''Understanding the Report'''
| + | * Just In Time Patching system: Automatic security rules to protect unpatched systems, and unpatched web applications. |
| | | | |
| − | KERNEL Report
| + | * Rootkit detection and prevention, including kernel level rootkits |
| − | Checking for ASL kernel: [FAILED] [HIGH RISK]
| + | |
| − | # ASL kernel is not running, which means you are exposed to Buffer overrun attacks, no TPE, and no GRSEC ACL capability
| + | |
| | | | |
| − | General Settings
| + | * Process monitoring watchdog, to ensure critical and security services are always running |
| − | Updatedb is enabled: [FAILED] [INFORMATIONAL]
| + | |
| − | # updatedb is used for generating the locate database, this is not a security message.
| + | |
| − |
| + | |
| − | Checking for unnecessary services
| + | |
| − | portmap is disabled: [FAILED] [LOW]
| + | |
| − | nfslock is disabled: [OK] [LOW]
| + | |
| − | rpcidmapd is disabled: [OK] [LOW]
| + | |
| − | cups is disabled: [OK] [LOW]
| + | |
| − | gpm is disabled: [FAILED] [LOW]
| + | |
| − | xfs is disabled: [FAILED] [LOW]
| + | |
| − | messagebus is disabled: [FAILED] [LOW]
| + | |
| − | # These are all services turned on by default. The risk is low, because they are unnecessary services, rather than they are directly exploitable. Recommend that they be disabled.
| + | |
| | | | |
| | + | * Web Application inventory module |
| | | | |
| − | Checking general settings for PSA
| + | * Systems configuration validation (SSH, PHP and more) |
| − | /var/log/psa exists: [FAILED] [INFORMATIONAL]
| + | |
| − | # This is a check for a shortcut to /usr/local/psa/var/log. This is not a security message.
| + | |
| | | | |
| | + | * General security hardening (unnecessary services, etc) |
| | | | |
| − | Checking psmon settings
| + | * PHP configuration, checks and fixes dangerous settings |
| − | # PSMON is a watchdog daemon, used to start services if they crash. It is used to monitor and restart services like denyhosts, ossec, etc. It can used to monitor any service however (apache, qmail, etc).
| + | |
| − | # this module checks to ensure that psmon is configured as defined in /etc/asl/config
| + | |
| − | Checking for psmon installation: [OK] [INFORMATIONAL]
| + | |
| − | # is it installed
| + | |
| − | Process monitoring enabled: [FAILED] [INFORMATIONAL]
| + | |
| − | # is it set to start up. psmon ensures that other security components are running, in the event that they crash.
| + | |
| − | Notifications to: root [OK] [INFORMATIONAL]
| + | |
| − | # is it set to send notifications to your configured email address
| + | |
| − | From line set to: psmon@cp8.foreststar.net [FAILED] [INFORMATIONAL]
| + | |
| − | # is it set to send from the configured email address
| + | |
| − | | + | |
| − | Checking General ossec-hids settings
| + | |
| − | # OSSEC is a host based IDS, it monitors log files, detects file system changes as well as root kits, can shun attackers, and can combine data from multiple systems.
| + | |
| − | Checking for ossec-hids installation: [OK] [INFORMATIONAL]
| + | |
| − | # is it installed
| + | |
| − | OSSEC is configured in server mode [INFORMATIONAL]
| + | |
| − | # what mode is it in, client, server, or local
| + | |
| − | Checking for ossec-hids-server installation: [FAILED] [INFORMATIONAL]
| + | |
| − | # is the ossec-hids-server rpm installed
| + | |
| − | Enable email notification: [OK] [INFORMATIONAL]
| + | |
| − | # does it notify
| + | |
| − | Notifications to: root [FAILED] [INFORMATIONAL]
| + | |
| − | # who they go to (/etc/asl/config)
| + | |
| − | Notifications from: ossec@cp8.foreststar.net [FAILED] [INFORMATIONAL]
| + | |
| − | # From line (/etc/asl/config)
| + | |
| − | SMTP server set to: ac3.atomicorp.com [FAILED] [INFORMATIONAL]
| + | |
| − | # SMTP server it will use to send alerts (/etc/asl/config)
| + | |
| − | Client connections allowed through firewall: [OK] [INFORMATIONAL]
| + | |
| − | # Firewall rule check. Since this system is a server, it would need to be configured to allow those connections to it.
| + | |
| − | Shun period time set to: 600 [OK] [INFORMATIONAL]
| + | |
| − | # period to shun an attacker (/etc/asl/config)
| + | |
| − | | + | |
| − | Verifying OSSEC whitelists
| + | |
| − | # checks to see that whitelisted hosts are in the ossec configuration
| + | |
| − | checking 127.0.0.1: [OK] [INFORMATIONAL]
| + | |
| − | | + | |
| − | Checking local OSSEC settings for PSA
| + | |
| − | # Checks to see that ossec is monitoring PSA logs
| + | |
| − | Monitoring httpsd_access_log: [FAILED] [INFORMATIONAL]
| + | |
| − | Monitoring httpsd_error_log: [FAILED] [INFORMATIONAL]
| + | |
| − | # /usr/local/psa/admin/logs/httpsd_access_log and /usr/local/psa/admin/logs/httpsd_access_log/httpsd_error_log
| + | |
| − | | + | |
| − | Checking General rkhunter settings
| + | |
| − | # rkhunter is a signature based rootkit hunter, this module checks basic rkhunter configuration.
| + | |
| − | # it will email the notification contact nightly with a security report, if it detects anything suspicious
| + | |
| − | # this module overlaps with OSSEC to some extent.
| + | |
| − | Checking for rkhunter installation: [OK] [INFORMATIONAL]
| + | |
| − | Notifications to: root [OK] [INFORMATIONAL]
| + | |
| − | Enable ssh root login tests: [OK] [INFORMATIONAL]
| + | |
| − | # Ensures that the Root Login test is enabled in rkhunter
| + | |
| − | | + | |
| − | Checking General httpd settings
| + | |
| − | Verify .htacces AllowOverride not set to ALL: [OK]
| + | |
| − | | + | |
| − | Performing an inventory of web applications
| + | |
| | | | |
| − | Indexing applications: ......
| + | * Apache configuration checks and fixes |
| − | Scanning applications:
| + | |
| | | | |
| − | Checking General mod_security settings
| + | * DOS protection system |
| − | Checking for mod_security installation: [OK]
| + | |
| − | ServerSignature set to: Apache [FAILED]
| + | |
| − | SecUploadDir set to: /var/asl/data/suspicious [FAILED]
| + | |
| − | SecUploadKeepFiles set to: RelevantOnly [FAILED]
| + | |
| − | Logging set to: Serial [OK]
| + | |
| − | Logfile set to: modsec_audit.log [OK]
| + | |
| − | Logging elemets set to: ABIFHZ [OK]
| + | |
| − | SecRequestBodyInMemoryLimit set to: 131072 [OK]
| + | |
| − | SecDataDir set to: /var/asl/data/msa [FAILED]
| + | |
| − | SecTmpDir set to: /tmp [OK]
| + | |
| | | | |
| − | Checking rule class settings
| + | * Rule updater for Mod_security, GRsecurity, HIDS, Self Healing and the Application Inventory system |
| − | HTTP Policy ruleset : on [OK]
| + | |
| − | Bad Robots ruleset : on [OK]
| + | |
| − | Generic Attacks ruleset : on [OK]
| + | |
| − | Trojan detection ruleset : on [OK]
| + | |
| − | Outbound rules : off [FAILED]
| + | |
| − | Marketing ruleset : off [OK]
| + | |
| − | Local ruleset : on [OK]
| + | |
| | | | |
| | + | * Custom code for system hardening |
| | | | |
| − | Checking General PHP settings
| + | * Special ClamAV rules |
| − | Checking for php installation: [OK]
| + | |
| − | PHP Safe Mode Enabled: [FAILED]
| + | |
| − | Register Globals Disabled: [OK]
| + | |
| | | | |
| − | Checking for High-Risk functions
| + | = Downloading ASL = |
| − | Function dl disabled: [FAILED]
| + | |
| − | Function exec disabled: [FAILED]
| + | |
| − | Function furl_open disabled: [FAILED]
| + | |
| − | Function furl_open disabled: [FAILED]
| + | |
| − | Function leak disabled: [FAILED]
| + | |
| − | Function passthru disabled: [FAILED]
| + | |
| − | Function pfsockopen disabled: [FAILED]
| + | |
| − | Function phpinfo disabled: [ALLOWED]
| + | |
| − | Function popen disabled: [FAILED]
| + | |
| − | Function posix_kill disabled: [FAILED]
| + | |
| − | Function posix_mkfifo disabled: [FAILED]
| + | |
| − | Function posix_setpgid disabled: [FAILED]
| + | |
| − | Function posix_setsid disabled: [FAILED]
| + | |
| − | Function posix_setuid disabled: [FAILED]
| + | |
| − | Function proc_close disabled: [FAILED]
| + | |
| − | Function proc_get_status disabled: [FAILED]
| + | |
| − | Function proc_nice disabled: [FAILED]
| + | |
| − | Function proc_open disabled: [FAILED]
| + | |
| − | Function proc_open disabled: [FAILED]
| + | |
| − | Function proc_terminate disabled: [FAILED]
| + | |
| − | Function shell_exec disabled: [FAILED]
| + | |
| − | Function show_source disabled: [FAILED]
| + | |
| − | Function system disabled: [FAILED]
| + | |
| | | | |
| − | Checking PHP extensions
| + | == '''How can I get a copy of ASL?''' == |
| − | /etc/php.ini
| + | |
| − | /etc/php.d/imap.ini
| + | |
| − | /etc/php.d/ldap.ini
| + | |
| − | /etc/php.d/mysql.ini
| + | |
| | | | |
| | + | Please visit the [https://atomicorp.com/features/ Atomic Secured Linux product page]. |
| | | | |
| | + | == '''Can I try it out first?''' == |
| | | | |
| − | '''Configuration'''
| + | Absolutely! Just sign up for a [https://atomicorp.com/amember/signup/index/c/oMzRCoqd no risk and no obligation free 10 day trial here]. |
| | | | |
| − | Currently the web interface is incomplete. ASL can be configured through /etc/asl/config, the following is a list of each setting and what it does:
| + | == '''Where is the ASL FAQ?''' == |
| − |
| + | |
| − | # Authentication information
| + | |
| − | CONFIGURED=yes # an internal setting, if its set to no you would (in theory) be forced through a configuration dialog
| + | |
| − | USERNAME="USERNAME"
| + | |
| − | PASSWORD="PASSWORD"
| + | |
| − | UPDATEPATH="www.atomicorp.com/channels/asl-bleeding/rules/" # where the rule updater will grab updates
| + | |
| − | ASLHOME="/var/asl" # internal variable, dont modify
| + | |
| | | | |
| − | # ASL general config
| + | [[ASL FAQ]] - Atomic Secured Linux Frequently Asked Questions (FAQ) |
| − | NOTIFY=yes # used to determine if modules that can send email notifications, will do so. Setting this to: no, will disable ALL email based notifications
| + | |
| − | EMAIL="scott@atomicrocketturtle.com" # a master email address, settings below will use the $EMAIL variable to assign this address. Can be overridden per app.
| + | |
| − | ADMIN_USERS="SOMEUSER" # who your administrative users are, this is used by modules like SSH to harden the system. Its highly recommended to define admin users, separated by whitespace.
| + | |
| − | # list of hosts separated by whitespace
| + | |
| − | IP_WHITELIST="127.0.0.1 10.10.10.10 10.10.10.11 10.10.10.12" # IP's listed here will not be shunned by any of the IDS's (modsec, denyhosts, etc)
| + | |
| − | # webserver, custom
| + | |
| − | SYSTEM_TYPE="webserver" # webserver, or custom right now. Used by ossec, and some other modules. Use webserver only for now.
| + | |
| | | | |
| − | # Kernel config
| |
| − | # Disable module_loading after the system has booted
| |
| − | VSERVER=no # probably will be deprecated
| |
| − | ALLOW_kmod_loading=no # ASL kernels can be set to disallow module loading to defend against kernel root kits. The default is to NOT allow module_loading after the system has booted.
| |
| | | | |
| − | # PSMOD config
| + | = '''Installing ASL''' = |
| − | PSMON_ENABLED=yes # Turn PSMON and its checks On or Off
| + | |
| − | PSMON_EMAIL="$EMAIL" # who to email PSMON alerts to
| + | |
| − | PSMON_FROM="psmon@$HOSTNAME" # From: line for PSMON
| + | |
| | | | |
| − | # OSSEC config
| + | [http://www.atomicorp.com/wiki/index.php/ASL_installation Installation Page] |
| − | OSSEC_ENABLED=yes # Enable OSSEC
| + | |
| − | OSSEC_MODE="server" # options are client, server, local. Servers can accept OSSEC events from clients. Local is a standalone OSSEC system.
| + | |
| − | OSSEC_EMAIL="$EMAIL" # Where OSSEC email alerts go
| + | |
| − | OSSEC_SMTP_SERVER="localhost" # System ossec sends email through
| + | |
| − | OSSEC_FROM="ossec@$HOSTNAME" # From line for OSSEC alerts
| + | |
| − | OSSEC_SHUN_ENABLE_TIMEOUT=yes # Enables expiration of OSSEC shunning events (see IP_WHITELIST above)
| + | |
| − | OSSEC_SHUN_TIME="600" # Time a shunned host will remain on the blacklist (10 minutes)
| + | |
| | | | |
| − | # MODSECURITY config
| |
| − | MODSEC_ENABLED=yes # Turn MOD_SECURITY and its checks on/off
| |
| − | MODSEC_SERVERSIG="Apache" # The "signature" the system will present to clients. The default is to send a client versions of the software installed. This helps against recon attacks
| |
| − | MODSEC_UPLOADDIR="/var/asl/data/suspicious" # Where suspicious uploaded files (POSTS) will be stored
| |
| − | MODSEC_KEEPFILES="RelevantOnly" # Off, or RelevantOnly. Related to above, this tells the system to keep those files or not.
| |
| − | MODSEC_LOG404=no # not used yet. Application default is to log 404 errors in mod_security logs.
| |
| − | MODSEC_LOGTYPE="Serial" # Serial or Concurrent. Serial sets modsecurity to log all events to one log file.
| |
| − | MODSEC_LOGFILE="modsec_audit.log" # The log file for above.
| |
| − | MODSEC_LOGELEMENT="ABIFHZ" # Elements of an event that will be logged
| |
| − | #A = audit log header (mandatory)
| |
| − | #B = request headers
| |
| − | #I = request body, except when multipart/form-data encoding is used
| |
| − | #F = final response headers
| |
| − | #H = audit log trailer
| |
| − | #Z = final boundary (mandatory)
| |
| − | MODSEC_REQMEMLIMIT="131072" # Maximum size of the request body to keep in memory, higher value requires more server memory, lower can impact disk I/O
| |
| − | MODSEC_DEBUGLOG=yes # not used yet (on by default: modsec_debug.log)
| |
| − | MODSEC_DATADIR="/var/asl/data/msa" # top level dir used for mod_security internals. Must be read/write by the apache user
| |
| − | MODSEC_TMPDIR="/tmp" # Directory where temporary files are created
| |
| | | | |
| − | # Rule configuration starts here
| + | == Configuration == |
| − | MODSEC_RULES_POLICY=on # enable/disable the HTTP Policy rules
| + | |
| − | MODSEC_RULES_ROBOTS=on # enable/disable the Bad Robot ruls
| + | |
| − | MODSEC_RULES_GENERIC=on # enable/disable generic attack rules
| + | |
| − | MODSEC_RULES_TROJAN=on # enable/disable trojan detection rules
| + | |
| − | MODSEC_RULES_OUTBOUND=off # enable/disable outbound rules (recommend this OFF for PSA environments)
| + | |
| − | MODSEC_RULES_MARKETING=off # enable/disable marketing tracking rules (google, msn, yahoo bots)
| + | |
| − | MODSEC_RULES_LOCAL=on # enable/disable local rules
| + | |
| | | | |
| | + | ASL can be configured through the ASL GUI. Please see the [[ASL Configuration]] page for documentation. |
| | | | |
| | + | == '''Reporting False Positives''' == |
| | | | |
| | + | See the [[Reporting False Positives]] page for details. |
| | | | |
| − | # PHP Functions
| + | == ASL Web GUI Password Reset == |
| − | PHP_CHECKS=yes # (yes/no) enable/disable php checks
| + | |
| − | PHP_SAFE_MODE=yes # (yes/no) enable safe_mode checks. Turning safe_mode off exposes you to a number of threats, including remote file inclusion
| + | |
| − | ALLOW_dl=no # (yes/no) disables the dl() function. dl() would allow an attacker to load their own extension into php.
| + | |
| − | ALLOW_exec=no # (yes/no) disables exec() function. exec() allows an attacker to execute shell commands through php
| + | |
| − | ALLOW_leak=no # (yes/no) disables leak() function.
| + | |
| − | ALLOW_passthru=no # (yes/no) disable passthru(). This function allows an attacker to execute shell commands through php
| + | |
| − | ALLOW_pfsockopen=no # (yes/no) This function allows an attacker to open sockets, useful for spamming, remote inclusion, etc.
| + | |
| − | ALLOW_phpinfo=yes # (yes/no) recon attack. Allowed by default in psa environments. phpinfo can expose internal information used by attackers
| + | |
| − | ALLOW_popen=no # (yes/no) process open, allows attacker to execute commands on a system
| + | |
| − | ALLOW_posix_kill=no # (yes/no) kill processes owned by the apache user
| + | |
| − | ALLOW_posix_mkfifo=no # (yes/no) creates a special FIFO file which exists in the file system and acts as a bidirectional communication endpoint for processes
| + | |
| − | ALLOW_posix_setpgid=no # (yes/no) Set process group id for job control
| + | |
| − | ALLOW_posix_setsid=no # (yes/no) Make the current process a session leader
| + | |
| − | ALLOW_posix_setuid=no # (yes/no) Set the UID of the current process. (Apache would have to run as root for this to work anyway)
| + | |
| − | ALLOW_proc_close=no # Close a process opened by proc_open()
| + | |
| − | ALLOW_proc_get_status=no # Get information about a process opened by proc_open()
| + | |
| − | ALLOW_proc_nice=no # change nice level on process opened by proc_open
| + | |
| − | ALLOW_proc_open=no # execute commands
| + | |
| − | ALLOW_proc_terminate=no # kill processes started by proc_open()
| + | |
| − | ALLOW_shell_exec=no # execute shell commands
| + | |
| − | ALLOW_show_source=no # Alias of highlight_file(), lets you view a php file. Exposes passwords, vulnerability recon, etc.
| + | |
| − | ALLOW_system=no # execute shell commands
| + | |
| | | | |
| − | # Denyhosts settings
| + | To reset your password, run this command: |
| − | # uses EMAIL for notifications
| + | |
| − | DENYHOSTS_ENABLED=yes
| + | |
| − | DENYHOSTS_EMAIL="$EMAIL"
| + | |
| − | DENYHOSTS_FROM="denyhosts@$HOSTNAME"
| + | |
| − | DENYHOSTS_SYSLOG=yes
| + | |
| − | DENYHOSTS_SHUN_TIME="4w"
| + | |
| | | | |
| − | # SSH
| + | /var/asl/bin/asl-web-passwd your_user_name |
| − | ALLOW_ssh_proto1=no
| + | |
| − | ALLOW_root_logins=no
| + | |
| − | DISABLE_strict_mode=no
| + | |
| − | DISABLE_ignore_rhosts=no
| + | |
| − | DISABLE_pubkey_authentication=no
| + | |
| − | ALLOW_password_authentication=no
| + | |
| − | DISABLE_privilege_separation=no
| + | |
| | | | |
| − | # Rkhunter settings
| + | Note: This utility is only valid post-installation. |
| − | RKHUNTER_ENABLED=yes
| + | |
| − | RKHUNTER_EMAIL=$EMAIL
| + | |
Atomic Secured Linux(tm), or "ASL" for short, is a Unified Security Suite addon for Linux(tm) systems designed to protect servers against zero day threats. Unlike other expensive security "solutions" that pretend to achieve security through signature-based detection, known-vulnerability patching and other reactive methods, Atomic Secured Linux(tm) provides real proactive security. The only solution that protects both your applications and operating system, Atomic Secured Linux is essential for public-facing servers and shared-hosting environments.
And Atomic Secured Linux (ASL) is uniquely designed for beginners and experts alike. You just install ASL onto your existing system and it does the work for you, plus you can try it for free!
ASL works by proactively immunizing the system against whole classes of vulnerabilities, and combines security at all layers, from the firewall, to your applications and services, and all the way down to the kernel to provide the most complete multi-spectrum protection solution available for Linux servers today. It helps to ensure that your system is secure and also compliant with commercial and government security standards. ASL is uniquely effective at addressing emerging threats posed by vulnerabilities in todays complex systems and applications, such as cloud and web hosting environments, multiuser systems, CRM's, ERPs, forums, shopping carts, Content Management systems, custom applications and more.
