Difference between revisions of "ASL"

From Atomicorp Wiki
Revision as of 11:13, 6 October 2008

Features in ASL 2.0

Web Application Firewall, Special ClamAV rules, System Hardening tools, Hardened kernel with grsecurity, and firewall enhancements

ASL Modules

  • custom code for system hardening
  • denyhosts for ssh brute force attack detection
  • mod_security as the web application layer firewall
  • ossec for event monitoring, file system integrity checking, and rootkit detection
  • rkhunter for rootkit detection
  • psmon process monitoring, to ensure security services are always running
  • Web Application inventory module
  • Plesk Server Administrator web interface
  • SSH configuration validation
  • General security hardening (unnecessary services, etc.)
  • PHP configuration, checks for dangerous settings
  • Apache configuration checks
  • Rule updater for Mod_security, GRsecurity, and the Application Inventory system



Using ASL 2.0

Quickstart Documentation

1) Update the signature database

asl -u

2) Run a report

asl -r

3) Read the App Inventory DB

less /var/asl/data/webapp.db

Understanding the Report

KERNEL Report
Checking for ASL kernel:                                   [FAILED]  [HIGH RISK]
# ASL kernel is not running, which means you are exposed to Buffer overrun attacks, no TPE, and no GRSEC ACL capability
General Settings
Updatedb is enabled:                                     [FAILED]    [INFORMATIONAL]
# updatedb is used for generating the locate database, this is not a security message.

Checking for unnecessary services
   portmap is disabled:                                   [FAILED]   [LOW]
   nfslock is disabled:                                   [OK]       [LOW]
   rpcidmapd is disabled:                                 [OK]       [LOW]
   cups is disabled:                                      [OK]       [LOW]
   gpm is disabled:                                       [FAILED]   [LOW]
   xfs is disabled:                                       [FAILED]   [LOW]
   messagebus is disabled:                                [FAILED]   [LOW]
   # These are all services turned on by default. The risk is low, because they are unnecessary services, rather than they are directly exploitable. Recommend that they be disabled.


Checking general settings for PSA
  /var/log/psa exists:                                   [FAILED]     [INFORMATIONAL] 
  # This is a check for a shortcut to /usr/local/psa/var/log.  This is not a security message.


Checking psmon settings
# PSMON is a watchdog daemon, used to start services if they crash. It is used to monitor and restart services like denyhosts, ossec, etc. It can used to monitor any service however (apache, qmail, etc).
# this module checks to ensure that psmon is configured as defined in /etc/asl/config
  Checking for psmon installation:                         [OK]       [INFORMATIONAL]
  # is it installed
  Process monitoring enabled:                              [FAILED]   [INFORMATIONAL]
  # is it set to start up. psmon ensures that other security components are running, in the event that they crash. 
  Notifications to: root                                   [OK]       [INFORMATIONAL]
  # is it set to send notifications to your configured email address
  From line set to: psmon@cp8.foreststar.net               [FAILED]   [INFORMATIONAL]
  # is it set to send from the configured email address
Checking General ossec-hids settings
# OSSEC is a host based IDS, it monitors log files, detects file system changes as well as root kits, can shun attackers, and can combine data from multiple systems.
  Checking for ossec-hids installation:                    [OK]       [INFORMATIONAL]
  # is it installed
  OSSEC is configured in server mode                                  [INFORMATIONAL]
  # what mode is it in, client, server, or local
    Checking for ossec-hids-server installation:           [FAILED]   [INFORMATIONAL]
    # is the ossec-hids-server rpm installed
    Enable email notification:                             [OK]       [INFORMATIONAL]
    # does it notify
    Notifications to: root                                 [FAILED]   [INFORMATIONAL]
    # who they go to (/etc/asl/config)
    Notifications from: ossec@cp8.foreststar.net           [FAILED]   [INFORMATIONAL]
    # From line (/etc/asl/config)
    SMTP server set to: ac3.atomicorp.com                  [FAILED]   [INFORMATIONAL]
    # SMTP server it will use to send alerts (/etc/asl/config)
    Client connections allowed through firewall:           [OK]       [INFORMATIONAL]
    # Firewall rule check. Since this system is a server, it would need to be configured to allow those connections to it. 
    Shun period time set to: 600                           [OK]       [INFORMATIONAL]
    # period to shun an attacker (/etc/asl/config)
   Verifying OSSEC whitelists
   # checks to see that whitelisted hosts are in the ossec configuration
     checking 127.0.0.1:                                  [OK]      [INFORMATIONAL]
Checking local OSSEC settings for PSA
# Checks to see that ossec is monitoring PSA logs
  Monitoring httpsd_access_log:                          [FAILED]  [INFORMATIONAL]
  Monitoring httpsd_error_log:                           [FAILED]  [INFORMATIONAL]
  # /usr/local/psa/admin/logs/httpsd_access_log and /usr/local/psa/admin/logs/httpsd_access_log/httpsd_error_log
Checking General rkhunter settings
# rkhunter is a signature based rootkit hunter, this module checks basic rkhunter configuration.
# it will email the notification contact nightly with a security report, if it detects anything suspicious
# this module overlaps with OSSEC to some extent.
 Checking for rkhunter installation:                      [OK]  [INFORMATIONAL] 
 Notifications to: root                                   [OK]  [INFORMATIONAL]
 Enable ssh root login tests:                             [OK]  [INFORMATIONAL]
 # Ensures that the Root Login test is enabled in rkhunter
Checking General httpd settings
 Verify .htacces AllowOverride not set to ALL:            [OK]

Performing an inventory of web applications

 Indexing applications: ......
 Scanning applications: 

Checking General mod_security settings

 Checking for mod_security installation:                  [OK]
 ServerSignature set to: Apache                           [FAILED]
 SecUploadDir set to: /var/asl/data/suspicious            [FAILED]
 SecUploadKeepFiles set to: RelevantOnly                  [FAILED]
 Logging set to: Serial                                   [OK]
 Logfile set to: modsec_audit.log                         [OK]
 Logging elemets set to: ABIFHZ                           [OK]
 SecRequestBodyInMemoryLimit set to: 131072               [OK]
 SecDataDir set to: /var/asl/data/msa                     [FAILED]
 SecTmpDir set to: /tmp                                   [OK]
 Checking rule class settings  
   HTTP Policy ruleset : on                               [OK]
   Bad Robots ruleset : on                                [OK]
   Generic Attacks ruleset : on                           [OK]
   Trojan detection ruleset : on                          [OK]
   Outbound rules : off                                   [FAILED]
   Marketing ruleset : off                                [OK]
   Local ruleset : on                                     [OK]


Checking General PHP settings

 Checking for php installation:                           [OK]
 PHP Safe Mode Enabled:                                   [FAILED]
 Register Globals Disabled:                               [OK]

Checking for High-Risk functions

 Function dl disabled:                                    [FAILED]
 Function exec disabled:                                  [FAILED]
 Function furl_open disabled:                             [FAILED]
 Function furl_open disabled:                             [FAILED]
 Function leak disabled:                                  [FAILED]
 Function passthru disabled:                              [FAILED]
 Function pfsockopen disabled:                            [FAILED]
 Function phpinfo disabled:                               [ALLOWED]
 Function popen disabled:                                 [FAILED]
 Function posix_kill disabled:                            [FAILED]
 Function posix_mkfifo disabled:                          [FAILED]
 Function posix_setpgid disabled:                         [FAILED]
 Function posix_setsid disabled:                          [FAILED]
 Function posix_setuid disabled:                          [FAILED]
 Function proc_close disabled:                            [FAILED]
 Function proc_get_status disabled:                       [FAILED]
 Function proc_nice disabled:                             [FAILED]
 Function proc_open disabled:                             [FAILED]
 Function proc_open disabled:                             [FAILED]
 Function proc_terminate disabled:                        [FAILED]
 Function shell_exec disabled:                            [FAILED]
 Function show_source disabled:                           [FAILED]
 Function system disabled:                                [FAILED]
Checking PHP extensions
 /etc/php.ini 
 /etc/php.d/imap.ini 
 /etc/php.d/ldap.ini 
 /etc/php.d/mysql.ini 
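The report above is plain text: a check name, a status tag and, for most lines, a risk tag. This added parser (not part of ASL or the wiki page; the sample lines are a constructed excerpt in the same format) turns such output into structured records and counts FAILED checks per risk level, which is what you need before feeding the report into a ticketing or monitoring system.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ASL report format shown above.
SAMPLE_REPORT = """\
KERNEL Report
Checking for ASL kernel:                                   [FAILED]  [HIGH RISK]
# ASL kernel is not running
Checking for unnecessary services
   portmap is disabled:                                   [FAILED]   [LOW]
   nfslock is disabled:                                   [OK]       [LOW]
  OSSEC is configured in server mode                                  [INFORMATIONAL]
 Function phpinfo disabled:                               [ALLOWED]
 Verify .htacces AllowOverride not set to ALL:            [OK]
"""

# A result line: check text, optional colon, then one or more [TAG] fields.
LINE_RE = re.compile(r"^\s*(?P<check>.+?):?\s+(?P<tags>(?:\[[A-Z ]+\]\s*)+)$")
TAG_RE = re.compile(r"\[([A-Z ]+)\]")
STATUSES = {"OK", "FAILED", "ALLOWED"}


def parse_report(text):
    """Return a list of {check, status, risk} dicts, skipping headings and comments."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # section headings such as "KERNEL Report" carry no tags
        tags = TAG_RE.findall(m.group("tags"))
        # Some lines carry only a risk tag (e.g. the OSSEC mode line), some only a status.
        status = tags[0] if tags[0] in STATUSES else None
        risk = tags[-1] if tags[-1] not in STATUSES else None
        results.append({"check": m.group("check").strip(), "status": status, "risk": risk})
    return results


def failed_by_risk(results):
    """Count FAILED checks per risk level; lines without a risk tag count as UNRATED."""
    return Counter(r["risk"] or "UNRATED" for r in results if r["status"] == "FAILED")


if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(r)
    print(dict(failed_by_risk(parse_report(SAMPLE_REPORT))))
```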


Configuration

Currently the web interface is incomplete. ASL can be configured through /etc/asl/config; the following lists each setting and what it does:

# Authentication information
CONFIGURED=yes                                         # an internal setting, if it's set to no you would (in theory) be forced through a configuration dialog
USERNAME="USERNAME"                         
PASSWORD="PASSWORD"
UPDATEPATH="www.atomicorp.com/channels/asl-bleeding/rules/"  # where the rule updater will grab updates
ASLHOME="/var/asl"                                     # internal variable, don't modify
# ASL general config
NOTIFY=yes                             # used to determine if modules that can send email notifications, will do so. Setting this to: no, will disable ALL email based notifications
EMAIL="scott@atomicrocketturtle.com"   # a master email address, settings below will use the $EMAIL variable to assign this address. Can be overridden per app.
ADMIN_USERS="SOMEUSER"                 # who your administrative users are, this is used by modules like SSH to harden the system. It's highly recommended to define admin users, separated by whitespace.
# list of hosts separated by whitespace
IP_WHITELIST="127.0.0.1 10.10.10.10 10.10.10.11 10.10.10.12"    # IPs listed here will not be shunned by any of the IDSs (modsec, denyhosts, etc.)
# webserver, custom
SYSTEM_TYPE="webserver"                # webserver, or custom right now. Used by ossec, and some other modules. Use webserver only for now.
# Kernel config
# Disable module_loading after the system has booted
VSERVER=no                             # probably will be deprecated
ALLOW_kmod_loading=no                  # ASL kernels can be set to disallow module loading to defend against kernel root kits. The default is to NOT allow module_loading after the system has booted.
# PSMON config
PSMON_ENABLED=yes                      # Turn PSMON and its checks On or Off
PSMON_EMAIL="$EMAIL"                   # who to email PSMON alerts to
PSMON_FROM="psmon@$HOSTNAME"           # From: line for PSMON
# OSSEC config
OSSEC_ENABLED=yes                      # Enable OSSEC
OSSEC_MODE="server"                    # options are client, server, local. Servers can accept OSSEC events from clients. Local is a standalone OSSEC system.
OSSEC_EMAIL="$EMAIL"                   # Where OSSEC email alerts go
OSSEC_SMTP_SERVER="localhost"          # System ossec sends email through
OSSEC_FROM="ossec@$HOSTNAME"           # From line for OSSEC alerts
OSSEC_SHUN_ENABLE_TIMEOUT=yes          # Enables expiration of OSSEC shunning events (see IP_WHITELIST above)
OSSEC_SHUN_TIME="600"                  # Time a shunned host will remain on the blacklist (10 minutes)
# MODSECURITY config
MODSEC_ENABLED=yes                     # Turn MOD_SECURITY and its checks on/off
MODSEC_SERVERSIG="Apache"              # The "signature" the system will present to clients. The default is to send clients the versions of the software installed. This helps against recon attacks
MODSEC_UPLOADDIR="/var/asl/data/suspicious" # Where suspicious uploaded files (POSTS) will be stored
MODSEC_KEEPFILES="RelevantOnly"        # Off, or RelevantOnly. Related to above, this tells the system to keep those files or not. 
MODSEC_LOG404=no                       # not used yet. Application default is to log 404 errors in mod_security logs.
MODSEC_LOGTYPE="Serial"                # Serial or Concurrent. Serial sets modsecurity to log all events to one log file.
MODSEC_LOGFILE="modsec_audit.log"      # The log file for above.
MODSEC_LOGELEMENT="ABIFHZ"             # Elements of an event that will be logged
 #A = audit log header (mandatory)
 #B = request headers
 #I = request body, except when multipart/form-data encoding is used
 #F = final response headers
 #H = audit log trailer
 #Z = final boundary (mandatory)
MODSEC_REQMEMLIMIT="131072"            # Maximum size of the request body to keep in memory,  higher value requires more server memory, lower can impact disk I/O
MODSEC_DEBUGLOG=yes                    # not used yet (on by default: modsec_debug.log)
MODSEC_DATADIR="/var/asl/data/msa"     # top level dir used for mod_security internals. Must be read/write by the apache user
MODSEC_TMPDIR="/tmp"                   # Directory where temporary files are created
# Rule configuration starts here
MODSEC_RULES_POLICY=on                 # enable/disable the HTTP Policy rules 
MODSEC_RULES_ROBOTS=on                 # enable/disable the Bad Robot rules
MODSEC_RULES_GENERIC=on                # enable/disable generic attack rules
MODSEC_RULES_TROJAN=on                 # enable/disable trojan detection rules
MODSEC_RULES_OUTBOUND=off              # enable/disable outbound rules (recommend this OFF for PSA environments)
MODSEC_RULES_MARKETING=off             # enable/disable marketing tracking rules (google, msn, yahoo bots)
MODSEC_RULES_LOCAL=on                  # enable/disable local rules



# PHP Functions
PHP_CHECKS=yes                         # (yes/no) enable/disable php checks
PHP_SAFE_MODE=yes                      # (yes/no) enable safe_mode checks. Turning safe_mode off exposes you to a number of threats, including remote file inclusion
ALLOW_dl=no                            # (yes/no) disables the dl() function. dl() would allow an attacker to load their own extension into php. 
ALLOW_exec=no                          # (yes/no) disables exec() function. exec() allows an attacker to execute shell commands through php
ALLOW_leak=no                          # (yes/no) disables leak() function. 
ALLOW_passthru=no                      # (yes/no) disable passthru(). This function allows an attacker to execute shell commands through php
ALLOW_pfsockopen=no                    # (yes/no) This function allows an attacker to open sockets, useful for spamming, remote inclusion, etc.
ALLOW_phpinfo=yes                      # (yes/no) recon attack. Allowed by default in psa environments. phpinfo can expose internal information used by attackers
ALLOW_popen=no                         # (yes/no) process open, allows attacker to execute commands on a system
ALLOW_posix_kill=no                    # (yes/no) kill processes owned by the apache user
ALLOW_posix_mkfifo=no                  # (yes/no) creates a special FIFO file which exists in the file system and acts as a bidirectional communication endpoint for processes
ALLOW_posix_setpgid=no                 # (yes/no) Set process group id for job control
ALLOW_posix_setsid=no                  # (yes/no) Make the current process a session leader
ALLOW_posix_setuid=no                  # (yes/no) Set the UID of the current process. (Apache would have to run as root for this to work anyway)
ALLOW_proc_close=no                    # Close a process opened by proc_open() 
ALLOW_proc_get_status=no               # Get information about a process opened by proc_open()
ALLOW_proc_nice=no                     # change nice level on process opened by proc_open
ALLOW_proc_open=no                     # execute commands
ALLOW_proc_terminate=no                # kill processes started by proc_open()
ALLOW_shell_exec=no                    # execute shell commands
ALLOW_show_source=no                   # Alias of highlight_file(), lets you view a php file. Exposes passwords, vulnerability recon, etc.
ALLOW_system=no                        # execute shell commands
# Denyhosts settings
# uses EMAIL for notifications
DENYHOSTS_ENABLED=yes
DENYHOSTS_EMAIL="$EMAIL"
DENYHOSTS_FROM="denyhosts@$HOSTNAME"
DENYHOSTS_SYSLOG=yes
DENYHOSTS_SHUN_TIME="4w"
# SSH
ALLOW_ssh_proto1=no 
ALLOW_root_logins=no
DISABLE_strict_mode=no
DISABLE_ignore_rhosts=no
DISABLE_pubkey_authentication=no
ALLOW_password_authentication=no
DISABLE_privilege_separation=no 
# Rkhunter settings
RKHUNTER_ENABLED=yes
RKHUNTER_EMAIL=$EMAIL
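The ALLOW_* keys in the PHP Functions block are a policy, and the "Function X disabled" lines in the report are the check of that policy against php.ini's disable_functions. The following is an added example of that check, written for this page and not taken from ASL itself; both the config excerpt and the php.ini fragment are constructed samples. It only reads keys in the "# PHP Functions" section, because the same file uses ALLOW_ keys for kernel and SSH settings that are not PHP functions.

```python
import re

# Constructed excerpt in the /etc/asl/config style (not a real config file).
SAMPLE_ASL_CONFIG = """\
# Kernel config
ALLOW_kmod_loading=no                  # not a PHP function, must be ignored below
# PHP Functions
PHP_CHECKS=yes                         # (yes/no) enable/disable php checks
ALLOW_dl=no                            # dl() loads arbitrary extensions
ALLOW_exec=no                          # shell command execution
ALLOW_phpinfo=yes                      # allowed by default in psa environments
ALLOW_shell_exec=no
ALLOW_system=no
# Denyhosts settings
DENYHOSTS_ENABLED=yes
"""

# Constructed php.ini fragment to check the policy against.
SAMPLE_PHP_INI = """\
; php.ini excerpt
safe_mode = Off
disable_functions = exec, system
"""


def parse_php_allow(text):
    """Return {function: allowed} from ALLOW_<fn>=yes/no lines in the PHP Functions section."""
    allowed, in_php = {}, False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("#"):          # section headers switch the PHP block on/off
            in_php = stripped == "# PHP Functions"
            continue
        m = re.match(r"^ALLOW_(\w+)=(yes|no)$", stripped.split("#", 1)[0].strip())
        if in_php and m:
            allowed[m.group(1)] = m.group(2) == "yes"
    return allowed


def parse_disable_functions(text):
    """Return the set of functions listed in php.ini's disable_functions directive."""
    for raw in text.splitlines():
        m = re.match(r"^disable_functions\s*=\s*(.*)$", raw.split(";", 1)[0].strip())
        if m:
            return {f.strip() for f in m.group(1).split(",") if f.strip()}
    return set()


def check_high_risk_functions(asl_cfg, php_ini):
    """FAILED when policy says ALLOW_<fn>=no but php.ini does not disable <fn>."""
    disabled = parse_disable_functions(php_ini)
    return {fn: "ALLOWED" if ok else ("OK" if fn in disabled else "FAILED")
            for fn, ok in sorted(parse_php_allow(asl_cfg).items())}


def required_disable_functions(asl_cfg):
    """The disable_functions value that would make every policy check pass."""
    return ",".join(sorted(fn for fn, ok in parse_php_allow(asl_cfg).items() if not ok))
```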


Application Inventory

The application inventory module is designed to identify applications installed on the system by analysing their source code. It can be a very CPU-intensive operation and is configured by default to run once per day. ASL supports configuring the Application Inventory to run daily, weekly, or not at all, with the following setting in /etc/asl/config:

APPINV_CRON="daily"

Valid settings for this field are:

"daily"

"weekly"

"off"

Changing this setting in /etc/asl/config does *NOT* require a policy update with "asl -s -f".


Mod_Security: Re-Enabling Rules

ASL supports the ability to disable rules through the web and command line interface. Once a rule has been disabled, it can be re-enabled by running the following:

asl --enable-rule <rule id>

example:

asl --enable-rule 123456
