Difference between revisions of "ASL"

From Atomicorp Wiki

Revision as of 17:49, 23 August 2010

How do I buy a copy?

Please visit the ASL page here.

Features in ASL 2.2

  • Web Application Firewall with realtime Gotroot.com rules
  • Realtime malware protection
  • Hardened kernel with grsecurity
  • Self-learning, least-privilege, role-based access control system
  • System hardening tools
  • Firewall enhancements
  • Stand-alone GUI
  • Malware upload scanner (web and FTP)
  • SSH brute force attack detection
  • Just In Time Patching system: automatic security rules to protect unpatched systems
  • Host-based intrusion detection for event monitoring, file system integrity checking and rootkit detection
  • Rootkit detection and prevention, including kernel-level rootkits
  • Process monitoring watchdog, to ensure security services are always running
  • Web application inventory module
  • SSH configuration validation
  • General security hardening (unnecessary services, etc.)
  • PHP configuration checks; fixes dangerous settings
  • Apache configuration checks and fixes
  • DoS protection system
  • Rule updater for mod_security, grsecurity and the Application Inventory system
  • Custom code for system hardening
  • Special ClamAV rules

Using ASL 2.2

Installing ASL

Installation Page


Quickstart Command Line Documentation

1) Help

Atomic Secured Linux

Usage: asl [options]

 -bl  --blacklist <value>                 Add <ip> to Blacklist.
 -c   --config                            Configure ASL settings.
 -ck  --check                             Show list of updates.
 -dr  --disable-rule <value>              Disable modsec rule by signature ID.
 -dbl --domain-blacklist <value>          Add <domain> to spam blacklist.
 -er  --enable-rule <value>               Re-enable modsec rule by signature ID.

 -f   --fix                               Fix and Repair mode.
 -l   --list                              List ASL modules.
 -m   --module <value>                    Run a specific module.
 -mbl --malware-blacklist <value>          Add <domain> to malware blacklist.
 -nc  --nocolor                           Disable Color.
 -pc  --permissions-check                 Check/Fix permissions on ASL dirs/files.

      --reload-firewall                   Reload Firewall rules.
      --remove-blacklist <value>          Remove <ip> from Blacklist.
      --remove-domain-blacklist <value>   Remove <domain> from spam Blacklist.
      --remove-malware-blacklist <value>  Remove <domain> from malware Blacklist.

      --remove-whitelist <value>          Remove <ip> from Whitelist.
      --report-false-positive <value>     Report false positive on <path>.
 -r   --return                            Prompt to continue.
 -s   --scan                              Scan mode.
      --show-alert <value>                Show alert using <path>.
 -t   --terse                             Terse mode used for reporting
 -ub  --unblock <value>                   Unblock <ip> from active response system.

 -u   --update                            Update rules and signatures.
 -v   --version                           Show version.
 -wl  --whitelist <value>                 Add <ip> to whitelist.


2) Update the rules and signatures databases

asl -u

3) Run a vulnerability scan

asl -s

4) Run a vulnerability scan, and fix vulnerabilities

asl -s -f

Basic Configuration

ASL is configured through /etc/asl/config. The following is a list of each setting and what it does:

# Authentication information
CONFIGURED=yes                                         # an internal setting; if it is set to no you would (in theory) be forced through a configuration dialog
USERNAME="USERNAME"
PASSWORD="PASSWORD"
UPDATEPATH="www.atomicorp.com/channels/asl-bleeding/rules/"  # where the rule updater will grab updates
ASLHOME="/var/asl"                                     # internal variable, don't modify
# ASL general config
NOTIFY=yes                             # determines whether modules that can send email notifications will do so. Setting this to no disables ALL email based notifications
EMAIL="scott@atomicrocketturtle.com"   # a master email address; the settings below use the $EMAIL variable to assign this address. Can be overridden per app.
ADMIN_USERS="SOMEUSER"                 # who your administrative users are; this is used by modules like SSH to harden the system. It's highly recommended to define admin users, separated by whitespace.
# list of hosts separated by whitespace
IP_WHITELIST="127.0.0.1 10.10.10.10 10.10.10.11 10.10.10.12"    # IPs listed here will not be shunned by any of the IDSs (modsec, denyhosts, etc.)
# webserver, custom
SYSTEM_TYPE="webserver"                # webserver, or custom right now. Used by ossec, and some other modules. Use webserver only for now.
# Kernel config
# Disable module_loading after the system has booted
VSERVER=no                             # probably will be deprecated
ALLOW_kmod_loading=no                  # ASL kernels can be set to disallow module loading to defend against kernel rootkits. The default is to NOT allow module loading after the system has booted.
# PSMON config
PSMON_ENABLED=yes                      # Turn PSMON and its checks On or Off
PSMON_EMAIL="$EMAIL"                   # who to email PSMON alerts to
PSMON_FROM="psmon@$HOSTNAME"           # From: line for PSMON
# OSSEC config
OSSEC_ENABLED=yes                      # Enable OSSEC
OSSEC_MODE="server"                    # options are client, server, local. Servers can accept OSSEC events from clients. Local is a standalone OSSEC system.
OSSEC_EMAIL="$EMAIL"                   # Where OSSEC email alerts go
OSSEC_SMTP_SERVER="localhost"          # System ossec sends email through
OSSEC_FROM="ossec@$HOSTNAME"           # From line for OSSEC alerts
OSSEC_SHUN_ENABLE_TIMEOUT=yes          # Enables expiration of OSSEC shunning events (see IP_WHITELIST above)
OSSEC_SHUN_TIME="600"                  # Time a shunned host will remain on the blacklist (10 minutes)
# MODSECURITY config
MODSEC_ENABLED=yes                     # Turn MOD_SECURITY and its checks on/off
MODSEC_SERVERSIG="Apache"              # The "signature" the system will present to clients. Without it, clients are sent the versions of the software installed; hiding them helps against recon attacks
MODSEC_UPLOADDIR="/var/asl/data/suspicious" # Where suspicious uploaded files (POSTS) will be stored
MODSEC_KEEPFILES="RelevantOnly"        # Off, or RelevantOnly. Related to above, this tells the system to keep those files or not. 
MODSEC_LOG404=no                       # not used yet. Application default is to log 404 errors in mod_security logs.
MODSEC_LOGTYPE="Serial"                # Serial or Concurrent. Serial sets modsecurity to log all events to one log file.
MODSEC_LOGFILE="modsec_audit.log"      # The log file for above.
MODSEC_LOGELEMENT="ABIFHZ"             # Elements of an event that will be logged
 #A = audit log header (mandatory)
 #B = request headers
 #I = request body, except when multipart/form-data encoding is used
 #F = final response headers
 #H = audit log trailer
 #Z = final boundary (mandatory)
MODSEC_REQMEMLIMIT="131072"            # Maximum size of the request body to keep in memory; a higher value requires more server memory, a lower one can impact disk I/O
MODSEC_DEBUGLOG=yes                    # not used yet (on by default: modsec_debug.log)
MODSEC_DATADIR="/var/asl/data/msa"     # top level dir used for mod_security internals. Must be read/write by the apache user
MODSEC_TMPDIR="/tmp"                   # Directory where temporary files are created
MODSEC_CLEAN_ALERT="90"                # Number of days to keep logs of events.


# Rule configuration starts here
MODSEC_RULES_POLICY=on                 # enable/disable the HTTP Policy rules 
MODSEC_RULES_ROBOTS=on                 # enable/disable the Bad Robot rules
MODSEC_RULES_GENERIC=on                # enable/disable generic attack rules
MODSEC_RULES_TROJAN=on                 # enable/disable trojan detection rules
MODSEC_RULES_OUTBOUND=off              # enable/disable outbound rules (recommend this OFF for PSA environments)
MODSEC_RULES_MARKETING=off             # enable/disable marketing tracking rules (google, msn, yahoo bots)
MODSEC_RULES_LOCAL=on                  # enable/disable local rules



# PHP Functions
PHP_CHECKS=yes                         # (yes/no) enable/disable php checks
PHP_SAFE_MODE=yes                      # (yes/no) enable safe_mode checks. Turning safe_mode off exposes you to a number of threats, including remote file inclusion
ALLOW_dl=no                            # (yes/no) disables the dl() function. dl() would allow an attacker to load their own extension into php. 
ALLOW_exec=no                          # (yes/no) disables exec() function. exec() allows an attacker to execute shell commands through php
ALLOW_leak=no                          # (yes/no) disables leak() function. 
ALLOW_passthru=no                      # (yes/no) disable passthru(). This function allows an attacker to execute shell commands through php
ALLOW_pfsockopen=no                    # (yes/no) This function allows an attacker to open sockets, useful for spamming, remote inclusion, etc.
ALLOW_phpinfo=yes                      # (yes/no) recon attack. Allowed by default in psa environments. phpinfo can expose internal information used by attackers
ALLOW_popen=no                         # (yes/no) process open, allows attacker to execute commands on a system
ALLOW_posix_kill=no                    # (yes/no) kill processes owned by the apache user
ALLOW_posix_mkfifo=no                  # (yes/no) creates a special FIFO file which exists in the file system and acts as a bidirectional communication endpoint for processes
ALLOW_posix_setpgid=no                 # (yes/no) Set process group id for job control
ALLOW_posix_setsid=no                  # (yes/no) Make the current process a session leader
ALLOW_posix_setuid=no                  # (yes/no) Set the UID of the current process. (Apache would have to run as root for this to work anyway)
ALLOW_proc_close=no                    # Close a process opened by proc_open() 
ALLOW_proc_get_status=no               # Get information about a process opened by proc_open()
ALLOW_proc_nice=no                     # change nice level on process opened by proc_open
ALLOW_proc_open=no                     # execute commands
ALLOW_proc_terminate=no                # kill processes started by proc_open()
ALLOW_shell_exec=no                    # execute shell commands
ALLOW_show_source=no                   # Alias of highlight_file(), lets you view a php file. Exposes passwords, vulnerability recon, etc.
ALLOW_system=no                        # execute shell commands
# Denyhosts settings
# uses EMAIL for notifications
DENYHOSTS_ENABLED=yes
DENYHOSTS_EMAIL="$EMAIL"
DENYHOSTS_FROM="denyhosts@$HOSTNAME"
DENYHOSTS_SYSLOG=yes
DENYHOSTS_SHUN_TIME="4w"
# SSH
ALLOW_ssh_proto1=no 
ALLOW_root_logins=no
DISABLE_strict_mode=no
DISABLE_ignore_rhosts=no
DISABLE_pubkey_authentication=no
ALLOW_password_authentication=no
DISABLE_privilege_separation=no 
# Rkhunter settings
RKHUNTER_ENABLED=yes
RKHUNTER_EMAIL=$EMAIL
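The serial audit log selected by MODSEC_LOGTYPE and MODSEC_LOGELEMENT above is what you read before deciding whether a rule id should be disabled with asl --disable-rule or reported as a false positive. As an added example (not ASL's own code), a small Python parser that splits such a log into its A/B/I/F/H/Z parts and pulls the unique id, request line, status and rule ids out of each entry; the sample entry, its addresses, ids and messages are constructed.

```python
import re

# Constructed sample entry from a serial audit log (MODSEC_LOGTYPE="Serial",
# MODSEC_LOGELEMENT="ABIFHZ"); the rule ids, addresses and messages are made up.
SAMPLE_LOG = """--a1b2c3d4-A--
[23/Aug/2010:17:49:00 +0000] TgXvQ0pA3sAAAGyVNXQAAAAB 192.0.2.10 51234 198.51.100.5 80
--a1b2c3d4-B--
GET /index.php?page=../../etc/passwd HTTP/1.1
Host: www.example.com

--a1b2c3d4-F--
HTTP/1.1 403 Forbidden

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "../" at ARGS:page. [id "123456"] [msg "Directory traversal"]
Message: Warning. Pattern match "passwd" at ARGS:page. [id "123457"] [msg "Sensitive file"]
Action: Intercepted (phase 2)

--a1b2c3d4-Z--
"""

# Part separator: "--<8 hex chars>-<part letter>--" on a line of its own.
BOUNDARY_RE = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$", re.M)
# A part: [timestamp] unique_id source_ip source_port dest_ip dest_port
A_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)")
ID_RE = re.compile(r'\[id "(\d+)"\]')

def parse_serial_audit_log(text):
    """Return {boundary_token: {part_letter: body}} for every entry in the log."""
    entries = {}
    marks = list(BOUNDARY_RE.finditer(text))
    for i, m in enumerate(marks):
        token, part = m.group(1), m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.setdefault(token, {})[part] = text[m.end():end].strip("\n")
    return entries

def summarize(entry):
    """What an admin needs before deciding on asl --disable-rule or a false-positive report."""
    a = A_RE.match(entry["A"]).groupdict()
    request_line = (entry.get("B") or "-").splitlines()[0]
    status = entry["F"].split()[1] if entry.get("F") else None   # "HTTP/1.1 403 Forbidden" -> "403"
    blocked = "Access denied" in entry.get("H", "")
    return {"unique_id": a["uid"], "src": a["src"], "timestamp": a["ts"],
            "request": request_line, "status": status, "blocked": blocked,
            "rule_ids": ID_RE.findall(entry.get("H", ""))}

def summarize_log(text):
    return [summarize(e) for e in parse_serial_audit_log(text).values()]
```

On a real system, pass the contents of the file named by MODSEC_LOGFILE to summarize_log() and look for the same rule id recurring on legitimate requests before disabling it.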

Reporting False Positives

See the Reporting False Positives page for details.

Application Inventory

The application inventory module is designed to identify applications installed on the system by analysing their source code. It can be a very CPU intensive operation and is configured by default to run once per day. ASL supports configuring the Application Inventory to run daily, weekly, or not at all, with the following setting in /etc/asl/config:

APPINV_CRON="daily"

Valid settings for this field are:

  • "daily"
  • "weekly"
  • "off"

Changing this setting in /etc/asl/config does *NOT* require a policy update with "asl -s -f".

ASL Web GUI Password Reset

To reset your password, run this command:

/var/asl/bin/asl-web-passwd your_user_name


Mod_Security: Enabling/Disabling Rules

ASL supports the ability to disable rules through the web and command line interface. To disable a rule just use this command:

asl --disable-rule <rule id>

Once a rule has been disabled, it can be re-enabled by running the following:

asl --enable-rule <rule id>

example:

asl --enable-rule 123456

You can also do this per virtual host:

asl --vhost www.example.com --disable-rule <rule id>

asl --vhost www.example.com --enable-rule <rule id>

A full list of currently disabled rules is available in /etc/asl/disabled_signatures

ASL inside a VPS

All of the features of ASL work inside a VPS except the ASL kernel (this is not to be confused with a virtual machine; the ASL kernel works just fine in a VM). VPSes do not have their own kernel: a VPS is an abstraction of the single kernel running on the host system. If you are using a VPS on a server that is not running ASL you will see several important kernel vulnerabilities reported in your system. These vulnerabilities are real, and they cannot be fixed from inside a VPS.

To eliminate these vulnerabilities in a VPS the host server must be running ASL as well.

VPSes will also see "hidden processes" reported by ASL. This is also expected, as the rootkit detection capabilities of ASL are seeing hidden processes from other VPSes running on the same system. VPS customers that do not wish to get these alerts will therefore need to turn rootkit checks off inside their VPS. To do this, modify this file:

/var/ossec/etc/ossec.conf

Search for this:

 <rootcheck>

you should see something like this:

 <rootcheck>
 <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
 <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
 </rootcheck>

Change that to this:

 <rootcheck>
 <disabled>yes</disabled>
 </rootcheck>

You will also want to disable the hidden process checks performed inside the VPS by rkhunter. To do this, edit this file:

/etc/rkhunter.conf

Look for this line:

 ENABLE_TESTS="all"

Change it to:

 #ENABLE_TESTS="all"

Then look for this line:

 #DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"

And change it to:

 DISABLE_TESTS="hidden_procs os_specific"
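The two file edits above, written as an added example (not ASL's own tooling) so they can be applied the same way on every VPS and verified afterwards; the check functions also let you confirm that a host server still has both checks on. The file fragments are constructed and assume the block layout shown above.

```python
import re

# Constructed fragments of the two files the VPS procedure edits.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
</ossec_config>
"""
SAMPLE_RKHUNTER_CONF = """ENABLE_TESTS="all"
#DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"
"""

# One <rootcheck>...</rootcheck> block, keeping its indentation for the rewrite.
ROOTCHECK_RE = re.compile(r"^(?P<indent>[ \t]*)<rootcheck>.*?</rootcheck>", re.S | re.M)

def disable_ossec_rootcheck(conf):
    """Replace every <rootcheck> block with one that only carries <disabled>yes</disabled>."""
    def repl(m):
        i = m.group("indent")
        return f"{i}<rootcheck>\n{i}  <disabled>yes</disabled>\n{i}</rootcheck>"
    new, n = ROOTCHECK_RE.subn(repl, conf)
    if n == 0:
        raise ValueError("no <rootcheck> block found")
    return new

def rootcheck_disabled(conf):
    blocks = [m.group(0) for m in ROOTCHECK_RE.finditer(conf)]
    return bool(blocks) and all(re.search(r"<disabled>\s*yes\s*</disabled>", b) for b in blocks)

OLD_DISABLE_LINE = '#DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps"'
NEW_DISABLE_LINE = 'DISABLE_TESTS="hidden_procs os_specific"'

def disable_rkhunter_hidden_procs(conf):
    """Comment out ENABLE_TESTS="all" and activate the DISABLE_TESTS line from the procedure."""
    out, found = [], False
    for line in conf.splitlines():
        if line.startswith("ENABLE_TESTS="):
            line = "#" + line
        elif line == OLD_DISABLE_LINE or line.startswith("DISABLE_TESTS="):
            line, found = NEW_DISABLE_LINE, True
        out.append(line)
    if not found:                      # line absent: append it rather than silently do nothing
        out.append(NEW_DISABLE_LINE)
    return "\n".join(out) + "\n"

def rkhunter_hidden_procs_disabled(conf):
    lines = conf.splitlines()
    active = [l for l in lines if l.startswith("DISABLE_TESTS=")]
    return not any(l.startswith("ENABLE_TESTS=") for l in lines) and any("hidden_procs" in l for l in active)
```

Read /var/ossec/etc/ossec.conf and /etc/rkhunter.conf, pass their text through the two disable functions and write the results back; both functions are idempotent, so re-running them is safe.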


It is recommended that you do not disable these checks on the host server.

If you are not on a VPS, then a report of hidden processes means you do in fact have hidden processes. That means your system was compromised at some point in the past, and ASL has detected that a rootkit is installed.
