Difference between revisions of "ASL installation"

From Atomicorp Wiki
m (Automated ASL installer)
m (Installation and Downloads)
Line 21: Line 21:
 
= Installation and Downloads =
 
= Installation and Downloads =
  
== Release Notes ==
+
== Step 1:  Read the Release Notes ==
  
 
The latest ASL release notes are available in the [https://www.atomicorp.com/wiki/index.php/Atomic_Secured_Linux#ASL_3.2_Release_Notes ASL 3.2 Release Notes article]
 
The latest ASL release notes are available in the [https://www.atomicorp.com/wiki/index.php/Atomic_Secured_Linux#ASL_3.2_Release_Notes ASL 3.2 Release Notes article]
  
== Automated ASL installer ==
+
== Step 2:  Run the Automated ASL installer ==
  
 
Installing ASL is as simple as running one command, and answering a few questions about your system.  The rest is taken care of for you by ASL.  No need to mess around with configuration files, installing rpms, compiling from source or setting up repos.  Just run the installer as root and answer the questions the installer provides to tailor ASL for your system.
 
Installing ASL is as simple as running one command, and answering a few questions about your system.  The rest is taken care of for you by ASL.  No need to mess around with configuration files, installing rpms, compiling from source or setting up repos.  Just run the installer as root and answer the questions the installer provides to tailor ASL for your system.
Line 37: Line 37:
 
Follow the instructions in the installer being sure to answer the configuration questions appropriately for your system.  Once the installation is complete you will need to reboot your system to boot into the new hardened kernel that comes with ASL.  You do not have to use this kernel to enjoy the other features of ASL, but we recommend you use the hardened kernel as it includes many additional security features that are not found in non-ASL system.
 
Follow the instructions in the installer being sure to answer the configuration questions appropriately for your system.  Once the installation is complete you will need to reboot your system to boot into the new hardened kernel that comes with ASL.  You do not have to use this kernel to enjoy the other features of ASL, but we recommend you use the hardened kernel as it includes many additional security features that are not found in non-ASL system.
  
== Post-Installation Quickstart/Configuration ==
+
== Step 3: (Optional)  If you have installed the ASL kernel ==
 +
 
 +
Reboot your system to boot into the secure ASL kernel.  The secure ASL kernel is not required to run ASL, but it will make your system more secure and protection it from things your regulat kernel can not.
 +
 
 +
=== Before you reboot ===
 +
 
 +
Check to make sure you haven't locked yourself out of your system.  If you told ASL to lock down SSH, make sure you can log into your system.  Don't close out your current session, '''log in with a new session'''.  This way you can confirm that you haven't installed bad ssh keys, or otherwise configured your server so you can't log in.
 +
 
 +
== Step 4:  Post-Installation Quickstart/Configuration ==
  
 
=== Log into the GUI ===
 
=== Log into the GUI ===
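Review bot: the sentence added under the new Step 3 heading has two typos: "protection it" should be "protect it" and "regulat kernel" should be "regular kernel". Also, the unchanged paragraph just above it still says "you will need to reboot your system", while the new heading marks the reboot as optional; reword one of them so the two agree.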
Line 45: Line 53:
 
You can view alerts, block attackers, configure ASL and use its many features from the GUI.
 
You can view alerts, block attackers, configure ASL and use its many features from the GUI.
  
=== Before you reboot ===
+
The username and password are the same credentials you created when you purchased your licenseYou can change the ASL control panel credentials by following the process [https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_can_I_reset_my_ASL_GUI_password.28s.29.3F here], and you can additional users by following [https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_can_I_create_new_accounts_in_the_ASL_GUI_.3F this process].
 
+
Check to make sure you haven't locked yourself out of your systemIf you told ASL to lock down SSH, make sure you can log into your system. Don't close out your current session, '''log in with a new session'''. This way you can confirm that you haven't installed bad ssh keys, or otherwise configured your server so you can't log in.
+
  
 
=== Log into the support portal ===
 
=== Log into the support portal ===
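Review bot: in the credentials sentence added under "Log into the GUI", "you can additional users" is missing its verb and should read "you can add additional users". The link labels "here" and "this process" would be easier to scan if they named the FAQ entries they point to.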
Line 56: Line 62:
  
 
The support system uses the same username and password used to install ASL (your ASL username and password).  Please make sure you can log into the support portal to make use of the support portals features such as case management, bug tracking and the knowledge base.
 
The support system uses the same username and password used to install ASL (your ASL username and password).  Please make sure you can log into the support portal to make use of the support portals features such as case management, bug tracking and the knowledge base.
 +
 +
=== ASL FAQ ===
 +
 +
And also, please read thru the [[ASL FAQ]].  It covers just about everything anyone has every asked us about, regarding ASL.
  
 
== Command Line ==
 
== Command Line ==
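Review bot: the new ASL FAQ paragraph reads "anyone has every asked us"; "every" should be "ever", and "thru" is better spelled "through" in documentation. The opening "And also" is no longer needed now that the paragraph sits under its own heading.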

Revision as of 17:30, 3 December 2012


Introduction

ASL is designed to integrate with your existing operating system. Customized environments that deviate from the OS vendor's designed standards and packaging can use ASL Lite, or consult with our services group for a custom solution.

Dedicated systems will be using the ASL hardened kernel. For older distributions this can involve changes in the names of the SATA, SCSI, and network card kernel modules.

Before You Start

Please note: If you purchased a Rules Only subscription, please follow the instructions at https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Optional_Manual_Installation instead. The instructions on this page are for installing ASL.

If you purchased Atomic Secured Linux, then continue to the steps below.

Prerequisites

Please see the ASL prerequisites page for important information outlining the system requirements for ASL to function, and recommendations for it to perform optimally.

Requirements

Please see the ASL prerequisites page for requirements and recommendations for ASL installation.

Installation and Downloads

Step 1: Read the Release Notes

The latest ASL release notes are available in the ASL 3.2 Release Notes article.

Step 2: Run the Automated ASL installer

Installing ASL is as simple as running one command, and answering a few questions about your system. The rest is taken care of for you by ASL. No need to mess around with configuration files, installing rpms, compiling from source or setting up repos. Just run the installer as root and answer the questions the installer provides to tailor ASL for your system.

wget -q -O - https://www.atomicorp.com/installers/asl |sh

If you prefer to use a standard HTTP connection run this command:

wget -q -O - http://www.atomicorp.com/installers/asl |sh

Follow the instructions in the installer, being sure to answer the configuration questions appropriately for your system. Once the installation is complete you will need to reboot your system to boot into the new hardened kernel that comes with ASL. You do not have to use this kernel to enjoy the other features of ASL, but we recommend you use the hardened kernel as it includes many additional security features that are not found in non-ASL systems.
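As an added example (not Atomicorp's own code): instead of piping the download straight into sh, the installer can be fetched over HTTPS to a file, checked, hashed and read before it is run as root. The function names and the /root/asl-installer.sh path are assumptions.

```shell
#!/bin/sh
# Added example, not Atomicorp's code: stage the installer instead of piping it to sh.
INSTALLER_URL="https://www.atomicorp.com/installers/asl"   # HTTPS URL from this page

# Accept only https:// URLs so the script is fetched over an authenticated channel.
is_https_url() {
    case "$1" in
        https://?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Non-empty and parses as shell; "sh -n" reads the file without executing it,
# which catches empty or cut-off downloads (unterminated quotes, if/fi, etc.).
parses_as_shell() {
    [ -s "$1" ] && sh -n "$1" 2>/dev/null
}

# Download to $2, sanity-check it, and print its SHA-256 for the change record.
stage_installer() {
    url=$1
    dest=$2
    is_https_url "$url" || { echo "refusing non-HTTPS URL: $url" >&2; return 1; }
    wget -q -O "$dest" "$url" || { rm -f "$dest"; echo "download failed" >&2; return 1; }
    parses_as_shell "$dest" || { echo "incomplete or non-shell download: $dest" >&2; return 1; }
    chmod 600 "$dest"
    sha256sum "$dest"
}

# Usage as root (the destination path is an assumption):
#   stage_installer "$INSTALLER_URL" /root/asl-installer.sh
#   less /root/asl-installer.sh      # read it before running it
#   sh /root/asl-installer.sh
```

Keeping the staged file and its hash gives you a record of exactly what was executed as root on the system.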

Step 3: (Optional) If you have installed the ASL kernel

Reboot your system to boot into the secure ASL kernel. The secure ASL kernel is not required to run ASL, but it will make your system more secure and protect it from things your regular kernel cannot.

Before you reboot

Check to make sure you haven't locked yourself out of your system. If you told ASL to lock down SSH, make sure you can log into your system. Don't close out your current session, log in with a new session. This way you can confirm that you haven't installed bad ssh keys, or otherwise configured your server so you can't log in.

Step 4: Post-Installation Quickstart/Configuration

Log into the GUI

https://YOUR_SERVERS_IP:30000

You can view alerts, block attackers, configure ASL and use its many features from the GUI.

The username and password are the same credentials you created when you purchased your license. You can change the ASL control panel credentials by following the process here, and you can add additional users by following this process.

Log into the support portal

Finally, we highly recommend you click on the "Support" tab in the ASL GUI, or go to this URL to log into your support account:

https://www.atomicorp.com/support/support-portal.html

The support system uses the same username and password used to install ASL (your ASL username and password). Please make sure you can log into the support portal to make use of the support portal's features such as case management, bug tracking and the knowledge base.

ASL FAQ

Also, please read through the ASL FAQ. It covers just about everything anyone has ever asked us about ASL.

Command Line

If you're a command line person you can also run or re-run many of ASL's features from the command line. Here are a few highlights:

1) Configure/Re-Configure ASL

 asl -c

2) Scan the system for vulnerabilities, malware and other security issues.

 asl -s

3) Scan the system for vulnerabilities, malware and other security issues and have ASL fix the system.

 asl -s -f

You can also find out about all the command line options in asl by running this command:

 asl -h

Troubleshooting

Please see the ASL Troubleshooting article.

We also recommend you read the ASL FAQ.

SELinux

SELinux policies have been known to interfere with some RPM updates. This is because SELinux policies are not always adjusted for modern platforms and third party packages, such as control panels. This can manifest itself in mysterious failures in %pre and %post macros (confirmed on RHEL4).

ASL includes an advanced RBAC system that is more powerful and easier to use than SELinux, and we recommend you use that instead of SELinux. If you wish to use SELinux, ASL will work fine with it, but you may need to adjust your SELinux policies for your system's specific needs.

If you encounter any issues with rpm installations on your system, and you are not qualified to adjust the SELinux policies that came with your operating system, we recommend you disable SELinux and use the built-in RBAC in ASL.

To disable SELinux set:

selinux=0

in the kernel boot parameters for your system.

setenable 0, setenforce 0 and disabling SELinux with sysctl are not effective. To disable SELinux you must boot with selinux=0 set for your system.

Known Kernel Module Name Changes

1and1 network card module name changes

Vmware SCSI emulation name changes


1and1 Checklist for /etc/modules.conf or /etc/modprobe.conf

Step 1) Enumerate hardware with /sbin/lspci

Step 2) Check network cards. For Ethernet controller: VIA Technologies, Inc. VT6102 [Rhine-II], the entry was

 alias eth0 8139too

change to

 alias eth0 via-rhine

Step 3) Check SATA modules

Testing the Kernel

Grub Users

1) Once the Atomic kernel is installed, determine in which position the Atomic kernel has been installed.

Example:

[root@ac3 ~]# cat /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/hda3
#          initrd /initrd-version.img
#boot=/dev/hda
default=1
timeout=5
serial --unit=0 --speed=57600
terminal --timeout=5 serial console
title CentOS (2.6.17-1.art)
       root (hd0,0)
       kernel /vmlinuz-2.6.17-1.art ro root=LABEL=/ console=ttyS0,57600n8 selinux=0
       initrd /initrd-2.6.17-1.art.img
title CentOS (2.6.9-34.0.2.ELsmp)
       root (hd0,0)
       kernel /vmlinuz-2.6.9-34.0.2.ELsmp ro root=LABEL=/ console=ttyS0,57600n8
       initrd /initrd-2.6.9-34.0.2.ELsmp.img

Note the line default=1. This indicates which kernel the system will boot by default, with positions counted from 0. Position 0 is "title CentOS (2.6.17-1.art)", and position 1 is "title CentOS (2.6.9-34.0.2.ELsmp)" in this example, indicating the system is configured to boot into the default CentOS kernel.

2) Type: grub

The following will be displayed:

GNU GRUB  version 0.97  (640K lower / 3072K upper memory)
[ Minimal BASH-like line editing is supported.  For the first word, TAB
  lists possible command completions.  Anywhere else TAB lists the possible
  completions of a device/filename.]
grub>

3) At the grub prompt set the default kernel to 0, and to only boot once with the following:

grub> savedefault --default=0 --once

4) Type: quit

5) Reboot the system. If for some reason the system does not work with the Atomic kernel, or is otherwise non-responsive, power-cycling the system will restore the system to the default kernel.
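The position counting described in step 1 can be checked with a short script. This is an added example, not part of the original page or of ASL; the function names are hypothetical and the sample input is constructed from the grub.conf shown above.

```shell
#!/bin/sh
# Added example: show which GRUB legacy entry default=N selects in a grub.conf.

# Sample input, constructed from the grub.conf shown on this page (abridged).
sample_conf() {
cat <<'EOF'
#boot=/dev/hda
default=1
timeout=5
title CentOS (2.6.17-1.art)
       root (hd0,0)
       kernel /vmlinuz-2.6.17-1.art ro root=LABEL=/ console=ttyS0,57600n8 selinux=0
title CentOS (2.6.9-34.0.2.ELsmp)
       root (hd0,0)
       kernel /vmlinuz-2.6.9-34.0.2.ELsmp ro root=LABEL=/ console=ttyS0,57600n8
EOF
}

# Print "position<TAB>title" for each title line, counting from 0 as GRUB does.
list_entries() {
    awk '/^[ \t]*title[ \t]/ { sub(/^[ \t]*title[ \t]+/, ""); printf "%d\t%s\n", n++, $0 }' "$1"
}

# Print the value of the default=N line (0 if there is no such line).
default_index() {
    awk -F= '/^[ \t]*default[ \t]*=/ { gsub(/[ \t]/, "", $2); d = $2 }
             END { print (d == "" ? 0 : d) }' "$1"
}

# Print the title of the entry that boots by default.
default_title() {
    list_entries "$1" | awk -F'\t' -v d="$(default_index "$1")" '$1 == d { print $2 }'
}

# Print the position of the first entry whose title contains ".art"
# (assumption: Atomic kernels carry ".art" in the version, as in the sample).
art_index() {
    list_entries "$1" | awk -F'\t' '$2 ~ /\.art/ { print $1; exit }'
}

# Succeed only when the default entry is the Atomic kernel.
boots_art_by_default() {
    a=$(art_index "$1")
    [ -n "$a" ] && [ "$(default_index "$1")" = "$a" ]
}
```

On a real system, pass /etc/grub.conf to these functions; the value printed by art_index is the number to give to savedefault --default= in step 3.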

Lilo Users

1) The art kernel should be listed in /boot - for example:

       /boot/vmlinuz-2.6.19-7.art

2) Create a symbolic link to this:

       ln -s  /boot/vmlinuz-2.6.19-7.art   /boot/vmlinuz-art

3) Edit /etc/lilo.conf to add a section for the art kernel, e.g.:

       image=/boot/vmlinuz-art
       label=lxart
       append="console=tty0 console=ttyS0,57600 panic=30"

4) Type: lilo to make the change permanent. Then, to test that you can boot into the new kernel, run:

      lilo -v -v
      lilo -R lxart
      shutdown -r now

5) When it's rebooted, doing a uname -r should show the new art kernel. Now you can make it permanent. Edit /etc/lilo.conf so that it has the line:

      default=lxart

6) Type lilo, then reboot.

Important Notes

cPanel

Do not enable modsecurity in cPanel, and do not use cPanel to upgrade or install modsecurity. cPanel does not use the latest version of modsecurity, and ASL is only tested and supported with the latest version supplied by ASL. ASL will automatically upgrade modsecurity if necessary.

Enabling modsecurity in cPanel will replace modsecurity with an older, incompatible version and is not supported. This will likely also break your modsecurity configuration, as cPanel does not include all of the patches and enhancements in modsecurity that ASL comes with.
