ASL prerequisites

From Atomicorp Wiki


Introduction

Atomic Secured Linux, or ASL for short, is a security suite that analyzes activity on your system in real time. For it to work correctly it needs a properly tuned system with reasonable resources. This document outlines the requirements for installing ASL and for it to function properly, and recommendations for it to perform optimally.

Requirements

Client

ASL is accessed and managed through a dedicated web console in your web browser. Please see the following FAQ for the list of browsers that ASL currently supports:

https://www.atomicorp.com/wiki/index.php/ASL_FAQ#What_browsers_does_the_ASL_GUI_work_with.3F

ASL also includes a limited number of command line features.

Server

Operating system

ASL is tested on up to date versions of the supported operating systems. This means that you will need to have all vendor patches installed for ASL to work correctly.

Supported Operating Systems

A list of supported operating systems is provided at this URL:

http://wiki.atomicorp.com/wiki/index.php?title=ASL_FAQ#What_Linux_distributions_do_you_support.3F

OS Updates and patches

ASL is tested on up to date versions of the supported operating systems. This means that you will need to have all vendor patches installed for ASL to install and work correctly.

ASL will not install on a system that is missing vendor updates, and will generate an alert during installation if vendor updates are missing. You must have your system patched and up to date to install ASL.

Third Party modifications to the OS

Third Party modifications to operating system (OS) files are not supported. For example, third party replacement of glibc would not be supported.

Hardware

Memory

ASL requires at least 2 GB of memory. 4 GB of memory is highly recommended to make use of all of ASL's features.

CPU

4 CPU cores are recommended to use all of ASL's features.

ASL does not require a 64-bit CPU; however, the use of 64-bit CPUs is highly recommended.

File systems

ASL disk space requirements

Minimum free disk space requirements per partition:

Directory   Minimum free space required
/var        Varies (see note below)
/usr        500 MB
/tmp        10 MB (see note below)
/etc        100 MB
/boot       30 MB (see note 1 and note 2 below)

ASL logs and records security events on the system. The amount of space required for this varies with the number of events that occur on your system. ASL records all of its events in the /var partition, so you must have adequate free space available there. We recommend at least 5GB of space in this partition, but this is a minimum: allocate more if you intend to keep logs for extended periods, and increase it according to the number of events on your system and the archive period set in your ASL Configuration.

ASL components will be installed in the /boot, /usr, /etc and /var partitions. A minimum of 100MB of free space is required to install ASL, and additional space is required in /var as described above.
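The following script, added here as an example and not part of Atomicorp's ASL tooling, checks the free space on each partition in the table above against the stated minimums. The per-directory thresholds are the page's; since /var has no fixed figure in the table, the page's recommended 5 GB floor is used for it, and the ASL_VPS variable (an assumption of this script, not an ASL setting) skips /boot on OpenVZ/Virtuozzo containers where no kernel is installed.

```shell
#!/bin/sh
# Added example (not Atomicorp's code): compare free disk space on the
# partitions ASL installs into with the minimums from the table above.

# Free megabytes on the filesystem holding PATH (df -P gives a stable layout).
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Return 0 when FREE_MB satisfies MIN_MB, 1 otherwise.
meets_minimum() {
    [ "$1" -ge "$2" ]
}

# Evaluate one directory against its minimum; prints a line, returns 0 on pass.
check_dir() {
    dir="$1"; min="$2"
    if [ ! -d "$dir" ]; then
        echo "skip  $dir (not present on this system)"; return 0
    fi
    free=$(free_mb "$dir")
    if meets_minimum "$free" "$min"; then
        echo "ok    $dir: ${free} MB free (minimum ${min} MB)"
    else
        echo "LOW   $dir: ${free} MB free, minimum is ${min} MB"; return 1
    fi
}

# Minimums from the table; /var uses the page's recommended 5 GB floor.
# ASL_VPS=1 (assumed variable) skips /boot, since containers share the host kernel.
check_all() {
    failures=0
    while read -r dir min; do
        [ "$dir" = /boot ] && [ "${ASL_VPS:-0}" = 1 ] && continue
        check_dir "$dir" "$min" || failures=$((failures + 1))
    done <<EOF
/var 5120
/usr 500
/tmp 10
/etc 100
/boot 30
EOF
    return $failures
}

check_all || echo "$? partition(s) below the ASL minimum"
```

Run it as root before installing; any LOW line names a partition that needs to grow before ASL can be installed or, for /var, before it can retain events for long.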

Third Party yum repositories

ASL is tested and supported with standard installations of the supported OSes, and not with any third party versions of software.

Database

Requirements

ASL requires a database to work. The supported databases are documented below. Please follow the instructions in those sections for your platform.

Supported databases

Centos

ASL is supported with the official versions from Centos for that distribution.

Centos 6

ASL is supported with Mysql as provided by the Centos project.

Centos 7

ASL is supported with Mariadb 5 and 10 as provided by the Centos project.

Redhat

ASL is supported on RHEL 5, 6 and 7 with the official versions from Redhat for that distribution.

Cloud Linux
CloudLinux 5 and 6

ASL is supported with the official versions from Centos for that distribution.

CloudLinux 7

ASL is supported with MariaDB 5 and 10.

Third Party versions

ASL also works with the following versions of cPanel's MySQL RPMs, where cPanel currently supports them for that OS and architecture:

  1. MySQL50
  2. MySQL51
  3. MySQL55

Note: cPanel does not follow package management or MySQL norms or standards. Unlike other MySQL vendors and packagers, cPanel makes non-standard changes to its MySQL RPMs, changing both the packages themselves and what they include. We encourage our customers to contact cPanel regarding any issues with cPanel's MySQL packages, or to use MySQL from one of the vendors above.

ASL is not tested or supported with any other MySQL or MariaDB variants, builds or versions not documented above.

Database installation

If you do not have a supported database already installed on your system, follow these instructions to install a supported database on your system in the sections below:

Centos 6 or Redhat Enterprise 6

Please follow the instructions at this link:

https://support.atomicorp.com/hc/en-us/articles/360006149833

Centos 7 or RHEL 7

Please follow the instructions at this link:

https://support.atomicorp.com/hc/en-us/articles/360006056554

MySQL Configuration

old_passwords

This should not be enabled in mysql. If you have this enabled, for example:

old_passwords = 1

Disable or remove this option.

mysql root credentials

You will need your mysql root (superuser) credentials to install ASL. Please note that if your system is set up to only allow logins to your mysql superuser account from a specific IP, or from socket connections only, you will need to change this to allow logins as your mysql superuser account from the source IP address you configure ASL to use. If you use 127.0.0.1 as your mysql address (recommended), then ASL will use 127.0.0.1 as its source IP. If you use a non-localhost IP, then you will need to configure mysql to use

Note: on Plesk systems the mysql root (superuser) name is changed by Plesk to "admin". Please contact Parallels if you have questions.

skip-name-resolve

Do not enable skip-name-resolve. If skip-name-resolve is enabled in mysql, then mysql will not resolve localhost, and network logins will always fail if mysql is configured to only allow superuser logins from "localhost". You will find that command line logins still work, provided no host IP (127.0.0.1) is given, as mysql treats localhost as the file socket only.

Query caching

When using mysql, query caching must be enabled. The following setting must be set for ASL to perform correctly. Failure to set it will result in a significant performance impact on ASL and on the system.

query_cache_size=32m

This information is provided as a courtesy. To add this setting to mysql, look for this section:

[mysqld]

in your /etc/my.cnf file.

In this section you will want to add the query_cache configuration setting. For example:

query_cache_size=32m

And then restart mysqld.

If you are not comfortable with configuring mysql, please contact a qualified MySQL administrator for assistance. And in all cases, we recommend you make a backup of any configuration file before you change it.

skip-networking

mysql must not be started with --skip-networking. ASL chroots itself, and will use the localhost network socket to talk to mysql, and not the file system socket. Therefore, networking must be enabled in mysql.

max_connections

Setting this too low will cause unnecessary database timeouts and will adversely affect ASL, including but not limited to shunning, the event reporting system, the GUI, the search engine and other database driven elements of ASL, as documented at the URL below:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#OSSEC-dbd_Reports:_Lost_connection_to_MySQL_server_during_query

This should be set at a minimum to the number of concurrent mysql connections you would expect your mysql server to handle at its busiest. If you continue to get lost connection errors, you will need to increase this limit. For example:

max_connections = 2048

wait_timeout

Setting this too low will cause unnecessary database timeouts and will adversely affect ASL, including but not limited to shunning, the event reporting system, the GUI, the search engine and other database driven elements of ASL, as documented at the URL below:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#OSSEC-dbd_Reports:_Lost_connection_to_MySQL_server_during_query

This should be set to 28800 or higher:

wait_timeout=28800

interactive_timeout

Setting this too low will cause unnecessary database timeouts and will adversely affect ASL, including but not limited to shunning, the event reporting system, the GUI, the search engine and other database driven elements of ASL, as documented at the URL below:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#OSSEC-dbd_Reports:_Lost_connection_to_MySQL_server_during_query

This should be set to 28800 or higher:

interactive_timeout = 28800

MySQL tuning

ASL is tested with a standard MySQL configuration with query_caching enabled, as described above. If you have made additional changes to the configuration of MySQL these may be sub-optimal for ASL. Please consult a qualified MySQL expert for assistance with MySQL performance issues if you have made additional changes to the configuration of MySQL and experience performance issues.
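The script below, added as an example and not part of ASL or of any Atomicorp tool, audits the [mysqld] section of a my.cnf against the settings this MySQL Configuration section requires (old_passwords, skip-name-resolve, skip-networking, query_cache_size, max_connections, wait_timeout, interactive_timeout) and also reports on the bind-address=127.0.0.1 recommendation given under Recommendations further down the page. The two configuration files it checks are constructed samples written to temporary files; the option names, thresholds and 32m/28800 values are the page's. It assumes mysql's rule that option names written with underscores and with dashes are equivalent.

```shell
#!/bin/sh
# Added example (not Atomicorp's code): audit a my.cnf against the ASL
# prerequisites described above. Sample files below are constructed.

# Print the value of KEY from the [mysqld] section of FILE; exit 1 if unset.
# A key given without "=" (e.g. skip-name-resolve) yields an empty value.
mycnf_get() {
    awk -v key="$2" '
        BEGIN { gsub(/_/, "-", key) }        # mysql treats foo_bar and foo-bar alike
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        insect && !/^[ \t]*[#;]/ {
            line = $0; sub(/[ \t]*#.*$/, "", line)
            n = index(line, "=")
            if (n) { k = substr(line, 1, n - 1); v = substr(line, n + 1) } else { k = line; v = "" }
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/_/, "-", k)
            if (k == key) { val = v; found = 1 }   # last occurrence wins, as in mysql
        }
        END { print val; exit (found ? 0 : 1) }' "$1"
}

# Convert a size such as 32m / 1G / 4096 to bytes; non-numeric input gives 0.
to_bytes() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); n=${v%[kmg]}
    case "$n" in ''|*[!0-9]*) echo 0; return 0 ;; esac
    case "$v" in
        *k) echo $((n * 1024)) ;;
        *m) echo $((n * 1024 * 1024)) ;;
        *g) echo $((n * 1024 * 1024 * 1024)) ;;
        *)  echo "$n" ;;
    esac
}

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Audit FILE; prints one line per finding and returns the number of hard failures.
audit_mycnf() {
    local file="$1" fails=0 v opt
    if v=$(mycnf_get "$file" old_passwords) && { [ "$v" = 1 ] || [ "$v" = ON ]; }; then
        echo "FAIL: old_passwords is enabled; disable or remove it"; fails=$((fails + 1))
    fi
    for opt in skip-name-resolve skip-networking; do
        if v=$(mycnf_get "$file" "$opt") && [ "$v" != 0 ] && [ "$v" != OFF ]; then
            echo "FAIL: $opt is set; ASL needs localhost network logins to work"; fails=$((fails + 1))
        fi
    done
    if v=$(mycnf_get "$file" query_cache_size) && [ "$(to_bytes "$v")" -gt 0 ]; then
        echo "ok:   query_cache_size=$v"
    else
        echo "FAIL: query_cache_size missing or zero; set it (e.g. 32m) under [mysqld]"; fails=$((fails + 1))
    fi
    for opt in wait_timeout interactive_timeout; do
        if v=$(mycnf_get "$file" "$opt"); then
            if is_uint "$v" && [ "$v" -ge 28800 ]; then echo "ok:   $opt=$v"
            else echo "FAIL: $opt=$v is below 28800"; fails=$((fails + 1)); fi
        else
            echo "WARN: $opt not set; the server default applies (set it to 28800 or higher)"
        fi
    done
    if v=$(mycnf_get "$file" max_connections); then echo "ok:   max_connections=$v"
    else echo "WARN: max_connections not set; size it to your peak concurrent connections"; fi
    if v=$(mycnf_get "$file" bind-address) && [ "$v" = 127.0.0.1 ]; then echo "ok:   bind-address=127.0.0.1"
    else echo "INFO: bind-address=127.0.0.1 is recommended when remote mysql access is not needed"; fi
    return "$fails"
}

# Constructed sample configurations (not from a real server).
BAD_CNF=$(mktemp); GOOD_CNF=$(mktemp)
cat >"$BAD_CNF" <<'EOF'
[client]
socket=/var/lib/mysql/mysql.sock

[mysqld]
datadir=/var/lib/mysql
old_passwords = 1
skip-name-resolve
skip-networking
wait_timeout = 600
interactive_timeout=600
# query_cache_size intentionally not set

[mysqld_safe]
log-error=/var/log/mysqld.log
EOF
cat >"$GOOD_CNF" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
bind-address=127.0.0.1
query_cache_size=32m
max_connections = 2048
wait_timeout=28800
interactive_timeout = 28800
EOF

for f in "$BAD_CNF" "$GOOD_CNF"; do
    echo "== $f"
    audit_mycnf "$f" || echo "   $? problem(s) must be fixed before installing ASL"
done
```

Point audit_mycnf at /etc/my.cnf on a real system to get the same report; it only reads the file, so the usual advice about backing up the configuration before editing it still applies to the changes you make afterwards.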

Additional

VPS
kernel

VPS systems, that is virtual private servers using Virtuozzo or OpenVZ, will not have their own kernel (a VPS shares the host's kernel). Therefore, there is no free space requirement on a VPS for /boot, as the kernel will not be installed.

firewall

Note: Most hosting providers provide fully functional OpenVZ and Virtuozzo containers; however, some providers provide limited containers with very limited firewall capabilities. If your firewall does not start, then your container may be one of these limited systems.

Please see this Odin KB article to configure your OpenVZ/Virtuozzo hardware node:

http://kb.odin.com/en/113000

CPanel

If you have CPanel installed, you must have mod_uniqueid installed for mod_security to work correctly. Please contact CPanel for support if you are not sure how to enable this in CPanel.

Support software

shell

ASL does include some shell scripts. These shell scripts are "bash" shell scripts. If the default shell on the system has been changed from bash to some other shell these scripts may not work correctly. Therefore, ASL is only supported on systems where bash is configured as the default shell.

wget

To install ASL you must have a working copy of wget installed on your system, with working HTTPS support (this means your version of wget supports SSL, which ASL uses to download all the software it needs securely). All of the supported OSes above include HTTPS support in wget. However some third party products and hosting companies have been known to replace wget with crippled versions that do not support HTTPS. ASL will not install correctly if your system has been crippled in this manner.

install wget

As root run this command:

yum install wget

Then test to make sure wget supports TLS/SSL. To test if your wget supports HTTPS you can run this command:

wget https://www.atomicorp.com/test-file.html

If your wget supports SSL it will download the file test-file.html, and if you examine the contents of the file you will see this sentence:

If you can read this, your test worked.

If you do not see this sentence, then your wget likely does not support SSL. If you see an error like this:

HTTPS support not compiled in.

Your wget does not support SSL. This means someone has crippled your system and replaced the wget from your OS vendor with a crippled version of wget. They may have also replaced other critical parts of your OS with damaged and crippled software and your system will not be able to install and use ASL.

This means your system can not securely download software, which is a serious vulnerability. You will need to contact the parties that have crippled your system for a solution to replace the crippled version of wget they have installed on your system with a non-crippled version that supports SSL.

If you see an error like this:

Resolving www.atomicorp.com... failed: Name or service not known.

That means your system does not have DNS setup, or otherwise can not resolve our server. Please contact your hosting provider for assistance with DNS on your system.
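The script below is an added example, not part of ASL's installer, that automates the wget check described above. It first looks at the feature list printed by `wget --version` (GNU wget advertises compiled-in features as +https or -https), then classifies the diagnostics from a download attempt using the two error messages quoted on the page, and finally checks the downloaded file for the sentence the page says it contains. The live download only runs when ASL_NET_CHECK=1 (a variable assumed by this script), because it needs DNS and outbound HTTPS to www.atomicorp.com; the sample outputs at the bottom are constructed, not captured from a real run.

```shell
#!/bin/sh
# Added example (not Atomicorp's code): verify that wget can download over
# HTTPS, following the manual test on this page.

# Does `wget --version` advertise HTTPS? Prints: yes | no | unknown | missing
wget_https_feature() {
    command -v wget >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(wget --version 2>/dev/null) || true
    case "$out" in
        *"+https"*) echo yes ;;
        *"-https"*) echo no ;;
        *)          echo unknown ;;
    esac
}

# Classify the diagnostics wget printed while fetching the test file.
# Prints: crippled (no SSL support) | dns | ok | unknown
classify_wget_output() {
    case "$1" in
        *"HTTPS support not compiled in"*) echo crippled ;;
        *"Name or service not known"*)     echo dns ;;
        *"200 OK"*|*"saved ["*)            echo ok ;;
        *)                                 echo unknown ;;
    esac
}

# Confirm the downloaded file carries the sentence the page says it contains.
test_file_ok() {
    grep -q 'If you can read this, your test worked.' "$1"
}

# Full check; the live download only runs with ASL_NET_CHECK=1 (assumed variable).
run_wget_check() {
    echo "wget --version HTTPS feature: $(wget_https_feature)"
    [ "${ASL_NET_CHECK:-0}" = 1 ] || { echo "set ASL_NET_CHECK=1 to run the live download"; return 0; }
    dir=$(mktemp -d)
    out=$(cd "$dir" && wget --tries=1 --timeout=15 https://www.atomicorp.com/test-file.html 2>&1) || true
    echo "download result: $(classify_wget_output "$out")"
    if test_file_ok "$dir/test-file.html"; then echo "test-file.html content verified"; fi
    rm -rf "$dir"
}

run_wget_check

# Constructed samples of wget output, shaped like the messages quoted above.
SAMPLE_NOSSL='https://www.atomicorp.com/test-file.html: HTTPS support not compiled in.'
SAMPLE_DNS='Resolving www.atomicorp.com... failed: Name or service not known.'
echo "sample 1 -> $(classify_wget_output "$SAMPLE_NOSSL")"
echo "sample 2 -> $(classify_wget_output "$SAMPLE_DNS")"
```

A "crippled" result points at a replaced wget binary, which is the vendor-replacement problem the page describes; a "dns" result is a resolver problem on the host rather than a wget problem.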

Third Party Software

OSSEC

Do not install OSSEC from third party sources. ASL will replace and manage OSSEC on your system. ASL is not supported with third party sources for OSSEC.

If you have any third party software of this nature installed, and have issues using or installing ASL, you will need to uninstall this third party software or disable these features in those products.

rkhunter

Do not install rkhunter from third party sources. ASL will manage rkhunter on your system. ASL is not supported with third party sources for rkhunter, and third party, or worse, parallel installs of rkhunter are known to break rkhunter and its databases.

If you have any third party software of this nature installed, and have issues using rkhunter or installing ASL, you will need to uninstall this third party software.

clamav

ASL will install clamav on your system with the latest version of clamav, and will manage clamav for you. ASL is not supported with third party sources for clamav. Do not install clamav from third party sources.

If you have any third party software of this nature installed, and have issues using or installing ASL, you will need to uninstall this third party software or disable these features in those products.

modsecurity

Do not install modsecurity using any third party tools. If you have done this in the past, remove modsecurity, disable its installation in your control panel (if you are using a control panel), remove any rules and third party add ons, and completely remove your modsecurity configuration from your system.

Note: Do not enable modsecurity in cpanel. This will cause cpanel to overwrite the enhanced modsecurity and will cause duplicate rules to be installed on your system.

ASL is not supported with any third party software that manipulates modsecurity. If you have any third party software of this nature installed, and have issues using or installing ASL, you must uninstall all third party software that installs, configures or manipulates modsecurity before you install ASL.

Note: if you are using LiteSpeed, you do not have modsecurity installed on your system. You may have a module from LiteSpeed that acts like modsecurity. You do not need that module; please remove it and follow the instructions in the LiteSpeed article to set up LiteSpeed with the T-WAF. LiteSpeed must be protected with the T-WAF, as LiteSpeed's module does not support the full rule language and will leave your system open to attacks their module cannot protect you from. The T-WAF will fully protect LiteSpeed.

firewalls

In Linux you can only safely use one tool to manage your firewall. If you have multiple tools all trying to do the same thing, they absolutely will conflict with each other. For this reason, if you use a third party firewall with ASL, then you can not use ASL to manage your firewall as well. It absolutely will cause conflicts.

Therefore, ASL is not supported with any third party software that manipulates or manages the Linux firewall, iptables or ipset. This includes third party firewall management tools, such as CSF, APF, Parallels Firewall tools, the iptables service (not the iptables command line tools, just the service), firewalld, and any other firewall management tools. ASL includes a powerful firewall and kernel enhancements to the Linux firewall system (netfilter) that these tools do not support. The use of third party firewall tools is unnecessary and redundant.

If you have any third party software of this nature installed you will need to:

  1. uninstall this third party software before you install ASL, or if you can not uninstall it you must disable any firewall features in these products.
  2. remove all firewall rules implemented by these products

You also can not use third party firewall management tools to change the firewall on the system, for example fwbuilder. Only the use of the ASL firewall manager is supported with ASL.

If you installed ASL with any third party firewall you will need to remove it, and any firewall rules it has implemented on your system, and reinstall ASL.

If you want to use a third party firewall with ASL, then you must disable the ASL firewall and active response and any firewall related issues will be unsupported.

iptables daemon

Disable the iptables service.

You will not need to run the iptables daemon service with ASL (the iptables command line tools are fine; do not remove them). Running the iptables service will cause conflicts. Please make sure you have disabled the iptables service on your system:

service iptables stop

chkconfig --del iptables

If you had this service enabled when you installed ASL, you will experience problems with your firewall. You will need to disable the service, as described above, and flush any remaining firewall rules. Please follow the process below:

Step 1) Disable iptables


service iptables stop

chkconfig --del iptables

Step 2) Stop the ASL firewall

service asl-firewall stop

Step 3) Flush any remaining firewall rules

rm /etc/asl/firewall/running.fw

Step 4) Restart the ASL firewall

service asl-firewall start

firewalld

Disable the firewalld service.

You will not need to run the firewalld daemon service with ASL. Running the firewalld service will cause conflicts. Please make sure you have disabled the firewalld service on your system:

service firewalld stop

chkconfig --del firewalld

If you had this service enabled when you installed ASL, you will experience problems with your firewall. You will need to disable the service, as described above, and flush any remaining firewall rules. Please follow the process below:

Step 1) Disable firewalld

service firewalld stop

chkconfig --del firewalld

Step 2) Stop the ASL firewall

service asl-firewall stop

Step 3) Flush any remaining firewall rules

rm /etc/asl/firewall/running.fw

Step 4) Restart the ASL firewall

service asl-firewall start

Apache

ASL is fully compatible with Apache 2.0, 2.2, and 2.4. ASL will automatically install the WAF module into Apache for standard supported OS vendor Apache builds, and supported control panel builds.

PHP

The only versions of PHP currently supported by ASL are our version, your OS vendor's version, and cPanel's version built through EasyApache.

PERL

The only versions of PERL currently supported by ASL are our version and your OS vendor's official version.

Third party and source installs of PERL are not supported.

ConfigServer

ASL does not support any ConfigServer products. If you have these on your system, they will need to be uninstalled prior to your installation to ensure that ASL installs correctly, and works properly on your system. We have more information on the ConfigServer products located here: https://www.atomicorp.com/wiki/index.php/ASL_FAQ#Is_ASL_compatible_with_ConfigServer

fail2ban

fail2ban is not necessary and should not be used with ASL. The use of fail2ban with ASL may result in problems with your firewall, and could cause your system to be unreachable. If you have fail2ban on your system, uninstall it. Again, you will not need it with ASL.

Recommendations

Memory

A minimum of 4 GB of memory is recommended for sites with high volume of events and/or domains. In general, modern Linux systems perform better with more memory, as the Linux kernel will cache file reads speeding up the system and other applications will use memory to further speed up their operations. Memory is a cheap way to speed up a system.

CPU

Multiple 64-bit CPUs are highly recommended for systems with a high volume of events and/or domains.

Database

bind-address

If you do not need to allow remote access to mysql, then we recommend that you configure mysql to only allow connections from localhost. You can do that by adding this configuration option to /etc/my.cnf:

bind-address=127.0.0.1

And restarting the mysql service.

Query caching

When using mysql, query caching must be enabled. Larger query caches will result in greater performance; however, this must be tuned to the capabilities of the system. Larger query caches also require more memory, so to increase this setting you will need at least 2GB of RAM and preferably 4GB of RAM or more.

For example, on a system with 2GB of RAM the query cache should be set to:

query_cache_size=96m

For systems with 4GB of RAM, or more, a large query cache can be used:

query_cache_size=128m

You can try larger cache sizes, but we find that 128m is generally as high as you need to go. High values may be counter productive.

Dedicated I/O channel

For systems with high volumes of events we recommend you move your mysql databases to their own I/O channel separate from your web sites and/or other file system intensive operations. This will give the database its own dedicated I/O channel to the database files. Databases can be quite large, and the ASL events database will grow over time based on the archive settings you have configured in your ASL Configuration. Therefore, a faster way of reading these databases will improve performance on the system.

mysql tuning

If you are using mysql, we highly recommend you tune it with a professional's help. mysql is a wonderful and powerful database server, but it is not tuned in its default configuration and will perform very poorly as a result. Even if mysql appears to be performing well for you, if you are using the default settings your database server is operating much slower than it needs to be.

You can use the excellent tool mysqltuner to help with this; however, this tool only provides recommendations, and an expert should be consulted before making any changes to your mysql configuration and to make the best use of the recommendations mysqltuner provides.

To install mysqltuner, please run this command as root:

yum install mysqltuner

And to run it, just run this command:

mysqltuner

More information is available about mysqltuner at this website:

http://www.mysqltuner.com/

Disk Space

/boot

Warning: The 30MB minimum is just that, a minimum.

This is the minimum free space necessary to install the ASL kernel (which currently uses approximately 15MB of disk space), and to provide some additional space for a possible upgrade of that kernel. When upgrading kernels, ASL will attempt to retain the previous kernels installed on the system, in case there is a need to use older kernels. On systems where /boot lacks space it may not be possible to either install newer kernels or keep older kernels. Redhat recommends that /boot be set to a minimum of 250MB to ensure there is adequate space to install and retain kernels.

If your system only has 30MB of space available, you should expect to run into disk space issues on /boot in the future. At best you may only be able to install 2 kernels on your system. We highly recommend you increase the size of /boot to allow additional kernels to be installed, to give you both maximum flexibility and a fall back option to earlier kernels should you run into an issue with a different kernel.

/var

ASL follows the Linux standard, which is to use /var for all logs. ASL will keep records as long as you desire, therefore the minimum disk space requirement will depend on your data retention requirements. You should monitor your database and /var partition's disk usage and prepare to add more space based on the event volume of your system. If you run out of space in the /var directory, the ASL web console may not work correctly, and other parts of ASL may fail as well.

ASL will also record other events, such as file changes and software updates, in a special monitoring system; this data is also stored in /var. Please see the ASL FAQ for further details about tuning this system should you wish to use less disk space for it.

Please see the ASL configuration page for settings to control the number of days' worth of data ASL keeps in the database and in the stored logs in /var/asl:

https://www.atomicorp.com/wiki/index.php/ASL_Configuration

/tmp

Your operating system uses /tmp to process temporary files. For long term use of ASL, and the operating system, /tmp should be as large as necessary for your OS. The actual amount of space needed in your /tmp partition will vary substantially depending on what you are doing with your OS.

ASL needs some amount of free space in /tmp for installation, and may need to use /tmp as part of ongoing activities. However, this partition is primarily used by your OS, not ASL, and a full /tmp partition may have very adverse effects on your OS. Please contact your OS vendor for assistance with sizing your /tmp partition to meet your OS's needs.
