Difference between revisions of "Upgrading ASL"

From Atomicorp Wiki

Revision as of 12:32, 27 November 2012

ASL 3.2

Release Notes

Please see the Atomic_Secured_Linux#ASL_3.0_Release_Notes page.

Upgrading

ASL 3.2 uses the internal upgrade management system in ASL. You can upgrade ASL by following these steps:

Step 1)

/var/asl/bin/aum -u

or (deprecated)

/var/asl/bin/asl -u

Step 2)

/var/asl/bin/asl -s -f

Failure to run both of these commands will result in errors.

Automatic Upgrade

Check to make sure you have ASL set to upgrade itself:

Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".

If this is set to "all", ASL will automatically upgrade itself based on your upgrade configuration, which is by default to check for updates daily. You can change this to hourly if you wish the system to check more often, or you can force an upgrade by following the steps below.

Force an upgrade if you have automatic upgrades configured

Force update step 1

Run this command as root:

aum -uf

Force update step 2

Set the new security policy, by running this command as root:

asl -s -f

This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time, even if you have not upgraded any ASL components.

Please see the release notes, which include additional information when upgrading from 3.0 to 3.2:

Atomic_Secured_Linux#ASL_3.2_Release_Notes

Manual Upgrade if you do not have automatic upgrades configured

If you do not want your system to automatically upgrade ASL, change the UPDATE_TYPE setting in the ASL configuration to suit your needs. The "all" setting tells ASL to upgrade itself.

To upgrade manually you will then need to run these commands (run them as root):

Step 1) yum upgrade asl asl-web mod_security kernel

Note: If you have a PAE kernel installed, you will need to replace "kernel" with "kernel-PAE".

Step 2) aum -uf

Step 3) asl -s -f

Step 4) Please see the release notes, which include additional information when upgrading from 2.2 to 3.0:

Atomic_Secured_Linux#ASL_3.2_Release_Notes

Notes for 3.2 Upgrades

In addition to the release notes referenced above, you can check to see if you are running 3.2 by running this command as root:

asl -v

You should see an output similar to this:

ASL Version 3.2.0-0.10.el5.art: CentOS 6 (SUPPORTED)

The "CentOS 6" element will vary depending on your OS. If you see "UNSUPPORTED", you are either not running the latest version of 3.2, or your OS may not be supported. The current list of supported OSes is documented on the Supported_Platforms_for_ASL wiki page.

If your OS is supported and the upgrade is failing, this is more than likely caused by yum's cache requiring a flush. Run this command as root to flush the cache:

yum clean all

And then try the upgrade again.

ASL 3.0

ASL 3.0 uses the internal upgrade management system in ASL. You can upgrade ASL by following these steps:

Automatic Upgrade

Check to make sure you have ASL set to upgrade itself:

Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".

If this is set to "all", ASL will automatically upgrade itself based on your upgrade configuration, which is by default to check for updates daily. You can change this to hourly if you wish the system to check more often, or you can force an upgrade by following the steps below.

Force an upgrade if you have automatic upgrades configured

Force update step 1

Run this command as root:

asl -uf

Force update step 2

Set the new security policy, by running this command as root:

asl -s -f

This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time, even if you have not upgraded any ASL components.

Please see the release notes, which include additional information when upgrading from 2.2 to 3.0:

Atomic_Secured_Linux#ASL_3.0_Release_Notes

Manual Upgrade if you do not have automatic upgrades configured

If you do not want your system to automatically upgrade ASL, change the UPDATE_TYPE setting in the ASL configuration to suit your needs. The "all" setting tells ASL to upgrade itself.

To upgrade manually you will then need to run these commands (run them as root):

Step 1) yum upgrade asl asl-web mod_security kernel

Note: If you have a PAE kernel installed, you will need to replace "kernel" with "kernel-PAE".

Step 2) asl -uf

Step 3) asl -s -f

Step 4) Please see the release notes, which include additional information when upgrading from 2.2 to 3.0:

Atomic_Secured_Linux#ASL_3.0_Release_Notes

Notes for 3.0 Upgrades

In addition to the release notes referenced above, you can check to see if you are running 3.0 by running this command as root:

asl -v

You should see an output similar to this:

ASL Version 3.0: CentOS 5 (SUPPORTED)

The "CentOS 5" element will vary depending on your OS. If you see "UNSUPPORTED", you are either not running the latest version of 3.0, or your OS may not be supported. The current list of supported OSes is documented on the Supported_Platforms_for_ASL wiki page.

If your OS is supported and the upgrade is failing, this is more than likely caused by yum's cache requiring a flush. Run this command as root to flush the cache:

yum clean all

And then try the upgrade again.
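
The "asl -v" check from the 3.2 and 3.0 upgrade notes above can be scripted so that a host left on an old release or reporting UNSUPPORTED is caught after an upgrade run. This is an added example, not part of the wiki page or of ASL; the function name and return codes are made up for illustration, and the third sample line is constructed.

```shell
#!/bin/sh
# Added example: classify one line of `asl -v` output.
# check_asl_version LINE WANT   (WANT is the expected release, e.g. 3.2)
# Returns 0 = WANT release and SUPPORTED, 1 = UNSUPPORTED,
#         2 = SUPPORTED but a different release, 3 = line not recognised.
check_asl_version() {
    line=$1
    want=$2
    # Expected shape: "ASL Version <version>: <OS> (<status>)"
    case $line in
        "ASL Version "*": "*" ("*")") ;;
        *) echo "unrecognised: $line"; return 3 ;;
    esac
    rest=${line#"ASL Version "}
    version=${rest%%:*}          # text before the first colon
    status=${rest##*\(}          # text after the last "("
    status=${status%\)}
    os=${rest#*: }               # text between ": " and " ("
    os=${os% \(*}
    echo "version=$version os=$os status=$status"
    [ "$status" = "SUPPORTED" ] || return 1
    case $version in
        "$want"|"$want".*) return 0 ;;
        *) return 2 ;;
    esac
}

# Sample lines: the first two are the outputs shown on this page,
# the third is constructed to exercise the UNSUPPORTED path.
while IFS= read -r sample; do
    check_asl_version "$sample" 3.2 || echo "  -> needs attention (rc=$?)"
done <<'EOF'
ASL Version 3.2.0-0.10.el5.art: CentOS 6 (SUPPORTED)
ASL Version 3.0: CentOS 5 (SUPPORTED)
ASL Version 3.2.0-0.10.el5.art: ExampleOS 1 (UNSUPPORTED)
EOF
```

On a live host the line would come from running asl -v as root, for example check_asl_version "$(asl -v)" 3.2.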

ASL 2.2

ASL 2.2 uses the RPM package management system. You can upgrade ASL by using the following command:

yum upgrade

When you have completed upgrading any component of ASL you must run this command to finish configuring your system:

asl -s -f

This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time even if you have not upgraded any ASL components.

Automatic Upgrade system

Since version 2.1, ASL has the ability to automatically update itself. This is configurable from the ASL GUI. The option in the GUI is: UPDATE_TYPE. There are three modes:

  • all - This will configure ASL to automatically upgrade all of its components, including the rules. This is the most secure option.
  • exclude-kernel - This will configure ASL to upgrade all of its components, including the rules, but will not upgrade the kernel. This is the second most secure option.
  • rules-only - This option will configure ASL to only keep the rules up to date. This is the least secure option.

You can also configure the frequency at which ASL checks for updates by configuring the AUTOMATIC_UPDATES setting in the GUI. You can configure ASL to check for updates:

  • daily
  • hourly
  • none

We recommend that users test all upgrades on a test system before deploying to a production system.
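
The two settings described above decide whether a host keeps itself patched, so they are worth auditing across a fleet. The following is an added example, not ASL's own tooling: it assumes /etc/asl/config stores both settings as KEY="value" lines (the page only confirms UPDATE_TYPE in that file), and the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: audit UPDATE_TYPE and AUTOMATIC_UPDATES.
# Assumption: the config file holds KEY="value" lines, one per line.

# asl_cfg_get FILE KEY -> prints the last value assigned to KEY
asl_cfg_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([A-Za-z-]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# audit_asl_updates FILE
# Returns 0 = fully automatic, 1 = weaker than "all"/scheduled,
#         2 = setting missing or not one of the documented values.
audit_asl_updates() {
    utype=$(asl_cfg_get "$1" UPDATE_TYPE)
    freq=$(asl_cfg_get "$1" AUTOMATIC_UPDATES)
    result=0
    case $utype in
        all) echo "UPDATE_TYPE=all: components, kernel and rules auto-upgrade" ;;
        exclude-kernel)
            echo "UPDATE_TYPE=exclude-kernel: kernel must be upgraded by hand"
            result=1 ;;
        rules-only)
            echo "UPDATE_TYPE=rules-only: only the rules are kept current"
            result=1 ;;
        *) echo "UPDATE_TYPE='$utype' is missing or not a documented mode"
           return 2 ;;
    esac
    case $freq in
        daily|hourly) echo "AUTOMATIC_UPDATES=$freq" ;;
        none) echo "AUTOMATIC_UPDATES=none: no scheduled check, upgrades are manual"
              result=1 ;;
        *) echo "AUTOMATIC_UPDATES='$freq' is missing or not a documented value"
           return 2 ;;
    esac
    return $result
}

# Constructed sample config so the script runs without ASL installed;
# pass a real path (e.g. /etc/asl/config) as the first argument instead.
sample=$(mktemp)
printf '%s\n' 'UPDATE_TYPE="exclude-kernel"' 'AUTOMATIC_UPDATES="daily"' > "$sample"
audit_asl_updates "${1:-$sample}" || echo "  -> review needed (rc=$?)"
rm -f "$sample"
```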
