Upgrading ASL

From Atomicorp Wiki
Revision as of 13:40, 31 December 2012 by Mshinn (Talk | contribs)

Jump to: navigation, search

Contents

General Upgrade instructions

This section applies to all upgrades.

Run commands as the root user

When upgrading ASL, run all upgrade commands as the root user. Do not use sudo to run these commands.

Pre-requisites

Always check to make sure that your system meets the pre-requisites for ASL before upgrading. You can access the latest requirements for ASL on the ASL prerequisites page.

Updates

Ensure that your system has all of your OS vendors updates installed. ASL is tested against the latest versions of vendors OSes, and may require updated software from your vendor to work correctly and securely.

Release Notes

Each release includes Release Notes. We highly recommend you review the release notes before upgrading.

Test Environment

We recommend that you test all ASL upgrades on a test system before deploying an ASL update into a production environment. For this reason, all ASL licensees come with a free QA and development licensee so you can test out all ASL updates.

Version Specific Upgrade Instructions

ASL 3.2

Release Notes

Please see the Atomic_Secured_Linux#ASL_3.2_Release_Notes page.

Upgrading

ASL 3.2 uses the internal upgrade management system in ASL. You can upgrade ASL by following these steps:

Step 1)

/var/asl/bin/aum -uf

Step 2)

service ossec-hids restart

Step 3) (Cpanel Only)

If you do not have cpanel installed, you do not need to run this command. Step 3 is not necessary for non-cpanel environments, skip to Step 4.

If you have cpanel installed, run this command:

/scripts/easyapache --build

Step 4)

/var/asl/bin/asl -s -f

Step 5) (Optional)

(This step is optional, see release notes)

/var/asl/bin/asl_db_rotate

Automatic Upgrade

Check to make sure you have ASL set to upgrade itself:

Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".

If this is set to "all", ASL will automatically upgrade itself based on your upgrade configuration, which is by default to check for updates daily. You can change this to hourly if you wish the system to check more often, or you can force an upgrade by following the steps below.

Force an upgrade if you have automatic upgrades configured

Force update step 1

Run this command as root:

aum -uf

Force update step 2

Set the new security policy, by running this command as root:

asl -s -f

This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time, even if you have not upgraded any ASL components.


Force update step 3 (cpanel only)

If you have cpanel installed, also run this command:

/scripts/easyapache --build

If you do not have cpanel installed, you do not need to run this command. Step 3 is not necessary for non-cpanel environments.

Please see the release notes, which include additional information when upgrading from 3.0 to 3.2:

Atomic_Secured_Linux#ASL_3.2_Release_Notes

Manual Upgrade if you do not have have automatic upgrades configured

If you do not want your system to automatically upgrade ASL, change the setting in the ASL configuration UPDATE_TYPE to your needs. The "all" setting tells ASL to upgrade itself.

To upgrade manually you will then need to run these commands (run them as root):

Step 1) yum upgrade asl asl-web mod_security kernel

Note: If you have a PAE kernel installed, you will need to replace "kernel" with "kernel-PAE".

Step 2) aum -uf

Step 3) asl -s -f

Step 4) Please see the release notes, which includes additional information when upgrading from 2.2 to 3.0:

Atomic_Secured_Linux#ASL_3.2_Release_Notes

Notes for 3.2 Upgrades

Cpanel

Do not enable modsecurity in cpanel, and do not use cpanel to upgrade or install modsecurity. CPanel does not use the latest version of modsecurity, and ASL is only tested and supported with the latest version supplied by ASL. ASL will automatically upgrade modsecurity if necessary.

Enabling modsecurity in cpanel will replace modsecurity with an older, and incompatible version and is not supported. This will likely also break your modsecurity configuration, as CPanel does not include all of the patches and enhancements in modsecurity that ASL comes with.

Version Check

In addition to the release notes referenced above, you can check to see if you are running 3.2 by running this command as root:

asl -v

You should see an output similar to this:

ASL Version 3.2.1-0.10.el5.art: CentOS 6 (SUPPORTED)

The "Centos 6" element will vary depending on your OS. If you see "UNSUPPORTED", you either not running the latest version of 3.2, or your OS may not be supported. The current list of OSes supported is documented on the Supported_Platforms_for_ASL wiki page.

If your OS is supported, and the upgrade is failing, this is more than likely caused by yums cache requiring a flush. Run this command as root to flush the cache:

yum clean all

And then try the upgrade again.

ASL 3.0

ASL 3.0 uses the internal upgrade management system in ASL. You can upgrade ASL by following these steps:

Automatic Upgrade

Check to make sure you have ASL set to upgrade itself:

Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".

If this is set to "all", ASL will automatically upgrade itself based on your upgrade configuration, which is by default to check for updates daily. You can change this to hourly if you wish the system to check more often, or you can force an upgrade by following the steps below.

Force an upgrade if you have automatic upgrades configured

Force update step 1

Run this command as root:

asl -uf

Force update step 2

Set the new security policy, by running this command as root:

asl -s -f

This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time, even if you have not upgraded any ASL components.

Please see the release notes, which include additional information when upgrading from 2.2 to 3.0:

Atomic_Secured_Linux#ASL_3.0_Release_Notes

Manual Upgrade if you do not have have automatic upgrades configured

If you do not want your system to automatically upgrade ASL, change the setting in the ASL configuration UPDATE_TYPE to your needs. The "all" setting tells ASL to upgrade itself.

To upgrade manually you will then need to run these commands (run them as root):

Step 1) yum upgrade asl asl-web mod_security kernel

Note: If you have a PAE kernel installed, you will need to replace "kernel" with "kernel-PAE".

Step 2) asl -uf

Step 3) asl -s -f

Step 4) Please see the release notes, which includes additional information when upgrading from 2.2 to 3.0:

Atomic_Secured_Linux#ASL_3.0_Release_Notes

Notes for 3.0 Upgrades

In addition to the release notes referenced above, you can check to see if you are running 3.0 by running this command as root:

asl -v

You should see an output similar to this:

ASL Version 3.0: CentOS 5 (SUPPORTED)

The "Centos 5" element will vary depending on your OS. If you see "UNSUPPORTED", you either not running the latest version of 3.0, or your OS may not be supported. The current list of OSes supported is documented on the Supported_Platforms_for_ASL wiki page.

If your OS is supported, and the upgrade is failing, this is more than likely caused by yums cache requiring a flush. Run this command as root to flush the cache:

yum clean all

And then try the upgrade again.

ASL 2.2

ASL 2.2 uses the RPM package management system. You can upgrade ASL by using the following command:

yum upgrade

When you have completed upgrading any component of ASL you must run this command to finish configuring your system:

asl -s -f

This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time even if you have not upgraded any ASL components.

Automatic Upgrade system

Since version 2.1, ASL has the ability to automatically update itself. This is configurable from the ASL GUI. The option in the GUI is: UPDATE_TYPE. There are three modes:

  • all - This will configure ASL to automatically upgrade all of its components, including the rules. This is the most secure option.
  • exclude-kernel - This will configure ASL to upgrade all of its components, including the rules, but will not upgrade the kernel. This is the second most secure option.
  • rules-only - This option will configure ASL to only keep the rules up to date. This is the least secure option.

You can also configure the frequency at which ASL checks for updates by configuring the AUTOMATIC_UPDATES setting in the GUI. You can configure ASL to check for updates:

  • daily
  • hourly
  • none

We recommend that users test all upgrades on a test system before deploying to a production system.

Personal tools