Atomic Secure Linux

All times are UTC - 5 hours [ DST ]

Post subject: Asl --undo
Posted: Wed Feb 04, 2009 12:40 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
It would be great to have a switch called "undo" which would undo the changes the last asl -f -s did to your system.

This way if it changes a file in a way that breaks your system or a certain subset of functionality (web, ftp, ssh, w/e) you can easily roll back.


Post subject: Re: Asl --undo
Posted: Wed Mar 04, 2009 8:22 pm
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 2113
I like this idea.

In particular, I'd like to see a feature that would allow people to roll back mod_sec rules.

Sure, I can do it by getting the last rules rpm and installing manually, but what if the asl site is down at the time? (and sure, I can fix mod_sec rules when they go wrong, but maybe other people can't).

I used to use a script I called panic.sh which I remember Scott chuckling about when he saw it a few years back. My rules update script backed up the existing rules and installed the new ones, while the panic script copied the backup over the new ones in the event of a problem.

Something similar might be good in ASL 3.

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Asl --undo
Posted: Wed Mar 04, 2009 8:57 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7964
Location: earth
The old ones are still there incidentally, in /var/asl/updates/
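An added example, not code from this thread or from ASL, of the "panic.sh" pattern Faris describes above (snapshot the live rules before an update, copy the snapshot back if the new rules break something), written so that the restore step also accepts any retained rules tarball, in the spirit of Scott's note that the old ones are kept. The paths in RULES_DIR and BACKUP_DIR, the sha256sum sidecar and the archive naming are all assumptions; this is not ASL's own rollback mechanism and the real /var/asl/updates/ layout may differ.

```shell
#!/bin/sh
# Added example, not from the thread or from ASL: a small "panic.sh"-style
# snapshot/restore for a ModSecurity rules directory. RULES_DIR and BACKUP_DIR
# are assumed locations; point them at your own paths.
set -eu

RULES_DIR="${RULES_DIR:-/etc/asl/example-rules}"   # assumption: live rules dir
BACKUP_DIR="${BACKUP_DIR:-/var/backups/asl-rules}" # assumption: snapshot dir

# Take a snapshot of the live rules before an update. Prints the tarball path.
# A SHA-256 sidecar is written so a damaged or tampered snapshot is never
# silently restored over a working system.
rules_snapshot() {
    mkdir -p "$BACKUP_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    n=0
    snap="$BACKUP_DIR/rules-$stamp-$(printf '%03d' "$n").tar.gz"
    while [ -e "$snap" ]; do            # several snapshots within one second
        n=$((n + 1))
        snap="$BACKUP_DIR/rules-$stamp-$(printf '%03d' "$n").tar.gz"
    done
    tar -C "$RULES_DIR" -czf "$snap" .
    sha256sum "$snap" > "$snap.sha256"
    printf '%s\n' "$snap"
}

# Newest snapshot by name: names embed the timestamp and a zero-padded
# sequence number, so plain sort order is chronological.
rules_latest_snapshot() {
    ls "$BACKUP_DIR"/rules-*.tar.gz 2>/dev/null | sort | tail -n 1
}

# Roll back to a snapshot (default: the newest). The tarball is verified
# first, unpacked beside the live directory and swapped in with two renames;
# the broken tree is kept as RULES_DIR.broken for later inspection.
rules_restore() {
    snap="${1:-$(rules_latest_snapshot)}"
    if [ ! -f "$snap" ]; then
        echo "rules_restore: no snapshot found ($snap)" >&2
        return 1
    fi
    if ! sha256sum -c --status "$snap.sha256"; then
        echo "rules_restore: checksum mismatch, refusing to restore $snap" >&2
        return 1
    fi
    tmp=$(mktemp -d "$RULES_DIR.restore.XXXXXX")
    chmod 755 "$tmp"                    # mktemp creates 0700; match a config dir
    tar -C "$tmp" -xzf "$snap"
    rm -rf "$RULES_DIR.broken"
    mv "$RULES_DIR" "$RULES_DIR.broken"
    mv "$tmp" "$RULES_DIR"
    echo "rules_restore: restored $snap into $RULES_DIR" >&2
}

# Command-line use: sh asl-rules-undo.sh snapshot | restore [snapshot.tar.gz]
case "${1:-}" in
    snapshot) rules_snapshot ;;
    restore)  rules_restore "${2:-}" ;;
esac
```

Take a snapshot before running the update, and after a restore reload the web server yourself so ModSecurity re-reads the restored files; the script only swaps the directory. The checksum check is what keeps a rollback from making things worse: a truncated or altered archive is refused rather than being loaded over a system that was at least partly working.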

Post subject: Re: Asl --undo
Posted: Thu Mar 05, 2009 7:32 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 2113
Ah! Interesting.

Looking at them in date order I see that the mod_sec rule size went from 567k (compressed) in early December 2008 to 1.5Mb (compressed) in mid December 2008 and then way down to 279k at the end of January 2009.

Unfortunately this is probably why I'm able to run the rules these days.

But I'm going off topic so I'll leave it there.

Faris.


Post subject: Re: Asl --undo
Posted: Thu Mar 05, 2009 9:00 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7964
Location: earth
Yeah, we were rolling the .svn dirs into those tar.gz's before, so the .conf's that you're loading are largely uniform. It's a good debugging observation though!


Post subject: Re: Asl --undo
Posted: Thu Mar 05, 2009 10:34 am
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3680
Location: Chantilly, VA
Yes, the rule sizes did NOT go down, we just removed the subversion directories from the rule files which is why they are smaller. In fact the rule sizes have gone up and will continue to do so as they include application specific rules. They are compiled at runtime into modsec and into apache. Most of the rule logic never occurs on most systems because much of the ruleset size now is related to rules for specific applications. If you don't have that application the rule logic will not fire.

The blacklists are an exception: they always get called and are not application specific. We try to keep them to only the current malware/spam sources or known long-term sources of trouble. The blacklists are a "backup" ruleset to help cover cases we might not have thought of, so if you want to reduce the memory footprint of the rules the blacklists are a good choice, as they are not a mandatory ruleset but more of a backup parachute, if you will. If you have the memory though we highly recommend you run ALL the rules - we do on all of our systems.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Asl --undo
Posted: Thu Mar 05, 2009 11:34 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 2113
Ah, that's very interesting about the svn stuff (and the rest).

Thanks Scott, thanks Mike.

Faris.
