ASL 2.2 is going into Beta today. This is a complete re-write of ASL to allow for the future enterprise features and also as part of the port to Windows.
2.2 includes:
Complete re-write in C
Lots of new vulnerability checks and auto-fixes
FTP anti-malware upload protection
SFTP anti-malware upload protection
FTP RBLs
Full FIPS 140-2 compliance
ASL instance locking
Excessive whitelist vulnerability check
Disabled signature vulnerability checks
Vulnerability checks for whitelisting IPs in mod_security
Enhanced Cross Site Scripting protection
Enhanced firewalling
More SSH checks
Added support for --report-false positive to use both the full and relative paths.
New PHP checks and cloaking capabilities.
New asl-stream client replaces modsec-clam perl tool.
Lots of bugfixes
- bitmasks handled correctly in whitelists
- Bugfix to detect spamassassin before checking its permissions
- Bugfix for ossec_check and web.conf, deprecated dhtml.conf files
- Bugfix for mod_security_check to correctly parse Dir directives
- Bugfix for mod_security_check SecAuditLogStorageDir
- Bugfix, mod_security_check now supports both "on/off" and "yes/no" values
- Bugfix, mod_security_check copies rulegroups over correctly now
- Bugfix, mod_security_check copies over tertiary configs now (spam.conf, sql.txt, etc.)
- Bugfix, mod_security_check, when the whitelist is enabled, it is now flagged as a vulnerability
- Bugfix, php_check updated to support yes/no, and on/off conditions
- Fixed regexes on ossec_check for /etc/asl/web.conf (used by the Plesk ASL module)
- Command line arguments now support multiple entries, for example:
  asl --whitelist 10.10.10.1 10.10.10.2 10.10.10.3
- Bugfix, corrected condition where SSH vulnerability checks were not being reported for SSH password authentication being enabled.
- Setting SSH_BANNER to "no" or "off" will disable adding the banner to the system (For Breun at lemonbit.nl)
- Extended APACHE_RESTART setting to support the modes: yes/restart (/etc/init.d/httpd stop and start), no/off (do nothing), graceful (/etc/init.d/httpd graceful)
- Added mod_security_check module, C rewrite of mod_security_check.sh
- Bugfix #XXX, where config value MODSEC_40_APACHE was not being assigned correctly in mod_security_check
- Lowered vulnerability level for safe_mode to moderate.
- Lowered vulnerability level for escapeshellcmd to low.
- Bugfix #XXX, OSSEC_NOTIFY was not previously being populated in the config correctly. This was preventing email notification from being disabled.
- Bugfix #XXX, added a wrapper to lint the config file for the CONFIGURED flag
- Added detection for Horde and Squirrel webmail to change defaults in configuration_setup to allow exec, popen, escapeshellcmd
ASL 2.3 will be going into alpha soon, which includes the new GUI.
Also, in case anyone is interested, we use even numbers for non-development trees. So 2.0, 2.2, 2.4 will be the version numbers for final releases when they come out of beta. 2.1, 2.3, 2.5, etc. are development trees. So the 2.1 tree will be retired and rolled into 2.3 shortly. Anything that's stable enough from 2.1 is rolled into 2.2, and so on. That way, if you want to stay on the screaming edge, just use the odd versions (2.3, 2.5, etc.), and if you prefer stable, stick with the even trees (2.2, 2.4, 2.6, etc.).
Please report all bugs with 2.2 or 2.3 through the support portal:
https://support.prometheus-group.com