Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: ASL 2.2 going into Beta today
Posted: Mon Apr 27, 2009 1:42 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3264
Location: Chantilly, VA
ASL 2.2 is going into Beta today. This is a complete re-write of ASL to allow for the future enterprise features and also as part of the port to Windows.

2.2 includes:
    Complete re-write in C
    Lots of new vulnerability checks and auto-fixes
    FTP anti-malware upload protection
    SFTP anti-malware upload protection
    FTP RBLs
    Full FIPS 140-2 compliance
    ASL instance locking
    Excessive whitelist vulnerability check
    Disabled signature vulnerability checks
    Vulnerability checks for whitelisting IPs in mod_security
    Enhanced Cross Site Scripting protection
    Enhanced firewalling
    More SSH checks
    Added support to --report-false positive to use both the full and relative paths.
    New PHP checks and cloaking capabilities.
    New asl-stream client replaces modsec-clam perl tool.

Lots of bugfixes
- bitmasks handled correctly in whitelists
- Bugfix to detect spamassassin before checking its permissions
- Bugfix for ossec_check and web.conf, deprecated dhtml.conf files
- Bugfix for mod_security_check to correctly parse Dir directives
- Bugfix for mod_security_check SecAuditLogStorageDir
- Bugfix, mod_security_check now supports both "on/off" and "yes/no" values
- Bugfix, mod_security_check copies rulegroups over correctly now
- Bugfix, mod_security_check copies over tertiary configs now (spam.conf, sql.txt, etc)
- Bugfix, mod_security_check, when the whitelist is enabled, it is now flagged as a vulnerability
- Bugfix, php_check updated to support yes/no, and on/off conditions
- Fixed regexes on ossec_check for /etc/asl/web.conf (used by the plesk ASL module)
- command line arguments now support multiple entries, for example:
asl --whitelist 10.10.10.1 10.10.10.2 10.10.10.3
- Bugfix, corrected condition where ssh vulnerability checks were not being reported for SSH password authentication being enabled.
- Setting SSH_BANNER to "no" or "off" will disable adding the banner to the system (For Breun at lemonbit.nl)
- Extended APACHE_RESTART setting to support the modes: yes/restart (/etc/init.d/httpd stop and start), no/off (do nothing), graceful (/etc/init.d/httpd graceful)
- Added mod_security_check module, C rewrite of mod_security_check.sh
- Bugfix #XXX, where config value MODSEC_40_APACHE was not being assigned correctly in mod_security_check
- Lowered vulnerability level for safe_mode to moderate.
- Lowered vulnerability level for escapeshellcmd to low.
- Bugfix #XXX, OSSEC_NOTIFY was not previously being populated in the config correctly. This was preventing email notification from being disable-able.
- Bugfix #XXX, added a wrapper to lint the config file for the CONFIGURED flag
- Added detection for Horde and Squirrel webmail to change defaults in configuration_setup to allow exec, popen, escapeshellcmd

ASL 2.3 will be going into alpha soon, which includes the new GUI.

Also, in case anyone is interested, we use even numbers for non-development trees. So 2.0, 2.2, 2.4 will be the version numbers for final releases when they come out of beta. 2.1, 2.3, 2.5, etc. are development trees. So the 2.1 tree will be retired and rolled into 2.3 shortly. Anything that's stable enough from 2.1 is rolled into 2.2, and so on. That way, if you want to stay on the screaming edge just use the odd versions (2.3, 2.5, etc.) and if you prefer stable stick with the even trees (2.2, 2.4, 2.6, etc.)

Please report all bugs with 2.2 or 2.3 through the support portal:

https://support.prometheus-group.com

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: ASL 2.2 going into Beta today
Posted: Mon Apr 27, 2009 3:02 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7454
Location: earth
The package is now available in [asl-2.0] testing

To upgrade:

yum --enablerepo=asl-2.0-testing upgrade asl


 Post subject: Re: ASL 2.2 going into Beta today
Posted: Mon Apr 27, 2009 8:09 pm
Forum Regular

Joined: Thu Oct 26, 2006 11:56 pm
Posts: 665
Scott,

Is the compliance report module able to be tweaked in the final 2.2?

This is where, for example, you run a non-ASL kernel by choice or non choice like a VDS, or where you may allow certain functions like xwindows or certain php functions, but you can choose these not to show up as critical, high, moderate or low risk (as you set these in the compliance module as accepted risks)?


 Post subject: Re: ASL 2.2 going into Beta today
Posted: Mon Apr 27, 2009 9:53 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7454
Location: earth
Not at this time, this target was to get the rewrite done first, and work in some of the new subsystems (rule updater, config file parser, yadda yadda). The compliance module we're shooting to have available by Q3.


 Post subject: Re: ASL 2.2 going into Beta today
Posted: Tue Apr 28, 2009 12:41 am
Forum Regular

Joined: Thu Oct 26, 2006 11:56 pm
Posts: 665
Thanks Scott, at least I now know the timeline.

I assume that the module will allow you to suppress any vulnerabilities that you accept?

Once it's closer any chance of seeing them in bleeding?


 Post subject: Re: ASL 2.2 going into Beta today
Posted: Tue Apr 28, 2009 6:33 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7454
Location: earth
The module will support the security process outlined in NIST 800-53 (http://csrc.nist.gov/publications/PubsSPs.html), and we'll expand it to support other standards (HIPAA, GLBA, SOX, etc) as we go.


 Post subject: Re: ASL 2.2 going into Beta today
Posted: Mon Jun 08, 2009 8:10 am
Forum User

Joined: Sun May 29, 2005 7:27 am
Posts: 15
How goes the beta? Any chance we will see ASL 2.2 in the stable channel soon?
I'm planning to install two new boxes in July and it would be very nice to jump directly to ASL 2.2.


 Post subject: Re: ASL 2.2 going into Beta today
Posted: Mon Jun 08, 2009 9:25 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7454
Location: earth
We're going to do another beta release soon, possibly even this week.


 Post subject: Re: ASL 2.2 going into Beta today
Posted: Mon Jun 08, 2009 11:42 am
Forum Regular

Joined: Mon Oct 29, 2007 6:51 pm
Posts: 613
Anything new in the upcoming beta, or just a bug fix release?


 Post subject: Re: ASL 2.2 going into Beta today
Posted: Mon Jun 08, 2009 2:23 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7454
Location: earth
Most likely bug fixes, and License manager updates.


 Post subject: Re: ASL 2.2 going into Beta today
Posted: Mon Jun 08, 2009 9:15 pm
Forum Regular

Joined: Thu Oct 26, 2006 11:56 pm
Posts: 665
Hi Scott,

Any news on the compliance report tool to tweak the vulnerabilities?

I thought this would be available before 2.2 goes stable?


 Post subject: Re: ASL 2.2 going into Beta today
Posted: Tue Jun 09, 2009 8:32 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7454
Location: earth
It's actually a separate product, and while it will integrate with systems running ASL it doesn't require it. It's still in flux right now, since NIST 800-53 rev3 literally went into draft on Friday.

