Atomic Secure Linux

All times are UTC - 5 hours [ DST ]

 Post subject: Experimental modules coming soon
Posted: Tue Sep 01, 2009 10:59 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3631
Location: Chantilly, VA
We're working on some new experimental modules for ASL and are looking for beta testers and feedback. We call them experimental because we need feedback about their effectiveness.

Some of the new modules are:

THUDS - Transparent HTTP Download Scanner

This module will transparently scan all HTTP downloads to the system for malware and will block anything bad it finds.

LL-TOMS - Low-volume Lightweight Transparent Outbound Mail Scanner

This module is not designed to replace your MTA, but is designed to augment your security by scanning anything going out on port 25 (except from your MTA, which should itself be using spamassassin, clamav, etc.) for spam, malware, etc. This is to help with systems where customers need to be able to send mail out natively, but not through the local MTA.

Keep in mind, this module is not a mail server; it's transparent, so it's not designed to replace the mail server. It won't spool; it's real time.

LUDS - Local User Defense System

This module will lock down functions, programs and capabilities on the system so that local shell users are divided into two groups: trusted and everyone else (the default is everyone else). Trusted users will be able to run applications that could present a risk to the system.

This module may include other capabilities such as anomaly detection. Please let us know what else you would like to see in this module, or in any of the modules, or even if we should think about another module.

RTMDS - Real Time Malware Detection System

This module will give you the ability to set certain directories for realtime malware detection. Right now the experimental module can detect and block (delete) malware when it's written to a directory (or any subdirectory) or if a file is changed (and becomes malware). Quarantining is possible, but not complete in the internal builds (plus we don't recommend that for local security; it sort of defeats the purpose to just move the malware...).

The modules aren't finished yet, but as soon as they are we'll post and put them into the testing channel. As always please let us know if we can add more capabilities/features to ASL.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Experimental modules coming soon
Posted: Sun Sep 20, 2009 4:27 pm
Atomicorp Staff - Site Admin
RTMDS - Real Time Malware Detection System

This will be the first experimental module coming out. It's in final internal testing on our production machines, and we should be putting it out this week if that testing goes well. The module will go into the testing channel if we feel it's solid enough, and we encourage everyone to try it out.

The module will require a reboot. Or, if you do allow module loading, you can just install the RTMDS system, as it works with the current ASL kernel; it just needs a couple of modules installed.

The RTMDS uses clamd, dazuko and redirfs to scan for malware; that way you can tune clamd globally to block whatever you want. The RTMDS hooks the kernel file system calls, sends the file to clamd and allows the access to continue if clamd approves the file. The RTMDS hooks will check files in three cases:

When a file is opened/read
When a file is closed.
When something is executed.

You will get a permission denied error if it's a bad file, and the results will show up in clamd.log in real time.

_________________
Michael Shinn


 Post subject: Re: Experimental modules coming soon
Posted: Thu Oct 01, 2009 4:19 pm
Atomicorp Staff - Site Admin
RTMDS is available now for testing. At the moment, installation will need to be done manually. To install, run these commands (if you don't know what these mean, I recommend you wait for an installer and not do this manually):

yum --enablerepo=asl-2.0-testing install kmod-dazuko

This should install the dazuko and redirfs modules. You will then need to add these modules to your system. If you have kernel protection mode set, you will need to reboot to load the modules.

Add these lines to /etc/init.d/asl-mod:

modprobe redirfs
modprobe dazuko

Then you will need to reboot or load these modules. Once they are loaded, check to make sure you have this device:
/dev/dazuko

It should look like this:
crw------- 1 root root 247, 0 Oct 1 11:57 /dev/dazuko

Finally, modify clamd to tie into the kernel to check files for bad things by adding this to clamd:

# Turn on on-access scanning through the dazuko kernel interface (/dev/dazuko).
ClamukoScanOnAccess yes

# Set access mask for Clamuko (which file operations trigger a scan).
# Default: no
ClamukoScanOnOpen yes
ClamukoScanOnClose yes
ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
ClamukoIncludePath /var/www
ClamukoIncludePath /tmp
ClamukoIncludePath /var/tmp
ClamukoIncludePath /home
ClamukoIncludePath /var/spool/samba
ClamukoIncludePath /var/lib/vmware/
ClamukoIncludePath /var/cache/coolkey
ClamukoIncludePath /dev/shm
ClamukoIncludePath /usr/local/psa/tmp
ClamukoIncludePath /var/asl/data/suspicious

And if you need to exclude anything, add in the full path to the exclusions like this:
ClamukoExcludePath /some/path

And comment out this:

User clamav

clamd has to run as root to be able to see all the files on the system. If this gives you pause, that's understandable; however, keep in mind that an ASL kernel is immune to buffer and heap overflows, so an attack on clamd of that nature is not likely to work. We're also going to be putting out RBAC policies in the very near future for things like clamd, apache and other apps.

Also, you can tell clamd to watch the entire filesystem, but you will add additional, and possibly unneeded, load to the system. From a security perspective, it's definitely the right thing to do, but if your users can change files in /bin, for example, watching /bin for malware is a bit of a waste. If root can write to /bin, root can also disable clamd or exclude /bin. So the included directories above were put together based on an assumption of the directories that users can write to, and therefore likely places for malware. If we missed a standard directory, let us know.

Also, the kernel hook works on read and execute, not on write. So malware can be written to a location, but it cannot be read or executed. This is partially a limitation of dazuko, and also by design. dazuko doesn't hook writes, but we chose that because it lets your users' files remain on the system, in a locked state if you will, until you can figure out what to do with them. This is sort of a quarantine in place.

This is test software, so please use it at your own risk. We are using it on our production boxes, but this is still testing software and is not part of ASL yet. If it breaks, we want to know, but it's not supported yet.

_________________
Michael Shinn
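The following preflight script is an added example for this thread, not code from Atomicorp or from the RTMDS installer. It checks the pieces the manual install above says must be in place (redirfs and dazuko loaded, a root-only /dev/dazuko character device, the Clamuko directives in clamd.conf with "User clamav" commented out) and, on a host that actually has dazuko loaded, exercises the behaviour the Sep 20 and Oct 1 posts describe: a file clamd flags can be written into a watched directory but a read of it is denied and the file stays put. The script name, function names, the CLAMD_CONF default of /etc/clamd.conf and the use of the EICAR test string are this example's own assumptions.

```shell
#!/bin/sh
# rtmds-check.sh: added example, not Atomicorp's code. Preflight checks for the manual
# RTMDS install described in the post above. Function and variable names are this
# example's own; CLAMD_CONF defaults to /etc/clamd.conf, an assumption about the ASL layout.

# 1. redirfs and dazuko must be loaded (the asl-mod modprobe lines, or a reboot).
#    $1: the text output of lsmod; the module name is the first column.
modules_loaded() {
    for m in redirfs dazuko; do
        printf '%s\n' "$1" | awk '{ print $1 }' | grep -qx "$m" || return 1
    done
}

# 2. /dev/dazuko must be a root-owned character device that only root can open,
#    matching the "crw------- 1 root root" line in the post.  $1: one line of `ls -l`.
dazuko_device_ok() {
    set -- $1                      # split the ls line into: mode links owner group ...
    case "$1" in
        crw-------) [ "$3" = root ] && [ "$4" = root ] ;;
        *) return 1 ;;
    esac
}

# 3. clamd.conf must enable on-access scanning for open/close/exec, watch at least one
#    path, and must NOT drop privileges: an uncommented "User clamav" line means clamd
#    cannot see every file it is asked to check.  Prints each problem; returns 1 if any.
clamd_conf_ok() {
    conf="$1"; rc=0
    for d in ClamukoScanOnAccess ClamukoScanOnOpen ClamukoScanOnClose ClamukoScanOnExec; do
        grep -Eq "^[[:space:]]*$d[[:space:]]+yes" "$conf" || { echo "missing: $d yes"; rc=1; }
    done
    grep -Eq '^[[:space:]]*ClamukoIncludePath[[:space:]]+/' "$conf" \
        || { echo "no ClamukoIncludePath directive"; rc=1; }
    if grep -Eq '^[[:space:]]*User[[:space:]]+' "$conf"; then
        echo "active User directive: comment it out, clamd must run as root"; rc=1
    fi
    return $rc
}

# 4. Live behaviour check, only meaningful on a host with dazuko loaded (returns 2 and
#    does nothing otherwise). Per the posts, a flagged file can be WRITTEN into a watched
#    directory but reading it back is denied and the file stays put ("quarantine in place").
#    The EICAR test string is used because clamd flags it without it being malicious.
live_block_check() {
    dir="${1:-/tmp}"
    [ -c /dev/dazuko ] || return 2
    f="$dir/rtmds-check.$$"
    printf 'X5O!P%%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$f"
    if cat "$f" >/dev/null 2>&1; then
        echo "read of $f succeeded: on-access blocking is NOT working"
        rm -f "$f"
        return 1
    fi
    echo "read of $f denied as expected; check clamd.log, then remove the file as root"
}

# Run every check against the live system:  sh rtmds-check.sh run
preflight() {
    modules_loaded "$(lsmod 2>/dev/null)" \
        || echo "redirfs/dazuko not loaded: add the modprobe lines to asl-mod and reboot"
    dazuko_device_ok "$(ls -l /dev/dazuko 2>/dev/null)" \
        || echo "/dev/dazuko missing or not a root-only char device"
    clamd_conf_ok "${CLAMD_CONF:-/etc/clamd.conf}"
    live_block_check /tmp
}

case "${1:-}" in run) preflight ;; esac
```

Run it as root with `sh rtmds-check.sh run` after the reboot (or after the modprobes); the first three checks are pure text checks and can be pointed at another machine's output, while the live check deliberately leaves the denied file in place so you can see the matching clamd.log entry before removing it.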


 Post subject: Re: Experimental modules coming soon
Posted: Fri Apr 22, 2011 11:57 am
Forum Regular

Joined: Mon Oct 29, 2007 6:51 pm
Posts: 644
Are all of these still in beta/testing?
Will all of these work for those of us who don't use your kernel?


 Post subject: Re: Experimental modules coming soon
Posted: Fri Apr 22, 2011 2:03 pm
Atomicorp Staff - Site Admin

Posts: 7899
Location: earth
They are part of the mainline 2.2 series now. It might be supportable on the default CentOS 6 kernel when it becomes available.


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group