Atomic Secure Linux
Post subject: Seeking Dazuko Information
Posted: Fri Sep 17, 2010 4:32 pm
Forum Regular
Joined: Wed Mar 19, 2008 10:22 pm
Posts: 111

As I fully respect the opinions and experience of the ASL community members, I was hoping to get some general advice and information on using Dazuko. Successes? Failures?

A couple of quick questions off the top of my head...

Will it stop rootkits from being installed?

What are the recommended settings for /etc/asl/dazuko-include and /etc/asl/dazuko-exclude on a standard CentOS/Plesk/ASL box?

Do changes to those config files require a reboot each time?

Any information you can give about your experiences using it would be excellent.

Thanks!



Post subject: Re: Seeking Dazuko Information
Posted: Fri Sep 17, 2010 4:53 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3670
Location: Chantilly, VA

My two cents (and rushing out the door, so if I missed a point or misunderstood let me know!):

Quote:
Will it stop rootkits from being installed?

If you mean kernel-level rootkits, it might be able to stop them from being uploaded or opened, but only if they can be detected. So yes, it's helpful, but it's not the actual layer we use to stop rootkits. Kernel rootkits are best stopped with the hardened ASL kernel. The ASL kernel will stop rootkits from being installed if you configure ASL to lock the kernel (which is the default). So out of the box, ASL stops rootkits from being installed. You don't even need Dazuko to stop rootkits if you have the ASL kernel.

If you mean PHP shells and stuff like that, yes, Dazuko is a great tool, but for kernel rootkits alone it's not the solution. It might stop kernel-level rootkits, but that's not what we added it into ASL for. It's there to help prevent things that are malicious from running, and a good kernel-level rootkit attack can potentially get around that, which is why ASL has rootkit protections built into the kernel.

Quote:
What are the recommended settings for /etc/asl/dazuko-include and /etc/asl/dazuko-exclude on a standard CentOS/Plesk/ASL box?

I recommend you set Dazuko to watch all your user-writable directories, such as:

/home
/tmp
/var/tmp
/var/www

Your statistics directories may generate false positives, however. We've tried to account for that in the ClamAV rules we include, and so far all the error_log false positives (malicious domains used to generate FPs in the error_log, for example) have been accounted for. If you run into one, just let us know; it's pretty easy for us to tune the rules to ignore non-malicious events.

We don't recommend setting Dazuko to watch /bin and /usr because those are largely unnecessary. You need to become root to change those, and if the bad guys have root they can just disable Dazuko. ASL can also prevent this through the Role Based Access Control system, but that's an advanced option that we don't enable by default (you need to create your own policies to use it). It's like SELinux, except it has a self-learning mode, but you still need to tune it for your system.

So, I didn't want to get off on a tangent. RBAC good; now back to Dazuko.

Quote:
Do changes to those config files require a reboot each time?

No. Just a reload of clamd.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
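The advice above boils down to a filesystem policy: put on-access scanning where non-root users can write (home directories, /tmp, web roots), skip trees that only root can change, and carve out the statistics directories that generate false positives. The script below is an added example, not Atomicorp's code or anything from the original thread. It walks a set of roots, keeps only directories that an untrusted uid or gid can write to, drops excluded subtrees, and renders the result one path per line. That one-path-per-line layout is an assumption about the format of /etc/asl/dazuko-include, and the Plesk statistics path in the usage line is illustrative; check the ASL documentation before writing the real file, and reload clamd afterwards as the post says.

```python
"""
Enumerate candidate on-access scan roots for a Dazuko-style include list.

Added example (not Atomicorp code). Watches directories that non-root users
can write to and skips trees such as /bin and /usr that only root can change,
since an attacker who already has root can simply disable the scanner.
ASSUMPTION: /etc/asl/dazuko-include takes one absolute path per line.
"""
import os
import stat
from typing import FrozenSet, Iterable, List

ROOT_ONLY = frozenset({0})  # uid/gid 0 are the only "trusted" owners by default


def is_user_writable(st: os.stat_result,
                     trusted_uids: FrozenSet[int] = ROOT_ONLY,
                     trusted_gids: FrozenSet[int] = ROOT_ONLY) -> bool:
    """True if an account outside the trusted set can create files here.

    A directory counts as user-writable when it is world-writable (like /tmp
    with mode 1777), owned by an untrusted uid with the owner-write bit set
    (a user's home directory), or group-writable by an untrusted group.
    """
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return True
    if st.st_uid not in trusted_uids and mode & stat.S_IWUSR:
        return True
    if st.st_gid not in trusted_gids and mode & stat.S_IWGRP:
        return True
    return False


def _excluded(path: str, excludes: Iterable[str]) -> bool:
    """Prefix match on whole components: /var/www excludes /var/www/x, not /var/wwwx."""
    for ex in excludes:
        ex = ex.rstrip(os.sep) or os.sep
        if path == ex or path.startswith(ex + os.sep):
            return True
    return False


def find_watch_dirs(roots: Iterable[str], excludes: Iterable[str] = (),
                    trusted_uids: FrozenSet[int] = ROOT_ONLY,
                    trusted_gids: FrozenSet[int] = ROOT_ONLY) -> List[str]:
    """Walk each root and return the user-writable directories worth watching.

    Symlinks are not followed and each directory is lstat()ed, so a symlink
    planted in /tmp pointing at / cannot drag the whole filesystem into the list.
    """
    watch: List[str] = []
    excl = list(excludes)
    for root in roots:
        for dirpath, dirnames, _files in os.walk(root, followlinks=False):
            if _excluded(dirpath, excl):
                dirnames[:] = []  # do not descend into excluded trees
                continue
            if is_user_writable(os.lstat(dirpath), trusted_uids, trusted_gids):
                watch.append(dirpath)
    return sorted(set(watch))


def render_include_file(watch_dirs: Iterable[str]) -> str:
    """Render the list in the assumed one-path-per-line include format."""
    return "".join(f"{d}\n" for d in watch_dirs)


if __name__ == "__main__":
    # Roots from the post; the statistics exclude is an illustrative Plesk path.
    dirs = find_watch_dirs(["/home", "/tmp", "/var/tmp", "/var/www"],
                           excludes=["/var/www/vhosts/example.com/statistics"])
    print(render_include_file(dirs), end="")
```

Run it as root on the box you are tuning so that every directory is readable; the result is a starting point for the include list, and the exclude list is where the statistics directories go once you have seen which ones trip the ClamAV rules.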


Post subject: Re: Seeking Dazuko Information
Posted: Fri Sep 17, 2010 5:51 pm
Forum Regular
Joined: Wed Mar 19, 2008 10:22 pm
Posts: 111

Thanks, Michael. This is exactly the type of info I was hoping for. I have it up and running and everything seems to be working beautifully so far.

I've been hit twice now with the svh5 rootkit. The first time happened a couple of years ago and that's what first prompted me to start using ASL in the first place. The second time was a few days ago with ASL installed and I have yet to figure out exactly how they got in. I guess I was wondering if something like Dazuko might help guard against this.


Post subject: Re: Seeking Dazuko Information
Posted: Sat Sep 18, 2010 12:04 pm
Atomicorp Staff - Site Admin
Posts: 7957
Location: earth

In order for that one to be installed you'd have to have root credentials to the box. There's no exploit that would let you do it. My guess is that they've compromised your login to the system.

