ASL FAQ

From Atomicorp Wiki


What is the benefit of Subscribing to ASL?

A: ASL includes a full SIM with a standalone web GUI, a fully integrated web application firewall, event correlation, intelligent log reduction and alerting, a built-in vulnerability scanner with automatic vulnerability repair, virtual patching, compliance monitoring, self-healing, anti-spam protection, anti-malware protection, upload malware protection (Web and FTP), real-time malware protection, automatic redaction, a secure and hardened kernel, stack protection, heap protection, a Role Based Access Control system and many more features!

The second aspect of ASL is support. If we distribute any component, be it a kernel, rules, modules, etc., we will support issues you may have with your integration, with drivers, etc. We focus on building software such as ASL that works on the widest range of hardware, with the most advanced and modern security features that will work on all platforms. This includes firewall extensions for STEALTH and MATCH support, the strongest stack protection in the world, special defenses against kernel module rootkits, cutting edge just in time patching technology and more!

Help! I need help!

See the ASL Support page for instructions on contacting support, opening a case and other tools you can use to get assistance.

What is included with support, and what is your approximate response time?

Email-based support, with a response within 4 hours of the request during normal business hours, which are Monday-Friday from 9am - 5pm EST, except on US Federal Holidays.

For extended support customers, the response time is dictated in the support contract and includes after hours support, and may include 24/7 support depending on the support contract.

What are your normal support hours?

Support business hours are 09:00 AM to 05:00 PM, US Eastern Time, Monday through Friday, excluding holidays.

Our holiday schedule:

2009

  • Thursday, January 1 New Year’s
  • Thursday, January 2 New Year’s
  • Monday, January 19 Birthday of Martin Luther King, Jr.
  • Monday, February 16 Washington’s Birthday
  • Monday, May 25 Memorial Day
  • Friday, July 3 Independence Day
  • Monday, September 7 Labor Day
  • Monday, October 12 Columbus Day
  • Wednesday, November 11 Veterans Day
  • Thursday, November 26 Thanksgiving Holiday
  • Friday, November 27 Thanksgiving Holiday
  • Thursday, December 24 Christmas Eve Day
  • Friday, December 25 Christmas Day

2010

  • Friday, January 1 New Year’s Day
  • Monday, January 18 Birthday of Martin Luther King, Jr.
  • Monday, February 15 Washington’s Birthday
  • Monday, May 31 Memorial Day
  • Monday, July 5 Independence Day
  • Monday, September 6 Labor Day
  • Monday, October 11 Columbus Day
  • Thursday, November 11 Veterans Day
  • Thursday, November 25 Thanksgiving Holiday
  • Thursday, November 26 Thanksgiving Holiday
  • Friday, December 24 Christmas Eve Day


Support requests received after hours will be addressed during the next business day.

Do you offer support outside of your normal support coverage?

Yes, for customers with extended support contracts. Please contact sales@atomicorp.com for more information.

Do you offer phone support?

Yes, for customers with existing extended support contracts. Please contact sales@atomicorp.com for more information about extended support contracts.

Phone support is not available without an existing extended support contract.

What Linux distributions do you support?

As of September 2009, we officially support:

Centos 4 and 5

RHEL 4 and 5

Fedora 9 and 10

We have unsupported builds for:

Centos 3

RHEL 3

Fedora Core 4, 5, 6, 7 and 8 (These are End of Life by the Fedora project)

Fedora 11

Do you support custom builds of apache, or other custom non-standard Linux distributions or hybrids?

Yes, but only through extended support contracts. If you do not have an extended support contract there is no support. Please contact sales@atomicorp.com and we can put together a proposal for your project and price out ongoing support for your custom configuration.

What browsers does the ASL GUI work with?

Officially we support:

Firefox 2, 3 and 3.5

Internet Explorer 6 and 7

We have unofficial reports that the GUI should work with Opera and Safari and are working to officially test and support these as well.

ASL does not support my version of Fedora or RHEL.

We do not support versions of RHEL, Centos or Fedora which are themselves no longer supported by the vendor. So we do not support older versions of any of the above, with a few very special exceptions as needed by our customers.

We do this because of the serious security issues associated with running an operating system that is no longer supported. For example, if a serious vulnerability were to be discovered in openssh and there was no patch for your system, ASL may not be able to protect your system adequately. Some vulnerabilities are beyond even our capabilities to defend against. We are always looking out for your security - and unsupported OSes are always a serious risk to operate.

For newer versions we work as fast as possible to support new distributions. RHEL and Centos get top priority, then we work on Fedora and other distros. Fedora is a wonderful distro (we use it for all our company's desktops!), but it's not a very good platform for servers with its short support cycle. Therefore we focus on it after the longer cycle RHEL and Centos builds.

What are the minimum system requirements for ASL?

If all of the ASL security features are turned on, we recommend that your system have a minimum of 1GB of RAM. ASL includes advanced web application and antispam security features that do best with this minimum requirement.

Our servers run without issue with 2GB of RAM on Dual Core P4s or single core AMD 64bit CPUs.

Do you have pre-defined access policies, or do we have to configure these policies?

A: Yes, currently we use Trusted Path Execution (TPE), and the untrusted users group by default. Members of the untrusted users group can only execute commands owned by root. In addition non-root users can only see processes owned by them. Grsec has an additional RBAC and Process ACL system available.


What is the default username and password for ASL Web (2.2)?

ASL Web follows the Plesk model, the default username and password are:

Username: admin

Password: setup

If predefined, will your policy fit into a Plesk system, since Plesk uses its own chroot enforcement on some daemons?

Atomicorp was founded by Plesk founders. ASL is specifically designed to integrate in that environment and with other control panels too.


I am getting this error in ossec.log, ossec-dbd(5202): ERROR: Error connecting to database 'localhost'(tortix): ERROR: Unknown MySQL server host 'localhost' (0).

Check that "skip-networking" is not set in /etc/my.cnf. OSSEC runs chrooted, so it cannot use the regular MySQL socket to communicate with the database; it requires a TCP connection over the loopback IP address. Most likely MySQL has been configured not to listen on the loopback IP (skip-networking), or firewall rules are blocking connections to it.

If predefined, can you give us a sample policy that mitigates critical server file access when mod_perl is called via a client, or in other words, how hard is your tuning (intrusion log, etc.)?

A: TPE would prevent an untrusted user, such as apache, from executing commands owned by apache, and would log the attempt to syslog. An example entry follows:

 Nov 11 14:53:10 server4 kernel: grsec: From 10.249.64.1: denied untrusted exec of /tmp/w00t by apache [uid/eid: 48/48] /home/httpd/vhosts/testhost.atomicorp.com/httpdocs/modules/phpBB/index.php

What is the performance impact of using ASL on a system with 700-1000 domains per server?

A: PaX adds around 3-5% of additional overhead on Intel processors. AMD processors implement this in hardware, so there is no additional overhead.

How can I disable ASL?

Step 1) Disable mod_security

mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled

Step 2) Disable mod_evasive

mv /etc/httpd/conf.d/mod_evasive.conf /etc/httpd/conf.d/mod_evasive.conf.disabled

Step 3) Disable OSSEC

/etc/init.d/ossec stop

Step 4) Restart apache

/etc/init.d/httpd restart

Step 5) Remove the hardened proftp

yum remove psa-proftpd-1.3.2a-1.el5.art

Step 6) Kernel

Boot into a non-ASL kernel.

Horde webmail is reporting: "There was an error sending your message: Failed to open sendmail [/var/qmail/bin/sendmail] for execution."

A: Horde requires the exec() and/or popen() functions to be enabled. This post in the support forums details how to only allow functions for webmail [1]. The escapeshellcmd function also needs to be available or sending mail will fail without any error messages.

Kernel is reporting: No module ehci-hcd/ohci-hcd/ehci-hcd found for kernel during an upgrade

A: These modules have been deprecated from newer kernels. The error message can be safely ignored. If you want to remove this message from future updates, remove those entries from /etc/modprobe.conf.

How can I modify mod_security rules for a domain, rule, or globally?

A: See the Mod_security page for more information.


How do I remove ASL?

A: For ASL 2.0:

 yum remove mod_security asl mod_evasive ossec-hids psmon rkhunter skdet unhide paxtest clamd asl-web-gui gradm

A: For ASL 2.2:

 yum remove mod_security asl mod_evasive ossec-hids psmon rkhunter skdet unhide paxtest clamd asl-web gradm

grsec: denied untrusted exec of /path/to/some/application

This means that the application is owned by an untrusted user. This helps to prevent untrusted users from uploading software to the system, which could include trojans, malware and rootkits. There are a number of ways to allow the application to run, and these are in order of most secure to least secure:

1. Change the ownership of the file to root.root and make sure the file and the directory it is in are not writable by other users. Here is an example you will need to adapt to your system:

 chown root.root /path/to/directory/of/application
 chown root.root /path/to/application
 chmod og-w /path/to/application

In some cases, such as users that are not in the untrusted group, you can just move the application to a trusted directory or make sure the directory it is in is owned by root.root. For example, for a setuid script owned by "testuser":

 [testuser2@ac2 ~]$ pwd
 /home/testuser2
 [testuser2@ac2 ~]$ id
 uid=510(testuser2) gid=510(testuser2) groups=510(testuser2)
 [testuser2@ac2 ~]$ cat ~testuser/sensitive_file
 cat: /home/testuser/sensitive_file: Permission denied
 [testuser2@ac2 ~]$ /usr/local/trusted_apps/special_cat ~testuser/sensitive_file
 This data can only be read by setuid
 [testuser2@ac2 ~]$ ls -al /usr/local/trusted_apps/special_cat
 -rwsr-xr-x 1 testuser testuser 23132 Dec 17 19:45 /usr/local/trusted_apps/special_cat

As you can see from this example, there is a setuid program called special_cat (it's a copy of /bin/cat) that is setuid to testuser. testuser2 tried to open the file ~testuser/sensitive_file with "cat", but cannot, because testuser2 must use the setuid program "/usr/local/trusted_apps/special_cat" to read those files.

The key to making this work with the secure ASL kernel is that the directory must be owned by root.root:

 [testuser2@ac2 ~]$ ls -al /usr/local/trusted_apps/
 total 36
 drwxr-xr-x  2 root     root      4096 Dec 17 19:53 .
 drwxr-xr-x 12 root     root      4096 Dec 17 19:53 ..
 -rwsr-xr-x  1 testuser testuser 23132 Dec 17 19:45 special_cat

This helps prevent malicious users from uploading programs to the system that you do not want, and it also helps prevent users from running programs you don't trust in ways that can compromise the security of your system. The key is to make sure no one can modify the file except the user that owns it, and that the file is in a directory that only root can modify or place new files in. This helps to prevent path poisoning attacks.

2. Remove the user from the untrusted group in /etc/group. We do not recommend you do this. The default users are system processes such as apache that should NEVER be trusted by the system. Trusting them makes it easy for an attacker to upload a trojan to the system.
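
The ownership conditions described above (directory owned by root.root, nothing writable by group or others) can be checked before an application is deployed. This is an added example, not part of ASL or the original FAQ; tpe_path_ok and the TRUSTED_UID/TRUSTED_GID variables are hypothetical names, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example (not ASL code): check a program against the ownership rules
# described above. Needs GNU stat (coreutils), as on RHEL/CentOS/Fedora.
#
# Exit status of tpe_path_ok:
#   0  directory and file both owned by the trusted user, nothing writable
#      by group or others (option 1 above)
#   1  directory not trusted-owned, or directory/file writable by group/others
#   2  not a regular file
#   3  directory is trusted but the file has another owner (the special_cat
#      layout; per the page this is only enough for users outside the
#      untrusted group)
#
# TRUSTED_UID / TRUSTED_GID default to 0 (root.root). They can be overridden
# only so the check can be tried on a scratch directory without root.

tpe_path_ok() (
    file=$1
    t_uid=${TRUSTED_UID:-0}
    t_gid=${TRUSTED_GID:-0}

    [ -f "$file" ] || { echo "FAIL: $file is not a regular file"; exit 2; }
    dir=$(dirname -- "$file")

    # %u = owner uid, %g = owner gid, %a = permission bits in octal
    d_uid=$(stat -L -c %u -- "$dir")
    d_gid=$(stat -L -c %g -- "$dir")
    d_mode=$(stat -L -c %a -- "$dir")
    f_uid=$(stat -L -c %u -- "$file")
    f_mode=$(stat -L -c %a -- "$file")

    rc=0
    if [ "$d_uid" != "$t_uid" ] || [ "$d_gid" != "$t_gid" ]; then
        echo "FAIL: $dir is owned by $d_uid:$d_gid, expected $t_uid:$t_gid"
        rc=1
    fi
    # 022 octal = the write bits for group and others
    if [ $(( 0$d_mode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir (mode $d_mode) is writable by group or others"
        rc=1
    fi
    if [ $(( 0$f_mode & 022 )) -ne 0 ]; then
        echo "FAIL: $file (mode $f_mode) is writable by group or others"
        rc=1
    fi
    [ "$rc" -eq 0 ] || exit "$rc"

    if [ "$f_uid" != "$t_uid" ]; then
        echo "NOTE: $file is owned by uid $f_uid; its directory is trusted"
        exit 3
    fi
    echo "OK: $file"
    exit 0
)

# Usage: sh tpe_check.sh /path/to/application
if [ $# -gt 0 ]; then
    tpe_path_ok "$1"
fi
```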

What is the difference between whitelist and disable sig?

Whitelisting keeps an IP address from being shunned.

Disabled Sig turns off a signature for the entire system.

If you are experiencing a false positive and wish to disable it, we recommend you report the false positive and we will put out an update rapidly that will resolve the issue.

What does the following alert mean and what should be done?

Message: [file "/etc/httpd/modsecurity.d/05_asl_scanner.conf"] [line "37"] [id "351000"] [rev "1"] [msg "Malicious File upload attempt"] [severity "CRITICAL"] Access denied with code 403 (phase 2). File "/tmp/12345" rejected by the approver script "/usr/bin/modsec-clamscan.pl": 0 Unable to parse clamscan output [WARNING: Can't connect to clamd.] Action: Intercepted (phase 2) Stopwatch: 12345 12345 (12345* 12345 -) Producer: 200811121208. Server: Apache/2.0.63 (CentOS)

This means that clamd is not running on the system. Please check to make sure that clamd is running. You can do that by executing the following command as root:

ps auxwww | grep clamd

If you do not get a result like this:

 [root@www3 clamav]# ps auxwww | grep clamd
 clamav 21142 0.0 8.5 203064 173996 ? Ss 04:21 0:04 clamd

clamd is not running. To start clamd simply run this command:

/etc/init.d/clamd start

Error: Cannot retrieve repository metadata (repomd.xml) for repository: plesk. Please verify its path and try again

Solution:

http://www.atomicorp.com/channels/plesk/README

The plesk third party RPM archive has moved! Running the installer again will reconfigure your system to use the new channel.

wget -q -O - http://www.atomicorp.com/installers/atomic |sh


Package psa-tomcat-configurator needs mod_jk, this is not available.

See this post on the Plesk forums: http://forum.swsoft.com/showthread.php?t=56344

This is not an ASL or ART issue.


GRsecurity ACL database: not found [INFO]

This simply means you do not have any GRSEC rules set. This is just an information alert and does not mean anything is wrong with your system.


/etc/cron.hourly/asl: Error: ASL has not been configured

First check to make sure that ASL was configured after installation. To configure ASL run this command:

asl -c

If you did configure ASL, check to see if the line CONFIGURED=yes is at the bottom of /etc/asl/config. If that is missing from your /etc/asl/config file just add this line back in:

CONFIGURED=yes


Rule: 30104 fired (level 12) -> Apache segmentation fault

Solution:

This means that apache is experiencing a recoverable memory error. We have found that mod_memcache seems to cause this. Turning it off has worked for many users.

Also, see this wiki article for more information on apache debugging:


http://www.atomicorp.com/wiki/index.php/Apache

Java is stopped by PAX

Solution: Java performs certain actions that violate stack protection security models. To allow Java to run in this manner, you simply need to run chpax this way:

/sbin/chpax -ps /path/to/java/bin/java

How to disable a single rule?

Solution:

asl --disable-sig rule_number


Can't install kernel modules.

Solution:

By default the ASL kernel doesn't allow loading kernel modules at runtime for security. See the ALLOW_kmod_loading setting in /etc/asl/config. Then set the modules to load at boot and restart the system.

It is NOT recommended that you allow kernel module loading on a running system. This makes it possible for an attacker to install an LKM style rootkit. ASL prevents all LKM rootkits if module loading is prevented at runtime.

This article: Installing custom kernel modules with ASL provides more information about setting up custom modules to load before ASL locks the kernel down.

I want to have greylisting.

Those are all freely available from the atomic repository. They are not part of ASL and not supported through an ASL license. If you need support for these packages contact sales@atomicorp.com and we can put together a custom support package for you.

Install ClamAV and SpamAssassin:

 yum install clamd spamassassin

Edit required_hits in /etc/mail/spamassassin/local.cf if you want to change the default tagging threshold (default is 5).

Install qmail-scanner (integrates virus and spam filters with Plesk's qmail):

 yum install qmail-scanner

Edit SA_DELETE in /etc/qmail-scanner.ini if you want to delete mail (at SpamAssassin's required_hits + qmail-scanner's SA_DELETE).

I also recommend adding Pyzor, Razor and DCC to SpamAssassin:

 yum install pyzor razor-agents dcc

If you want to add greylisting:

 yum install qgreylist

Start clamd and spamassassin:

 service clamd start
 service spamassassin start

Reconfigure qmail-scanner to make sure it uses all your custom settings:

 qmail-scanner-reconfigure

Make sure clamd and spamassassin are started at boot time (maybe they are enabled by default, I'm not sure):

 chkconfig --level 345 clamd on
 chkconfig --level 345 spamassassin on


Atomic Scanner

How do you view/find/install the extra modules/areas for statistics reporting? I only seem to have Dashboard/Inventory/Block List/Configuration/Support views in the Plesk (8.6.0) options. e.g. Atomic Scanner.

Solution:

Atomic Scanner is a separate project which is not available in the stable repository yet. You can install the atomic-scanner package from the testing repository if you like, but last time I tried it there were still a couple of problems with that one.


Not Found: The requested URL /asl/index.php was not found on this server.

Solution:

Check with:

rpm -q asl-web-gui

If it is missing, re-install it with:

yum install asl-web-gui


CS4 and ASL

Solution:

It is OK to install CS4 with ASL. Just say "no" when it asks if you want to download and install clamd when you run the installation script. ASL already provides clamd.


Deleting old audit records

Solution:

/usr/bin/find /var/asl/data/audit -mindepth 1 -maxdepth 1 -type d -ctime +7 -exec /bin/rm -rf {} \;

Change the number “7” to the number of days of audit records you wish to keep.


I have a false positive, how do I report it?

Solution:

Send the false positive to “support@atomicorp.com” or press the “Report False Positive” button in the ASL GUI. False positives are usually resolved and an update is released the same day they are reported, and during normal business hours usually within a few hours.


Is there a way to enable PAE with the ASL kernel?

Solution:

Indeed you can, PAE kernels are fully supported in ASL. Just check yum and install the PAE kernel.

If you have an issue with a PAE kernel please report it to support@atomicorp.com.


ASL reports that grsecurity is not installed

Solution:

You must reboot your system to use the ASL kernel, which includes grsecurity. Default OS kernels do not include any stack protection, grsecurity or PAX features.

To tell which kernel you are running, as root execute this command:

uname -a

ASL kernel Critical not detected

See above.


Kernel GRsecurity support High not found

Solution:

You must reboot your system to use the ASL kernel, which includes grsecurity. Default OS kernels do not include any stack protection, grsecurity or PAX features.

To tell which kernel you are running, as root execute this command:

uname -a

If you are a VPS customer you cannot use a separate kernel from the host machine, which means you will not be able to use the ASL kernel. This is a security risk for your VPS and you are encouraged to contact your hosting provider for information about how they will protect your virtual server from attacks through the host server. If your hosting provider is unwilling to meet your security needs we encourage you to contact some of the fine hosting companies that use ASL and who post regularly to these forums.

If you are running a PAE system you will need to install one of our testing PAE kernels. PAE allows a 32 bit system to access memory beyond the limits of a 32 bit architecture; it's sort of a hack to get around the system not being 64 bit. As a result, these kernels require more work for our kernel development team. If you are in a rush, we recommend you use a 64 bit architecture to access memory beyond 4 GB. Normal 32 bit and 64 bit kernels are fully supported.

We are working hard to finish testing of PAE kernels and will keep you informed of its progress.

How do you exclude a domain from the modsecurity rules?

Solution:

See Disabling Modsecurity for a Domain: http://www.atomicorp.com/wiki/index.php/Mod_security#Disabling_Mod_security_per_domain

This is very dangerous, it is not recommended and is not supported as it leaves the entire domain open to all web based attacks. If you find that you are experiencing any false positives please report them to support@atomicorp.com - we will fix the false positives.


Can you use ASL without plesk?

Answer:

Yes, ASL uses its own GUI and does not require any control panel to work.


cannot enable executable stack as shared object requires

or this error:

error while loading shared libraries: libcrypto.so.0.9.8: cannot enable executable stack as shared object

Solution:

execstack -c /path/to/application


Issue:

My system has experienced a kernel panic.

Solution:

We have documented several issues that may cause kernel panics on the wiki: Kernel_Panic

ASL kernel will not run inside Xen.

ASL will run inside a Xen guest, but the ASL kernel will not, because there is no Xen ASL guest kernel yet. Xen is in the middle ground of virtualization: it requires a customized Xen-aware operating system for both the master and the slave OSes. So the quick chart:

Full Hypervisor - QEMU, KVM, Vmware, Virtualbox, Parallels, etc. (no custom OS required - ASL runs in these environments)

Para-Virtualization - Xen (custom, Xen aware kernel required)

Container - Vserver, Virtuozzo/Openvz, etc. (no kernel used - ASL will run, but you can NOT run a custom kernel inside these types of virtual machines, and that includes the ASL and any other kernel)

What that means is that you can basically install any x86 based OS into a full-hypervisor virtualization system. If the master is linux, you can run freebsd, windows, linux, osx, etc under it. No changes to the guest OS's are required.

Paravirtualization means you can run any Xen-aware OS under it, so if you're running Linux, you can run Xen-Windows, or Xen-Linux as a slave OS. Mainly this means that the slave OS's have unique, xen kernels. This means that you boot the master off of one kernel, and then the guests boot again in their special xen guest kernels.

Container virtualization is limited to the OS of the master, if the master is linux, then the slaves are linux, since everything is running under the same kernel. The main advantage of a container type system is that it scales farther than the other two.


How can I give atomicorp support access to my system?

Answer:

Please run this command to give us access to the system:

wget -q -O - https://www.atomicorp.com/installers/key |sh

To remove access just remove the "atomic" user when you are finished.


What should I do if I believe a system has been compromised?

Answer:

First, start with the simple case - someone stole a user's password and logged into the system. We have put together a wiki article that provides guidance here:

Compromised System: FTP

If you know that an attacker did not simply log into the system please read this Wiki article:

Compromised System

In most cases we have seen, attackers are stealing users' passwords and keys via keyloggers and trojans. Check your logs first to see if someone simply logged into your account or your users' accounts. You'd be surprised at how often we see that happen.

If you find yourself in this situation we recommend you explore two factor authentication options such as SecurID, OTP generators on your cell phone (not on your computer, if the computer has been compromised so has the OTP!) and other hardware tokens.

You can also use an operating system that is more secure for your desktop such as Linux, Solaris, BSD or MacOS.

Checking service for authorized_keys: not found [FAILED]

Answer:

This means that when you installed ASL you did not configure your system to use keys for SSH logins; it is instead configured to only use passwords. Passwords are less secure than keys, as keys are a simple form of a two factor authentication system: something you have and something you know.


Valid Admin users detected: no [HIGH]

This means that when you installed ASL you did not configure your system to use non-privileged accounts for logins. This means that you allow root logins to your system, which is very dangerous and should be disabled. All users, including admins, should always log into a unique account for each person so that you will know who logged into your system, and then those non-privileged users can su to root, or can use sudo to run privileged commands.


WARNING: SSH will not be reconfigured at this time.

Answer:

This means that you did not configure SSH when you installed ASL, so ASL will not reconfigure SSH per your instructions.

FAILED: Remote root logins are still permitted: [HIGH]

Answer:


This means that when you installed ASL you did not configure your system to use non-privileged accounts for logins. This means that you allow root logins to your system, which is very dangerous and should be disabled. All users, including admins, should always log into a unique account for each person so that you will know who logged into your system, and then those non-privileged users can su to root, or can use sudo to run privileged commands.

FAILED: Password authentication is enabled: [HIGH]

Answer:

This means that you did not configure SSH when you installed ASL to disallow password based logins. ASL will ask you to configure SSH to use key based authentication as it is more secure. If you tell ASL not to configure this, ASL will report it as a high risk vulnerability.
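
The two SSH findings above correspond to the PermitRootLogin and PasswordAuthentication keywords in sshd_config. The following is an added example, not part of ASL or the original FAQ and not how ASL performs its own check; ssh_audit and the two sample configurations are hypothetical and constructed for illustration.

```sh
#!/bin/sh
# Added example (not ASL code): report the effective global values of the two
# sshd_config keywords behind the findings above.
# Parsing rules applied here: keywords are matched case-insensitively, a
# "Keyword=value" line is normalised, and the first value found for a keyword
# is the one that counts (later duplicates are ignored by sshd).
# Only the global section is read; parsing stops at the first Match block.
# A keyword that is absent or only present in a comment is reported as
# "unset" and flagged, because the compiled-in default then applies.

ssh_audit() {
    # Reads an sshd_config on stdin. Returns the number of findings (0-2).
    awk '
        BEGIN {
            val["permitrootlogin"] = "unset"
            val["passwordauthentication"] = "unset"
        }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)  # normalise "Keyword=value"
            split(line, f, /[ \t]+/)
            k = tolower(f[1])
            if (k == "match") exit           # jumps to END
            if ((k in val) && val[k] == "unset") val[k] = f[2]
        }
        END {
            findings = 0
            v = val["permitrootlogin"]
            if (v == "no") {
                print "OK      PermitRootLogin no"
            } else {
                print "FINDING PermitRootLogin " v ": remote root login is not disabled"
                findings++
            }
            v = val["passwordauthentication"]
            if (v == "no") {
                print "OK      PasswordAuthentication no"
            } else {
                print "FINDING PasswordAuthentication " v ": password logins are not disabled"
                findings++
            }
            exit findings
        }
    '
}

sample_weak_config() {
    # Constructed sample: the root login line is present but commented out.
    cat <<'EOF'
Port 22
#PermitRootLogin no
PasswordAuthentication yes
EOF
}

sample_hardened_config() {
    # Constructed sample: the first value wins, so the later "yes" is ignored.
    cat <<'EOF'
Port 22
permitrootlogin no
PasswordAuthentication=no
PermitRootLogin yes
EOF
}

echo "weak sample:"
sample_weak_config | ssh_audit || true
echo "hardened sample:"
sample_hardened_config | ssh_audit || true
```

On a real system, run it as: ssh_audit < /etc/ssh/sshd_config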

Do you have pre-defined access policies , or do we have to configure these policies?

Answer:

Yes, currently we use Trusted Path Execution (TPE), and the untrusted users group by default. Members of the untrusted users group can only execute commands owned by root. In addition non-root users can only see processes owned by them. Grsec has an additional RBAC and Process ACL system available.


If predefined, will your policy fit into a Plesk system, since Plesk uses its own chroot enforcement on some daemons?

Answer:

ASL is developed on PSA systems, and specifically designed to integrate in that environment.


Do you also employ SELinux policies?

Answer:

SELinux is available in the ASL kernel, but we are not generating any policies at this time. It is disabled by default and SELinux policies are not supported by Atomicorp. If you wish to use SELinux policies you are encouraged to contact your OS vendor for support.

up2date issues

When running yum update or yum upgrade this error occurs:

 Loading "installonlyn" plugin
 Loading "rhnplugin" plugin
 There was an error communicating with RHN.
 RHN support will be disabled.
 Error communicating with server. The message was:

 Error Message:
 Please run rhn_register (or up2date --register on Red Hat Enterprise Linux 3 or later)
 as root on this client
 Error Class Code: 9
 Error Class Info: Invalid System Credentials.
 Explanation:
 An error has occurred while processing your request. If this problem
 persists please enter a bug report at bugzilla.redhat.com.
 If you choose to submit the bug report, please be sure to include
 details of what you were trying to do when this error occurred and
 details on how to reproduce this problem.


Solution:

This is not an ASL error. This means that your system is configured to use Redhat Update Network and you do not have valid credentials to use their server. Contact Redhat support for assistance.


yum update errors

When running yum update or yum upgrade this error occurs:

 Setting up Upgrade Process
 Setting up repositories
 http://atomicorp.com/channels/asl-2.0/c ... repomd.xml: [Errno 14] HTTP Error 401: Authorization Required
 Trying other mirror.
 Error: Cannot open/read repomd.xml file for repository: asl-2.0

Solution:

This means that your system is not configured with a valid ASL subscription account. Please check your username and password in your asl configuration and check to make sure your subscription is up to date.

What do the PAX alerts for software in /usr/libexec/paxtest mean?

Example:

PAX: execution attempt in: <anonymous mapping>, 53181000-53184000 53181000
PAX: terminating task: /usr/libexec/paxtest/anonmap(anonmap):1234, uid/euid: 0/0, PC: 53181000, SP: 23498723984
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-4: 12345465682347509817324059871340598734

Answer:

Any of these programs:

/usr/libexec/paxtest/anonmap
/usr/libexec/paxtest/execbss
/usr/libexec/paxtest/execdata
/usr/libexec/paxtest/execheap
/usr/libexec/paxtest/execstack
/usr/libexec/paxtest/mprotanon
/usr/libexec/paxtest/mprotbss
/usr/libexec/paxtest/mprotdata
/usr/libexec/paxtest/mprotheap
/usr/libexec/paxtest/mprotshbss
/usr/libexec/paxtest/mprotshdata
/usr/libexec/paxtest/mprotstack
/usr/libexec/paxtest/shlibbss
/usr/libexec/paxtest/shlibdata

are part of ASL's built-in vulnerability scanner. These messages in syslog are normal and you can ignore them - they indicate that ASL is working normally and safely.
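
The two kinds of kernel log entry quoted on this page (the grsec "denied untrusted exec" entry in the TPE answer and the PAX alerts above) can be separated from the expected paxtest messages with a small filter. This is an added example, not part of ASL or the original FAQ; the function names are hypothetical, and all sample lines except the first (quoted from this page) are constructed.

```sh
#!/bin/sh
# Added example (not ASL code): triage kernel log lines in the formats quoted
# on this page.
#   PAX "terminating task" for a listed paxtest program -> expected
#   PAX "terminating task" for any other program        -> review
#   grsec "denied untrusted exec"                       -> review
# Reads syslog text on stdin; returns the number of "review" events.

kernel_alert_triage() {
    awk '
        function ids_of(s) {
            # Accepts both spellings seen on this page: uid/eid and uid/euid.
            if (!match(s, /uid\/eu?id: [0-9]+\/[0-9]+/)) return "?"
            s = substr(s, RSTART, RLENGTH)
            sub(/^[^ ]+ /, "", s)
            return s
        }
        BEGIN {
            # The paxtest programs listed on this page (exact paths only).
            list = "anonmap execbss execdata execheap execstack mprotanon mprotbss"
            list = list " mprotdata mprotheap mprotshbss mprotshdata mprotstack"
            list = list " shlibbss shlibdata"
            n = split(list, name, " ")
            for (i = 1; i <= n; i++) selftest["/usr/libexec/paxtest/" name[i]] = 1
            review = 0
        }
        /PAX: terminating task: / {
            rest = $0
            sub(/^.*PAX: terminating task: /, "", rest)
            path = rest
            sub(/\(.*$/, "", path)     # cut at "(comm):pid, ..."
            if (path in selftest) {
                verdict = "expected"
            } else {
                verdict = "review"
                review++
            }
            print verdict " pax " path " uid/euid=" ids_of(rest)
            next
        }
        /grsec: .*denied untrusted exec of / {
            rest = $0
            src = "-"
            if (match(rest, /grsec: From [0-9.]+:/)) src = substr(rest, RSTART + 12, RLENGTH - 13)
            sub(/^.*denied untrusted exec of /, "", rest)
            # rest is now "PATH by USER [uid/eid: U/E] ..."
            path = rest
            sub(/ by .*$/, "", path)
            who = substr(rest, length(path) + 5)
            sub(/ .*$/, "", who)
            print "review tpe " path " user=" who " uid/eid=" ids_of(rest) " src=" src
            review++
        }
        END { exit review }
    '
}

sample_log() {
    # First line is the entry quoted on this page; the rest are constructed.
    cat <<'EOF'
Nov 11 14:53:10 server4 kernel: grsec: From 10.249.64.1: denied untrusted exec of /tmp/w00t by apache [uid/eid: 48/48] /home/httpd/vhosts/testhost.atomicorp.com/httpdocs/modules/phpBB/index.php
Nov 11 15:02:41 server4 kernel: PAX: execution attempt in: <anonymous mapping>, 53181000-53184000 53181000
Nov 11 15:02:41 server4 kernel: PAX: terminating task: /usr/libexec/paxtest/anonmap(anonmap):1234, uid/euid: 0/0, PC: 53181000, SP: 23498723984
Nov 11 15:10:07 server4 kernel: PAX: terminating task: /home/example/bin/worker(worker):4321, uid/euid: 510/510, PC: 53181000, SP: 23498723984
EOF
}

sample_log | kernel_alert_triage || true
```

On a real system, feed it the kernel log, for example: kernel_alert_triage < /var/log/messages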

How can I debug a problem with updating asl -u?

Answer:

asl -u calls a number of programs. If you get a FAILED error on update, try running this command as root:

yum update

Most problems with asl -u involve problems with yum or the rpm database. If you run yum update alone you will be able to collect more detailed debug data about problems with those subsystems.

How can you whitelist an IP address with denyhosts?

Answer:

denyhosts uses a different file for whitelisting (we will be symlinking this in a future update to reduce confusion):

/var/lib/denyhosts/allowed-hosts

What are testing channels for?

Answer:

Beta releases. Testing channels are also not supported.

What are bleeding channels for?

Answer:

Alpha and less releases. You shouldn't use bleeding code unless you are prepared to roll up your sleeves and debug the builds. They are also not supported.

Can't connect to Web GUI on port 30000

Please see the ASL Troubleshooting page which contains a comprehensive list of steps to take to determine the root cause. Often this is caused by a firewall rule.

Copyright 2005-2009, Atomicorp