[asl-2.0] ASL 2.2.6 Release Announcement

We are proud to announce the latest release of our flagship Atomic Secured Linux product, the latest in unified threat management systems. Atomic Secured Linux(tm) is an out-of-the-box Unified Security Suite for Linux(tm) systems designed to protect your servers against both known and unknown threats. It is distributed through a subscription yum channel, ensuring that ASL is always kept up to date. Unlike other security solutions, ASL works by combining security at all layers, from the kernel all the way up to the application layer, to provide the most complete protection available for Linux servers, and helps to ensure that your system is compliant with commercial and government security standards. ASL includes the most hardened kernel on the market, automated system hardening techniques, userspace and host Intrusion Prevention Systems (IPS), malware/rootkit detection and elimination, blacklisting technologies and web application firewalling to protect multiuser and web application hosting environments like no other solution. ASL is uniquely effective at addressing emerging threats posed by vulnerabilities in today's complex systems and applications, such as web hosting environments, multiuser systems, CRMs, ERPs, forums, shopping carts, content management systems and custom applications. ASL

Release Notes:

This update adds support for the kernel-level anti-malware and anti-virus module, Dazuko. Dazuko implements real-time scanning and blocking on file open, close, access, or execute events. Aside from being considerably faster than a scheduled scan, this feature is intended to cover cases the existing scans do not, such as malware added to the system over SSH or other file sharing methods (NFS, GFS, SMB, etc.). It requires the kmod-dazuko or kmod-dazuko-PAE kernel module rpm to be installed on the system, and the ASL configuration setting "CLAMAV_ENABLE_DAZUKO" to be set to "yes". Graphical integration in ASL Web is planned for the next release.

This feature requires configuring two optional files:

/etc/asl/dazuko-include, a list of directories or filesystems to monitor with dazuko (note: do not list / here. Monitoring the whole tree is unnecessary on a Linux system and will break things; scanning /proc, for example, will break your system)
/etc/asl/dazuko-exclude, a list of directories to exclude from monitoring (/var/spool/qscan, for example)

Opening a file that has been identified as malware fails with a permission denied error, regardless of who attempts to open it.

Two additional template files have been added to this update:
/var/asl/data/templates/template-clamd.conf
/var/asl/data/templates/template-freshclam.conf

Changelog:

  • Support for Plesk 9.5
  • Added support for the dazuko anti-malware kernel module
  • Added detection for different userid environments for clamd (qscand, clamav, root)
  • Added new template files, template-clamd.conf, and template-freshclam.conf
  • Added init script for the asl-av (dazuko) module
  • Added support to the OSSEC updater to manage decoder.xml
  • Added support to manage the psa-proftpd user
  • Added some feedback to the user that clamav is restarting when it takes a long time
  • Added requires on vixie-cron for el4/el5 environments
  • Added diagnostic utility for support
  • Added WAF output redactor (MODSEC_99_REDACTOR)
  • Added vulnerability check for Active Response mode being disabled
  • Added requires on denyhosts 2.4-24, ossec 2.4.1-4, and conflicts on psa-proftp older than 1.3.3
  • Added sysctl disabling functionality to asl-mod; this is tied to the ALLOW_kmod_loading token.
  • Enabled safebrowsing by default in freshclam template
  • Feature Request #144, fix events that affect OSSEC will no longer reload/purge the active response list
  • Feature Request #327, RKHUNTER_SSH_ROOT_LOGIN has been deprecated, this check is always enabled
  • core ASL package upgrades will now force asl -s -f at the next available monitor event (hourly normally)
  • duplicate entries in whitelists will now be ignored.
  • Extended mysql 5.1 detection for plesk environments
  • Expanded deprecation module for denyhosts
  • general_check services are now sorted by default, removed a duplicate gpm check
  • rkhunter_check will now disable app scan checks by default


Bugfixes:

  • Bugfix #XXX, removed a duplicate ASL kernel detection message
  • Bugfix #XXX, for asl_user creation events
  • Bugfix #XXX, fix for detecting the mysql version in a non-psa environment
  • Bugfix #XXX, corrected a condition where disabled_modules would be attempted when the device did not exist.
  • Bugfix #XXX, other half of the “too many files” error from psa-proftpd.
  • Bugfix #311, psa_check will now correct a deprecated setting in psa-proftpd (Scoreboard) that would break session tracking
  • Bugfix #324, corrects a condition where non-modsecurity 403 errors were reported as "undefined"
  • Bugfix #344, detect proftp-tls/proftp-asl file contents and replace them if they are 0 length.


Upgrading to 2.2.6:


Step 1) yum upgrade asl asl-web


Step 2) yum install mod_sed


Optional: To use dazuko (ASL Kernel is required, 2.8.32.8 recommended)
Step 1) Install the kernel module
for 32-bit:
yum install kmod-dazuko

for 32-bit PAE:
yum install kmod-dazuko-PAE

for 64-bit:
yum install kmod-dazuko

Step 2) Upgrade ASL
yum upgrade asl asl-web

Step 3) Edit /etc/asl/dazuko-include, add directories to monitor
vim /etc/asl/dazuko-include
/home
/var/tmp

Step 4) Set “CLAMAV_ENABLE_DAZUKO”, and “CLAMAV_SCANON…” settings to “yes” in /etc/asl/config

Step 5) Update the policy. The dazuko module will not load at this point; a failure message is expected here because the running kernel does not allow modules to be loaded. Not to worry, the module will be loaded on reboot.
asl -s -f

Step 6) reboot
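The following helper script is an added example, not part of the ASL 2.2.6 release or the asl tooling itself. It covers the two optional files described in the release notes and Steps 3 and 4 of the procedure above: it checks a dazuko-include list for the entries the announcement warns against (/ itself, and anything under a virtual filesystem such as /proc) and sets a config token without creating duplicate lines. It assumes one absolute path per line in dazuko-include and KEY="value" lines in /etc/asl/config; both are assumptions about the file formats, so run it against copies first. The /sys and /dev entries in the forbidden list are added by analogy with the /proc warning and are not from the announcement.

```shell
#!/bin/sh
# Added example; not part of ASL 2.2.6 or the asl tooling.
# Assumptions: /etc/asl/dazuko-include holds one absolute path per line
# (blank lines and # comments ignored), and /etc/asl/config holds
# KEY="value" tokens, one per line. Both are assumptions about the file
# formats, so point the helpers at copies before touching the live files.

# Virtual filesystems that must never be monitored. The announcement
# names /proc; /sys and /dev are added here by analogy.
DAZUKO_FORBIDDEN="/proc /sys /dev"

# validate_dazuko_include FILE
# Prints one diagnostic per bad entry; returns 1 if any were found, else 0.
validate_dazuko_include() {
    file=$1
    bad=0
    lineno=0
    while IFS= read -r path || [ -n "$path" ]; do
        lineno=$((lineno + 1))
        case "$path" in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        trimmed=${path%/}                   # "/home/" and "/home" are the same dir
        if [ -z "$trimmed" ]; then trimmed=/; fi
        if [ "$trimmed" = / ]; then
            echo "$file:$lineno: refusing / (it includes /proc, /sys and everything else)"
            bad=1
            continue
        fi
        case "$trimmed" in
            /*) ;;
            *)  echo "$file:$lineno: '$path' is not an absolute path"
                bad=1
                continue ;;
        esac
        for vfs in $DAZUKO_FORBIDDEN; do
            case "$trimmed" in
                "$vfs"|"$vfs"/*)
                    echo "$file:$lineno: '$path' is under virtual filesystem $vfs"
                    bad=1 ;;
            esac
        done
    done < "$file"
    return $bad
}

# set_asl_token CONFIG KEY VALUE
# Sets KEY="VALUE", replacing an existing line or appending one, so it is
# safe to run repeatedly (no duplicate tokens).
set_asl_token() {
    cfg=$1 key=$2 val=$3
    if grep -q "^${key}=" "$cfg"; then
        # Go through a temp file: sed -i syntax differs between GNU and BSD sed.
        sed "s|^${key}=.*|${key}=\"${val}\"|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s="%s"\n' "$key" "$val" >> "$cfg"
    fi
}

# get_asl_token CONFIG KEY
# Prints the value of KEY with the surrounding quotes stripped.
get_asl_token() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p" "$1"
}

# Walk through Steps 3 and 4 on constructed copies of the two files.
demo_dazuko_config() {
    tmp=$(mktemp -d)
    printf '/home\n/var/tmp\n' > "$tmp/dazuko-include"
    printf 'ALLOW_kmod_loading="no"\n' > "$tmp/config"
    if validate_dazuko_include "$tmp/dazuko-include"; then
        set_asl_token "$tmp/config" CLAMAV_ENABLE_DAZUKO yes
        echo "CLAMAV_ENABLE_DAZUKO=$(get_asl_token "$tmp/config" CLAMAV_ENABLE_DAZUKO)"
    fi
    rm -rf "$tmp"
}

# Run "sh thisfile.sh demo" to see the walk-through on temporary copies.
if [ "${1-}" = demo ]; then demo_dazuko_config; fi
```

Run validate_dazuko_include against /etc/asl/dazuko-include before the `asl -s -f` in Step 5; a non-zero exit means one of the entries would hand dazuko a tree the announcement says not to scan.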
