This is the first Draft for the ASL 3.0 Release candidate which we should be releasing shortly. I'm sure I missed things in this!
ASL 3.0.0-0.rc1 Release Candidate #1
+ support for Cloudlinux 5
+ support for Scientific Linux 5 & 6
+ support for Red Hat Enterprise Linux 6
+ support for Xen virtualization (as a guest OS)
+ support for directadmin environments
+ support for cpanel environments
+ Firewall Rule Management system, this is an advanced interface for the first phase of firewall rule management.
+ HIDS (Host Based Intrusion Detection) Rule Manager:
* List rules by ID, or Category
* Modify the Active Response policy globally or per rule
* Change Severity Level per rule
* Activate/Deactivate Logging per rule
* Enable/Disable Email alerts per rule
+ WAF (Web Application Firewall) Rule Management, rules can now be
enabled/disabled globally or by virtual domain. Additionally rules can now be
set at different severity levels, and have their base response policy elements
modified to include shunning, email alerts, and logging.
+ Repeat Offendor blocking, block times will now increase based on a user
defined setting (Default x2 of block time) each time they return.
+ File Integity management system:
* Interface allows for list or tree view sorting.
* "Notify" lists, this allows notifications to be sent to different email addresses for change alerts to different files.
* "Watch" configuration, allows for the definition of what files or
directories the system will monitor for changes. Configuration options
allow for real-time monitoring, user/group ownership changes,
permissions, checksum, and diff reporting. Diff reporting will include
the changes made to the file in the body of the alert message for
* "Ignore" lists, allows for files or directories to be explicitly
ignored from monitoring.
+ Event Manager:
* lists agent source for events
* Allows for searching for any string in the data field
* Ties directly into the rule manager
* Supports False Positve & False Negative reporting
+ Reports, this is the first phase of the report manager, it currently
includes reports for:
* Failed logins in the last 24 hours, 72 hours, and 30 days
* Top Stats; Events by Level, Alerts in the last 24 hours, and Top
alerts in the full history
* Top Web Attackers in the last 24 hours, and the total number of
attacks in the last 7 days
+ ASL Web User Manager:
* Role Based Access control for ASL Web Users
* Audits logins by ASL Web users
* Role Manager allows for setting what components an ASL Web user can
have access to. Including View Only and Modify options
+ Added kernel policy settings for:
* Trusted Path Execution
* Enable/Disable Privileged IO
* Audit Mount, Chdir, Ptrace, and Text relocation events
* Control Chroot permissions on chmod, chroot, fchdir, capabilities,
mknod, mount, sysctl, nice and findtask
* Audit exec() events inside a chroot
* Audit exec() activity by userid
* Control "Server" class users, users in this group can only act as
servers (IE: no outbound connections allowed)
* Control "Client" class users, users in this grop can only access as
clients (IE: cannot create services for inbound connections)
* Control "Socket" class users, users in this group can act as neither
clients nor servers.
+ Added asl-kernel init script to manage kernel settings
+ Blocklist now associates a block with the Alert that triggered the block.
+ New ASL Dashboard consolidates Attack & Event summary, Module Status, Load monitor and RSS feed.
+ Add False Negative and False Positive reporting to HIDS events
+ Feature Request #415, Add support for SSL settings in Plesk 9.0
+ Feature Request #455, add vhost option when enabling rules
+ Feature request #499, use of localhost is converted to 127.0.0.1 for conditions where /etc/hosts is mangeled.
+ Feature Request #512, Add support for disabling ftp_exec, curl_exec, and curl_multi_exec PHP functions
+ Feature Request #XXX, add the --force-update / -uf flag to force a rule update from the comand line
+ Feature Request #XXX, HIDS updates will be forced if the complete decoder list is not detected.
= ASL Web, asl-web-setup has been retired, by default the ASL Username &
Password will be the login to ASL Web.
= ASL Web, rule ID's are now linked to documentation
= All http connections that include the ASL username & password have been
converted to https.
= HIDS now uses a directory based rule management structure similiar to the apache conf.d design.
= Updated psa_check to look for Vulnerability SA42052 in psa-proftpd
= Added Vulnerability data for http://secunia.com/advisories/42052/
= Proftpd clamav support checks much improved
= waf module now supports SecReadStateLimit, and setting the SecEngine to "DetectionOnly"
= waf_module now generates the default waf config file: /etc/httpd/modsecurity.d/tortix_waf.conf
= waf_module now associates specific rules to the minimum version of
mod_security required to support them. Environments that do not meet these
requirements defined in the rule will not have the ruleset applied in an
= waf_module, rule updates will now roll back to the last known working copy
if an update fails configtest
= Vulnerability report now sorts risks by importance.
= /etc/asl/disabled_signatures and /etc/asl/disabled_vhost_signatures have
been deprecated. They are now replaced by /etc/asl/rules
= Performance improvements to the Application Inventory system.
= ASL database setup event now supports blank password fields.
= php_checks, add detection for PHP 5.3
= psa_checks, add the ability to disable the Plesk crontabmng (PSA_DISABLE_CRONTAB)
= databae-setup will now detect skip-networking conditions that would break
the HIDS connector
= Added an abbreviated CLI false positive reportig flag: -rfp
= Added EOL check for fedora 12
= All apache restart events default to "graceful"
= Rules are now purged from /etc/httpd/modsecurity.d/ on an update if they are
- Bugfix #314, /etc/alternatives/mta-sendmail will now be linked to /etc/alternatives/mta if it does not exist
- Bugfix #385, App inventory can now handle directories with spaces
- Bugfix #405, removed duplicate instances of ASL_WEB_CONFIGURED
- Bugfix #406, remove all references to denyhosts
- Bugfix #453, OSSEC_SHUN_ENABLE_TIMEOUT is set to NO ossec will now restart properly
- Bugfix #457- enabling a rule leaves no longer leaves blank lines and empty statements
- Bugfix #539, #577: Update /dev to support RTC on newer kernels
- Bugfix #XXX, this will properly evaluate an asl.lock file as numeric. If detected as non-numeric, it will assume it is stale and remove the lock.
- Bugfix #XXX, for adding client keys in "agent" mode.
- Bugfix #XXX, add graceful to the APACHE_RESTART options
- Bugfix #XXX, Retired kernel check, set firstboot to disable itself if something fails. This prevents reboot loops.