ASL Lite

From Atomicorp Wiki

Introduction

Note: ASL Lite is End of Life and is no longer maintained.

Please use ASL or aum.

ASL Lite is a free, unsupported, lightweight rule updater and basic modsecurity setup project, designed specifically as an atomicorp.com mod_security rule downloader for custom Apache environments and for non-Apache or mixed web server deployments. It has been replaced by ASL and is no longer maintained or supported.

On a standard system it keeps the modsecurity rules at the current version automatically. On installation it attempts to determine whether modsecurity is installed on the system and, if so, which version is installed. If modsecurity is not installed it attempts to install it; if the installed version is out of date it attempts to upgrade it to the latest stable version.

ASL Lite offers a guided dialog, similar to the standard asl configuration, for defining a custom command to restart the web service, the location of configuration files, and use from cron. If you need a supported tool that configures, installs and manages modsecurity for you, please use ASL.

Installation

Note: ASL Lite is not supported and is no longer maintained. It has been replaced with aum.

Step 1) Run this command as root:

 wget -q -O - https://www.atomicorp.com/installer/asl-lite |sh

Step 2) Configure ASL Lite for your system

 asl-lite -c

Step 3) Make sure modsecurity is set up correctly

Please see the Atomic_ModSecurity_Rules page for configuration information. You must set up modsecurity exactly as described on that page; third-party modifications to modsecurity are not supported.

If you would like modsecurity set up for you automatically, please use ASL.

Step 4) Update your rules

 asl-lite -u

Notes

On package-managed systems, asl-lite installs a modsecurity build from the atomic yum repository at installation time. asl-lite does not update modsecurity automatically afterwards; it performs this action only on installation. ASL can maintain modsecurity automatically and upgrades it when necessary.

On non-package-managed systems, that is, systems with a source-compiled modsecurity (such as cPanel), asl-lite downloads the modsecurity source from the atomicorp repositories. It then checks that a valid compilation environment exists on the system and automatically downloads and installs the RPMs, components and libraries needed to compile modsecurity and its supporting libraries.

The update path for the rules has changed: you need to change www.atomicorp.com to updates.atomicorp.com.

Uninstalling

If your system uses package management, run this command as root:

 yum remove asl-lite

If your system does not use package management there is no automated uninstall; you will need to remove asl-lite manually. The default location for asl-lite is:

/var/asl/bin/asl-lite

Note: This will not disable the rules or disable modsecurity. To disable the rules, remove the Atomicorp rules you installed manually. To disable modsecurity, you will also need to remove your modsecurity configuration.

Using

Configure asl-lite

To configure or re-configure asl-lite, just run this command as root:

 asl-lite -c

Configuration Options

Username

This is your license manager username.

Password

This is your license manager password. If you do not remember your LM password, please visit this URL to change your LM password.

apache restart command

This is the command used to restart Apache on your system. modsecurity requires a full restart of Apache to load new rules, not a configuration reload: Apache's reload option will not load new rules, so you must restart Apache.

location to store rules

This is the location where asl-lite should install your new rules. It must be a directory that Apache can read, and it must be the location configured according to the instructions on the Atomic ModSecurity Rules page.

ASL Whitelist

Saying yes to this option enables the ASL whitelist rules. These rules let you completely trust an IP address, telling the WAF to ignore that IP entirely, neither alerting on its events nor stopping them.

Note: We recommend you disable this ruleset. Whitelisting hosts can be dangerous, and hosts should not be trusted unless you are certain they cannot be used to attack your system. In a shared hosting environment, never whitelist the server's own IP address or localhost: this would make it possible for local users and compromised accounts to be used to attack your server.

ASL Real-Time Blacklist

This rule family checks each incoming host to see whether it is on an RBL. By default only the Spamhaus XBL-SBL list is enabled. Several other RBLs are included in this rule file and must be enabled either in ASL (ASL generates this rule file) or, if you are not running ASL, manually.

If you use this ruleset, make sure you have a fast, locally caching DNS server. The ruleset queries Spamhaus for every incoming IP to see whether it is on a blacklist; if your DNS is slow (or not local) your system will seem to crawl, because Apache blocks the request until the DNS lookup finishes. If you do not have a fast and local DNS server, do not use this ruleset.
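An added check, not part of ASL Lite, for the caveat above: it builds the reversed-octet DNSBL query name the RBL lookup uses, verifies that every resolver in resolv.conf is on the local host, and times one lookup. The zone name zen.spamhaus.org is an assumption (the page does not name the zone), as is the presence of the dig tool.

```shell
#!/bin/sh
# Added example, not part of ASL Lite: check whether the resolver Apache will use
# for the RBL rules is local and fast enough before enabling the ruleset.
# Assumed: the Spamhaus zone name (the page does not give it) and that dig is installed.

RBL_ZONE="zen.spamhaus.org"

# Build the DNSBL query name for an IPv4 address: octets reversed, then the zone.
rbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Succeed only if every nameserver in the resolv.conf given as $1 is on the local host.
# A remote or ISP resolver means every incoming request waits on a network round trip.
resolver_is_local() {
    ! awk '$1 == "nameserver" && $2 !~ /^(127\.|::1$)/ { found = 1 } END { exit !found }' "$1"
}

# Time one RBL lookup through the system resolver; prints dig's reported query time in ms.
rbl_query_ms() {
    dig +time=2 +tries=1 "$(rbl_name "$1" "$RBL_ZONE")" A \
        | sed -n 's/^;; Query time: \([0-9]*\) msec$/\1/p'
}

# Usage: 127.0.0.2 is the address Spamhaus documents as always listed, so it
# exercises a full lookup without involving a real client address.
# resolver_is_local /etc/resolv.conf || echo "WARNING: resolver is not local; do not enable the RBL ruleset"
# echo "RBL lookup took $(rbl_query_ms 127.0.0.2) ms"
```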

ASL Upload Scanner

This option can not be enabled if you do not have ASL installed. This option requires ASL.

ASL Anti-Malware

Checks payloads and RFI contents for known malware sources and malware payloads, and blocks them.

ASL Generic Attack Detection

The main rule set contains all the generic security rules protecting against classes of attacks such as SQL injection, XSS, code injection, recursion, etc. These rules require modsecurity 2.6.3 or above.

ASL User Agents

Looks for malicious or suspicious user agents and known patterns of malicious activity.

ASL Anti-Spam

Tuned anti-spam rules, designed to work with all known blogs, forums, guestbooks, CMSs and other web content management systems that allow users to post content.

ASL Rootkits

Detects and blocks known rootkits, PHP/ASP/Perl shells, spam tools and other malicious web applications from running on the system. (These rules exist for cases where malicious software may already be installed on the system; this is a defense-in-depth rule set.)

ASL Recons

Blocks known "Google hacks" and web server probes that look for vulnerable applications, for signs of compromised systems running unauthorized shells, or for unprotected applications allowing uploads that would give an attacker access to the system.

ASL Just In Time Patches

Just In Time Patches. We publish JITPs daily when there is a new web application vulnerability that 10_asl_rules.conf does not protect the system against. These are tuned rules for specific vulnerabilities in a web application.

ASL Redactor

Part of the malicious code removal system. It automatically removes malicious code from web pages, such as hidden iframes, encoded JavaScript and other malicious code. Do not enable this ruleset if you are not using ASL or do not have mod_sed installed on your system. This is a special ruleset that ASL uses, and ASL will enable it if it needs it. mod_sed support for this ruleset will be discontinued in the future, so do not enable it if you are not using ASL.

Checking to see if updates are available

To see if updates are available, and to install them automatically, just run this command as root:

 asl-lite -u

If you just want asl-lite to check whether any updates are available, without installing them, run this command as root:

 asl-lite -ck

Manually updating your rules

To update your rules just run this command as root:

 asl-lite -u

Automatically updating your rules

We recommend you create a cron job to update the rules automatically. Your system only needs to update the rules every 24 hours; we do not recommend updating more often than this, as modsecurity requires Apache to be restarted whenever new rules are loaded.

Please contact your OS vendor for support with cron if you do not know how to use it.

A simple cron job to add would look like this (change HOUR and MINUTE to times that work for you):

MINUTE HOUR * * * /var/asl/bin/asl-lite -u

Output of asl-lite -u

When asl-lite runs it checks the status of a number of ASL components. If you have an ASL license it downloads all of them; if you only have an asl-lite license it downloads only the mod_security rules. The following is typical output of the updater:

 Checking for updates..
 ASL version is current: package asl is not installed [OK]
 APPINV rule updates are available: 201008021738 [INFO]
 CLAMAV rule updates are available: 201105101031 [INFO]
 GEOMAP rule updates are available: 201105100956 [INFO]
 Updating MODSEC to 201105101326: updated [OK]
 Stopping httpd: [ OK ]
 Starting httpd: [ OK ]
 OSSEC rule updates are available: 201105100943 [INFO]

[INFO] means that an update is available but your system does not have a license to download and install it. "updated" means that an update is available and has been installed on your system.

ASL Lite users should see a result similar to the above, where only the MODSEC rules are updated. ASL users will be able to update and install all the components (ASL, APPINV, CLAMAV, GEOMAP, MODSEC and OSSEC).
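An added example, not part of ASL Lite, that parses the updater output described above so the cron job from the previous section can tell an installed MODSEC update from a merely available one and confirm that Apache actually came back up after the restart (without that restart the old rules stay loaded). The sample output is constructed from the lines shown on this page; the log path and mail address in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not part of ASL Lite: summarise the status lines "asl-lite -u"
# prints and verify that a rule update was followed by a successful httpd restart.

# Constructed sample of the updater output shown on the page, one line per component.
SAMPLE_OUTPUT='Checking for updates..
ASL version is current: package asl is not installed [OK]
APPINV rule updates are available: 201008021738 [INFO]
CLAMAV rule updates are available: 201105101031 [INFO]
GEOMAP rule updates are available: 201105100956 [INFO]
Updating MODSEC to 201105101326: updated [OK]
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
OSSEC rule updates are available: 201105100943 [INFO]'

# Print "COMPONENT STATE VERSION" for each component line read on stdin:
# "installed" for "Updating X to V: updated [OK]" (licensed, now on the system),
# "unlicensed" for "X rule updates are available: V [INFO]" (available, not installed).
asl_lite_summary() {
    sed -n \
        -e 's/^Updating \([A-Z]*\) to \([0-9]*\): updated \[OK\]$/\1 installed \2/p' \
        -e 's/^\([A-Z]*\) rule updates are available: \([0-9]*\) \[INFO\]$/\1 unlicensed \2/p'
}

# Exit 0 if no MODSEC update happened, or if it happened and httpd was started again;
# exit 2 if rules were replaced but httpd did not start, since the new rules are then not loaded.
asl_lite_update_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Updating MODSEC to [0-9]*: updated \[OK\]$' || return 0
    printf '%s\n' "$out" | grep -q '^Starting httpd: \[ OK \]$' || return 2
}

# Cron-style usage with hypothetical log path and address:
# /var/asl/bin/asl-lite -u | tee /var/log/asl-lite-last.log | asl_lite_update_ok \
#   || mail -s "asl-lite: httpd failed to restart after rule update" admin@example.com < /var/log/asl-lite-last.log
```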
