Seeking Dazuko Information

spaceout
Forum Regular
Posts: 112
Joined: Wed Mar 19, 2008 10:22 pm

Seeking Dazuko Information

Post by spaceout

As I fully respect the opinions and experience of the ASL community members I was hoping on getting some general advice and information on using Dazuko. Successes? Failures?

A couple of quick questions off the top of my head...

Will it stop rootkits from being installed?

What are the recommended settings for /etc/asl/dazuko-include and /etc/asl/dazuko-exclude on a standard CentOS/Plesk/ASL box?

Do changes to those config files require a reboot each time?

Any information you can give about your experiences using it would be excellent.

Thanks!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Seeking Dazuko Information

Post by mikeshinn

My two cents (and I'm rushing out the door, so if I missed a point or misunderstood, let me know!):

Will it stop rootkits from being installed?

If you mean kernel-level rootkits, it might be able to stop them from being uploaded or opened, but only if they can be detected. So yes, it's helpful, but it's not the actual layer we use to stop rootkits. Kernel rootkits are best stopped with the hardened ASL kernel. The ASL kernel will stop rootkits from being installed if you configure ASL to lock the kernel (which is the default). So out of the box, ASL stops rootkits from being installed. You don't even need Dazuko to stop rootkits if you have the ASL kernel.

If you mean PHP shells and stuff like that, yes, Dazuko is a great tool, but for kernel rootkits alone it's not the solution. It might stop kernel-level rootkits, but that's not what we added it into ASL for. It's there to help prevent malicious things from running, and a good kernel-level rootkit attack can potentially get around that, which is why ASL has rootkit protections built into the kernel.

What are the recommended settings for /etc/asl/dazuko-include and /etc/asl/dazuko-exclude on a standard CentOS/Plesk/ASL box?

I recommend you set Dazuko to watch all your user-writable directories, such as:

/home
/tmp
/var/tmp
/var/www

Your statistics directories may generate false positives, however. We've tried to account for that in the ClamAV rules we include, and so far all the error_log false positives (malicious domains in the error_log, for example, used to generate FPs) have been accounted for. If you run into any, just let us know; it's pretty easy for us to tune the rules to ignore non-malicious events.

We don't recommend setting Dazuko to watch /bin and /usr because those are largely unnecessary. You need to become root to change those, and if the bad guys have root they can just disable Dazuko. ASL can also prevent this through the Role Based Access Control system, but that's an advanced option that we don't enable by default (you need to create your own policies to use it). It's like SELinux, except it has a self-learning mode, but you still need to tune it for your system.

So, I didn't want to get off on a tangent (RBAC good!), now back to Dazuko.

Do changes to those config files require a reboot each time?

No. Just a reload of clamd.
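A small sanity check in the spirit of the advice above, written as an added example for this thread (it is not code from the thread, from Atomicorp, or from ASL). It assumes that /etc/asl/dazuko-include and /etc/asl/dazuko-exclude hold one path per line with '#' comments; the lists below are constructed samples rather than the real files. It flags two things a reviewer of such a list would look for: watched paths that sit in root-only system trees (which, as the post says, add little because root can simply disable Dazuko), and included paths that are entirely swallowed by an exclude entry.

```sh
#!/bin/sh
# Added example for auditing a Dazuko include/exclude pair. Not ASL's own code.
# Assumed file format: one absolute path per line, '#' starts a comment.

# Constructed sample lists (in practice: cat /etc/asl/dazuko-include etc.).
SAMPLE_INCLUDE='/home
/tmp
/var/tmp
/var/www
/var/www/stats/logs   # shadowed by the exclude below
/usr                  # root-only tree, adds little'
SAMPLE_EXCLUDE='/var/www/stats'
GOOD_INCLUDE='/home
/tmp
/var/tmp
/var/www'

# list_paths LIST: print the paths in LIST, stripping comments and blank lines.
list_paths() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]*$//' | grep -v '^$' || true
}

# is_root_only PATH: true if PATH lies in a tree only root can modify.
is_root_only() {
    case "$1" in
        /bin|/bin/*|/sbin|/sbin/*|/usr|/usr/*|/lib|/lib/*|/lib64|/lib64/*|/boot|/boot/*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# audit_include INCLUDE_LIST EXCLUDE_LIST:
# prints one WARN line per finding; returns 0 when the pair looks sane, 1 otherwise.
audit_include() {
    include="$1"; exclude="$2"; status=0
    while read -r p; do
        [ -n "$p" ] || continue
        if is_root_only "$p"; then
            echo "WARN: $p is a root-only system tree; watching it adds little"
            status=1
        fi
        while read -r e; do
            [ -n "$e" ] || continue
            case "$p" in
                "$e"|"$e"/*)
                    echo "WARN: include $p is fully covered by exclude $e"
                    status=1 ;;
            esac
        done <<EXCL
$(list_paths "$exclude")
EXCL
    done <<INCL
$(list_paths "$include")
INCL
    return $status
}

# Run the audit on the constructed sample; real use would pass the file contents.
audit_include "$SAMPLE_INCLUDE" "$SAMPLE_EXCLUDE" || echo "review the warnings above"
```

The check is deliberately conservative: it only reports, never edits the lists, so the decision to drop or keep an entry (and the clamd reload the post mentions) stays with the administrator.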
spaceout
Forum Regular
Posts: 112
Joined: Wed Mar 19, 2008 10:22 pm

Re: Seeking Dazuko Information

Post by spaceout

Thanks, Michael. This is exactly the type of info I was hoping for. I have it up and running and everything seems to be working beautifully so far.

I've been hit twice now with the svh5 rootkit. The first time happened a couple of years ago and that's what first prompted me to start using ASL in the first place. The second time was a few days ago with ASL installed and I have yet to figure out exactly how they got in. I guess I was wondering if something like Dazuko might help guard against this.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Seeking Dazuko Information

Post by scott

In order for that one to be installed you'd have to have root credentials to the box. There's no exploit that would let you do it. My guess is that they've compromised your login to the system.