Using ASL Kernel but still get Kernel-check warnings.

bananapar
Forum User
Posts: 38
Joined: Fri Jul 23, 2010 10:03 am
Location: UK


Unread post by bananapar »

After recently acquiring a new server, we installed ASL. After booting into the ASL kernel and setting it as a default we still get kernel check warnings.
asl -f does nothing to fix this. Any suggestions? A couple of things such as popen that can be changed from the control panel are left as is due to requirements of other software on the server.

We are using CentOS 5 x86_64 and also have plesk CP 10 installed.

The entire output of asl -a -f is below:
Asl kernel detected OK
Runtime module loading disabled OK
Grsecurity administrative password not set INFO
Grsecurity acl database not found INFO
Executable anonymous mapping yes HIGH
Executable bss yes HIGH
Executable data yes HIGH
Executable heap yes HIGH
Executable stack yes HIGH
Executable anonymous mapping (mprotect) yes HIGH
Executable bss (mprotect) yes HIGH
Executable data (mprotect) yes HIGH
Executable heap (mprotect) yes HIGH
Executable shared library bss (mprotect) yes HIGH
Executable shared library data (mprotect) yes HIGH
Executable stack (mprotect) yes HIGH
Anonymous mapping randomisation test no OK
Heap randomisation test (et_exec) no OK
Heap randomisation test (et_dyn) no OK
Main executable randomisation (et_exec) no OK
Shared library randomisation test no OK
Stack randomisation test (segmexec) no OK
Stack randomisation test (pageexec) no OK
Executable shared library bss yes HIGH
Executable shared library data yes HIGH
Writable text segments no OK
Checking General security settings
Checking for unnecessary services
Service apmd disabled OK
Service autofs disabled OK
Service avahi-daemon disabled OK
Service bluetooth disabled OK
Service cups disabled OK
Service gpm disabled OK
Service haldaemon disabled OK
Service hidd disabled OK
Service hplip disabled OK
Service isdn disabled OK
Service kdump disabled OK
Service mcstrans disabled OK
Service messagebus disabled OK
Service nfs disabled OK
Service nfslock disabled OK
Service pcscd disabled OK
Service portmap disabled OK
Service rpcidmapd disabled OK
Service xfs disabled OK
Service x11 disabled OK
Checking for End of Life (EOL) operating systems
Centos/5 Supported OK
Checking for updater yum detected OK
Checking for updates system is up to date OK
Checking General Plesk settings
Plesk sql injection vulnerability sa26741 not detected OK
Horde turba vulnerability cve-2008-0807 not detected OK
Horde vulnerability sa28382 not detected OK
Horde turba vulnerability sa28382 not detected OK
Horde mnemo vulnerability sa28382 not detected OK
Horde kronolith vulnerability sa28382 not detected OK
Horde vulnerability cve-2007-6018 not detected OK
Horde vulnerability cve-2008-1284 not detected OK
Horde kronolith vulnerabilty bugtraqid 28898 not detected OK
Proftp vulnerability sa33842 not detected OK
Verify tls enabled in proftp enabled OK
Verify clamav enabled in proftp enabled OK
Set proftp scoreboard to default yes OK
Checking for weak smtp_auth passwords 0 found OK
Verify sslv2 disabled in qmail verified OK
Verify sslv2 disabled in courier imap verified OK
Verify sslv2 disabled in courier pop3d verified OK
Verify expose_php set to off OK
Checking psmon settings
Checking for psmon installation installed OK
Psmon set to enabled OK
Notifications to disabled OK
Checking System services monitored by psmon
Clamd monitored OK
Courier-imap monitored OK
Crond monitored OK
Mysqld monitored OK
Sshd monitored OK
Xinetd monitored OK
Ossec-dbd monitored OK
Stopping psmon: [ OK ]
Starting psmon: [ OK ]
Checking ossec-hids settings
Checking for ossec-hids installation installed OK
Ossec-hids set to enabled OK
OSSEC is configured in server mode.
Checking for server installation installed OK
Email notification disabled OK
Active response enabled OK
Active response timeout 600 OK
Verifying OSSEC whitelists
Checking 109.224.207.40 OK
Checking 127.0.0.1 OK
Excessive whitelists not detected 2 OK
Checking for monitored log files
/var/log/messages monitored OK
/var/log/secure monitored OK
/var/log/maillog monitored OK
/var/log/psa/maillog monitored OK
/var/log/httpd/access_log monitored OK
/var/log/httpd/audit_log monitored OK
/var/log/httpd/error_log monitored OK
/var/log/mysqld.log monitored OK
Reloading ossec-hids: [ OK ]
Checking rkhunter settings
Checking for rkhunter installation installed OK
Rkhunter set to enabled OK
Notifications sent to office@emailitis.com OK
Detected Plesk Environment
Ftp_psa enabled OK
Poppassd_psa enabled OK
Smtp_psa enabled OK
Smtps_psa enabled OK
Submission_psa enabled OK
Checking ssh settings
Enforce protocol version 2 OK
Strict modes enabled yes OK
Ignore .rhosts yes OK
Enable public key authentication for users yes OK
Checking Admin users
Valid admin users detected no HIGH
WARNING: SSH will not be reconfigured at this time.
Valid admin users detected HIGH
Failed Password authentication is enabled HIGH
Enable privilege separation yes OK
Allow gssapiauthentication no OK
Allow gssapicleanupcredentials no OK
Ssh banner /etc/asl/banner OK
Checking httpd settings
Verify http trace disabled verified OK
Verify sslv2 disabled verified OK
Checking mod_evasive settings
Checking for mod_evasive installation installed OK
Mod_evasive set to enabled OK
Doshashtablesize set to 4096 OK
Dospagecount set to 5 OK
Dossitecount set to 200 OK
Dospageinterval set to 2 OK
Dossiteinterval set to 2 OK
Dosblockingperiod set to 25 OK
Checking mod_security settings
Checking for mod_security installation installed OK
Mod_security set to enabled OK
Server signature set to Apache OK
Secuploaddir set to /var/asl/data/suspicious OK
Secuploadkeepfiles set to off OK
Logfile set to audit_log OK
Logging set to Concurrent OK
Audit logging to /var/asl/data/audit OK
Logging elements set to ABIFHZ OK
Secrequestbodyinmemorylimit set to 131072 OK
Secrequestbodylimit set to 134217728 OK
Secresponsebodylimit set to 2621440 OK
Secresponsebodylimitaction set to ProcessPartial OK
Enable debug log no OK
Secdatadir set to /var/asl/data/msa OK
Sectmpdir set to /tmp OK
Checking rule class settings
Rbl checks off LOW
Upload scanner ruleset on OK
Anti-malware ruleset on OK
Generic attack ruleset on OK
Malicious useragents ruleset on OK
Anti-spam ruleset on OK
Rootkit ruleset on OK
Recon ruleset on OK
Just in time patches on OK
Redactor off INFO
Whitelist off OK
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Checking php settings
Checking for php installation installed OK
Php safe mode enabled MODERATE
Register globals no OK
Allow url fopen yes FIXED
Checking for High-Risk functions
Function dl not allowed OK
Function exec allowed HIGH
Function passthru not allowed OK
Function pcntl_exec not allowed OK
Function pfsockopen not allowed OK
Function popen allowed HIGH
Function posix_kill not allowed OK
Function posix_mkfifo not allowed OK
Function posix_setuid not allowed OK
Function proc_close not allowed OK
Function proc_open not allowed OK
Function proc_terminate not allowed OK
Function shell_exec not allowed OK
Function system not allowed OK
Checking for Moderate-Risk functions
Function leak not allowed OK
Function posix_setpgid not allowed OK
Function posix_setsid not allowed OK
Function proc_get_status not allowed OK
Function proc_nice not allowed OK
Function show_source not allowed OK
Checking for Low-Risk functions
Function escapeshellcmd allowed LOW
Function phpinfo not allowed OK
Checking executable stack flag on PHP extensions
/usr/lib64/php/modules/ioncube_loader_lin_5.1.so OK
Restarting clamav, this could take a moment...
Checking clamav settings
Checking for clamav installation installed OK
Clamav set to enabled OK
Clamd listen address 127.0.0.1 OK
Clamd log to syslog yes OK
Clamav is in: application-only mode
Stopping Clam AntiVirus Daemon: [ OK ]
Starting Clam AntiVirus Daemon: [ OK ]
Generating Report: Complete
I am currently looking into fixing these issues myself over the command line.
Last edited by bananapar on Fri May 06, 2011 7:23 am, edited 1 time in total.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Using ASL Kernel but still get Kernel-check warnings.

Unread post by scott »

Any chance you've disabled the NX setting in your BIOS?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Using ASL Kernel but still get Kernel-check warnings.

Unread post by mikeshinn »

Exactly, the scanner doesn't lie: if the CPU is configured to not support NX then you're gonna have holes.
bananapar
Forum User
Posts: 38
Joined: Fri Jul 23, 2010 10:03 am
Location: UK

Re: Using ASL Kernel but still get Kernel-check warnings.

Unread post by bananapar »

I'm not entirely sure what I'm looking for here but "egrep '^flags' /proc/cpuinfo | uniq" gives
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall lm constant_tsc arch_perfmon pebs bts rep_good aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm dca lahf_lm tpr_shadow
pae is mentioned but not nx
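The check bananapar ran by hand can be scripted. The following is an added example, not code from the thread or from Atomicorp: it looks only at the "flags" lines of /proc/cpuinfo-style text and matches whole words, so that "nx" is not confused with flags such as "lahf_lm" or "cx16". It also separates the HIGH findings in the asl -a -f report above into the "Executable ..." class, which are the PaX checks that cannot pass without the NX bit, and everything else (the SSH and PHP findings), which must be fixed separately. Both sample inputs are constructed from the text posted in this thread; on a real host you would pass "$(cat /proc/cpuinfo)" and the saved report instead.

```shell
#!/bin/sh
# Added example (not from the forum post): does the CPU advertise NX, and
# which HIGH findings in the ASL report are explained by its absence?

# Constructed sample: the flags line posted in the thread, nx absent.
SAMPLE_CPUINFO_NO_NX='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall lm constant_tsc arch_perfmon pebs bts rep_good aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm dca lahf_lm tpr_shadow'

# Constructed sample of a CPU that does expose the nx flag.
SAMPLE_CPUINFO_NX='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc'

# Constructed excerpt of the asl -a -f output from the first post.
SAMPLE_ASL_REPORT='Asl kernel detected OK
Runtime module loading disabled OK
Executable anonymous mapping yes HIGH
Executable bss yes HIGH
Executable stack yes HIGH
Executable stack (mprotect) yes HIGH
Anonymous mapping randomisation test no OK
Writable text segments no OK
Valid admin users detected no HIGH
Function exec allowed HIGH
Rbl checks off LOW
Php safe mode enabled MODERATE'

# has_cpu_flag FLAG CPUINFO_TEXT -> prints "yes" or "no".
# Only "flags" lines are inspected; the text before the colon is dropped
# and each remaining field is compared as a whole word.
has_cpu_flag() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^flags[[:space:]]*:/ {
            sub(/^[^:]*:/, "")
            for (i = 1; i <= NF; i++) if ($i == want) found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# count_findings SEVERITY REPORT_TEXT -> number of report lines whose
# last field is that severity (OK, INFO, LOW, MODERATE, HIGH).
count_findings() {
    printf '%s\n' "$2" | awk -v sev="$1" '$NF == sev { n++ } END { print n + 0 }'
}

# count_exec_findings REPORT_TEXT -> HIGH lines from the PaX "Executable ..."
# checks; these are the ones that depend on the CPU exposing NX.
count_exec_findings() {
    printf '%s\n' "$1" | awk '/^Executable / && $NF == "HIGH" { n++ } END { print n + 0 }'
}

# other_high_findings REPORT_TEXT -> HIGH lines NOT explained by missing NX.
other_high_findings() {
    printf '%s\n' "$1" | awk '$NF == "HIGH" && !/^Executable /'
}

# summarize CPUINFO_TEXT REPORT_TEXT -> human-readable triage of the report.
summarize() {
    nx=$(has_cpu_flag nx "$1")
    echo "CPU exposes nx flag: $nx"
    echo "HIGH findings total: $(count_findings HIGH "$2")"
    echo "  of which NX-dependent (Executable ...): $(count_exec_findings "$2")"
    echo "  remaining HIGH findings to fix separately:"
    other_high_findings "$2" | sed 's/^/    /'
}

summarize "$SAMPLE_CPUINFO_NO_NX" "$SAMPLE_ASL_REPORT"
```

If has_cpu_flag reports "no" for nx while the processor model is known to support it, the flag has been masked below the kernel, which is exactly the BIOS setting scott points to; the kernel cannot enforce non-executable pages without it, so the "Executable ..." lines will stay HIGH until firmware is changed.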
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Using ASL Kernel but still get Kernel-check warnings.

Unread post by scott »

Yup, NX is turned off in your BIOS.
bananapar
Forum User
Posts: 38
Joined: Fri Jul 23, 2010 10:03 am
Location: UK

Re: Using ASL Kernel but still get Kernel-check warnings.

Unread post by bananapar »

We haven't disabled it ourselves, so it must have been default/configured by the company we received our server from.
I guess I better work out if I can enable it remotely or live with it for now.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Using ASL Kernel but still get Kernel-check warnings.

Unread post by scott »

That's not the first time I've seen a provider do that. Ask me how I know :P