ASL Status & vulnerability detail

[coolemail]

Can anyone help? I have some outstanding things showing in the vulnerability list:

Critical Risk: Un-Applied updates for your system were detected. A full list of available updates is available in /var/asl/data/updates_pending.log
Critical Risk: ASL is in warn-only mode for detecting and disabling dangerous PHP functions.
High Risk: Kernel check, Main executable randomization (ET_EXEC) failed
High Risk: Allow URL Include is enabled. This allows an attacker to remotely include files into PHP scripts through urls.
High Risk: PHP function exec() allows an attacker to execute shell commands through php.
High Risk: PHP Function popen() allows attacker to execute commands on a system.
High Risk: SSH No Administrative users are defined: Administrative users are the users that maintain this system, that should su or sudo to root. This test verifies that administrative users are defined. It is not recommended to manage the system by directly logging in as root.
High Risk: SSH setting: Password Authentication is allowed. Passwords are easily compromised, lost, and are a poor security model. Implement two factor authentication with SSH keys.
High Risk: SSH setting: The system allows remote root logins

On the first critical one, the list is as shown below. I have rebooted from the Plesk CP, and the list remains the same. Am I being silly?

[root@plesk2 ~]# cat /var/asl/data/updates_pending.log
dbus-python.x86_64 0.70-9.el5_4 updates
httpd.x86_64 2.2.3-31.el5.centos.2 updates
httpd-devel.x86_64 2.2.3-31.el5.centos.2 updates
httpd-manual.x86_64 2.2.3-31.el5.centos.2 updates
libvorbis.i386 1:1.1.2-3.el5_4.4 updates
libvorbis.x86_64 1:1.1.2-3.el5_4.4 updates
libvorbis-devel.i386 1:1.1.2-3.el5_4.4 updates
libvorbis-devel.x86_64 1:1.1.2-3.el5_4.4 updates
mod_ssl.x86_64 1:2.2.3-31.el5.centos.2 updates
[root@plesk2 ~]#

and can someone advise on best practice for the other critical and high vulnerable issues on whether I should change them.

Thanks, as ever, in advance.

[biggles]

What kind of platform are you running? VPS?

[coolemail]

Thanks Biggles,
Physical, dedicated server with Plesk 9.2, ASL 2.2, CentOS 5.2

[breun]

Thanks Biggles,
Physical, dedicated server with Plesk 9.2, ASL 2.2, CentOS 5.2

The current version of CentOS 5 is 5.4, I recommend applying the updates.

[biggles]

And after that, the wiki has a few suggestions: http://www.atomicorp.com/wiki/index.php/ASL_FAQ

and asl -s -f might fix a few...

[mikeshinn]

Critical Risk: Un-Applied updates for your system were detected. A full list of available updates is available in /var/asl/data/updates_pending.log

This means that your system is missing updates that have been released by the OS vendor.

Critical Risk: ASL is in warn-only mode for detecting and disabling dangerous PHP functions.

This means that ASL will only warn you about vulnerable configurations of PHP and ASL will not fix those vulnerabilities.

High Risk: Kernel check, Main executable randomization (ET_EXEC) failed

Ignore this. This will be removed in future tests, its not needed anymore.

High Risk: Allow URL Include is enabled. This allows an attacker to remotely include files into PHP scripts through urls.

Big hole in PHP. ASL will try to protect you from this, but its better to let ASL close this hole. You can do this by changing PHP_CHECKS to "yes". These are the other recommended settings:

PHP_SAFE_MODE="yes"

You may not be able to use on all systems - and it has limited utility, its also going away in PHP 6. The rest are pretty big.

PHP_REGISTER_GLOBALS="off"
PHP_URL_FOPEN="off"
PHP_URL_INCLUDE="off"
PHP_MAGIC_QUOTES_GPC="on"
PHP_MAGIC_QUOTES_RUNTIME="on"
ALLOW_dl="no"
ALLOW_escapeshellcmd="no"
ALLOW_exec="no"
ALLOW_leak="no"
ALLOW_passthru="no"
ALLOW_pfsockopen="no"
ALLOW_phpinfo="yes"
ALLOW_popen="no"
ALLOW_posix_kill="no"
ALLOW_posix_mkfifo="no"
ALLOW_posix_setpgid="no"
ALLOW_posix_setsid="no"
ALLOW_posix_setuid="no"
ALLOW_proc_close="no"
ALLOW_proc_get_status="no"
ALLOW_proc_nice="no"
ALLOW_proc_open="no"
ALLOW_proc_terminate="no"
ALLOW_shell_exec="no"
ALLOW_show_source="no"
ALLOW_system="no"

High Risk: PHP function exec() allows an attacker to execute shell commands through php.

See above. It means PHP is configured to allow people to use the exec function, which creates a big hole in your system.

High Risk: PHP Function popen() allows attacker to execute commands on a system.

Same thing.

High Risk: SSH No Administrative users are defined: Administrative users are the users that maintain this system, that should su or sudo to root. This test verifies that administrative users are defined. It is not recommended to manage the system by directly logging in as root.

This means anyone can ssh into the system. Unless you allow all your users to SSH in you want to setup a list of authorized users.

High Risk: SSH setting: Password Authentication is allowed. Passwords are easily compromised, lost, and are a poor security model. Implement two factor authentication with SSH keys.

Single factor authentication, just username/password is risky. It means one use with a weak password will allow a bad guy to log onto your system. You should use keys if you are concerned about bad passwords.

High Risk: SSH setting: The system allows remote root logins

Allowing root logins is a bad idea. You have no accountability of who logs in. Turn off root logins and make everyone su to root.

[coolemail]

I'm getting confused results. Do I have to reboot the whole server when ASL changes are made? I changed:
PHP_CHECKS to "yes" (I think all others were as I was told they should be by Mike). Then updated the ASL from the web GUI, then restarted Apache.

Then Horde webmail was not sending. So I checked php.ini and removed "popen" and "exec" which had appeared there, despite ASL suggesting that they should not. But a check of that file suggests that "escapeshellcmd" is also there:

Code: Select all

[root@plesk2 ~]# grep -i disable_functions /etc/php.ini
disable_functions =  , dl  , passthru , pfsockopen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , leak , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source , escapeshellcmd
[root@plesk2 ~]# 

But when I go to edit php.ini, escapeshellcmd is definitely not there and the line ends after show_source!!!!

ASL scan gives:

Starting Atomic Secured Linux scan, please be patient...
Checking Kernel security settings
ASL kernel detected
ASL kernel Ok
Runtime module loading Ok
GRsecurity administrative password Info
GRsecurity ACL database Info
Executable anonymous mapping Ok
Executable bss Ok
Executable data Ok
Executable heap Ok
Executable stack Ok
Executable anonymous mapping (mprotect) Ok
Executable bss (mprotect) Ok
Executable data (mprotect) Ok
Executable heap (mprotect) Ok
Executable shared library bss (mprotect) Ok
Executable shared library data (mprotect) Ok
Executable stack (mprotect) Ok
Anonymous mapping randomisation test Ok
Heap randomisation test (ET_EXEC) Ok
Heap randomisation test (ET_DYN) Ok
Main executable randomisation (ET_EXEC) High
Shared library randomisation test Ok
Stack randomisation test (SEGMEXEC) Ok
Stack randomisation test (PAGEEXEC) Ok
Executable shared library bss Ok
Executable shared library data Ok
Writable text segments Ok
Checking General security settings
Checking for unnecessary services
Service portmap Ok
Service nfs Ok
Service nfslock Ok
Service rpcidmapd Ok
Service cups Ok
Service gpm Ok
Service xfs Ok
Service pcscd Ok
Service mcstrans Ok
Service kdump Ok
Service isdn Ok
Service hplip Ok
Service hidd Ok
Service messagebus Ok
Service haldaemon Ok
Service gpm Ok
Service bluetooth Ok
Service avahi-daemon Ok
Service autofs Ok
Service apmd Ok
Service X11 Ok
Checking for End of Life (EOL) operating systems
centos/5 Ok
Checking for updater Ok
Checking for updates Ok
Checking General Plesk settings
Plesk SQL Injection vulnerability SA26741 Ok
Horde Turba Vulnerability CVE-2008-0807 Ok
Horde Vulnerability SA28382 Ok
Horde Turba Vulnerability SA28382 Ok
Horde Mnemo Vulnerability SA28382 Ok
Horde Kronolith Vulnerability SA28382 Ok
Horde Vulnerability CVE-2007-6018 Ok
Horde Vulnerability CVE-2008-1284 Ok
Horde Kronolith Vulnerabilty BugtraqID 28898 Ok
Proftp Vulnerability SA33842 Ok
Verify TLS enabled in proftp Ok
Verify ClamAV enabled in proftp Ok
Checking for weak SMTP_AUTH passwords Moderate
See/var/asl/reports/password.report for more details
Verify SSLv2 disabled in Qmail Ok
Verify expose_php set to off Ok
Checking psmon settings
Checking for psmon installation Ok
psmon set to Ok
Regenerating configuration from template Ok
Process monitoring enabled Ok
Notifications to Fixed
From line set to Fixed
Checking System services monitored by psmon
clamd Fixed
courier-imap Fixed
crond Fixed
ossec-hids Fixed
sshd Fixed
xinetd Fixed
ossec-dbd Fixed
Checking ossec-hids settings
Checking for ossec-hids installation Ok
ossec-hids set to Ok
OSSEC is configured in server mode.
Checking for server installation Ok
Enable email notification Ok
Notifications to Ok
Notifications from Ok
SMTP server set to Ok
Max emails per hour set to Ok
Verifying Active Response set to Ok
Verifying Active Response set to Ok
Verifying OSSEC whitelists
checking Ok
Excessive whitelists not detected Ok
Monitoring mod_security log Ok
[ OK ] Shutting down ossec-hids
[ OK ] Starting ossec-hids
Checking rkhunter settings
Checking for rkhunter installation Ok
rkhunter set to Ok
Notifications sent to Ok
Allow SSH root logins Ok
Allow SSH Protocol 1 Ok
ftp_psa Ok
poppassd_psa Ok
smtp_psa Ok
smtps_psa Ok
submission_psa Ok
Checking denyhosts settings
Checking for denyhosts installation Ok
denyhosts set to Ok
Notifications sent to Ok
Notifications sent from Ok
Logging set to Ok
Shun period set to Ok
Verifying DenyHosts whitelists
checking Ok
Failed Root login threshold Ok
sent DenyHosts SIGTERM
/usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf Starting denyhosts
Checking ssh settings
Enforce Protocol Version Ok
Strict modes enabled Ok
Ignore .rhosts Ok
Enable Public Key authentication for users Ok
Checking Admin users
Valid Admin users detected High
SSH will not be reconfigured at this time. warning
Valid Admin users detected High
FAILED High
Enable Privilege separation Ok
Allow GSSAPIAuthentication Ok
Allow GSSAPICleanupCredentials Ok
SSH Banner Ok
Checking httpd settings
Verify HTTP TRACE disabled Ok
Verify SSLv2 disabled Ok
Checking mod_evasive settings
Checking for mod_evasive installation Ok
mod_evasive set to Ok
DOSHashTableSize set to Ok
DOSPageCount set to Ok
DOSSiteCount set to Ok
DOSPageInterval set to Ok
DOSSiteInterval set to Ok
DOSBlockingPeriod set to Ok
Checking mod_security settings
Checking for mod_security installation Ok
mod_security set to Ok
Server Signature set to Fixed
SecUploadDir set to Ok
SecUploadKeepFiles set to Ok
Logfile set to Ok
Logging set to Ok
Audit Logging to Ok
Logging elements set to Ok
SecRequestBodyInMemoryLimit set to Ok
SecResponseBodyLimit set to Ok
Enable debug log Ok
SecDataDir set to Fixed
SecTmpDir set to Ok
Checking rule class settings
RBL Checks Low
Upload Scanner ruleset Ok
Anti-Malware ruleset Ok
Generic Attack ruleset Ok
Malicious Useragents ruleset Ok
Anti-Spam ruleset Ok
Apache2 Generic ruleset Ok
Rootkit ruleset Ok
Recon ruleset Ok
Just In Time Patches Ok
Whitelist Ok
[ OK ] Stopping httpd
[ OK ] Starting httpd
Checking php settings
Checking for php installation Ok
php set to Critical
PHP Safe Mode Ok
Register Globals Ok
Allow URL fopen Ok
Allow URL include Ok
Checking for High-Risk functions
Function dl Ok
Function exec High
Function passthru Ok
Function pfsockopen Ok
Function popen High
Function posix_kill Ok
Function posix_mkfifo Ok
Function posix_setuid Ok
Function proc_close Ok
Function proc_open Ok
Function proc_terminate Ok
Function shell_exec Ok
Function system Ok
Checking for Moderate-Risk functions
Function leak Ok
Function posix_setpgid Ok
Function posix_setsid Ok
Function proc_get_status Ok
Function proc_nice Ok
Function show_source Ok
Checking for Low-Risk functions
Function escapeshellcmd Ok
Function phpinfo Low
Checking executable stack flag on PHP extensions
Complete Generating report

Can someone help? I'm not sure what is the definitive guide here, and need to get ASL as Mike thinks it should be, but with php.ini also doing the same and letting Horde send emails.

[breun]

For Horde to work you need popen and escapeshellcmd enabled. *Or* you need to modify the Horde configuration to use SMTP instead of sendmail, because in that case you can also disable popen, which is the safest setup AFAIK. (Sadly Plesk/Horde updates might overwrite this config change.)

In my opinion disabling escapeshellcmd does nothing for security, so you can leave that enabled. Read http://php.net/manual/en/function.escapeshellcmd.php and judge for yourself, AFAIK it's just a function that can be used to escape strings, which hardly sounds like a vulnerability to me.

[coolemail]

Thanks breun,
I rebooted the server anyway and that reported ASL better, and then I enabled those 3 key things, and Horde is now working, but ASL reporting that it is not happy!
Always a balance, I guess!

[breun]

What 3 key things? You only need 2 (popen and escapeshellcmd) if you want to use Horde in the default configuration (using sendmail).

But yeah, enabling popen *is* a vulnerability, so ASL will report that. You can choose to ignore those reports, but for maximum security I recommend configuring Horde to use SMTP instead of sendmail and then disabling popen. This post of mine explains how to do this: http://www.atomicrocketturtle.com/forum ... 959#p19959