Posted: Sat Nov 22, 2008 8:26 am
Scott,
Am I correct that I should probably re-install ASL? For one example, I have all the rule classes on, but they say below that they are off.
[root@D2540 ~]# asl -s -f
Checking Kernel security settings
ASL kernel: not detected [CRITICAL]
Kernel GRsecurity support: not found [HIGH]
GRsecurity administrative password: not set [INFO]
GRsecurity ACL database: not found [INFO]
General Security Checks
Checking for unnecessary services
Service portmap: disabled [OK]
Service nfs: disabled [OK]
Service nfslock: disabled [OK]
Service rpcidmapd: disabled [OK]
Service cups: disabled [OK]
Service gpm: disabled [OK]
Service xfs: disabled [OK]
Checking for End of Life (EOL) operating systems
centos/5: Supported [OK]
Checking General PSA settings
Plesk SQL Injection vulnerability SA26741: not detected [OK]
Horde Turba Vulnerability CVE-2008-0807: not detected [OK]
Horde Vulnerability SA28382: not detected [OK]
Horde Turba Vulnerability SA28382: not detected [OK]
Horde Mnemo Vulnerability SA28382: not detected [OK]
Horde Kronolith Vulnerability SA28382: not detected [OK]
Horde Vulnerability CVE-2007-6018: not detected [OK]
Horde Vulnerability CVE-2008-1284: not detected [OK]
Horde Kronolith Vulnerabilty BugtraqID 28898: not detecte[OK]
Verify SSLv2 disabled: verified [OK]
Checking psmon settings
Checking for psmon installation: installed [OK]
psmon set to: enabled [OK]
Regenerating configuration from template: psmon.conf-temp[OK]
Process monitoring enabled: yes [OK]
Notifications to: support@blahblahblah.com [FIXED]
From line set to: psmon@D2540.blahblahblah.com [FIXED]
Checking System services monitored by psmon
clamd: monitored [FIXED]
courier-imap: monitored [FIXED]
crond: monitored [FIXED]
ossec-hids: monitored [FIXED]
psa: monitored [FIXED]
psa-spamassassin: monitored [FIXED]
sshd: monitored [FIXED]
xinetd: monitored [FIXED]
Checking General ossec-hids settings
Checking for ossec-hids installation: installed [OK]
ossec-hids set to: enabled [OK]
OSSEC is configured in server mode.
Checking for server installation: installed [OK]
Enable email notification: yes [OK]
Notifications to: support@blahblahblah.com [OK]
Notifications from: ossec@D2540.blahblahblah.com[OK]
SMTP server set to: localhost [OK]
Max emails per hour set to: 200 [OK]
Client connections allowed through firewall: yes [OK]
Verifying Active Response set to: on [OK]
Shun period time set to: 600 [OK]
Verifying OSSEC whitelists
checking: 127.0.0.1 [OK]
checking: blahblahblah [OK]
checking: blahblahblah [OK]
checking: blahblahblah [OK]
checking: blahblahblah [OK]
checking: blahblahblah [OK]
checking: blahblahblah [OK]
Monitoring mod_security log: audit_log [OK]
Shutting down ossec-hids: [ OK ]
Starting ossec-hids: [ OK ]
Checking General rkhunter settings
Checking for rkhunter installation: installed [OK]
rkhunter set to: enabled [OK]
Notifications sent to: support@blahblahblah.com [OK]
Allow SSH root logins: yes [OK]
Allow SSH protocol version 1: no [OK]
Checking for whitelist for Plesk services
ftp_psa : enabled [OK]
poppassd_psa : enabled [OK]
smtp_psa : enabled [OK]
smtps_psa : enabled [OK]
Checking Denyhosts settings
Checking for denyhosts installation: installed [OK]
DenyHosts set to: enabled [OK]
Notifications sent to: support@eblahblahblah.com [OK]
Notifications sent from: denyhosts@D2540.eblahblahblah[OK]com
Logging set to: syslog [OK]
Shun period set to: 5m [OK]
Verifying DenyHosts whitelists
checking: 127.0.0.1 [OK]
checking: blahblahblah [OK]
checking: blahblahblah [OK]
checking: blahblahblah [OK]
checking: blahblahblah [OK]
checking: blahblahblah [OK]
checking: blahblahblah [OK]
sent DenyHosts SIGTERM
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf
Checking SSHD configuration
Enforce Protocol Version: 2 [OK]
Strict modes enabled: no [OK]
Ignore .rhosts: yes [OK]
Enable Public Key authentication for users: no [OK]
Checking Admin users
Valid Admin users detected: no [HIGH]
WARNING: SSH will not be reconfigured at this time.
FAILED: Remote root logins are still permitted: [HIGH]
FAILED: Password authentication is enabled: [HIGH]
Enable Privilege separation: no [OK]
Allow GSSAPIAuthentication: no [OK]
Allow GSSAPICleanupCredentials: no [OK]
SSH Banner: /etc/asl/banner [OK]
Checking General httpd settings
Verify .htacces AllowOverride not set to ALL: verified [OK]
Verify HTTP TRACE disabled: verified [OK]
Verify SSLv2 disabled: verified [OK]
Checking general mod_evasive settings.
Checking for mod_evasive installation: installed [OK]
mod_evasive set to: not enabled [MODERATE]
Checking General mod_security settings
Checking for mod_security installation: installed [OK]
mod_security set to: enabled [OK]
Server Signature set to: Apache [OK]
SecUploadDir set to: /var/asl/data/suspicious [OK]
SecUploadKeepFiles set to: Off [OK]
Logfile set to: audit_log [OK]
Logging set to: Concurrent [OK]
Audit Logging to: /var/asl/data/audit [OK]
Logging elements set to: ABIFHZ [OK]
SecRequestBodyInMemoryLimit set to: 131072 [OK]
SecResponseBodyLimit set to: 2621440 [OK]
Enable debug log: yes [OK]
SecDataDir set to: /var/asl/data/msa [OK]
SecTmpDir set to: /tmp [OK]
Checking rule class settings
RBL Checks: off [LOW]
Upload Scanner ruleset: off [HIGH]
Anti-Malware ruleset: off [HIGH]
Generic Attack ruleset: off [HIGH]
Malicious Useragents ruleset: off [LOW]
Anti-Spam ruleset: off [LOW]
Apache2 Generic ruleset: off [LOW]
Rootkit ruleset: off [LOW]
Recon ruleset: off [LOW]
Just In Time Patches: off [HIGH]
Whitelist: off [OK]
Checking General PHP settings
Checking for php installation: installed [OK]
PHP checks: Warn-Only [CRITICAL]
PHP Safe Mode: enabled [HIGH]
Register Globals: off [OK]
Checking for High-Risk functions
Function dl: no [OK]
Function exec: no [OK]
Function furl_open: no [OK]
Function passthru: no [OK]
Function pfsockopen: no [OK]
Function popen: no [OK]
Function posix_kill: no [OK]
Function posix_mkfifo: no [OK]
Function posix_setuid: no [OK]
Function proc_close: no [OK]
Function proc_open: no [OK]
Function proc_terminate: no [OK]
Function shell_exec: no [OK]
Function system: no [OK]
Checking for Moderate-Risk functions
Function leak: no [OK]
Function posix_kill: no [OK]
Function posix_setpgid: no [OK]
Function posix_setsid: no [OK]
Function proc_get_status: no [OK]
Function proc_nice: no [OK]
Function show_source: no [OK]
Checking for Low-Risk functions
Function phpinfo: yes [ALLOWED]
Generating Report: [Done]