ASL Lite is a free unsupported lightweight rule updater and basic
modsecurity setup project designed specifically as an atomicorp.com
mod_security rule downloader for custom apache environments or
non-apache/mixed web server implementations. It will on a standard
system maintain modsecurity rules to the current version automatically,
and upon installation will attempt to determine if modsecurity is
installed on the system, and if so, what version if installed. If
modsecurity is not installed, it will attempt to install it, and if the
installed version is out of date it will attempt to upgrade it to the
latest stable version.
For more info: http://www.atomicorp.com/wiki/index.php/ASL_Lite
1. wget -q -O – http://www.atomicorp.com/installers/asl-lite | shFor more info: http://www.atomicorp.com/wiki/index.php/ASL_Lite
2. Compare the dates to make sure the security module is the latest.
date
ls -l /usr/local/apache/modules/mod_security2.so
3. Make all the required folders and put them in the right permission
mkdir -v /usr/local/apache/conf/modsec_rules/
cp -pv
/home/cpeasyapache/src/modsecurity-apache_2.5.13/rules/util/modsec-clamscan.pl
/usr/local/apache/conf/modsec_rules/modsec-clamscan.pl
chmod -v /var/asl
chmod -v 705 /var/asl/data
chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/
chmod ug+rwx -R /var/asl/data/
4. Verify if mod_security is being called correctly.
# cat /usr/local/apache/conf/modsec2.user.conf
=========
=========
SecRequestBodyAccess On
SecAuditLogType Concurrent
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecRule FILES_TMPNAMES "@inspectFile /usr/local/apache/conf/modsec_rules/modsec-clamscan.pl" "log,auditlog,deny,status:403,severity:2,phase:2,t:none,id:'1010101'"
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec_rules/whitelist.conf
=========
SecAuditLogType Concurrent
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecRule FILES_TMPNAMES "@inspectFile /usr/local/apache/conf/modsec_rules/modsec-clamscan.pl" "log,auditlog,deny,status:403,severity:2,phase:2,t:none,id:'1010101'"
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec_rules/whitelist.conf
=========
#cat /usr/local/apache/conf/modsec2.conf
====
LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>
====
In httpd.conf file, make sure that, following entry is available.
======
Include "/usr/local/apache/conf/modsec2.conf"
======
Configure ASL-Lite, update the rules, and put it in cron and Configure with username “username” and password “password”
======
asl-lite -c
Install the cron “0 5 /var/asl/bin/asl-lite -u”
asl-lite -u
======
Monitor logs for 30 mins to see if there are any errors
tail -f /usr/local/apache/logs/error_log
tail -f /usr/local/apache/logs/modsec_audit.log
Add ASL ClamAV rules and restart ClamD
Check what is the latest clamd signature by going to
www.atomicorp.com/channels/rules/subscriptionDownload the latest rule using
/usr/bin/wget—no-cache -q -P /usr/local/src/
Replace clamav-201107071712.tar.gz with whatever the latest rule is
Untar the file, change ownership and place it in ClamAV rules folder
tar xzvf clamav-201107071712.tar.gz
cd /usr/local/src/clamav
mv -v ASL /usr/share/clamav
cd /usr/share/clamav
chown -v clamav.clamav ASL*
and ASL lite installation is completed successfully!
