Atomic OSSEC Configuration

Introduction

Atomic OSSEC is configured to a secure set of defaults upon installation. Most users do not need to change these settings.

Note

Manual modification of the /var/awp/etc/config file is not supported. Please change these settings via the Atomic OSSEC Web Console unless otherwise instructed by support personnel.


Post Installation Configuration

At this point you should have Atomic OSSEC installed on your system. If you do NOT have AEO installed, please follow the installation guide before proceeding.

Configuration via the OSSEC Web Console

Step 1: Log into the Atomic OSSEC Web Console

Step 2: Click on ‘Hub Configuration’

From here you can change the configuration settings. They are grouped into classes; each class is either documented below or linked to its own documentation page.

Authentication Information

USERNAME

  • This is the username AEO will use to download updates. This should be the same username you used to install the software.

Note

If you need to reset your password, you can do so HERE

PASSWORD

  • This is the password AEO will use to download updates. This should be the same password you use to install the software.

Zendesk support email address

  • Email address which will be used to contact support

HTTP proxy URL

  • The URL of the HTTP proxy

Port used by the HTTP proxy

  • Port used by the HTTP proxy. If no port is set, a default of 80 will be used.

HTTP Proxy username

  • Username, if required, for the configured HTTP proxy.

HTTP Proxy password

  • Password, if required, for the configured HTTP proxy.

AWP Web user password complexity specification

  • AWP Web user password complexity specification


Atomic OSSEC Web Settings

AWP Web Session Timeout

  • Time, in minutes, AWP Web may be open and idle before the user will be logged out. Set to -1 to disable auto logout. DEFAULT=60

Data Retention Policies

Use simplified records retention setting

  • Choose whether to use simplified or advanced data retention settings. DEFAULT=no

Consolidated Retention Setting

  • This setting will be applied to database event archive table retention, HIDS diff file retention and modsec alert file retention.

DEFAULT=3 months

AWP Retention Settings

AWP index file retention period

  • This controls the number of days AWP will retain index files. [Default: 180]

AWP stat file retention period

  • This controls the number of days AWP will retain stat files. [Default: 180]

AWP pdf report file retention period

  • This controls the number of days AWP will retain pdf report files. [Default: 60]

Create archive tables for event data

  • AWP will store old data in monthly archive tables if this option is selected.

AWP archive table retention period

  • How long archive tables should be kept. Tables older than the specified period will be deleted automatically.

RBC Max Count

  • Max number of backups to keep for files modified by AWP

General Settings

HOSTNAME

  • Hostname for the system. This is also set during installation.

Enable Email Notifications

  • Determines if Atomic OSSEC will send event notifications via email

Notification Email address

  • If the user chooses to receive event notifications via email, this is the address to which those notification emails are sent.

Administrative Users

  • Defines administrative users allowed to SSH to the system. If this is defined, AND the users exist, AND they have valid SSH keys, password auth and root logins will be disabled.

System Type

  • Defines a basic services policy for the system. DEFAULT=webserver

Enable Automatic Updates

  • Configures the update frequency for rules and signatures downloaded through the awp updater. NOTE: Updates can be run manually with: awp -uf. DEFAULT=hourly

Update Type

  • Configures the behavior of an awp -uf update event. “all” for package and rule updates, “exclude-kernel” to exclude kernel updates, or “rules-only” to exclude yum package and kernel updates.

Apache update policy

  • Sets the restart policy for actions involving the web server. Updates to mod_security or mod_evasive policies require a web server restart to take effect. This setting allows the restart event to be disabled (no), enabled (yes), or performed with the “graceful” command.

Nginx update policy

  • Sets the restart policy for actions involving the web server. Updates to mod_security or mod_evasive policies require a web server restart to take effect. This setting allows the restart event to be disabled (no), enabled (yes), or performed with nginx’s “graceful” restart.

Kernel Channel

  • Select the kernel channel, valid sources are Disabled, Tortix-kernel and tortix-kernel-xen for xen environments. [Default: tortix-kernel]

ALLOW_NFS

  • Allow/Disallow NFS services. Note this will not enable NFS, it will only disable the security control on this service. [Default: no]

Web Application Firewall rule channel

  • This setting allows you to toggle between different WAF feeds. [ Default: subscription ]

Send Reputation Reports

  • Allow sending of statistical information on local events and event sources to Atomicorp.

Reputation Report Frequency

  • How often reputation reports will be sent.

Maximum days to retain logs

  • Purge HIDS logs after X days. Note: This erases log files, for archiving see the remote syslog options interface. A value of -1 will retain all hids logs. [Default: -1]

Air-gapped network

  • Adjusts AWP’s functionality to work within an air-gapped network (This function requires a specialty License)

AUM connection timeout

  • Adjusts the timeout, in seconds, when connecting for rule updates.

AUM connection timeout

  • Adjusts the timeout, in seconds, when downloading rule updates.


Firewall Settings

Please see the Firewall page for more information about configuring the AEO firewall.


Kernel Security

Note

The Atomic Kernel has been discontinued. Please use the most up to date kernel that your distro provides

Allow: Kernel module loading

  • The default configuration for AEO is to disable Loadable Kernel Modules (LKM) after the system has booted (S99). This is intended to provide additional protection from attempts to load LKM rootkits by “locking” the kernel and preventing any additional changes to the kernel once it has been configured.

  • Setting this flag to “yes” and rebooting the system will allow kernel modules to be loaded and unloaded dynamically after a reboot. We do not recommend you set this to “yes”, as a properly configured server should not require the kernel to be dynamically modified. If you need to load custom modules in your kernel, please see this article which explains how to do this securely, and without needing to open this hole in your system.

  • A number of known, in-the-wild attacks on Linux servers take advantage of kernel module loading being allowed. Module loading can also be triggered by non-root users, and these attacks are used to compromise Linux systems.

Note

The secure and recommended setting is “no”.

  • Additionally, in Linux when you change this option to allow kernel module loading, that is if you unlock the kernel, you MUST reboot the system. This is a default failsafe that ensures that the Linux kernel is locked.
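The following check is an added example and is not part of the Atomic OSSEC documentation or product. It reports whether a running kernel is still accepting modules after boot. It assumes the lock is implemented with the one-way kernel.modules_disabled sysctl (which is why a reboot is needed to undo it); the page does not name the mechanism, so that is an assumption. Sample files stand in for the sysctl so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not Atomic OSSEC code. Reports whether the kernel is locked
# against module loading.
# ASSUMPTION: the lock is the one-way kernel.modules_disabled sysctl; AEO may
# implement the "locked kernel" differently.

# lkm_state [FILE]
# Prints "locked" when the sysctl reads 1, "unlocked" when it reads 0, and
# "unknown" when the file is missing or unreadable (e.g. a kernel without the
# knob). Exit status: 0 locked, 1 unlocked, 2 unknown.
lkm_state() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    if [ ! -r "$f" ]; then
        echo unknown
        return 2
    fi
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo locked;   return 0 ;;
        0) echo unlocked; return 1 ;;
        *) echo unknown;  return 2 ;;
    esac
}

# Constructed sample files standing in for /proc/sys/kernel/modules_disabled
# on a locked host and on an unlocked host.
SAMPLE_DIR="$(mktemp -d)"
printf '1\n' > "$SAMPLE_DIR/locked"
printf '0\n' > "$SAMPLE_DIR/unlocked"

# Example run. A hardened host prints "locked"; any other result means the
# kernel will accept modules until the next reboot re-applies the lock.
lkm_state "$SAMPLE_DIR/locked"   || :
lkm_state "$SAMPLE_DIR/unlocked" || :
```

Run it without an argument on a live host to read the real sysctl; the exit status makes it usable from a cron job or an OSSEC command-based check.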

Inotify: Maximum Watches

  • Maximum number of inotify watches. [Default: 16384]


ClamAV Settings

Please see the Clam Anti-Virus page for more information about configuring ClamAV.


PSMON Settings

PSMON_ENABLED

  • Allows the Process monitoring daemon to be enabled/disabled. This will monitor services that are configured to start on boot and are managed by the OS via the chkconfig or systemctl systems. If you want AEO to stop monitoring a process, see the psmon article.

Note

Not supported on systems that do not use a package-managed Perl installation.

PSMON_NOTIFY

  • Enable/Disable email notifications for PSMON. The default is to use the $NOTIFY setting.

PSMON_EMAIL

  • Email address notifications for restart events will be sent to. The default is to use the value set for EMAIL.

PSMON_FROM

  • From: line used for notifications of restart events. The default is to use psmon@hostname of the system.


OSSEC Settings


Mod Security Settings

Please see the Atomic WAF page for documentation on these settings.


PHP Settings

These settings do not import existing settings. If you already have configured PHP, or are using another tool to do so, those changes will not be displayed by AEO. This option exists for AEO to manage these functions and settings.

Note

If you want AEO to manage these settings, do not change them manually in php.ini, and do not use a third party tool to manage them. Additionally, when PHP functions are disabled and an application tries to use them, Apache will ONLY log that in the domain’s error_log file. It will not log this in the global error_log. Please check the domain’s error_log file if your application is not working properly.

PHP_CHECKS

  • Enable/Disable PHP check enforcement mode. [Default: No]

  • If this is set to “no”, AEO will not be configured to manage any PHP settings, and the rest of the PHP settings will have no effect. To enable or disable PHP functions, this must be set to “yes”.

Note

Setting this to “no” will still test for vulnerabilities, but will neither fix them, nor make any changes to your PHP configuration.

PHP_SAFE_MODE

  • Enable/Disable PHP Safe_Mode

Note

PHP 5.3 and later has deprecated this feature.

PHP_REGISTER_GLOBALS

  • Enable/Disable register_globals.

PHP_URL_OPEN

  • Enable/Disable url_fopen. Please see this page for information on this function and a serious vulnerability that can be created by allowing this function in PHP.

PHP_URL_INCLUDE

  • Enable/Disable URL includes

PHP_EXPOSE_PHP

  • Enable/Disable expose_php [Default: no]

PHP_DISPLAY_ERRORS

  • Enable/Disable display_errors [Default: no]

PHP_MAIL_XHEADER

  • Enable/Disable X-PHP-Originating-Script that will include UID of the script followed by the filename. [Default: yes]

ALLOW_curl_exec

  • Enable/Disable the curl_exec() function

ALLOW_curl_multi_exec

  • Enable/Disable the curl_multi_exec() function

ALLOW_dl

  • Enable/Disable the dl() function

ALLOW_escapeshellcmd

  • Enable/Disable the escapeshellcmd() function

ALLOW_exec

  • Enable/Disable the exec() function

ALLOW_ftp_exec

  • Enable/Disable the ftp_exec() function

ALLOW_fsockopen

  • Enable/Disable the fsockopen() function

ALLOW_leak

  • Enable/Disable the leak() function

ALLOW_passthru

  • Enable/Disable the passthru() function

ALLOW_pcntl_exec

  • Enable/Disable the pcntl_exec() function

ALLOW_pfsockopen

  • Enable/Disable the pfsockopen() function

ALLOW_phpinfo

  • Enable/Disable the phpinfo() function

ALLOW_popen

  • Enable/Disable the popen() function

ALLOW_posix_mkfifo

  • Enable/Disable the posix_mkfifo() function

ALLOW_posix_kill

  • Enable/Disable the posix_kill() function

ALLOW_posix_setpgid

  • Enable/Disable the posix_setpgid() function

ALLOW_posix_setsid

  • Enable/Disable the posix_setsid() function

ALLOW_posix_setuid

  • Enable/Disable the posix_setuid() function

ALLOW_proc_close

  • Enable/Disable the proc_close() function

ALLOW_proc_get_status

  • Enable/Disable the proc_get_status() function

ALLOW_proc_nice

  • Enable/Disable the proc_nice() function

ALLOW_proc_open

  • Enable/Disable the proc_open() function

ALLOW_proc_terminate

  • Enable/Disable the proc_terminate() function

ALLOW_shell_exec

  • Enable/Disable the shell_exec() function

ALLOW_show_source

  • Enable/Disable the show_source() function

ALLOW_system

  • Enable/Disable the system() function
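The ALLOW_* settings above decide which of these functions end up in PHP’s disable_functions directive. The script below is an added example, not Atomic OSSEC’s own code: it audits a php.ini against that list and reports which of the functions are still callable, which is the check-only view you get when PHP_CHECKS is “no”. It assumes a single php.ini is authoritative (per-directory overrides such as .user.ini are not examined) and uses a constructed sample file.

```shell
#!/bin/sh
# Added example, not Atomic OSSEC code: audit php.ini disable_functions
# against the functions governed by the ALLOW_* settings.
# ASSUMPTION: one php.ini is authoritative; .user.ini and per-vhost
# php_admin_value overrides are ignored.

# The functions the ALLOW_* settings cover, as named on this page.
AEO_FUNCS="curl_exec curl_multi_exec dl escapeshellcmd exec ftp_exec fsockopen
leak passthru pcntl_exec pfsockopen phpinfo popen posix_mkfifo posix_kill
posix_setpgid posix_setsid posix_setuid proc_close proc_get_status proc_nice
proc_open proc_terminate shell_exec show_source system"

# disabled_functions INI
# Prints the functions named by the effective disable_functions directive,
# one per line. Commented (;) lines are skipped; the last directive wins.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^"//; s/"$//' \
        | grep -v '^$'
}

# still_allowed INI
# Prints the functions from AEO_FUNCS that the ini file does not disable.
still_allowed() {
    disabled="$(disabled_functions "$1")"
    for fn in $AEO_FUNCS; do
        printf '%s\n' "$disabled" | grep -qx "$fn" || printf '%s\n' "$fn"
    done
}

# Constructed sample php.ini: a partial hardening that left most of the
# network and process functions callable.
SAMPLE_INI="$(mktemp)"
cat > "$SAMPLE_INI" <<'EOF'
; constructed php.ini excerpt (not a real server's configuration)
;disable_functions = exec
expose_php = Off
display_errors = Off
disable_functions = exec, passthru, shell_exec, system, popen, proc_open, phpinfo, dl
EOF

# Example run: lists the 18 functions a full AEO policy would still disable.
still_allowed "$SAMPLE_INI"
```

Pointing still_allowed at the live php.ini gives a quick drift check after a manual edit or a third party tool has touched the file, which is exactly the situation the note above warns about.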


SSH Daemon Settings

Please see the SSH debugging page in case you can’t log into your AEO server via SSH.

Note

This does not import existing settings from SSH. The purpose of these settings is to enforce the sshd configuration based on what is set here. Therefore, if you change sshd settings and they do not match what is set in AEO, AEO will reset them to the values defined in AEO. The use of third party products to change these settings is not supported.

SSH_PROTOCOL

Note

Do not change this setting unless you know what you are doing.

  • SSH supports several legacy protocols (1 and 1.5), along with the current SSH protocol, 2. Protocols 1 and 1.5 have fundamental weaknesses that can allow SSH sessions using them to be compromised, therefore we recommend you leave the protocol setting at “2”.

CUSTOM_SSH_PORT

  • Use a custom ssh port. [Default: no]

SSH_PORT

  • This will tell SSH to change its default port of 22 to a different port. If you set this to “no”, SSH will use the default port of 22. For example, if you wanted to change SSH’s port to “2222” you would enter “2222” in this field. [Default: no]

Note

This does not import existing settings. If you already have a custom port set, that port number will not show up here. This option exists for AEO to manage this function; if you do not change this option to a port number, AEO will not make any changes to this option in sshd.

SSH_STRICTMODE

  • This tells SSH to check the ownership and permissions on ssh public key files. This prevents a user from accidentally setting the permissions on the file so that other users can add their keys to another users key file. We highly recommend you enable strict modes. [Default: yes]

SSH_IGNORE_RHOSTS

  • This tells SSH to ignore rhosts files. rhosts files tell SSH to trust another host completely, which means a user logging in from that host will not be asked for a password. Allowing rhosts files is very insecure, and we recommend you leave this enabled. [Default: yes]

SSH_PUBKEY

  • This setting tells SSH to allow the use of public keys, instead of passwords, for authentication. Public keys are more secure than passwords, provided that the public key itself has a strong password. Keys can provide a cheap two factor authentication system (what you have, and what you know). [Default: yes]

SSH_ROOTLOGINS

  • This setting tells SSH to allow root logins. If you set this to yes, root will be allowed to ssh in, if you set this to no, root will not be allowed to ssh in. We recommend you set this to “no”. [Default: yes]

SSH_PASSWORD_AUTH

  • This enables/disables password authentication via SSH. For this to work, you must define at least one ADMIN_USER. [Default: yes]

  • Options that can be set on this setting:

    • yes - Allows password authentication

    • no - Does not allow password authentication, but AEO will check to make sure at least one valid ADMIN_USER exists with keys installed. If one does not, AEO will NOT disable password authentication, and will try to prevent other applications from doing so. This is an important fail safe to prevent accidental lockout from your system.

    • override - Does not allow password authentication, but will NOT check to make sure at least one valid ADMIN_USER exists with keys installed. Warning: This will lock you out of your system if you do not have valid key based authentication configured for the system, and AEO will not check to ensure your keys are valid (not recommended; define ADMIN_USERS instead).

SSH_PRIV_SEPARATION

  • This ensures that SSH runs with privilege separation. [Default: yes]

SSH_GSSAPI_AUTH

  • Specifies whether user authentication based on GSSAPI is allowed. [Default: no]

SSH_GSSAPI_CLEANUP

  • Specifies whether to automatically destroy the user’s credentials cache on logout. [Default: yes]

SSH_BANNER

  • AEO can configure SSH to display a banner to users when they log in. This tells SSH what file to use for the banner. AEO comes with a standard banner you can use that is provided in the /etc/awp/banner file. [Default: /etc/awp/banner]

SSH_USEDNS

  • Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. [Default: yes]

SSH_ALLOWAGENTFORWARDING

  • This setting configures SSH to allow X11 forwarding. This will allow the server to communicate with an X11 desktop, which will allow the server to open windows, control the keyboard and otherwise operate on the users desktop as if it was the users machine. [Default: no]

  • This can present a security risk if the server is not completely trusted, as malicious processes can control the user’s desktop.

SSH_ALLOWTCPFORWARDING

  • This setting configures SSH to allow port forwarding from a client. This will allow a client to “tunnel” to a port on the server over an SSH connection. [Default: no]

  • This can present a security risk as this allows users to bypass any firewall policies that would otherwise prevent them from connecting to ports that are blocked.
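The SSH_* settings above are enforced by AEO rather than imported, and SSH_PASSWORD_AUTH=no is guarded by a lockout failsafe (at least one ADMIN_USER must have keys installed). The script below is an added example, not Atomic OSSEC’s own code, that shows both ideas in check-only form: it audits an sshd_config against the page’s recommended values and only reports password authentication as safe to disable when a listed admin user actually has a non-empty authorized_keys file and PubkeyAuthentication is on. The mapping from SSH_* names to sshd_config keywords is my assumption, not the product’s; Match blocks and Include files are ignored, and the config and home directories are constructed samples.

```shell
#!/bin/sh
# Added example, not Atomic OSSEC code: check-only sshd_config audit plus the
# "don't disable passwords without a keyed admin" failsafe.
# ASSUMPTIONS: the SSH_* -> sshd keyword mapping below is mine; sshd Match
# blocks and Include directives are not evaluated.

# Desired values, following the recommendations on this page
# (PermitRootLogin=no is the recommendation; the page's default is yes).
WANTED="PermitRootLogin=no
StrictModes=yes
IgnoreRhosts=yes
PubkeyAuthentication=yes
UsePrivilegeSeparation=yes
GSSAPIAuthentication=no
GSSAPICleanupCredentials=yes
UseDNS=yes
AllowAgentForwarding=no
AllowTcpForwarding=no
Banner=/etc/awp/banner"

# sshd_value CONFIG KEYWORD
# Prints the effective value of KEYWORD; sshd honours the first occurrence
# and keywords are case-insensitive. Commented lines never match.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd CONFIG
# Prints "KEYWORD expected=X actual=Y" per drifted setting; exit 1 if any.
audit_sshd() {
    rc=0
    for pair in $WANTED; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_value "$1" "$key")"
        if [ "$got" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# keyed_admin_exists HOMEROOT USER...
# Succeeds when at least one listed admin has an authorized_keys file that
# contains a non-comment, non-blank line.
keyed_admin_exists() {
    root="$1"; shift
    for u in "$@"; do
        f="$root/$u/.ssh/authorized_keys"
        [ -s "$f" ] && grep -v '^[[:space:]]*#' "$f" | grep -q '[^[:space:]]' && return 0
    done
    return 1
}

# safe_to_disable_passwords CONFIG HOMEROOT USER...
# The "no" behaviour: only succeed when pubkey auth is on AND a keyed admin
# exists; otherwise password authentication must stay enabled.
safe_to_disable_passwords() {
    cfg="$1"; root="$2"; shift 2
    [ "$(sshd_value "$cfg" PubkeyAuthentication)" = yes ] || return 1
    keyed_admin_exists "$root" "$@"
}

# Constructed sample config and home directories (not a real host).
SAMPLE="$(mktemp -d)"
cat > "$SAMPLE/sshd_config" <<'EOF'
# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
StrictModes yes
IgnoreRhosts yes
PubkeyAuthentication yes
UsePrivilegeSeparation yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UseDNS yes
AllowAgentForwarding no
AllowTcpForwarding yes
Banner /etc/awp/banner
EOF
mkdir -p "$SAMPLE/home/alice/.ssh" "$SAMPLE/home/bob/.ssh"
printf '# no keys installed yet\n' > "$SAMPLE/home/bob/.ssh/authorized_keys"
printf 'ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER_KEY alice@example\n' \
    > "$SAMPLE/home/alice/.ssh/authorized_keys"

# Example run: two drifts (root logins, TCP forwarding); bob alone is not
# enough to turn passwords off, bob plus alice is.
audit_sshd "$SAMPLE/sshd_config" || :
safe_to_disable_passwords "$SAMPLE/sshd_config" "$SAMPLE/home" bob \
    && echo "passwords: safe to disable" || echo "passwords: keep enabled (no keyed admin)"
```

The failsafe deliberately checks the key file rather than just the user list, which is the difference between the “no” and “override” options described above.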


Denial of Service Settings

MODEV_ENABLED

  • Enable/Disable mod_evasive (DoS protection)

Note

Also see the Mod Evasive page for important documentation about configuring the DOS protection system for Apache.

MODEV_DOSHashTableSize

  • The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space.

MODEV_DOSPageCount

  • Threshold for the number of requests for the same page (or URI) per page interval.

MODEV_DOSSiteCount

  • Threshold for the total number of requests for any object by the same client on the same listener per site interval.

MODEV_DOSPageInterval

  • Interval for the page count threshold. [Default: 2]

MODEV_DOSSiteInterval

  • Interval for the site count threshold. [Default: 2]

MODEV_DOSBlockingPeriod

  • Number of seconds to block a client IP. Clients will be returned a 403 error.
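To make the interaction between DOSPageCount/DOSPageInterval, DOSSiteCount/DOSSiteInterval and DOSBlockingPeriod concrete, here is an added example that replays a constructed request log through a simplified re-implementation of mod_evasive’s counting rule. It is written for this page and is not mod_evasive’s or Atomic OSSEC’s code; the log lines and threshold values are constructed, and the rule is reduced to the essentials (per-page and per-site counters reset when the interval elapses, a client that exceeds a threshold is blocked, and every hit during the blocking period refreshes the block).

```shell
#!/bin/sh
# Added example, not mod_evasive or Atomic OSSEC code: replay a request log
# through a simplified version of the mod_evasive thresholds.

# modev_simulate LOG PAGECOUNT PAGEINTERVAL SITECOUNT SITEINTERVAL BLOCKPERIOD
# LOG lines are "<epoch> <client-ip> <uri>". Prints each line with the status
# mod_evasive would answer: 200, or 403 once the client is on the block list.
modev_simulate() {
    awk -v pc="$2" -v pi="$3" -v sc="$4" -v si="$5" -v bp="$6" '
    {
        t = $1; ip = $2; uri = $3; status = 200
        # A blocked client stays blocked while hits keep arriving inside the
        # blocking period; each hit refreshes the timer.
        if ((ip in blocked) && t - blocked[ip] < bp) {
            blocked[ip] = t; status = 403
        } else {
            delete blocked[ip]
            pk = ip "|" uri
            # Per-page rule: the (DOSPageCount+1)th hit on the same URI inside
            # DOSPageInterval seconds trips the block.
            if ((pk in plast) && t - plast[pk] < pi && pcount[pk] >= pc) status = 403
            else if ((pk in plast) && t - plast[pk] >= pi) pcount[pk] = 0
            plast[pk] = t; pcount[pk]++
            # Per-site rule: same idea across all URIs from one client.
            if ((ip in slast) && t - slast[ip] < si && scount[ip] >= sc) status = 403
            else if ((ip in slast) && t - slast[ip] >= si) scount[ip] = 0
            slast[ip] = t; scount[ip]++
            if (status == 403) blocked[ip] = t
        }
        print t, ip, uri, status
    }' "$1"
}

# Constructed request log: one client hammers /login, another is quiet.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
100 203.0.113.5 /login
100 198.51.100.7 /index
100 203.0.113.5 /login
100 203.0.113.5 /login
100 203.0.113.5 /login
101 203.0.113.5 /about
112 203.0.113.5 /login
EOF

# statuses_for LOG
# Convenience wrapper used by the example run: constructed thresholds of
# DOSPageCount=2, DOSPageInterval=1, DOSSiteCount=50, DOSSiteInterval=1,
# DOSBlockingPeriod=10, returning just the status column on one line.
statuses_for() {
    modev_simulate "$1" 2 1 50 1 10 | awk '{ printf "%s ", $4 }'
}

# Example run. The fourth /login hit within the same second is the third hit
# on that URI with the counter already at 2, so it is blocked; the /about
# request is also refused because the block applies to the client, not the
# URI; the request at t=112 is accepted again because the 10 second blocking
# period (last refreshed at t=101) has elapsed and the page counter has reset.
modev_simulate "$SAMPLE_LOG" 2 1 50 1 10
```

Raising DOSPageCount or shortening the intervals changes only the counters; DOSBlockingPeriod decides how long a client that tripped them keeps receiving 403s.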

APPINV_CRON

  • Interval to run the web application inventory engine. [Default: daily]


MySQL Security Settings

MYSQL_CHECKS

  • Enable/Disable enforcement mode for Mysql security settings. Setting this to no will implement check-only mode. [Default: yes]

MYSQL_DISABLE_LOAD_DATA

  • Enable/Disable mysql local-infile [Default: yes]

MYSQL_ENABLE_LOG_ERRORS

  • Enable/Disable mysql /var/log/mysqld.log error log [Default: yes]

MYSQL_ENABLE_LOG_WARNINGS

  • Enable/Disable mysql log warnings [Default: yes]

MYSQL_DISABLE_SYMBOLIC_LINKS

  • Enable/Disable mysql symbolic links [Default: yes]

MYSQL_QUERY_CACHE

  • Mysql query cache settings [Default: 32m]

Note

This must be in multiples of 32. For example, 64, 128, etc.


Plesk Security Settings

FW_PLESK_UPDATES

  • Enable/Disable Plesk keyserver update firewall policy. [Default: no]

PSA_DISABLE_CRONTAB

  • This setting will disable the ability to manage cron jobs in Plesk. [Default: no]