Atomic OSSEC Configuration

Introduction

AO is configured to a secure set of defaults upon installation. Most users do not need to change these settings.

Note

Manual modification of the /etc/awp/config file is not supported. Please change these setting through the AO Web Console.

Post Installation Configuration

At this point you should have Atomic OSSEC on your system. If you do NOT have AEO installed, please follow the installation steps before proceeding.

Accessing Configuration Settings via AO Web Console

Step 1: Log into the Atomic Web Console

Step 2: Click on Hub Configuration > Hub Configuration

From here you can change all of the Atomic Configuration settings, which are broken into classes and are documented below or links are provided to specific documentation pages for those options.

Accessing Configuration Settings via Command Line

Configuration settings are stored in /var/awp/etc/config. After modifying the configuration file, please save it and run the following command:

awp -s -f

Authentication Information

USERNAME

  • This is the username AO will use to download updates. This should b the same username you use to log into the License Manager.

PASSWORD

  • This is the password AO will use to download updates. This should be the same password you use to log into the License Manager.

UPDATEPATH

  • Default path used to download rule and signature updates.

AOHOME

  • Path to the AO Directory, usually tis is /var/awp.

CONFIGURED

  • Internal flag to force the system through configuration mode.

HTTP_PROXY

  • Type of server that acts as an intermediary between an HTTP client (such as a web browser) and an HTTP server

HTTP_PROXY_PORT

  • A specific network port number designated for communication between a client and a proxy server

HTTP_PROXY_USERNAME

  • Username used to authenticate with a private HTTP proxy server

HTTP_PROXY_PASSWORD

  • A password used to authenticate a client’s request to access a proxy server

AWP Web Settings

AWP_AUTO_LOGOUT

  • Time, in minutes, AO Web may be open and idle before the user will be logged out. Set -l to disable auto logout.

ALERTS_USE_DB

  • Set to ‘yes’ to retrieve security event data from database, ‘no’ to retrieve from files.

AWPWEB_CERTIFICATE

  • Digital certificate that authenticates the identity of a website

AWP_IGNORE_LOCAL

  • Ignores events from HUB

AWP_ENABLE_PUNCHLIST_UI

  • Enables punchlist access in UI. Requires more data

AWPW_MAX_OUTBOUND

  • Max outbound data

Data Retention Policies

RETENTION_USE_CONSOLIDATED

RETENTION_CONSOLIDATED

AWP_CLEAN_INDEXES

AWP_CLEAN_STATS

AWP_CLEAN_REPORTS

DB_USE_ARCHIVE

DB_ARCHIVE_PERIOD

RETENTION_MAX_RBC_COUNT

Data Paths

PATH_EVENT_LOG

  • Path to security event log.

PATH_DISABLED_SIG

  • Path to disable signatures list.

PATH_SEC_MODULE

  • Path to security module status data.

PATH_SIG_UPDATE

  • Path to signature updates status data.

PATH_VULNERABILITY

  • Path to vulnerability status data.

PATH_VULNERABILITY_REPORT

  • Path to vulnerability report data.

PATH_VULNERABILITY_TEMPLATES

  • Path to vulnerability templates.

PATH_VULNERABILITY_XML

PATH_RSS

  • URL to the Atomicorp Security Bulletins RSS feed. You shouldn’t change this unless told to do so by Atomicorp support personnel.

IP_ACCESSLIST

  • Path to file containing whitelisted IP addresses.

PATH_DENYLIST

  • Path to blacklist data.

Path_GEODENYLIST

  • Path to Geo-blocking data.

PATH_TLD

  • Path to TLD list.

PATH_SYSCHECK

  • Path to system file check data.

PATH_WEBAPP_DB

  • Path to web app database.

General

HOSTNAME

  • Hostname for the system. This is also set during installation.

NOTIFY

  • Determines if AO will notify by email or not. Set this to yes if you want AO to email you, and no if you do not.

EMAIL

  • The customer email address set by the user to send alerts to. This is also set by the user during installation.

ADMIN_USERS

  • This defines special SSH users. This is not to be confused with users that can log into the AO web console, or any other “admin” user on the system.

    • This setting allows you define special administrative users that AO will check to make sure they can SSH into the system (users other than root). If this is defined, AND the users exist, AND they have valid SSH keys, password auth and root logins will be automatically disabled. This list is not used to restrict what users can ssh into the system, its just a list of special users that should always be allowed to ssh into the system. AO uses this list to check these accounts to make sure they are working correctly, to ensure that those users can still log into the system when changes are made to the ssh settings via AO (for example, disabling password authentication, AO will check this list of users to make sure they have SSH keys installed). This is an important fail safe feature, and you should list all your administrative users (other than root) in this list to help ensure they will be able to log into the system.

    • Usernames are separated with spaces. Example:

    joe bob karen

Note

Users are not defined by default. Additionally, this setting has NOTHING to do with AllowUsers in sshd.

  • If an admin user is not defined, AO will NOT allow SSH settings to be modified.

    Note

    For example, if no admin users are defined, AO will not allow password authentication to be disabled nor will it allow root logins to be disabled. This is a critical safeguard to prevent users from accidentally locking themselves out of the system.

  • If an admin user or users are defined, and if password authentication is disabled, AO will also check to make sure the admin user or users have ssh keys installed in the correct place, and that their permissions are valid. If the keys are not installed, the permissions are wrong, or they are not installed in the right place, AO will not allow any SSH configuration changes to take place and will ensure the defaults are used. Again, this is a critical safeguard to prevent users from accidentally locking themselves out of the system. AO can not test the keys themselves for validity as an authentication credential, as it only has access to the public key. Therefore, it is the users responsibility to ensure the SSH key pair works correctly for the account.

    • Please see the article SSH KEYS for courtesy information about using SSH keys with SSH.

SYSTEM_TYPE

  • Defines a basic service policy for the system.

  • Setting the profile to anything other than ‘custom’ will configure AO to disable the following services:

    • portmap

    • nfs

    • nfslock

    • rpcidmapd

    • cups

    • gpm

    • xfs

    • pcscd

    • mcstrans

    • kdump

    • isdn

    • hplip

    • hidd

    • messagebus

    • haldaemon

    • bluetooth

    • avahi-daemon

    • autofs

    • apmd

  • Options associated with this configuration setting:

    • webserver: You should use this setting for all system types except for the three below.

      • cpanel: setting this to cpanel, will configure the system for cpanel.

      • directadmin: setting this to directadmin, will configure the system for directadmin.

      • custom: If this is set to custom, no service will be automatically disabled and no special configuration changes are made to the system to work with non-package managed control panels. Do NOT use this setting with platforms like cpanel or directadmin. It will void support on your system.

AUTOMATIC_UPDATES

  • Configures the update frequency for rules and signatures downloaded through the AO%s/awp/awp/gc updater.

Note

Updates can be run manually with awp -u

UPDATE_TYPE

  • Configures the behavior of AUTOMATIC_UPDATES event. There are three options with this setting:

    • All: This will upgrade all AO software, rule and signatures updates.

    • rules-only: This will exclude all software updates, including updates to AO. This will prevent AO from updating any rpm package updates and kernel updates and will only install rule and signature updates.

RESTART_APACHE

  • Sets the restart policy for actions involving the web server. Updates to mod_security, or mod_evasive policies will require a web server restart to go into effect.

  • This setting has three options:

    • Yes: Restart Apache when needed.

    • Graceful: Use the ‘graceful’ method which tries to wait for all clients to finish being served before restarting Apache. If Apache has a stuck thread or worker Graceful may not complete.

    • No: Do not restart Apache.

      Note

      If you set this to “No”, updates that require apache restarts will not be applied, such as new WAF rules. If you set this to “No” you will need to schedule regular restart intervals to install the latest rules. Only the latest rules are supported with the WAF.

RESTART_NGINX

*See the settings for Apache and the same options apply here

KERNEL_CHANNEL

*Disabled option

AWP_USER

  • Sets the user to run AO web activity under. This can be either “tortix” for use with AO-Web, or “psaadm” for use with the Plesk AO module. Note: this setting has been deprecated.

FEED_TYPE

  • This setting allows you to toggle between different WAF feeds. Currently this is only used by AO Lite, and supports the following options: [Default: real-time]

    • real-time

    • 90-day delayed feeds

FEED_SOURCE

  • This setting allows you to toggle between different WAF feeds. [ Default: subscription ]

ALLOW_NFS

  • This will disable the service checks that would normally disable NFS services when SYSTEM_TYPE is set to “webserver”, “cpanel” or “directadmin”.

Note

This does not enable or configure NFS service, please consult your vendor for support with configuring NFS.

Note

You will need to reboot your system if you have locked the kernel to prevent kernel modules from loading.

DOWNLOADER

  • Set the downloader backend. Internal or Curl. [Default: curl]

REPUTATION_REPORT

  • Allow sending of statistical information on local events and event sources to Atomicorp.

REPUTATION_FREQUENCY

  • How often reputation reports will be sent.

PURGE_LOGS

  • Maximum days to retain logs. NOTE Once logs are removed, there is no way to retrieve them so use with caution.

AIR_GAPPED

AUM_TIMEOUT_CONNECT

AUM_TIMEOUT_TRANSFER

REPO_MANAGEMENT_POLICY

AO Firewall Settings

Please see the AO Firewall page for more information about configuring the AO firewall.

ClamAV Settings

Please see the Anti asl wiki page for more information about configuring ClamAV.

OSSEC Settings

Mod Security Settings

Please see the Atomic WAF page for documentation on these settings.

PHP Settings

These settings do not import existing settings. If you already have configured PHP, or are using another tool to do so, those changes will not be displayed by AO. This option exists for AO to manage these functions and settings.

Note

If you want AO to manage these settings do not change them manually in php.ini, and do not use a third party tool to manage these settings. Additionally, when PHP functions are disabled, and an application tries to use them. Apache will ONLY log that in the domain’s error_log file. It will not log this in the global error_log. Please check the domain’s error_log file if your application is not working properly.

PHP_CHECKS

  • Enable/Disable PHP check enforcement mode. [Default: No]

  • If this is set to “no”, Atomic OSSEC will not be configured to manage any PHP settings, and the rest of the PHP settings will no effect. To enable, or disable PHP functions, this must be set to “yes”.

Note

Setting this to “no” will still test for vulnerabilities, but will neither fix them, nor make any changes to your PHP configuration.

PHP_SAFE_MODE

  • Enable/Disable PHP Safe_Mode

Note

PHP 5.3 and later has deprecated this feature.

PHP_REGISTER_GLOBALS

  • Enable/Disable register_globals.

PHP_URL_FOPEN

  • Enable/Disable url_fopen. Please see this page for information on this function and a serious vulnerability that can be created by allowing this function in PHP.

PHP_URL_INCLUDE

  • Enable/Disable URL includes

PHP_EXPOSE_PHP

  • Enable/Disable expose_php [Default: no]

PHP_DISPLAY_ERRORS

  • Enable/Disable display_errors [Default: no]

PHP_MAIL_XHEADER

  • Enable/Disable X-PHP-Originating-Script that will include UID of the script followed by the filename. [Default: yes]

ALLOW_curl_exec

  • Enable/Disable the curl_exec() function

ALLOW_curl_multi_exec

  • Enable/Disable the curl_multi_exec() function

ALLOW_dl

  • Enable/Disable the dl() function

ALLOW_escapeshellcmd

  • Enable/Disable the escapeshellcmd() function

ALLOW_exec

  • Enable/Disable the exec() function

ALLOW_ftp_exec

  • Enable/Disable the ftp_exec() function

ALLOW_fsockopen

  • Enable/Disable the fsockopen() function

ALLOW_leak

  • Enable/Disable the leak() function

ALLOW_passthru

  • Enable/Disable the passthru() function

ALLOW_pcntl_exec

  • Enable/Disable the pcntl_exec() function

ALLOW_pfsockopen

  • Enable/Disable the pfsockopen() function

ALLOW_phpinfo

  • Enable/Disable the phpinfo() function

ALLOW_popen

  • Enable/Disable the popen() function

ALLOW_posix_mkfifo

  • Enable/Disable the posix_kill() function.

ALLOW_posix_kill

  • Enable/Disable the posix_kill() function

ALLOW_posix_setpgid

  • Enable/Disable the setpgid() function

ALLOW_posix_setsid

  • Enable/Disable the setsid() function

ALLOW_posix_setuid

  • Enable/Disable the setuid() function

ALLOW_proc_close

  • Enable/Disable the proc_close() function

ALLOW_proc_get_status

  • Enable/Disable the proc_get_status() function

ALLOW_proc_nice

  • Enable/Disable the proc_get_status() function

ALLOW_proc_open

  • Enable/Disable the proc_open() function

ALLOW_proc_terminate

  • Enable/Disable the proc_terminate() function

ALLOW_shell_exec

  • Enable/Disable the shell_exec() function

ALLOW_show_source

  • Enable/Disable the show_source() function

ALLOW_system

  • Enable/Disable the system() function

SSH Daemon Settings

Please see the`SSH debugging`_ page in case you can’t log into your AO server via SSH.

Note

This does not import existing settings from SSH. The purpose of these settings to enforce the sshd configuration settings, based on these settings. Therefore if you change sshd settings, and they do not match what is set in AO, AO will set them to the settings defined in AO. The use of third party products to change these settings is not supported.

SSH_PROTOCOL

Note

Do not change this setting unless you know what you are doing.

  • SSH supports several legacy protocols (1 and 1.5), along with the current SSH protocol, 2. 1 and 1.5 have fundamental weakenesses that can cause SSH sessions with those protocols to be compromised, therefore we recommend you leave the protocol setting of “2”.

CUSTOM_SSH_PORT

  • Use a custom ssh port. [Default: no]

SSH_PORT

  • This will tell SSH to change its default port of 22 to a different port. If you set this to “no”, that will tell SSH to use the default port of 22. For example, if you wanted to change SSHs port to “2222” you would enter “2222” in this field. [Default: no]

Note

This does not import existing settings. If you already have a custom port set, that port number will not show up here. This option exists for AO to manage this function, if you do not change this option to a port number AO will not make any changes to this option in sshd

SSH_STRICTMODE

  • This tells SSH to check the ownership and permissions on ssh public key files. This prevents a user from accidentally setting the permissions on the file so that other users can add their keys to another users key file. We highly recommend you enable strict modes. [Default: yes]

SSH_IGNORE_RHOSTS

  • This tells SSH to ignore rhosts file. rhosts files tell SSH to trust another host completely, which means a user logging in from that host will not asked for a password. Allowing rhosts files is very insecure, and we recommend you leave this enabled. [Default: yes]

SSH_PUBKEY

  • This setting tells SSH to allow the use of public keys, instead of passwords, for authentication. Public keys are more secure than passwords, provided that the public key itself has a strong password. Keys can provide a cheap two factor authentication system (what you have, and what you know). [Default: yes]

SSH_ROOTLOGINS

  • This setting tells SSH to allow root logins. If you set this to yes, root will be allowed to ssh in, if you set this to no, root will not be allowed to ssh in. We recommend you set this to “no”. [Default: yes]

SSH_PASSWORD_AUTH

  • This enables/disables password authentication via SSH. For this to work, you must define at least one ADMIN_USER. [Default: yes]

  • Options that can be set on this setting:

    • yes - Allows password authentication

    • no - Does not allow password authentication, but AO will check to make sure at least one valid ADMIN_USER exists with keys installed. If one does not, AO will NOT disable password authentication, and will try to prevent other applications from doing so. This is an important fail safe to prevent accidental lockout from your system.

    • override - Does not allow password authentication, but will NOT check to make sure at least one valid ADMIN_USER exists with keys installed. Warning: This will lock you out of your system if you do not have valid key based authentication configured for the system, and AO will not check to ensure your keys are valid (not recommend, define an ADMIN_USERS instead).

SSH_PRIV_SEPARATION

  • This ensures that SSH runs with privilege separation. [Default: yes]

SSH_GSSAPI_AUTH

  • Specifies whether user authentication based on GSSAPI is allowed. [Default: no]

SSH_GSSAPI_CLEANUP

  • Specifies whether to automatically destroy the user’s credentials cache on logout. [Default: yes]

SSH_BANNER

  • AO can configure SSH to display a banner to users when they log in. This tells SSH what file to use for the banner. AO comes with a standard banner you can use that is provided in the /etc/awp/banner file. [Default: /etc/awp/banner]

SSH_USEDNS

  • Specifies whether sshdshould look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. [Default: yes]

SSH_ALLOWAGENTFORWARDING

  • This setting configures SSH to allow X11 forwarding. This will allow the server to communicate with an X11 desktop, which will allow the server to open windows, control the keyboard and otherwise operate on the users desktop as if it was the users machine. [Default: no]

  • THis can present a security risk if the server is not completely trusted, as malicious processes can control the users desktop.

SSH_ALLOWTCPFORWARDING

  • This setting configures SSH to allow port forwarding from a client. This will allow a client to “tunnel” to a port on the server over an SSH connection. [Default: no]

  • This can present a security risk as this allows users to bypass any firewall policies that would otherwise prevent them from connecting to ports that are blocked.

Denial of Service Settings

MODEV_ENABLED

  • Enable/Disable mod_evasive (DoS protection)

Note

Also see the Mod Evasive page for important documentation about configuring the DOS protection system for Apache.

MODEV_DOSHashTableSize

  • The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space.

MODEV_DOSPageCount

  • Threshold for the number of requests for the same page (or URI) per page interval.

MODEV_DOSSiteCount

  • Threshold for the total number of requests for any object by the same client on the same listener per site interval.

MODEV_DOSPageInterval

  • Interval for the page count threshold. [Default: 2]

MODEV_DOSSiteInterval

  • Interval for the site count threshold. [Default: 2]

MODEV_DOSBlockingPeriod

  • Number of seconds to block a client IP. Clients will be returned a 403 error.

APPINV_CRON

  • Interval to run the web application inventory engine. [Default: daily]

MySQL Security Settings

MYSQL_CHECKS

  • Enable/Disable enforcement mode for Mysql security settings. Setting this to no will implement check-only mode. [Default: yes]

MYSQL_DISABLE_LOAD_DATA

  • Enable/Disable mysql local-infile [Default: yes]

MYSQL_ENABLE_LOG_ERRORS

  • Enable/Disable mysql /var/log/mysqld.log error log [Default: yes]

MYSQL_ENABLE_LOG_WARNINGS

  • Enable/Disable mysql log warnings [Default: yes]

MYSQL_DISABLE_SYMBOLIC_LINKS

  • Enable/Disable mysql symbolic links[Default: yes]

MYSQL_QUERY_CACHE

  • Mysql query cache settings [Default: 32m]

Note

This must be in multiples of 32. For example, 64, 128, etc.

Plesk Security Settings

PSA_DISABLE_CRONTAB

  • This setting will disable the ability to manage cron jobs in Plesk. Default: [no]

PSA_PHP_DOMAIN_POLICY

cPanel Settings

CPANEL_DISABLE_POSTEASYAPACHE

Web App inventory

APPINV_CRON

CGroups

CGROUPS_ENABLE

Clustering

OSSEC_CLUSTER

CLUSTER_NAME

CLUSTER_NODE_NAME

CLUSTER_TYPE

CLUSTER_KEY

CLUSTER_PORT

CLUSTER_BIND_ADDRESS

CLUSTER_MASTER_ADDRESS

CLUSTER_HIDDEN

SSO and 2FA settings

OPENID_CONNECT_INTEGRATION

SSO_AUTH_ONLY_MODE

Rsyslog settings

MODLOAD_IMKLOG

WebAuthn settings

WEBAUTHN_ENABLE

RunSafe Security Settings

RUNSAFE_SECURITY_ENABLED

RUNSAFE_SECURITY_API_KEY