|ASL 2.2.5-0.1 Test build|
|Written by Scott Shinn|
|Monday, 08 March 2010 16:32|
The first cut of ASL 2.2.5 is out in [asl-2.0-testing]. Initially I had planned to make this build all about the new dazuko module for the 2.6.32.x series kernels, but as we all know, change is part of the design process. Instead there was a more pressing need for a template-based configuration engine for the core utilities. The first module to use it (seen in 0.1) is ossec_check. For testing purposes both methods (find & replace, and templating) are still in place, which makes the configuration changes completely redundant.
I assure you there is a method to this madness :P The idea was to see if we miss anything between the two on the automated QA systems; for everyone else this will just mean that the config file for ossec (/var/ossec/etc/ossec.conf) goes through changes twice. The second time completely rewrites everything made the first time.
New features in this build include the aforementioned template engine. The templates themselves are located in /var/asl/data/templates/template*, and you'll see two for OSSEC: server and client. These files are intended to be modified by the end user for custom configurations. That means that directly modifying /var/ossec/etc/ossec.conf will no longer be supported.
OSSEC rules will now match brute force conditions against SMTP_AUTH, Courier IMAP and POP connections. The default policy is to respond if there are more than 10 failed connections in a 60-second period from the same IP. I suspect that this may need some additional vetting for those environments where multiple users come from the same IP. This is something we'll need some community feedback on to fine tune the rule class.
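To make the "more than 10 failures in 60 seconds from one IP" policy and the shared-IP caveat concrete, here is an added example (not ASL's or OSSEC's code) of the same sliding-window logic run over a handful of constructed log lines. The line format, IP addresses and user names are all made up for the example; OSSEC's own rule syntax and internal counting are not reproduced here. The `key` parameter is an assumption of this example, added to show how tracking by (IP, user) instead of IP alone changes what fires.

```python
"""Sliding-window brute-force detector modelled on the threshold described
in the post: alert when one source exceeds 10 failed logins within 60 s.
Everything below (log format, addresses, users) is constructed for the
example; it is not OSSEC code and does not reproduce OSSEC's rule engine."""
import re
from collections import defaultdict, deque

MAX_FAILURES = 10   # alert when a window holds MORE than this many failures
TIMEFRAME = 60      # seconds

# Constructed line format: "<epoch> <service> auth failed user=<user> ip=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<service>smtp_auth|courier-imap|courier-pop3) "
    r"auth failed user=(?P<user>\S+) ip=(?P<ip>[\d.]+)$"
)


def parse(line):
    """Turn one constructed log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": int(m["ts"]), "service": m["service"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, key=lambda ev: ev["ip"]):
    """Return one alert per key the first time its window exceeds MAX_FAILURES.

    key() selects what the window is tracked by. The default (source IP) is the
    behaviour the post describes; keying by (ip, user) is the hypothetical
    variant for NAT-heavy sites where many users share one address.
    Events are assumed to arrive in timestamp order per key."""
    windows = defaultdict(deque)
    fired = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        k = key(ev)
        w = windows[k]
        w.append(ev["ts"])
        # Drop events that fell out of the 60 s window ending at this event.
        while w and ev["ts"] - w[0] > TIMEFRAME:
            w.popleft()
        if len(w) > MAX_FAILURES and k not in fired:
            fired.add(k)
            alerts.append({"key": k, "ts": ev["ts"], "count": len(w)})
    return alerts


def _lines(ip, service, users, start, step):
    """Build constructed log lines for one source, one failure every `step` seconds."""
    return [f"{start + i * step} {service} auth failed user={u} ip={ip}"
            for i, u in enumerate(users)]


# Constructed sample log (documentation-range addresses, made-up users):
#  - 198.51.100.7  hammers one SMTP AUTH account, 12 failures 3 s apart
#  - 192.0.2.10    a user who mistypes an IMAP password 5 times
#  - 203.0.113.5   a shared NAT address: 12 different users each fail once in 44 s
#  - 198.51.100.8  12 failures spaced 10 s apart, so never 11 inside any 60 s window
SAMPLE_LOG = (
    _lines("198.51.100.7", "smtp_auth", ["postmaster"] * 12, 1000, 3)
    + _lines("192.0.2.10", "courier-imap", ["alice"] * 5, 1000, 20)
    + _lines("203.0.113.5", "courier-pop3", [f"user{i}" for i in range(12)], 1000, 4)
    + _lines("198.51.100.8", "smtp_auth", ["root"] * 12, 1000, 10)
)


if __name__ == "__main__":
    print("by IP:       ", detect(SAMPLE_LOG))
    print("by (IP,user):", detect(SAMPLE_LOG, key=lambda ev: (ev["ip"], ev["user"])))
```

Run as-is, the IP-keyed pass fires on the single-account attacker and on the shared NAT address (the false positive the post anticipates), while the slow source stays under the threshold because the window only ever holds 7 of its events. Keying by (IP, user) silences the NAT address but would also miss a source cycling through many accounts from one IP, which looks identical to the NAT case in this data; that trade-off is exactly what the community feedback the post asks for would need to settle.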
The only other change is an update to ASL Web from Jim's team to handle custom user layouts. 2.2.4 was not compatible with the custom layouts from 2.2.3 and below; this update sets ASL to just ignore a setting if it doesn't jive with the new engine. Otherwise nothing new there, although I'm hoping they can finish up a reporting module in time for 2.2.5. We'll see!