Today I ran the ASL installer (v3.0.2) on a CentOS 6.0 x86_64 server and compiled the following list of bugs/quirks/strange things/remarks. (I don't believe any of these issues are specific to CentOS 6, but I haven't double-checked.)
1. [BUG?] When choosing to configure the PHP checks, a couple of functions (kill, mkfifo, setpgid, setsid, setuid, proc_close) don't have a default value. Is this on purpose?
2. [REQ] The functions mentioned under 1, except proc_close but including status, don't actually exist under those names. The actual names are posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid and proc_get_status. I'd love to see the actual, complete names of the functions.
3. [BUG] escapeshellcmd got disabled while I chose the default setting, which is to enable it. I needed to manually enable it in /etc/asl/config after running the installer.
4. [REQ/BUG?] curl_exec, curl_multi_exec, pcntl_exec and ftp_exec got disabled automatically, but the configure process never asked about those functions.
5. [BUG] I ended up with EMAIL="" in /etc/asl/config even though I entered an e-mail address for notifications. I had to manually fix this after running the installer.
6. [BUG] The ASL installer fails when yum-plugin-priorities is installed. /etc/yum.repos.d/atomic.repo has priority = 1, but the atomic channel currently does not contain the ossec-hids-2.6-7 package required by ASL. (Also see viewtopic.php?f=3&t=5360)
Some smaller issues:
a. The ASL installer said: "** Horde Webmail or Squirrelmail detected, exec, popen, fsockopen, escapeshellcmd are required **" This is not entirely true. Plesk 10 Horde uses SMTP instead of sendmail when PHP safe_mode is enabled, and in that case neither exec nor popen is required. Older versions of Plesk may use sendmail by default, but can also be configured to use SMTP instead: set $conf['mailer']['type'] = 'smtp';
in /etc/psa-horde/horde/conf.php (Plesk
or /etc/psa-webmail/horde/horde/conf.php (Plesk 9).
b. [REQ] In the PHP section in /etc/asl/config some values are quoted, others are not. This doesn't really cause a problem, but it looks a bit messy. I'd like some consistency in this area.
c. [REQ] Show the risk level (low/med/high) when asking the user whether or not to disable a PHP function.
d. [???] After running the ASL installer I found /root/asl-application-inventory.log with the following content:
Performing an inventory of web applications
No signatures loaded, skipping checks
e. [???] /etc/asl/config contains both RESTART_APACHE="graceful" and APACHE_RESTART_COMMAND="/etc/init.d/httpd restart". This looks confusing. Are restarts done gracefully or not?
f. [???] /etc/asl/config contains ASL_WEB_CONFIGURED="no", but since ASL 3 the ASL web interface is automatically accessible using the ASL account credentials. Is this setting no longer used?
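As an added example (not part of the original post and not ASL's own code), here is a small Python checker for a shell-style KEY=value file such as /etc/asl/config that flags the post-install problems listed above: an empty EMAIL (item 5), function names in the disable list that are not real PHP functions (items 1-2), escapeshellcmd ending up disabled (item 3), mixed quoting (item b), and a graceful RESTART_APACHE paired with a non-graceful APACHE_RESTART_COMMAND (item e). The key name PHP_DISABLE_FUNCTIONS, the PHP_SAFE_MODE key and the sample config contents are assumptions constructed for the example; the page does not give the real key names of the PHP section.

```python
"""Post-install sanity check for a shell-style KEY=value config (e.g. /etc/asl/config).

Added example; the config sample and the PHP_DISABLE_FUNCTIONS / PHP_SAFE_MODE
key names are constructed assumptions, not taken from ASL.
"""

# Names the installer shows for PHP checks, mapped to the real PHP function names
# (as listed in the forum post).
MISNAMED = {
    "kill": "posix_kill",
    "mkfifo": "posix_mkfifo",
    "setpgid": "posix_setpgid",
    "setsid": "posix_setsid",
    "setuid": "posix_setuid",
    "status": "proc_get_status",
}

# Constructed sample reproducing the reported symptoms; not a real /etc/asl/config.
SAMPLE_CONFIG = """\
# constructed sample
EMAIL=""
RESTART_APACHE="graceful"
APACHE_RESTART_COMMAND="/etc/init.d/httpd restart"
ASL_WEB_CONFIGURED="no"
PHP_DISABLE_FUNCTIONS="kill,setuid,escapeshellcmd,curl_exec"
PHP_SAFE_MODE=on
"""


def parse_config(text):
    """Parse KEY=value lines. Returns (values, quoted) where quoted[key] tells
    whether the value was wrapped in matching single or double quotes."""
    values, quoted = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        key, raw = key.strip(), raw.strip()
        is_quoted = len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'"
        values[key] = raw[1:-1] if is_quoted else raw
        quoted[key] = is_quoted
    return values, quoted


def check_config(text, disable_key="PHP_DISABLE_FUNCTIONS",
                 required_enabled=("escapeshellcmd",)):
    """Return a list of human-readable findings; an empty list means no problems."""
    values, quoted = parse_config(text)
    findings = []

    # Item 5: notifications silently go nowhere with an empty address.
    if not values.get("EMAIL"):
        findings.append("EMAIL is empty: notifications will not be delivered")

    # Items 1-2: a name that is not a PHP function disables nothing.
    disabled = [f.strip() for f in values.get(disable_key, "").split(",") if f.strip()]
    for fn in disabled:
        if fn in MISNAMED:
            findings.append(f"{fn!r} is not a PHP function; did you mean {MISNAMED[fn]!r}?")

    # Item 3: functions the user chose to keep enabled must not be in the list.
    for fn in required_enabled:
        if fn in disabled:
            findings.append(f"{fn} is disabled but was expected to stay enabled")

    # Item b: report mixed quoting styles.
    if len(set(quoted.values())) > 1:
        unquoted = sorted(k for k, q in quoted.items() if not q)
        findings.append("inconsistent quoting; unquoted keys: " + ", ".join(unquoted))

    # Item e: "graceful" restart setting versus a hard restart command.
    if (values.get("RESTART_APACHE") == "graceful"
            and "graceful" not in values.get("APACHE_RESTART_COMMAND", "")):
        findings.append("RESTART_APACHE is graceful but APACHE_RESTART_COMMAND is not")

    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("-", finding)
```

To run it against a real installation, read /etc/asl/config into a string and pass it to check_config, adjusting disable_key to whatever key the PHP section actually uses; the misnamed-function check is only as good as the MISNAMED table, so extend it as you find further mismatches.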