Atomic Secure Linux
 Post subject: Using ASL Kernel but still get Kernel-check warnings.
Unread postPosted: Thu May 05, 2011 9:30 am 
Forum User

Joined: Fri Jul 23, 2010 10:03 am
Posts: 38
Location: UK
After recently acquiring a new server, we installed ASL. After booting into the ASL kernel and setting it as a default we still get kernel check warnings.
asl -f does nothing to fix this. Any suggestions? A couple of things such as popen that can be changed from the control panel are left as is due to requirements of other software on the server.

We are using CentOS 5 x86_64 and also have Plesk CP 10 installed.

The entire results of asl -a -f are below:
Asl kernel detected OK
Runtime module loading disabled OK
Grsecurity administrative password not set INFO
Grsecurity acl database not found INFO
Executable anonymous mapping yes HIGH
Executable bss yes HIGH
Executable data yes HIGH
Executable heap yes HIGH
Executable stack yes HIGH
Executable anonymous mapping (mprotect) yes HIGH
Executable bss (mprotect) yes HIGH
Executable data (mprotect) yes HIGH
Executable heap (mprotect) yes HIGH
Executable shared library bss (mprotect) yes HIGH
Executable shared library data (mprotect) yes HIGH
Executable stack (mprotect) yes HIGH
Anonymous mapping randomisation test no OK
Heap randomisation test (et_exec) no OK
Heap randomisation test (et_dyn) no OK
Main executable randomisation (et_exec) no OK
Shared library randomisation test no OK
Stack randomisation test (segmexec) no OK
Stack randomisation test (pageexec) no OK
Executable shared library bss yes HIGH
Executable shared library data yes HIGH
Writable text segments no OK
Checking General security settings
Checking for unnecessary services
Service apmd disabled OK
Service autofs disabled OK
Service avahi-daemon disabled OK
Service bluetooth disabled OK
Service cups disabled OK
Service gpm disabled OK
Service haldaemon disabled OK
Service hidd disabled OK
Service hplip disabled OK
Service isdn disabled OK
Service kdump disabled OK
Service mcstrans disabled OK
Service messagebus disabled OK
Service nfs disabled OK
Service nfslock disabled OK
Service pcscd disabled OK
Service portmap disabled OK
Service rpcidmapd disabled OK
Service xfs disabled OK
Service x11 disabled OK
Checking for End of Life (EOL) operating systems
Centos/5 Supported OK
Checking for updater yum detected OK
Checking for updates system is up to date OK
Checking General Plesk settings
Plesk sql injection vulnerability sa26741 not detected OK
Horde turba vulnerability cve-2008-0807 not detected OK
Horde vulnerability sa28382 not detected OK
Horde turba vulnerability sa28382 not detected OK
Horde mnemo vulnerability sa28382 not detected OK
Horde kronolith vulnerability sa28382 not detected OK
Horde vulnerability cve-2007-6018 not detected OK
Horde vulnerability cve-2008-1284 not detected OK
Horde kronolith vulnerabilty bugtraqid 28898 not detected OK
Proftp vulnerability sa33842 not detected OK
Verify tls enabled in proftp enabled OK
Verify clamav enabled in proftp enabled OK
Set proftp scoreboard to default yes OK
Checking for weak smtp_auth passwords 0 found OK
Verify sslv2 disabled in qmail verified OK
Verify sslv2 disabled in courier imap verified OK
Verify sslv2 disabled in courier pop3d verified OK
Verify expose_php set to off OK
Checking psmon settings
Checking for psmon installation installed OK
Psmon set to enabled OK
Notifications to disabled OK
Checking System services monitored by psmon
Clamd monitored OK
Courier-imap monitored OK
Crond monitored OK
Mysqld monitored OK
Sshd monitored OK
Xinetd monitored OK
Ossec-dbd monitored OK
Stopping psmon: [ OK ]
Starting psmon: [ OK ]
Checking ossec-hids settings
Checking for ossec-hids installation installed OK
Ossec-hids set to enabled OK
OSSEC is configured in server mode.
Checking for server installation installed OK
Email notification disabled OK
Active response enabled OK
Active response timeout 600 OK
Verifying OSSEC whitelists
Checking 109.224.207.40 OK
Checking 127.0.0.1 OK
Excessive whitelists not detected 2 OK
Checking for monitored log files
/var/log/messages monitored OK
/var/log/secure monitored OK
/var/log/maillog monitored OK
/var/log/psa/maillog monitored OK
/var/log/httpd/access_log monitored OK
/var/log/httpd/audit_log monitored OK
/var/log/httpd/error_log monitored OK
/var/log/mysqld.log monitored OK
Reloading ossec-hids: [ OK ]
Checking rkhunter settings
Checking for rkhunter installation installed OK
Rkhunter set to enabled OK
Notifications sent to office@emailitis.com OK
Detected Plesk Environment
Ftp_psa enabled OK
Poppassd_psa enabled OK
Smtp_psa enabled OK
Smtps_psa enabled OK
Submission_psa enabled OK
Checking ssh settings
Enforce protocol version 2 OK
Strict modes enabled yes OK
Ignore .rhosts yes OK
Enable public key authentication for users yes OK
Checking Admin users
Valid admin users detected no HIGH
WARNING: SSH will not be reconfigured at this time.
Valid admin users detected HIGH
Failed Password authentication is enabled HIGH
Enable privilege separation yes OK
Allow gssapiauthentication no OK
Allow gssapicleanupcredentials no OK
Ssh banner /etc/asl/banner OK
Checking httpd settings
Verify http trace disabled verified OK
Verify sslv2 disabled verified OK
Checking mod_evasive settings
Checking for mod_evasive installation installed OK
Mod_evasive set to enabled OK
Doshashtablesize set to 4096 OK
Dospagecount set to 5 OK
Dossitecount set to 200 OK
Dospageinterval set to 2 OK
Dossiteinterval set to 2 OK
Dosblockingperiod set to 25 OK
Checking mod_security settings
Checking for mod_security installation installed OK
Mod_security set to enabled OK
Server signature set to Apache OK
Secuploaddir set to /var/asl/data/suspicious OK
Secuploadkeepfiles set to off OK
Logfile set to audit_log OK
Logging set to Concurrent OK
Audit logging to /var/asl/data/audit OK
Logging elements set to ABIFHZ OK
Secrequestbodyinmemorylimit set to 131072 OK
Secrequestbodylimit set to 134217728 OK
Secresponsebodylimit set to 2621440 OK
Secresponsebodylimitaction set to ProcessPartial OK
Enable debug log no OK
Secdatadir set to /var/asl/data/msa OK
Sectmpdir set to /tmp OK
Checking rule class settings
Rbl checks off LOW
Upload scanner ruleset on OK
Anti-malware ruleset on OK
Generic attack ruleset on OK
Malicious useragents ruleset on OK
Anti-spam ruleset on OK
Rootkit ruleset on OK
Recon ruleset on OK
Just in time patches on OK
Redactor off INFO
Whitelist off OK
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Checking php settings
Checking for php installation installed OK
Php safe mode enabled MODERATE
Register globals no OK
Allow url fopen yes FIXED
Checking for High-Risk functions
Function dl not allowed OK
Function exec allowed HIGH
Function passthru not allowed OK
Function pcntl_exec not allowed OK
Function pfsockopen not allowed OK
Function popen allowed HIGH
Function posix_kill not allowed OK
Function posix_mkfifo not allowed OK
Function posix_setuid not allowed OK
Function proc_close not allowed OK
Function proc_open not allowed OK
Function proc_terminate not allowed OK
Function shell_exec not allowed OK
Function system not allowed OK
Checking for Moderate-Risk functions
Function leak not allowed OK
Function posix_setpgid not allowed OK
Function posix_setsid not allowed OK
Function proc_get_status not allowed OK
Function proc_nice not allowed OK
Function show_source not allowed OK
Checking for Low-Risk functions
Function escapeshellcmd allowed LOW
Function phpinfo not allowed OK
Checking executable stack flag on PHP extensions
/usr/lib64/php/modules/ioncube_loader_lin_5.1.so OK
Restarting clamav, this could take a moment...
Checking clamav settings
Checking for clamav installation installed OK
Clamav set to enabled OK
Clamd listen address 127.0.0.1 OK
Clamd log to syslog yes OK
Clamav is in: application-only mode
Stopping Clam AntiVirus Daemon: [ OK ]
Starting Clam AntiVirus Daemon: [ OK ]
Generating Report: Complete


I am currently looking into fixing these issues myself over command line.


Last edited by bananapar on Fri May 06, 2011 7:23 am, edited 1 time in total.

 Post subject: Re: Using ASL Kernel but still get Kernel-check warnings.
Unread postPosted: Thu May 05, 2011 11:17 am 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7899
Location: earth
Any chance you've disabled the NX setting in your BIOS?


 Post subject: Re: Using ASL Kernel but still get Kernel-check warnings.
Unread postPosted: Thu May 05, 2011 1:29 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3631
Location: Chantilly, VA
Exactly, the scanner doesn't lie; if the CPU is configured to not support NX then you're gonna have holes.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Using ASL Kernel but still get Kernel-check warnings.
Unread postPosted: Fri May 06, 2011 6:25 am 
Forum User

Joined: Fri Jul 23, 2010 10:03 am
Posts: 38
Location: UK
I'm not entirely sure what I'm looking for here, but "egrep '^flags' /proc/cpuinfo | uniq" gives

flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall lm constant_tsc arch_perfmon pebs bts rep_good aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm dca lahf_lm tpr_shadow


pae is mentioned but not nx.
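The check the poster ran by eye, scripted, as an added example that is not part of this thread or of Atomicorp's tooling: it reads the first "flags" line of a /proc/cpuinfo-style file and reports whether the exact token "nx" is present. The function names, the constructed sample files and the "nx"/"no-nx" output are this example's own choices. The one background fact it relies on is that on x86_64 PaX PAGEEXEC enforces non-executable pages through the hardware NX bit, so when the CPU does not advertise "nx" the "Executable ... HIGH" findings in the ASL report are the expected result and only enabling NX in the BIOS changes them.

```sh
#!/bin/sh
# Added example (not from the thread): decide from a /proc/cpuinfo-style file
# whether the CPU advertises the NX (execute-disable) bit. Without "nx" in the
# flags, PaX PAGEEXEC on x86_64 has no hardware support for non-executable
# pages, so ASL's "Executable ... HIGH" lines are expected rather than a bug.

# has_nx_flag FLAGS: return 0 if the whitespace-separated FLAGS contain the
# exact token "nx", 1 otherwise (whole-token match: "pnx" or "nxe" do not count).
has_nx_flag() {
    for f in $1; do
        [ "$f" = "nx" ] && return 0
    done
    return 1
}

# first_flags_line FILE: print the value part of the first "flags" line.
first_flags_line() {
    sed -n '/^flags/{s/^[^:]*: *//;p;q;}' "$1"
}

# nx_status [FILE]: print "nx" or "no-nx" for FILE (default /proc/cpuinfo).
nx_status() {
    src="${1:-/proc/cpuinfo}"
    if has_nx_flag "$(first_flags_line "$src")"; then
        echo nx
    else
        echo no-nx
    fi
}

# Constructed samples: the flags line the poster pasted (nx absent) and the
# same line with nx appended, as a CPU with NX enabled in the BIOS reports it.
POSTED_FLAGS='fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall lm constant_tsc arch_perfmon pebs bts rep_good aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm dca lahf_lm tpr_shadow'
NX_FLAGS="$POSTED_FLAGS nx"

# demo: write each constructed sample to a temporary cpuinfo-format file and
# classify it. Run nx_status with no argument to test the live machine instead.
demo() {
    tmp=$(mktemp)
    printf 'processor\t: 0\nflags\t\t: %s\n' "$POSTED_FLAGS" > "$tmp"
    echo "poster's CPU:   $(nx_status "$tmp")"
    printf 'processor\t: 0\nflags\t\t: %s\n' "$NX_FLAGS" > "$tmp"
    echo "NX-enabled CPU: $(nx_status "$tmp")"
    rm -f "$tmp"
}

demo
```

Calling `nx_status` with no argument reads the real /proc/cpuinfo; "no-nx" on an x86_64 box running the ASL kernel means the report's executable-memory findings will not clear until NX is enabled in firmware, which is exactly what the replies below conclude.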


 Post subject: Re: Using ASL Kernel but still get Kernel-check warnings.
Unread postPosted: Fri May 06, 2011 7:56 am 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7899
Location: earth
Yup, NX is turned off in your BIOS.


 Post subject: Re: Using ASL Kernel but still get Kernel-check warnings.
Unread postPosted: Fri May 06, 2011 9:27 am 
Forum User

Joined: Fri Jul 23, 2010 10:03 am
Posts: 38
Location: UK
We haven't disabled it ourselves, so it must have been default/configured by the company we received our server from.
I guess I better work out if I can enable it remotely or live with it for now.


 Post subject: Re: Using ASL Kernel but still get Kernel-check warnings.
Unread postPosted: Fri May 06, 2011 11:21 am 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7899
Location: earth
That's not the first time I've seen a provider do that. Ask me how I know :P

