ASL Lite
Written by scott   
Wednesday, 20 January 2010

Still a work in progress, but we've started on what I call "ASL Lite", which is (currently) a standalone updater for rules. It's the first step toward a cross-platform, "installation neutral" component that can be used to update rules (mod_security in this case) regardless of the OS or the control panel. Right now this means we have something to marry with the rules-only feed as a rule updater, and long term it provides a platform for supporting custom environments (cpanel, directadmin, fill-in-the-blank...).

 

At this point ASL Lite can:

1) Configure itself (just like asl -c), which includes a basic mod_security rules dialog

2) Check for updates from the update server (like asl -ck)

3) Download updates and install the sub-components  (in this case rule classes) to the designated directory.

We've also got basic configuration "smoke tests" to ensure that the custom environment has the support packages for each rule class to work. In full ASL this is already done using package management, but in a Lite (aka cpanel, directadmin, source installs, etc) environment you're in a situation where you have to interrogate the box many different ways to ensure everything is there and configured in a usable way.

One lesson learned from early plesk development  (pre-2.0) that we're not going to repeat with ASL is to let this approach get out of hand, or you end up with this big monolithic mess that requires an army to maintain. We couldn't do that anyway... we don't have an army :P

AOOI 0.19
Written by scott   
Sunday, 01 November 2009

Just finished up a little side project for AOOI. Until now its Debian support had been somewhat limited if you were in a grub environment. I'm more familiar with the RedHat/CentOS/Fedora way of updating kernels and grub via the command line using the grubby utility. This is the same thing that kernel rpms use to automatically update the menu.lst used by grub to use the newer kernel. Debian has something like this, called update-grub, which has a similar role but without the same command line capabilities as grubby. For example, with grubby I can do this:

 

/sbin/grubby --add-kernel=/boot/vmlinuz.atomic --initrd /boot/initrd.img.atomic --title "Atomic"  --copy-default --args="ks=http://www.atomicorp.com/installers/AOOI/ks-$ARCH.cfg ip=$IPADDR netmask=$NETMASK gateway=$GATEWAY dns=$DNS"

 

Which results in adding an entry to the top of menu.lst (or /etc/grub.conf, for those of you that like shortcuts) and passes in additional parameters to the kernel which we need to pass to anaconda. Debian, and I suspect Ubuntu, don't have a native way of doing this, rather relying on the admin to manually make changes to the menu.lst after the fact. You just run update-grub and it will populate the menu.lst with whatever it finds in /boot. Shortcut yes, but not really what I need to re-image a box in AOOI. So taking the shortcut as I am wont to do, I just generate my own menu.lst a la cat << EOF > menu.lst and voilà... I completely hose the old settings. Functional? Yes. Totally uncool? You bet. :P But hey, we were blowing away the original (Debian/Ubuntu) OS anyway, so it's not like we were killing a prod box....
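An added example, not part of the original post or of AOOI: one way to put a new stanza at the top of a GRUB legacy menu.lst while keeping the existing entries and a backup, instead of overwriting the file with a heredoc. The function name add_grub_entry and the .bak suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not AOOI code): prepend a boot stanza to a GRUB legacy
# menu.lst without discarding the entries that are already there.

# add_grub_entry MENU TITLE KERNEL INITRD ARGS   (hypothetical helper)
add_grub_entry() {
    menu=$1
    title=$2
    kernel=$3
    initrd=$4
    args=$5
    [ -f "$menu" ] || { echo "no such file: $menu" >&2; return 1; }

    # Reuse the root device of the first existing stanza, roughly what
    # grubby --copy-default does with the default entry.
    root=$(awk '$1 == "root" { print $2; exit }' "$menu")
    [ -n "$root" ] || { echo "no root line found in $menu" >&2; return 1; }

    cp -p "$menu" "$menu.bak" || return 1     # keep the old settings
    tmp=$(mktemp "$menu.XXXXXX") || return 1

    # Insert the new stanza before the first existing title so it becomes
    # entry 0, and point "default" at it. Every other line is copied through.
    # Writing back with cat keeps the original file's owner and mode.
    awk -v t="$title" -v r="$root" -v k="$kernel" -v i="$initrd" -v a="$args" '
        $1 == "default" { print "default 0"; seen_default = 1; next }
        $1 == "title" && !inserted {
            if (!seen_default) print "default 0"
            print "title " t
            print "root " r
            print "kernel " k " " a
            print "initrd " i
            print ""
            inserted = 1
        }
        { print }
    ' "$menu" > "$tmp" && cat "$tmp" > "$menu"
    status=$?
    rm -f "$tmp"
    return $status
}
```

If the re-image is abandoned, copying menu.lst.bak back over menu.lst restores the previous boot configuration.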

Plesk 9.2.3 Released
Written by scott   
Wednesday, 21 October 2009

9.2.3 is out, and the Yum repos here have all been updated. A few long standing issues have been resolved in this update.

Changelog:

  • Support for Fedora 11
  • Improved Updates: improved updates functionality provides you with quicker and well-timed hotfixes and component updates.
 

 Bugfixes:

  •  DomainKeys adding an improper comment header to e-mail messages bug is fixed.
  •  Inability to update httpd on CentOS 5 and RHEL 5 if psa-tomcat-configurator is installed bug is fixed.
  •  Web applications crashing because php.ini was not preconfigured for FastCGI bug is fixed.
  •  High CPU load caused by authpsa processes bug is fixed.
  •  Passwords of similar e-mail aliases being updated unintentionally bug is fixed.
  •  Tomcat Java applications not working after the upgrade bug is fixed.
  •  Domains that exceeded resource limits are not suspended on servers with a lot of domains bug is fixed.
  •  Statistics utility failing with segmentation fault on openSUSE 10.3 bug is fixed.
  •  Mail queue utility mailqueuemng only lists messages from deferred queue when Postfix mail server is used bug is fixed.
  •  Files processed by mail handlers are created with random permissions bug is fixed.
  •  Mail forwarding not working and reporting broken pipe error when Postfix mail server is used bug is fixed.
  •  Local mail delivery not working when Qmail mail server is used bug is fixed.
  •  Inability to switch default interface language to another language if Parallels Plesk Panel license key has zero additional languages bug is fixed.
  •  Mail malfunctioning due to buffer length limitation in spam handlers bug is fixed.
  •  Postfix mail server crashing with segfault error on processing messages with strings larger than 4096 characters bug is fixed.
  •  High CPU load caused by relaylock processes bug is fixed.
  •  No support for UI pointers in root.controls.lock file bug is fixed.
  •  Old credentials still working and error displayed in the Panel if mail name and password are changed at the same time bug is fixed.
  •  Automatic removal of mailing lists with names similar to the one actually being removed (or disabled) on qmail bug is fixed.
  •  Messages sent to a non-existent user locally (with transport other than SMTP) were stuck in mail queue instead of being rejected on Postfix bug is fixed.


To Upgrade from yum:

1) Add the atomic repo

wget -q -O - http://www.atomicorp.com/installers/atomic |sh

 

2) Select the Plesk 9 repo when prompted

 

3) Upgrade with yum

yum upgrade

 


Last Updated ( Wednesday, 21 October 2009 )
 
Atomic-Scanner update: Clamav for Postfix
Written by scott   
Tuesday, 20 October 2009

By popular demand we've been working on a qmail-scanner like project for Postfix. So far we've looked at clamavsmtpd, amavisd-new, mailscanner, and clapf. To date clapf has been the most successful, and resource efficient with a resident memory footprint less than 5% of the other solutions (you read that right!). The initial prototype of the core daemon is available in the Atomic Testing channel now. Currently it supports clamav and spamassassin, and should drop in to a postfix environment (plesk or otherwise) with no configuration required. To install:

1) yum install clapf

2) /etc/init.d/clapf start

3) /etc/init.d/postfix restart

 

New Atomicorp Website
Written by scott   
Monday, 28 September 2009

It's been 4 years since we started the Atomic Secured Linux (ASL) project, which has always maintained a close relationship with my personal website. We've grown a lot over the last few years, and now the project is moving to its new home: www.atomicorp.com with its new logo and mascot, SurlyTurtle(tm). The ART forums will continue to live here, and are now duplicated at www.atomicorp.com/forums. I encourage everyone to move over to that link just for SSL sanity's sake. Stay tuned to the new site as we merge in more content from our other sites at gotroot.com and www.progllc.com!

 

Last Updated ( Monday, 28 September 2009 )
 
Atomic Secured Linux 2.2 Release
Written by scott   
Wednesday, 26 August 2009

 

This is the official release for Atomic Secured Linux (ASL), version
2.2.

Changelog:
* ASL Web, the standalone web gui. A dynamic, resizable open interface
to manage security policy and event information.
* Kernel 2.6.29.6, with support for vmware's VMI interface, ext4 and
btrfs file systems, and much much more
* OSSEC upgraded to 2.1
* ASL Core has been completely re-written in C for faster and more
flexible capabilities
* Added vulnerability checks for simple FTP passwords
* Added new dynamic purge events for stale blocklist entries
* Added vulnerability checks for excessive whitelists
* Whitelisting now handles bitmask based whitelisting across all services
* Added checks for SSL/TLS usage in qmail
* Added expose_php checks for Plesk daemons
* Command line arguments now support multiple entries (--blacklist 1.2.3.4 4.5.6.7 7.8.9.10)
* Extended firewall module checking in the asl-mod init script
* Added ability to disable SSH Banner checks (for lemonbit)
* Added ability to set Apache "graceful" restarts (for enom)
* PHP checks for safe_mode have been lowered from "high" to "moderate"
* PHP checks for escapeshellcmd have been dropped to "low"
* Added configuration checks for the Plesk 9 /etc/xinet.d/ excludes in rkhunter
* Added vulnerability check for psa-atmail
* Added vulnerability check for psa-proftpd
* Added SSL settings detection between Plesk 8.x and 9.x
* RKHUNTER_SSH_ROOT_LOGIN now defaults to SSH_ROOTLOGINS variable by default
* Added detection for Horde and Squirrelmail during PHP functions check in the configuration phase. This will automatically allow the required PHP functions (popen, etc).
* Added migration routine for plesk environments from the old asl-web-gui to the new asl-web
* update to KERNELS file to support the new 2.6.29.6 kernels
* Updated configuration_setup to detect & start mysql if it's not running
* Update on ossec_database_setup to warn on blank passwords
* Added routine to kill stale ossec-dbd processes in ossec_check
* Removed restrictions on the max length of a message field in the Events Display
* New turtle graphics, now with Lensflare!
* Optional: An upgraded psa-proftp for Plesk users to 1.3.2a, which includes SFTP, RBL (real-time black lists), and ClamAV support

 Bugfixes:
- Bugfix on remove-blacklist
- Bugfix #XXX, fix for vulnerability scanner to show details if there
was only 1 entry
- Bugfix #XXX, fix for ossec excessive whitelists check to show correct
vuln level based on total # of whitelists
- Bugfix #XXX, correctly install the asl-button for plesk environments
- Bugfix #XXX, on ossec_database_setup
- Bugfix #XXX, on asl-mod (adds more modules)
- Bugfix #XXX, on white/black/geoblock/blocking .js files
- Bugfix #XXX, ssh_check, added missing message for GSSAPICleanup test
- Bugfix #XXX, rkhunter_check, added missing message for SSH protocol 1
test
- Bugfix #XXX, multi-argument/value events
- Bugfix #XXX, in vulnerability stub data for ET_EXEC
- Bugfix #XXX, ssh_check banner test (bareword found issue)
- Bugfix #XXX, Added a condition to detect /var/asl/tmp/VERSION on new
installs
- Bugfix #XXX, --whitelist typo on the asl-shun command
- Bugfix #XXX, ssh_check, Added more logic around allowed root logins,
this will skip the fixed check now and just report it as
allowed/vulnerable if it is in fact allowed.
- Bugfix #xxx, mod_security, cleaned up path checking on SecTmpDir
- Bugfix #xxx, php_check, Changed execute flag string to be more clear
on extensions check
- Bugfix #xxx, php_check, disable_functions check will now create the
line if it doesn't exist rather than rewrite it
- Bugfix #XXX, for pending updates check
- Bugfix #XXX, for denyhosts bitmask whitelist
- Bugfix to detect spamassassin before checking its permissions
- Bugfix for ossec_check and web.conf, deprecated dhtml.conf files
- Bugfix for mod_security_check to correctly parse Dir directives
- Bugfix for mod_security_check SecAuditLogStorageDir
- Bugfix, mod_security_check now supports both "on/off" and "yes/no"
values
- Bugfix, mod_security_check copies rulegroups over correctly now
- Bugfix, mod_security_check copies over tertiary configs now
(spam.conf, sql.txt, etc)
- Bugfix, mod_security_check, when the whitelist is enabled, it is now
flagged as a vulnerability
- Bugfix, php_check updated to support yes/no, and on/off conditions
- Bugfix #XXX, corrected condition where ssh vulnerability checks were
not being reported for SSH password authentication being enabled.
- Bugfix #XXX, added a wrapper to lint the config file for the
CONFIGURED flag



Upgrading to 2.2:

1) Ensure that you allow mysql connections from localhost, and that
skip-networking is not set in /etc/my.cnf

2) yum upgrade

3) asl -s -f

4) Log in to the web interface on port 30000 with your web browser with
the credentials:
username: admin
password: setup




To Install on a clean system:
1) wget -q -O - http://www.atomicorp.com/installers/asl |sh

2) Log in to the web interface on port 30000 with your web browser with
the credentials:
username: admin
password: setup

Last Updated ( Wednesday, 26 August 2009 )
 
© 2010 atomicrocketturtle.com :: digital turtlist