Hi everyone, please subscribe for the updates to this KB article: https://kb.plesk.com/en/129494. As soon as Atomic provide the fix, we'll update it and you will be notified.
This KB article is a work-around, as opposed to the final solution Plesk customers should have.
In essence, the errors with respect to ASL are a blessing, they indicate many other problems, being (amongst others)
A - big issues with directories and commands
On deb based systems, like Ubuntu, any file or directory location containing the string "httpd" should actually be "apache2".
The same or something similar applies to commands.
Both issues are not really a "bug" (in the true sense of the word), but the result of a remarkably strange setup (let's put it mildly, shall we?).
The problems:
- commands are not executed properly AND the wrong or a non-existing script (or binary) is called for,
- proper commands are not executed properly due to the reference to incorrect file or directory paths,
Moreover, in the (remarkably strange) setup, some of these issues have been resolved by creating symlinks.
However, even though these symlinks resolve the issues for ASL partially, the same symlinks can cause problems for other programs, binaries or scripts.
Some of the issues with the (remarkably strange) setup of ASL have been "solved" by native Plesk "wrappers", such as modsecurity_ctl.
In general, it is a big mess and it is not clear at all how the whole ASL setup affects the proper functioning of the entire system.
In summary, I would rather have a clean install and setup of ASL (read: the aum package), since the current setup does not make any sense at all, given
- the many errors,
- a lot of code that refers to httpd and should hence be deemed obsolete for deb based OSes,
- double directories (like "/etc/httpd/modsecurity.d" and "/etc/apache2/modsecurity.d") containing essentially exactly the same or roughly identical content,
- the danger of specific symlinks that actually should not be there
and so on.
It even seems to be the case that ASL (read: the aum package) is "accidentally" (what is in a word?) installed AND should be removed entirely.
I will return to the latter in the next section(s).
B - a (likely) bug in aum causing the /etc/asl/config to be empty, under circumstances that cannot be replicated if the /etc/asl/config was not empty.
Note that
- the commands aum -u and aum -c will not work if /etc/asl/config is empty
- the command aum -c will create a backup file called /etc/asl/config.bak
- the command aum -c does NOT use the file /var/asl/data/templates/config.template for creation of the config file
- the command aum -ck is EXECUTED every hour
- the error notifications are the result of cronjobs, which differ hugely by nature
- the cronjobs (read: commands in those cronjobs) can cause tcprcvbuf related issues on VPSes
implying that
1) one SHOULD NOT EDIT the /etc/asl/config file directly, since that will result in the current issues returning (for many reasons)
2) the /var/asl/data/templates/config.template, normally being the only place to edit the "configuration" ending up in /etc/asl/config, is barely relevant,
whereas a bug free aum package should not exhibit the above mentioned behaviour.
It seems to be the case that the cronjobs can be simply altered OR even deleted, to suppress all annoying error notifications.
Again, note the existence of modsecurity_ctl, that solves issues with the (strange) setup of ASL.
I will proceed with that in the next section.
C - ASL and modsecurity_ctl
ASL (Atomic Secured Linux) is associated with the aum package, which package installs a lot of files and directories with the name "asl".
However, not all files and directories are installed with the aum package provided with Plesk, resulting in error notifications when running the cronjobs.
Note that the cronjobs themselves are part of the aum package (and were not present on the OS, before the MU43 update).
Modsecurity_ctl is the Plesk (command line) tool that allows to operate with the Web Application Firewall (WAF) and, for instance, activate specific rulesets.
In the Plesk Panel, similar functions are present under "Tools & Settings > Web application firewall", but modsecurity_ctl is somewhat different in terms of functionality.
The major (in this case relevant) function is that modsecurity_ctl organises ASL related layout.
The (internal) function fix_atomic_modsec_layout is of particular interest: without that, a properly configured ASL would not allow you to restart Apache. Bump!
I am really curious about the whole construction, since it seems to be complete madness.
However, as I have indicated before, it seems to be the case that the aum package is "accidentally" installed AND should be removed entirely.
It certainly resolves the issues with the annoyance caused by the cronjobs and/or potential bugs in the aum package itself.
D - TEMPORARY SOLUTION
I did some testing and simply removed all files installed by the aum package manually.
It works fine, but I will give some instructions:
a) remove the files:
- /etc/cron.monthly/asl
- /etc/cron.daily/asl
- /etc/cron.weekly/asl
- /etc/cron.hourly/asl
- /usr/bin/aum (a symlink)
b) remove the directories (please go to the parent directory and use rm -r to remove the asl related directory):
- /etc/asl
- /var/asl
- /usr/share/doc/aum
c) check status of modsecurity, run the command: /opt/psa/admin/sbin/modsecurity_ctl --status (adjust the path appropriately for rpm based OSes)
d) enable modsecurity (if necessary), run the command: /opt/psa/admin/sbin/modsecurity_ctl --enable (adjust the path appropriately for rpm based OSes)
e) restart apache: service apache2 restart (or /etc/init.d/apache2 start; change "apache2" to "httpd" if you are on a rpm based system)
f) double check settings, run the command: plesk bin server_pref --show-web-app-firewall
g) check the proper functioning of modsecurity, follow the steps (in chronological order)
- run the command: cd /var/log
- run the command: vi modse* (just shows the modsec_audit.log)
- run the command (from SSH): wget http://<domain on the server>/foo.php?foo=http://www.example.com (or just paste the http URL in a browser)
- run the command: vi modse* and verify that the wget command has resulted in some additional log lines.
That is all.
E - Summary
Removing the files associated with the aum package will
- prevent all types of annoying error notifications,
- ascertain that your modsecurity works properly,
- ascertain that the modsecurity_ctl tool can be used properly (without any problems),
and, in essence, it should be safe to remove the aum package completely.
I am not yet confident about the provided solution (see section D), given the obscurity of the relations between ASL rulesets, updates of those rulesets and modsecurity_ctl.
It can be a permanent solution, if somebody from Plesk Team can confirm that the rulesets will be updated on the indicated schedule (daily, weekly or monthly).
At this moment, the solution will resolve all or most of the issues with the error notifications.
Please provide some feedback, if you encounter issues (or even typos, grinn)
Regards!
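
Added example, not part of the original post and not Plesk or Atomic tooling: a read-only inventory of the aum/ASL paths named in sections A, B and D, reporting which are present (and whether as symlink, file or directory), whether /etc/asl/config is empty, and whether the two modsecurity.d directories match. The optional root-prefix argument is an assumption added so the check can be run against a copied or constructed tree; the script deletes nothing.

```sh
#!/bin/sh
# Added example: read-only inventory of the aum/ASL paths named in the post.
# The ROOT prefix argument is an assumption (lets you audit a copied tree).

# Files and directories listed in section D of the post.
ASL_PATHS="/etc/cron.monthly/asl /etc/cron.daily/asl /etc/cron.weekly/asl
/etc/cron.hourly/asl /usr/bin/aum /etc/asl /var/asl /usr/share/doc/aum"

# classify ROOT PATH -> symlink | dir | file | missing
classify() {
    p="$1$2"
    if [ -L "$p" ]; then echo symlink
    elif [ -d "$p" ]; then echo dir
    elif [ -e "$p" ]; then echo file
    else echo missing
    fi
}

# config_state ROOT -> missing | empty | populated
# (section B: an empty /etc/asl/config stops aum -u and aum -c from working)
config_state() {
    c="$1/etc/asl/config"
    if [ ! -e "$c" ]; then echo missing
    elif [ -s "$c" ]; then echo populated
    else echo empty
    fi
}

# dup_modsec ROOT -> identical | differ | not-duplicated
# (section A: double directories under /etc/httpd and /etc/apache2)
dup_modsec() {
    a="$1/etc/httpd/modsecurity.d"; b="$1/etc/apache2/modsecurity.d"
    if [ -d "$a" ] && [ -d "$b" ]; then
        if diff -rq "$a" "$b" >/dev/null 2>&1; then echo identical; else echo differ; fi
    else
        echo not-duplicated
    fi
}

# audit ROOT: print one status line per path (ROOT empty = live system)
audit() {
    for p in $ASL_PATHS; do
        printf '%-34s %s\n' "$p" "$(classify "$1" "$p")"
    done
    printf '%-34s %s\n' "/etc/asl/config" "$(config_state "$1")"
    printf '%-34s %s\n' "httpd vs apache2 modsecurity.d" "$(dup_modsec "$1")"
}

audit "${1:-}"
```

Running it before and after the steps in section D shows which aum paths are still on disk; an "identical" result also appears when /etc/httpd is only a symlink to /etc/apache2.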