Atomic Rules with EA4

[jimlongo]

I've been using the Atomic Rules for Mod Security for years on cPanel with Easy Apache 3.

What's the consensus about Atomic on EA4? The documentation at Atomic is so confusing, the price has doubled (from $99 to $199), their aum installer doesn't seem to work for me on CentOS7, and I'm not certain that CMC (Config Server Modsec Control) is working properly, at least not with my attempt at installing the Atomic Rules and getting them to work.

Is there some friction between cPanel and Atomic? I mean neither party seems that interested in making things easy. Why doesn't WHM have a way to install Atomic as a Vendor in ModSec Vendors?

It's very tempting at this point to just use the OWSAP rules . . . 1 click and it's done.

Any opinions?

 

[24x7server]

Hi,

You can install the Atomic rule directly via WHM modsecurity vendor section. This is the section which has been specially designed to implement the ModSecurity rules at ease.. Contact the Atomic support and get their yaml file from them that can be loaded directly into this vendor section to load the Atomic rules.

 

[jimlongo]

After a frustrating bit of back and forth and reading their wiki I found that they have an installer "aum" that will install everything and provides automatic updates of the ruleset.

- Removed Subscription based rules installer -

They do not support the yaml method of being added as a vendor.

 

[jimlongo]

What's not clear to me after the aum install . . . is Mod Security processing the Atomic rules?

There is nothing in the WHM interface to let me know what's going on.

Should I disable the OWSAP rules in Security > Mod Security Vendors?

 

[cPanelMichael]

Should I disable the OWSAP rules in Security > Mod Security Vendors?

Disabling the OWASP ruleset is not required, but it may lead to issues if there are duplicate rule IDs. You should be able to see a list of existing rules via:

"WHM Home » Security Center » ModSecurity™ Tools » Rules List"

Thank you.

 

[jimlongo]

But that's only the OWASP rules correct?
There seems to be no indication of Atomic rules or hits anywhere in Security Center.

 

[cPanelMichael]

Hello,

You won't see it listed as a vendor if they do not provide a YAML file. I recommend reaching out to their support team for help setting up their rules if their existing installation method doesn't lead to the addition of new rules.

Thank you.

 

[jimlongo]

The "aum" installer seems to do everything.
It's just that there's no feedback from WHM.

 

[cPanelMichael]

Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look at your system to see what's happening.

Thank you.

 

[quizknows]

Atomic has great rules, but IMHO it's really a shame how they package and push them.

Between their pricing model and them trying to push the whole ASL package on me, I gave up on them a while ago. I had nothing but problems with their installers. If they provided just a nice vendor rule set, or even just a reliable feed of flat text config files like they used to, I'd probably pick them back up in a heartbeat.

Best of luck getting it to work. They really are awesome rules if you can pull it off.

 

[jimlongo]

cPanel support says that the rules are being processed, you can see them in the apache error logs, and I get emails from lfd telling me about them. Then suggested I go back to Atomic to see if there's any GUI available.

Atomic has already said they won't support the YAML integration for security and anti-piracy reasons.

 

[quizknows]

I use RPM instead of YAML myself, so I can understand not wanting to use the yaml system. My personal issue with atomic is more their chosen alternative being clunky and the fact that they gave me (multiple) broken install methods for the ASL package some years back, when all I wanted was to buy ModSecurity rules.

The WHM modsecurity GUI itself has a lot of potential but the details seem sorely unpolished, especially if rules are in includes anywhere other than vendor files. For example you'll get errors retrieving rules. It would be really nice to see a good overhaul of that interface, as well as the cPanel user level one, to make it usable so that we can stop relying on CMC by default to let our users make exceptions/customizations.

That said in your case maybe CMC (configserver modsec control) will give you the visibility and tools you need.