On 2023-05-12 08:10:04 -0700 (-0700), Jeffrey Chimene wrote:
[...]
> I'd like to propose adding a section that describes ossec.
[...]

There's an (ancient) RFP for it which apparently used to be an ITP:
https://bugs.debian.org/361954

There's no ossec-hids package in Debian currently though, so
actually packaging it for inclusion in the distribution seems like
the place to start.

> I'd like to propose adding a section that describes ossec.
[...]

Agreed. Actually, ossec itself has a debian package, so no ITP for
me :). It made my work significantly easier since the regex
package (pcre2) isn't part of the distro; the absence has a
reason, but it's still an impediment that ossec itself has
addressed with their .deb

wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
[...]
On 2023-05-12 09:53:15 -0700 (-0700), Jeffrey Chimene wrote:
[...]
> Agreed. Actually, ossec itself has a debian package, so no ITP for
> me :). It made my work significantly easier since the regex
> package (pcre2) isn't part of the distro; the absence has a
> reason, but it's still an impediment that ossec itself has
> addressed with their .deb

I'm not sure that official Debian documentation, particularly
security-focused documentation, should recommend that sysadmins
install packages from third party archives. That'll be up to the
maintainers of the documentation to decide, of course.

But beyond that...

> wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
[...]

There's a bit of irony in suggesting that security-conscious
sysadmins should download and run arbitrary scripts, much less with
root privileges. `curl|sudo bash` has virtually become a meme unto
itself these days.
The thing that caught my eye is disabling execution for /tmp. I
managed thousands of Debian servers at one time and I often found
hacker scripts in ./tmp because of a Wordpress exploit. This is
because /tmp is world writable and presumably people who don't know
better are unlikely to look for bad scripts there. While I agree
pulling third-party scripts with curl is cringe-worthy, I think Ossec
HIDS is an exception because it is GNU Public licensed.
On 5/12/23 10:16, Jeremy Stanley wrote:
> On 2023-05-12 09:53:15 -0700 (-0700), Jeffrey Chimene wrote:
> [...]
> > Agreed. Actually, ossec itself has a debian package, so no ITP for
> > me :). It made my work significantly easier since the regex
> > package (pcre2) isn't part of the distro; the absence has a
> > reason, but it's still an impediment that ossec itself has
> > addressed with their .deb
>
> I'm not sure that official Debian documentation, particularly
> security-focused documentation, should recommend that sysadmins
> install packages from third party archives. That'll be up to the
> maintainers of the documentation to decide, of course.
>
> But beyond that...
>
> > wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
> [...]
>
> There's a bit of irony in suggesting that security-conscious
> sysadmins should download and run arbitrary scripts, much less with
> root privileges. `curl|sudo bash` has virtually become a meme unto
> itself these days.

Thank you for your concern. I certainly look at the script before
execution. I think that suitable precautions can be written. I'm
installing on several systems, so I like to have such command as a
record. The example command comes from my notebook.

Thanks for your time!

Cheers,
jec
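One shape the "suitable precautions" mentioned above can take, as an added example that is not from this thread or from the OSSEC/Atomicorp project: fetch the installer to a file instead of a pipe, pin the SHA-256 of the copy you reviewed, and only hand it to sudo when the digest matches. The URL is the one from the thread; the pinned hash in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): replaces "wget -O - URL | sudo bash"
# with fetch -> review -> verify -> run. The digest you pin must be the one
# of the script you actually read; the value in the usage comment is a
# placeholder, not a real hash.

# Print the SHA-256 of a file (sha256sum, with shasum as a fallback).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only when the file's digest equals the pinned value.
verify_sha256() {
    actual=$(file_sha256 "$1")
    [ "$actual" = "$2" ]
}

# Fetch to a named file, never to a pipe, so it can be read and hashed
# before anything executes it.
fetch_installer() {
    wget -q -O "$2" "$1"
}

# Execute the file as root only after the pinned digest matches; on a
# mismatch, refuse and leave the file in place for inspection.
run_verified() {
    if verify_sha256 "$1" "$2"; then
        sudo bash "$1"
    else
        echo "refusing to run $1: sha256 mismatch" >&2
        return 1
    fi
}

# Usage (hash is a placeholder; pin the digest of the script you reviewed):
#   fetch_installer https://updates.atomicorp.com/installers/atomic ./atomic.sh
#   less ./atomic.sh
#   run_verified ./atomic.sh "<sha256 of the reviewed ./atomic.sh>"
```

Because the digest is pinned in your notes, re-running the same command on the next system fails loudly if the hosted script has changed since you reviewed it.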
Since Ossec HIDS is GNU Public licensed I think this is not a bad idea
to include this in the documentation. The referenced article does
describe securing Debian with open source tools and I honestly have
seen this documentation for the first time tonight and I think it is
very high quality. The thing that caught my eye is disabling execution
for /tmp. I managed thousands of Debian servers at one time and I
often found hacker scripts in ./tmp because of a Wordpress exploit.
This is because /tmp is world writable and presumably people who don't
know better are unlikely to look for bad scripts there.