Since Ossec HIDS is GNU Public licensed I think this is not a bad idea to include this in the documentation. The referenced article does describe securing Debian with open source tools and I honestly have seen this documentation for the first time tonight and I think it is very high quality. The thing that caught my eye is disabling execution for /tmp. I managed thousands of Debian servers at one time and I often found hacker scripts in /tmp because of a Wordpress exploit. This is because /tmp is world writable and presumably people who don't know better are unlikely to look for bad scripts there. While I agree pulling third-party scripts with curl is cringe-worthy I think Ossec HIDS is an exception because it is GNU Public licensed.
Michael Lazin .. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.

On Fri, May 12, 2023 at 3:33 PM Jeffrey Chimene <j...@systasis.co> wrote:

> On 5/12/23 10:16, Jeremy Stanley wrote:
> > On 2023-05-12 09:53:15 -0700 (-0700), Jeffrey Chimene wrote:
> > [...]
> >> Agreed. Actually, ossec itself has a debian package, so no ITP for
> >> me :). It made my work significantly easier since the regex
> >> package (pcre2) isn't part of the distro; the absence has a
> >> reason, but it's still an impediment that ossec itself has
> >> addressed with their .deb
> > I'm not sure that official Debian documentation, particularly
> > security-focused documentation, should recommend that sysadmins
> > install packages from third party archives. That'll be up to the
> > maintainers of the documentation to decide, of course.
> Agreed.
> >
> > But beyond that...
> >> wget -q -O - https://updates.atomicorp.com/installers/atomic | sudo bash
> > [...]
> >
> > There's a bit of irony in suggesting that security-conscious
> > sysadmins should download and run arbitrary scripts, much less with
> > root privileges. `curl|sudo bash` has virtually become a meme unto
> > itself these days.
>
> Thank you for your concern. I certainly look at the script before
> execution. I think that suitable precautions can be written. I'm
> installing on several systems, so I like to have such command as a
> record. The example command comes from my notebook.
>
> Thanks for your time!
>
> Cheers,
> jec
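The thread above debates `wget ... | sudo bash` and "looking at the script before execution". The following is an added example, not code from the thread or from the OSSEC/Atomicorp installer: it separates download from execution, checks the file against a SHA-256 obtained out of band, and only then opens it for review and runs it. The URL and the expected hash are assumptions (placeholders), not values from the page.

```shell
#!/bin/sh
# Added example: fetch an installer to a file, verify it, read it, then run it.
# EXPECTED_SHA256 must come from a trusted, separate channel (signed release
# notes, a vendor page fetched over a different path), not from the same host
# that serves the script. The value below is a PLACEHOLDER, not a real hash.
set -u

# verify_script FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 equals EXPECTED_SHA256, 1 otherwise.
verify_script() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads URL into a temporary file with wget, refuses to execute on a
# checksum mismatch, and shows the script in a pager before running it as root.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if verify_script "$tmp" "$expected"; then
        "${PAGER:-less}" "$tmp"          # read it before you run it
        sudo sh "$tmp"
        rc=$?
    else
        echo "checksum mismatch for $url; not executing" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (hypothetical values, shown as a comment so the block defines only functions):
# fetch_verify_run "https://example.invalid/installer.sh" "<sha256 from vendor release notes>"
```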