
Thank you Debian


Andre Rodier

Feb 21, 2024, 2:20:06 PM
Dear Debian community,

I love Debian, have used it since Potato, both desktop and server, and I'm
not planning to change.

I have been using it to host personal servers, especially email, for
about 20 years.

A few years ago, I created a set of Ansible scripts to code what I was
already doing manually, so I could rebuild my server from scratch.

The solution is on GitHub, and while there was already a plethora of
existing solutions, none of them implemented everything I wanted and
needed. It was apparently challenging:

1. A DNS server included, with DNSSEC implemented, and SSHFP.
2. Everything from Debian packages, so upgrade can be automatic.
3. No git clone and no zip download for any service.
4. The usual LetsEncrypt, but also the extras like CAA, DANE, etc.
5. All services should be running under AppArmor.
6. No PHP, no RoundCube, NextCloud, OwnCloud, etc please.
7. Jabber server, with c2s and s2s.
8. CardDAV and CalDAV server.
9. WebDAV server.
10. LDAP for authentication, not a MySQL database.
11. IPv6 support.

Points #2 and #3 are particularly interesting. I seriously cannot
understand why or how people could trust a server exposed on the internet
without automatic updates from a serious community like Debian. Are they
supposed to receive alerts from GitHub releases and manually download them
as they happen? How can this be done while they are on vacation?
Excuse my naive question, if it is one, please.

To be precise, I am using unattended upgrades and automatic reboot, and
have never had any issue, thanks to the quality of the Debian packages. I
just sometimes receive a nice email saying the server rebooted.

This wouldn't have been possible without the Debian community, so, again,
thank you for that.

We have been happy with this solution, myself and a few friends and
family members, but I would like the opinion of the security experts
on this list.

- What is the best approach to check if there is any vulnerability in
the package configuration?
- Is there any service that could audit the deployment code or the
configuration files?

Source code: https://github.com/progmaticltd/homebox
Docs: https://www.homebox.space/index-en.html

Kind regards,
André Rodier

Michael Kjörling

Feb 21, 2024, 4:10:06 PM
On 21 Feb 2024 19:03 +0000, from an...@rodier.me (Andre Rodier):
> - What is the best approach to check if there is any vulnerability in the
> packages configuration ?
> - Is there any service that could audit the deployment code or the
> configuration files ?

My understanding is that both Lynis and Vuls are popular for
already-installed systems. If you have your configuration packaged as
Ansible scripts, then deploying that onto a disposable VM based on a
minimal Debian installation should be a reasonably practical way of
auditing the deployment process itself for vulnerabilities.

A web search for something like "linux local vulnerability scanner"
will provide you with additional leads.

Note that any automated tool will use some kind of heuristics so (a)
may find things that are not actually vulnerabilities in your setup,
and (b) might not find something which _is_ a vulnerability in your
setup.

--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”

Timothy Butterworth

Feb 21, 2024, 4:40:06 PM

On February 21, 2024, at 4:08 PM, Michael Kjörling <2695bd...@ewoof.net> wrote:

>On 21 Feb 2024 19:03 +0000, from an...@rodier.me (Andre Rodier):
>> - What is the best approach to check if there is any vulnerability in the
>> packages configuration ?
>> - Is there any service that could audit the deployment code or the
>> configuration files ?
>My understanding is that both Lynis and Vuls are popular for
>already-installed systems. If you have your configuration packaged as
>Ansible scripts, then deploying that onto a disposable VM based on a
>minimal Debian installation should be a reasonably practical way of
>auditing the deployment process itself for vulnerabilities.
>A web search for something like "linux local vulnerability scanner"
>will provide you with additional leads.
>Note that any automated tool will use some kind of heuristics so (a)
>may find things that are not actually vulnerabilities in your setup,
>and (b) might not find something which _is_ a vulnerability in your
>setup.
>--

You can install and run Tenable Nessus Vulnerability scanner. The free version can scan like 10 IPs. I use Nessus and it works well.

Security Blanket is a security hardening tool suite which is nice and not too expensive.

Jeffrey Walton

Feb 21, 2024, 6:00:07 PM
On Wed, Feb 21, 2024 at 5:47 PM Andre Rodier <an...@rodier.me> wrote:
> [...]
You will probably need to stitch together several different solutions,
based on the context. For example, use an Ansible Linter for your
Ansible scripts, <https://www.google.com/search?q=Ansible+linter>.

Jeff

Andre Rodier

Feb 22, 2024, 2:40:06 AM
On 21/02/2024 21:08, Michael Kjörling wrote:
> On 21 Feb 2024 19:03 +0000, from an...@rodier.me (Andre Rodier):
>> - What is the best approach to check if there is any vulnerability in the
>> packages configuration ?
>> - Is there any service that could audit the deployment code or the
>> configuration files ?
>
> My understanding is that both Lynis and Vuls are popular for
> already-installed systems. If you have your configuration packaged as
> Ansible scripts, then deploying that onto a disposable VM based on a
> minimal Debian installation should be a reasonably practical way of
> auditing the deployment process itself for vulnerabilities.
Thanks, I will try this approach, this is a good idea. Yes, using a VM
is easy, that's the approach I used for the development.

> A web search for something like "linux local vulnerability scanner"
> will provide you with additional leads.
I tried the debsecan package, which is good as well. I will see if I can
make this more readable and integrated with the distribution.

> Note that any automated tool will use some kind of heuristics so (a)
> may find things that are not actually vulnerabilities in your setup,
> and (b) might not find something which _is_ a vulnerability in your
> setup
Of course, as usual with this kind of tool.

Thanks for your insights.

André
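Michael's suggestion above (deploy onto a disposable VM, run Lynis there) comes with the caveat that a scanner's heuristics produce both false positives and misses. What makes such a scan useful over time is keeping the accepted findings, with their reasons, next to the deployment code, so that each new run only shows what is new and also tells you when an old exception no longer fires. The following is an added example, not code from the thread or from the homebox project: a Python triage of Lynis's report file against a list of documented exceptions. Lynis writes /var/log/lynis-report.dat as key=value lines, repeating the keys warning[] and suggestion[]; the "TEST-ID|text|details|solution|" field layout is how I understand that file, treat it as an assumption if your version differs. The report excerpt, the exception list and the test ID TEST-0000 are constructed for the example.

```python
"""Triage a Lynis report against documented exceptions.

Added example for the thread above; not part of Lynis or of the homebox project.
Input is the key=value text of lynis-report.dat (field layout assumed:
warning[]=TEST-ID|text|details|solution|, same for suggestion[]).
"""

# Constructed lynis-report.dat excerpt; the test IDs are illustrative only.
SAMPLE_REPORT = """\
# constructed report excerpt
hardening_index=71
warning[]=BOOT-5122|No password set for single mode|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
"""

# Findings the operator has reviewed and accepted, with the reason recorded.
# Constructed for the example; keep a real list in the deployment repository
# so the reasons are re-read whenever the configuration changes.
EXCEPTIONS = {
    "FIRE-4512": "nftables is used; the iptables module is loaded by a dependency only",
    "AUTH-9262": "no password logins, keys and LDAP only",
    "TEST-0000": "constructed stale entry: this test no longer fires on the image",
}


def parse_lynis_report(text):
    """Return (facts, findings): scalar keys and a list of finding dicts."""
    facts, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("warning[]", "suggestion[]"):
            parts = (value.split("|") + ["-"] * 4)[:4]  # pad short lines, keep 4 fields
            findings.append({
                "level": key[:-2],  # "warning" or "suggestion"
                "test": parts[0],
                "text": parts[1],
                "details": "" if parts[2] == "-" else parts[2],
                "solution": "" if parts[3] == "-" else parts[3],
            })
        else:
            facts[key] = value
    return facts, findings


def triage(report_text, exceptions, min_hardening_index=60):
    """Split findings into open and accepted, flag stale exceptions, decide pass/fail.

    The run passes when no *warning* is left open and the hardening index is at
    least min_hardening_index; open suggestions are reported but do not fail it.
    """
    facts, findings = parse_lynis_report(report_text)
    open_findings, accepted, seen = [], [], set()
    for f in findings:
        seen.add(f["test"])
        if f["test"] in exceptions:
            accepted.append({**f, "reason": exceptions[f["test"]]})
        else:
            open_findings.append(f)
    # An exception whose test no longer fires should be removed, or it hides a future regression.
    stale = sorted(t for t in exceptions if t not in seen)
    index = int(facts.get("hardening_index", 0))
    return {
        "open": open_findings,
        "accepted": accepted,
        "stale_exceptions": stale,
        "hardening_index": index,
        "passed": index >= min_hardening_index
        and not any(f["level"] == "warning" for f in open_findings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, EXCEPTIONS)
    for f in result["open"]:
        print(f"OPEN  {f['level']:<10} {f['test']} {f['text']} {f['details']}".rstrip())
    for t in result["stale_exceptions"]:
        print(f"STALE exception {t}: {EXCEPTIONS[t]}")
    print(f"hardening index {result['hardening_index']}, passed={result['passed']}")
```

Run it after `lynis audit system` on the throwaway VM and exit non-zero when `passed` is false; the same structure works for debsecan output, which Andre mentions, once you replace the parser with one for that tool's line format.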

Andre Rodier

Feb 22, 2024, 2:40:06 AM
Thanks, Jeff.

Yes, Ansible lint is configured as a git hook in the distribution.

Kind regards,
André

Michel Verdier

Feb 22, 2024, 7:00:06 AM
On 2024-02-21, Andre Rodier wrote:

> A few years ago, I created a set of Ansible scripts to code what I was already
> doing manually, so I could rebuild my server from scratch.

What made you choose Ansible instead of a Debian package applying your
scripts and configurations?

> - What is the best approach to check if there is any vulnerability in the
> packages configuration ?
> - Is there any service that could audit the deployment code or the
> configuration files ?

There are some Debian packages for internal checks: rkhunter, tiger,
lynis, checksecurity, john, etc.
Also OpenVAS https://openvas.org/ (a fork of Nessus) and other tools in
Kali Linux (Debian-based).

an...@rodier.me

Feb 22, 2024, 8:50:07 AM
On 22/02/2024 11:58, Michel Verdier <mv...@free.fr> wrote:
> On 2024-02-21, Andre Rodier wrote:
>
> > A few years ago, I created a set of Ansible scripts to code what I was already
> > doing manually, so I could rebuild my server from scratch.
>
> What makes you chose ansible instead of a debian package applying your
> scripts and configurations?

I didn't want to create a new distribution; I wanted scripts to configure a bare distribution that anyone could maintain using the standard Debian procedures afterwards.

Also, if you have a look at the solution, you will see that the integration between all the packages is not suited to modifying the packages.