Comments (5)
@vpetersson Debian Package and Python Package are not runtime environments. They are the way the application was installed. Everything else stays the same, nothing changes in the way the application works.
Docker also shouldn't be in this category, because if we're running Debian in Docker it's still Debian, even though it can't have journald/systemd and may have iptables disabled.
Here's what I think it should look like:
- Debian/Ubuntu app
  - Installation:
    - Installed debian package
    - Installed as python package
    - Uninstalled (ran the code directly)
  - Virtualisation:
    - Live
    - Virtual Machine (VirtualBox, VMware, ...)
    - Dockerized
- Installation:
- Ubuntu snap
- Virtualization?
from agent.
> Debian Package and Python Package are not runtime environments.
Yes, technically speaking, you are right. However, there is a reason why I want to group them like this. That reason is tightly coupled with the capabilities. For Debian runtime, we can do everything we need to do (manage firewall, check passwords, scan ports etc).
For Snaps and Docker (i.e. Balena), the only thing we can really do is credential management. As such, we need to detect this and hide all security features from the dashboard.
The python library is somewhat of an edge case.
from agent.
One can install a Debian package or a Python package in Debian under Docker. Same goes for the “real” Debian.
In Docker we can manage iptables with CAP_NET_ADMIN. We can also check for passwords (inside the container). But if you’re talking about Balena, then we should only consider Balena in this case.
What I’m saying is, the groups you’re speaking of are not mutually exclusive.
from agent.
> One can install a Debian package or a Python package in Debian under Docker. Same goes for the “real” Debian.
Yes and no. What we care about is the operating environment (what I referred to loosely as "runtime environment"). If you have a better word for this, I'm all ears.
> In Docker we can manage iptables with CAP_NET_ADMIN. We can also check for passwords (inside the container).
Yes, but we don't care about the password inside the docker container because it's unlikely that login services are exposed.
> But if you’re talking about Balena, then we should only consider Balena in this case.
Yes, for now we only care about Balena and assume CAP_NET_ADMIN is not enabled (nor is the shadows file volume mounted).
from agent.
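The capability question raised in the comments above can be settled by probing instead of assuming. This is an added example, not code from the thread or the project: it reads the effective capability mask from `/proc/self/status` and enables a feature only when the process can actually perform it. The feature names, the environment markers (`SNAP`, `BALENA*` variables, `/.dockerenv`) and the sample status excerpts are assumptions made for this example.

```python
import os

CAP_NET_ADMIN = 12  # bit index, from linux/capability.h

# Constructed /proc/self/status excerpts (not captured from a real device).
DOCKER_DEFAULT = "Name:\tpython3\nCapEff:\t00000000a80425fb\n"
DOCKER_NET_ADMIN = "Name:\tpython3\nCapEff:\t00000000a80435fb\n"
HOST_ROOT = "Name:\tpython3\nCapEff:\t0000003fffffffff\n"


def effective_caps(status_text):
    """Parse the effective capability bitmask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    return 0  # field missing: treat as no capabilities


def operating_environment(environ, dockerenv_exists):
    """Heuristic label only; the markers checked here are assumptions."""
    if "SNAP" in environ:
        return "snap"
    if any(key.startswith("BALENA") for key in environ):
        return "balena"
    if dockerenv_exists:
        return "docker"
    return "host"


def available_features(cap_mask, shadow_readable):
    """Enable only the features this process can actually perform."""
    features = {"credentials"}  # available everywhere, per the thread
    if (cap_mask >> CAP_NET_ADMIN) & 1:
        features.add("firewall")  # iptables management needs CAP_NET_ADMIN
    if shadow_readable:
        features.add("password_audit")  # needs read access to /etc/shadow
    return features


def probe():
    """Probe the running process (Linux only)."""
    with open("/proc/self/status") as fh:
        caps = effective_caps(fh.read())
    env = operating_environment(os.environ, os.path.exists("/.dockerenv"))
    return env, available_features(caps, os.access("/etc/shadow", os.R_OK))
```

Because the environment label and the feature set are computed separately, a container started with `CAP_NET_ADMIN` reports `docker` and still gets the firewall feature, while a default container does not.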
note to self: we can detect whether we're running from a Debian package or not using this code:
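```python
def is_installed_deb():
    """Return True if this file was installed by the wott-agent Debian package."""
    try:
        # python-apt is only available on Debian-based systems.
        import apt
        cache = apt.Cache()
        # installed_files lists the paths owned by the installed package.
        return __file__ in cache['wott-agent'].installed_files
    except Exception:
        # apt missing, package not in the cache, or cache unreadable.
        return False
```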
from agent.