On this note, I wonder if automated tools like this will become more commonplace. I know next to nothing about security[1], but I'd love for there to be some sort of self-updating simple service I can run that constantly updates and checks my router, home servers, IoT devices, all ports, etc. for known exploits.
Surely a lot of this stuff can be automated. The simpler the tool the better - a single binary would be great. Is this a pipe dream?
edit: I feel like part of the problem would be shipping all the exploits. Legal matters aside, it would at the very least mean having to code exploits for thousands/millions of things. Though, perhaps a pluggable/linkable framework for this security could be a sort of proof of work. I.e., whitehats could publish the exploits by writing the plugin.
edit2: I'm aware that this tool is sort of what I'm talking about, but this mainly focuses on a single Unix machine, right? Nor does it support Windows. I wonder why we can't just make this ultimately simple? I.e., single binary?
[1]: Well, I know enough to know how little I know... which is nearly nothing, heh.
OpenSCAP [0] has made a lot of progress in the last two or three years. The SCAP Security Guide [1] includes security policies for USGCB, DISA STIG, PCI-DSS, CJIS, etc. and it's really easy to get started, scan your host, and generate a nice HTML report of the results for quick consumption. They've also started including "remediation" scripts to fix any problems that are found (n.b.: that can be dangerous).
To scan remote hosts, they simply need a single package installed (I think they actually only need the oscap binary) and an SSH server running.
In recent versions of Anaconda, you can specify a security policy in your kickstart file and have the host configured in accordance with the security policy as part of the installation process. The host is in compliance before you even get that first initial "login" prompt. (For those of us who have to deal with this, this is f'ing awesome.)
Another thing you can do with it is compare a host against, say, Red Hat's security errata and get a report of which security updates a host is missing. This can be automated, run by cron, and the results e-mailed to you once a week or whatever.
All that said, OpenSCAP isn't a panacea. It's still pretty "rough around the edges", so to speak, but it's much, much better than the tools we had to deal with this stuff just two or three years ago.
Windows isn't a supported platform (yet). There's still a lot of work to do on the Linux side of things to improve the software, so I'm not sure when (if?) they'll start working on Windows.
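The profile scan, the errata comparison and the weekly cron run described in the comment above, as an added example that is not part of the thread or of OpenSCAP itself; the datastream path, profile id and OVAL feed URL are assumptions to adjust for your distribution, and the sample results file is constructed, not real scanner output:

```shell
#!/bin/sh
# Added example, not the thread's or OpenSCAP's own code: a cron-friendly wrapper
# around the two oscap workflows described above. Assumed: oscap and
# scap-security-guide are installed; SSG_DS, PROFILE and OVAL_URL are placeholders.
SSG_DS="${SSG_DS:-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_pci-dss}"
OVAL_URL="${OVAL_URL:-https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml}"
OUT="${OUT:-/var/tmp/openscap}"
# Evaluate one compliance profile: machine-readable results plus an HTML report.
# oscap exits 0 when all rules pass, 2 when at least one fails, 1 on error.
scan_profile() {
    mkdir -p "$OUT"
    oscap xccdf eval --profile "$PROFILE" --results "$OUT/xccdf-results.xml" \
        --report "$OUT/xccdf-report.html" "$SSG_DS"
}
# Compare installed packages against the vendor's OVAL errata feed.
scan_errata() {
    mkdir -p "$OUT"
    curl -sSf -o "$OUT/rhsa-oval.xml" "$OVAL_URL" &&
    oscap oval eval --results "$OUT/oval-results.xml" \
        --report "$OUT/oval-report.html" "$OUT/rhsa-oval.xml"
}
# Print the idref of every failing rule in an XCCDF results file, one per line.
# Newlines are stripped first so the layout of each <rule-result> does not matter.
failed_rule_ids() {
    tr -d '\n' < "$1" \
        | grep -o '<rule-result[^>]*>[[:space:]]*<result>fail</result>' \
        | sed 's/.*idref="\([^"]*\)".*/\1/'
}
count_failed_rules() {
    echo $(( $(failed_rule_ids "$1" | wc -l) ))
}
# Constructed sample results (not real scanner output) to exercise the summariser.
write_sample_results() {
    cat > "$1" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_sample">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>fail</result></rule-result>
</TestResult>
EOF
}
# Run as "scap-weekly.sh profile" or "scap-weekly.sh errata" from cron; with
# MAILTO set in the crontab, the summary printed here reaches your inbox.
case "${1:-}" in
    profile) scan_profile; echo "Failing rules: $(count_failed_rules "$OUT/xccdf-results.xml")"; failed_rule_ids "$OUT/xccdf-results.xml" ;;
    errata)  scan_errata ;;
esac
```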
I tried it a few months ago and as far as I could see, it's not just Windows that is unsupported, it only really supports Red Hat. It was packaged for Debian, but the policy files were absent and you could only find old unmaintained ones.
(This is not a criticism; I understand that Red Hat prefers to spend money on their own distro.)
More like a vulnerability scanner. Signature based antivirus apps are mostly useless nowadays, but being able to tell me I'm running a broken version of OpenSSL is very useful.
Threatstack will do that. Their agent runs on your machine as a kernel mod and will alert you to any libs being used (e.g. openssl, libcurl) whose version matches a known CVE.
Also, beyond what Karunamon mentions, I want to scan my network, my IoT devices, etc.
Besides, virus scanners are heavy and ugly; I've always hated them. Sure, it's nice to have monitoring of a breach, but why do I have to sit with holes in my security waiting for a breach? Some virus scanners try to monitor downloaded files or weird behavior etc., but I'd much rather scan my computer for holes than for things that have already exploited the security vulnerabilities that I had open.
The other option is that you use pre-built images that someone has taken the time to harden for you. The Center for Internet Security [1] has a bunch of pre-built AWS images that you can use for about 2c an hour. https://www.cisecurity.org/
I'm in the same boat as you (especially the part about knowing how little I know) and am on standby for a good tool to come about. It's hard to trust solutions given the security theater reputation in a lot of software.
Think about the headache of remaking the VPS from scratch, rehosting everything on it and having to reset any password that is shared with another environment.
Also consider the cost of dealing with the data falling into the wrong hands. Even data that is not personal can hurt you financially in the long-term.
The cost of running security tools is minimal when you take it all into account.
I think that is a good point. If you can codify your security checks, there is a good chance you can write automation to fix them with configuration management.
I think there may be some cases where you don't feel comfortable automating the full remediation, e.g., it requires a reboot, so a separate audit system might be useful. There is also something nice about writing your audit rules, being able to show auditors "this is what we check for", and then running that across your infrastructure. In that case InSpec (http://inspec.io/) might be more useful for writing custom compliance controls.
It would be nice if there was a $CONFIG_MANAGEMENT_SYSTEM_OF_CHOICE module that did common security fixes, and you could just pick and choose which to apply.
On a side note: Holy ^&$% Lynis has a lot of shell! Like a crazy amount of POSIX shell code!