
$ curl -s https://agent.sealion.com | sudo bash /dev/stdin -o [UUID]

Is this actually something people are willing to do? I.e. pipe from the Internet directly into a root shell? It seems especially crazy since none of the tools (ps, top, uptime, iostat, vmstat) require special privileges.




To be honest, how is it any different from downloading a random executable and running it?

In the end you need to basically blindly trust people if you're going to use their software (and the software needs root privileges)

The only problem I have with this is that you can get MITM'd. curl doesn't validate SSL certificates.


It is a script that you can audit if you don't pipe it straight away into bash (with sudo!).

I don't know Sealion and they can be amazing and all, so don't get this comment wrong.

If they want to support Linux systems properly, instead of using a script like that, I would recommend them to use packages and add support per distribution. Each distribution has different tools to add and manage services, and there are different ways to boot the system services. It's not just adding symlinks anymore because upstart and systemd, etc.

Also I'd love to cleanly upgrade/uninstall/etc their agent, so add a repo and I'll install your agent with more confidence.

How do I know I don't like how they install their agent? Because I didn't pipe the script directly into bash.


> curl doesn't validate SSL certificates

Curl has an option to explicitly disable cert validation:

-k, --insecure (SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used.

Maybe you're thinking of an older version?

(edited for formatting)


This is way better than downloading a random executable and running it. (I assume you mean running it as root.) With this, you can grab the install script and see exactly what it uses root for. It only takes a couple minutes. You could even modify the install script to comply with whatever installation scheme you wanted, and probably even make a version that runs without root privs if you're willing to do a few things manually. This mechanism is WAY better than a binary executable installer.

As for the product, it looks really good to me. No mention of encryption of stored data in the privacy statement, which might be a concern for some.

Also it wouldn't hurt to make checksums available for the installer and downloaded tar, for more paranoid folks like me.


Yes we wanted to give you the flexibility to see what we are installing on your servers. We understand the importance of checksums and will be realizing checksums for our agents in future releases.


Let's look at the established alternatives: packages. Packages are checked for corruption and validity.

This isn't so much different from downloading a random executable and running it. Hell, it's worse than that (since the download doesn't get stored for future audits)! But who said executing random executables from the internet is good in the first place?


>To be honest, how is it any different from downloading a random executable and running it?

It isn't, really. Both are creepy.


Seeing as we get a comment like this every time one of these installers comes up, obviously yes, people are willing to do this!


Unfortunate. It's a bad habit to get into. Random forum goer pastes something in, you're used to installing via this method, you'll execute it without thought. Boom. No longer your system.


The command you will be executing is to download and install the SeaLion agent.

SeaLion requires you to use sudo to install it as a service so that it will automatically restart whenever the system reboots. All the commands executed by the SeaLion agent are run in the context of the Sealion user, which is a normal system user.


How can we be sure that the package that's being installed is the one that you intended to be installed?

How can I be sure that the install will be identical across all of my servers?

How can I pin a version that I've vetted for security holes?

How can I distribute this to servers that don't have arbitrary internet access?

How do I configure selinux/apparmor to work with your tool?

How can I uninstall this cleanly?

Curling into an elevated shell is a terrible way to do installs. Packages are cleaner, more secure, and more capable of being trusted. You're making the assumption that your s3 buckets will never be hacked, that your own webservers can never be hacked, and that experienced sysadmins are going to ignore your tool because of the amateur install method.


> How can we be sure that the package that's being installed is the one that you intended to be installed?

We will give "checksums" with our agents in our upcoming releases.

> How can I be sure that the install will be identical across all of my servers?

Whenever you install SeaLion Agent, the most latest binary is installed. The agents in other servers are also updated, hence making them identical always.

> How can I pin a version that I've vetted for security holes?

SeaLion agents are released after rigorous testing, to ensure we do not leave any security holes and features, currently SeaLion Agent is designed for auto update.

> How can I distribute this to servers that don't have arbitrary internet access?

SeaLion agent requires Internet access to send data to its server. Hence internet access is mandatory.

> How do I configure selinux/apparmor to work with your tool?

SeaLion agent works fine with SELinux in enforcing mode without any specific configuration.

> How can I uninstall this cleanly?

sudo /usr/local/sealion-agent/uninstall.sh


> We will give "checksums" with our agents in our upcoming releases.

Checksums are useless if your install script is compromised, as well as if the server hosting the checksums is compromised. Signing everything while using an installer that verifies signatures (like yum, rpm and apt) is more secure, and just relies on you not losing control of your private key, instead of entire servers.

> Whenever you install SeaLion Agent, the most latest binary is installed. The agents in other servers are also updated, hence making them identical always.

Assuming your upgrade location is not compromised. Does your auto-updater check checksums or signatures, or does it rely on your servers always serving up the correct files? What if you push an auto-update that breaks servers?

    curl -s https://agent.sealion.com | bash /dev/stdin $1 $2 $3 $4 $5 $6

> SeaLion agents are released after rigorous testing, to ensure we do not leave any security holes and features

No offense, but when I'm responsible for what happens on multiple servers I would like to ensure that myself, by checking the tcp payloads, endpoints connected to, files opened, etc. I'm certainly not alone in this.

> SeaLion agent requires Internet access to send data to its server. Hence internet access is mandatory.

Sending data can be accomplished with individual firewall rules to whitelisted IPs. s3 is too broad of a target to allow unlimited access to.

> SeaLion agent works fine with SELinux in enforcing mode without any specific configuration.

Great!

> sudo /usr/local/sealion-agent/uninstall.sh

Not the best, but it seems to be clean.
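Added example, not part of any comment in this thread and not SeaLion's code: one way to get the "audit it once, then run the same bytes everywhere" property the thread asks for, by pinning the SHA-256 of the copy you reviewed and refusing anything else. The function names and the pin-file layout are hypothetical; the pin is assumed to reach each server through your own channel (config management), not from the vendor's server.

```shell
#!/bin/sh
# Added example: pin the installer you audited, verify before anything runs as root.
# Function names and file layout are assumptions made for this illustration.

# Print the hex SHA-256 of file $1 (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# pin_installer FILE PINFILE: record the digest of the copy you have read.
pin_installer() {
    printf '%s  %s\n' "$(sha256_of "$1")" "$(basename "$1")" > "$2"
}

# check_pinned FILE PINFILE: 0 = matches pin, 1 = differs, 2 = pin unusable.
check_pinned() {
    want=$(cut -d' ' -f1 "$2" 2>/dev/null) || return 2
    [ -n "$want" ] || return 2
    got=$(sha256_of "$1" 2>/dev/null)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# fetch_verified URL PINFILE DEST: download to disk (never into a shell),
# keep DEST only if it matches the pin; a mismatch is kept as DEST.rejected
# so it can be diffed against the audited copy.
fetch_verified() {
    url=$1 pin=$2 dest=$3
    curl --fail --silent --show-error --proto '=https' \
         -o "$dest.part" "$url" || { rm -f "$dest.part"; return 2; }
    if ! check_pinned "$dest.part" "$pin"; then
        echo "refusing: $url does not match the audited copy" >&2
        mv "$dest.part" "$dest.rejected"
        return 1
    fi
    mv "$dest.part" "$dest"
}

# Workflow (run by hand, nothing below executes on load):
#   audit host:  curl --fail -o install.sh https://agent.sealion.com
#                less install.sh && pin_installer install.sh install.sh.sha256
#   each server: fetch_verified https://agent.sealion.com install.sh.sha256 ./install.sh \
#                  && sudo bash ./install.sh -o [UUID]
```

The pin covers only the install script itself; the tarball it downloads and the agent's auto-update, both raised in the thread, are outside what this check can see.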


If the only requirement is that it be started at boot, there are non-root ways to ensure that. Modern cron implementations have an "at reboot" option (@reboot in vixiecron and cronie). Alternatively, a cronjob that runs every 5 minutes or so and checks if the service is running and starts it if it's not is doable.


Point noted! Thanks.


Yeah, with sudo is especially bad. In the old days (20 years ago), I remember some things (ircII maybe) offered by an easy installer command line like:

telnet host.domain.com 12345 | sh

And then for a very long time that sort of thing fell out of favor because people got appropriately cautious about security. But I've seen it a lot more lately, starting with Homebrew: http://brew.sh/


I was having the same sort of feeling for apt-get, yum, etc. some time ago. It comes down to trust vs. ease of use in the end.

But yeah, even though I will just do an apt-get, I still want an option to download and compile myself.

BTW, this type of installation is becoming famous these days. I have noticed this type of installer offered by rvm, meteor and some other projects.


Note: I am not justifying this practice.

Looking at the install script shows that it creates a new user 'sealion' on your behalf, for ease of install?


My already-existing nickname loving user Sean Lion is gonna be proper confused when he sees this running!



