by fizzbatter 3508 days ago
On this note, I wonder if automated tools like this will become more commonplace. I know next to nothing about security[1], but I'd love for there to be some sort of self-updating simple service I can run that constantly updates and checks my router, home servers, IoT devices, all ports, etc. for known exploits.

Surely a lot of this stuff can be automated. The simpler the tool the better - a single binary would be great. Is this a pipe dream?

edit: I feel like part of the problem would be shipping all the exploits. Legal matters aside, it would at the very least mean having to code exploits for thousands/millions of things. Though, perhaps a pluggable/linkable framework for this security could be a sort of proof of work. I.e., whitehats could publish the exploits by writing the plugin.

edit2: I'm aware that this tool is sort of what I'm talking about, but this mainly focuses on a single Unix machine, right? Nor does it support Windows. I wonder why we can't just make this ultimately simple? I.e., single binary?

[1]: Well, I know enough to know how little I know... which is nearly nothing, heh.


OpenSCAP [0] has made a lot of progress in the last two or three years. The SCAP Security Guide [1] includes security policies for USGCB, DISA STIG, PCI-DSS, CJIS, etc. and it's really easy to get started, scan your host, and generate a nice HTML report of the results for quick consumption. They've also started including "remediation" scripts to fix any problems that are found (n.b.: that can be dangerous).

To scan remote hosts, they simply need a single package installed (I think they actually only need the oscap binary) and an SSH server running.

In recent versions of Anaconda, you can specify a security policy in your kickstart file and have the host configured in accordance with the security policy as part of the installation process. The host is in compliance before you even get that first initial "login" prompt. (For those of us who have to deal with this, this is f'ing awesome.)

Another thing you can do with it is compare a host against, say, Red Hat's security errata and get a report of which security updates a host is missing. This can be automated, run by cron, and the results e-mailed to you once a week or whatever.

All that said, OpenSCAP isn't a panacea. It's still pretty "rough around the edges", so to speak, but it's much, much better than the tools we had to deal with this stuff just two or three years ago.

Windows isn't a supported platform (yet). There's still a lot of work to do on the Linux side of things to improve the software so I'm not sure when (if?) they'll start working at Windows.

[0]: https://www.open-scap.org/

[1]: https://www.open-scap.org/security-policies/scap-security-gu...
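As an added example that is not part of this thread or of the OpenSCAP project's own code: a small Python script that reduces the two result files oscap writes (the XCCDF results of a policy scan and the OVAL results of an errata check) to the short summary a weekly cron e-mail like the one described above would carry. The oscap command lines in its docstring are the assumed producers of those files; the XML samples inside it are constructed to mirror the shape of real output, and the rule ids and erratum titles in them are placeholders.

```python
"""Summarise OpenSCAP result files for a cron e-mail (added example).

Assumed producers of the two inputs (real oscap sub-commands):
    oscap xccdf eval --profile <profile-id> --results xccdf-results.xml \
        --report report.html <ssg-datastream.xml>
    oscap oval eval --results oval-results.xml <com.redhat.rhsa-all.xml>
"""
import sys
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 (and OVAL) both parse."""
    return tag.rsplit("}", 1)[-1]


def failed_xccdf_rules(xml_text):
    """Return the idref of every <rule-result> whose <result> is 'fail'."""
    failed = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "rule-result":
            continue
        res = next((c for c in el if _local(c.tag) == "result"), None)
        if res is not None and (res.text or "").strip() == "fail":
            failed.append(el.get("idref"))
    return failed


def missing_errata(xml_text):
    """Return sorted (definition_id, title) pairs for every OVAL definition
    that evaluated 'true'. In Red Hat's errata feed a true result means the
    vulnerable package version is installed, i.e. that erratum is missing."""
    titles, hits = {}, []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "definition":
            continue
        if el.get("id"):  # embedded <oval_definitions>: harvest titles
            title = next((t.text for t in el.iter() if _local(t.tag) == "title"), "")
            titles[el.get("id")] = title or ""
        elif el.get("definition_id") and el.get("result") == "true":
            hits.append(el.get("definition_id"))
    return sorted((d, titles.get(d, "")) for d in hits)


def summary(xccdf_text, oval_text):
    """Plain-text report suitable for piping into mail(1) from a cron job."""
    failed = failed_xccdf_rules(xccdf_text)
    missing = missing_errata(oval_text)
    lines = [f"{len(failed)} XCCDF rule(s) failed:"]
    lines += [f"  FAIL {r}" for r in failed]
    lines.append(f"{len(missing)} erratum/errata missing:")
    lines += [f"  MISSING {d}  {t}" for d, t in missing]
    return "\n".join(lines)


# Constructed samples: the shape of real oscap output, the content made up.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example">
  <TestResult id="xccdf_example_testresult">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed">
      <result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""

SAMPLE_OVAL = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
    xmlns:d="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <d:oval_definitions><d:definitions>
    <d:definition class="patch" id="oval:com.example.rhsa:def:1" version="1">
      <d:metadata><d:title>RHSA-0000:0001: openssl security update (constructed)</d:title></d:metadata>
    </d:definition>
    <d:definition class="patch" id="oval:com.example.rhsa:def:2" version="1">
      <d:metadata><d:title>RHSA-0000:0002: curl security update (constructed)</d:title></d:metadata>
    </d:definition>
  </d:definitions></d:oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:com.example.rhsa:def:1" result="true" version="1"/>
    <definition definition_id="oval:com.example.rhsa:def:2" result="false" version="1"/>
  </definitions></system></results>
</oval_results>"""

if __name__ == "__main__":
    # Usage: summarise.py xccdf-results.xml oval-results.xml | mail -s "scan" you@example
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            print(summary(f1.read(), f2.read()))
    else:
        print(summary(SAMPLE_XCCDF, SAMPLE_OVAL))
```

The parser ignores namespaces on purpose: SCAP Security Guide content moved from XCCDF 1.1 to 1.2, and the same script should read results from either. Only the "true" OVAL results are reported because that is the direction in which a patch-class definition signals a missing update.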

> Windows isn't a supported platform (yet).

I tried it a few months ago and as far as I could see, it's not just Windows that is unsupported, it only really supports Red Hat. It was packaged for Debian, but the policy files were absent and you could only find old unmaintained ones.

(This is not a criticism; I understand that Red Hat prefers to spend money on their own distro.)

Constant monitoring for known exploits? Aren't you just describing an antivirus?

More like a vulnerability scanner. Signature based antivirus apps are mostly useless nowadays, but being able to tell me I'm running a broken version of OpenSSL is very useful.

Threatstack will do that. Their agent runs on your machine as a kernel mod and will alert you to any libs being used (e.g. openssl, libcurl) whose version matches a known CVE.

Also, beyond what Karunamon mentions, I want to scan my network, my IoT devices, etc.

Besides, virus scanners are heavy and ugly, I've always hated them. Sure, it's nice to have monitoring of a breach, but why do I have to sit with holes in my security waiting for a breach? Some virus scanners try to monitor downloaded files or weird behavior etc., but I'd much rather scan my computer for holes than for things that have already exploited the security vulnerabilities that I had open.

Your comment makes it seem like you may not be aware of nessus?

The other option is that you use pre-built images that someone has taken the time to harden for you. The Center for Internet Security [1] has a bunch of pre-built AWS images that you can use for about 2c an hour. https://www.cisecurity.org/

I'm in the same boat as you (especially the part about knowing how little I know) and am on standby for a good tool to come about. It's hard to trust solutions given the security theater reputation in a lot of software.