I don’t get why he uses docker to capture all the traffic from the host. Why not use tcpdump directly?
docker is the new background job, apparently. Maybe he doesn’t know about nohup.
Maybe systemd doesn’t know about nohup. :(
So I did what any self-respecting security professional would do and spent a Friday night writing a tcpdump container and put it on Docker Hub.
I just don’t know what to say about that… guess I’m not a self-respecting security professional! :(
well, he’s not running systemd-docker (yes really) in the shell script so presumably it’ll get terminated in the same way anyway. What a time to be alive!
I’m not saying it’s a useful consideration for anyone’s threat model, but process isolation is the likeliest answer. If the tcpdump docker image drops privileges and has a small userland it could be difficult to escalate from there.
tcpdump itself can drop privileges:
If you’re spinning up new hosts on a regular basis, wouldn’t you make your provisioning system do all that setup for you? At $EMPLOYER we’ve got Vagrant plumbed into AWS and Ansible, so I can type vagrant up, go and make a cup of tea, and when I get back to my desk everything’s ready.
I really don’t get this. Why shouldn’t use such a thing as Ansible? This software is designed to easy provision new servers. From your base install to very complex installations, Ansible makes your life more easier, then self hacked scripts.
Also the shear ugly-ness of of a curl | sh action. Uggg.
Why shouldn’t use such a thing as Ansible
Ditto. I get that these are throwaway machines for testing purposes but as others have said use a configuration management tool. Oh, and why on earth would you install Ruby like that on an Ubuntu system? It’s frustrating to read articles by “professionals” that promote far-from-ideal practises (FWIW, 65 people have starred the Github repo as of now).
In his defense, it is being served over HTTPS, and has a verifiable SHA. But, if github was compromised, it’d be easy to fake the SHA in the URL. But, if github is compromised, you’re pretty likely f’d anyway, if you rely on them for anything meaningful.
It doesn’t look like the hash of the file is being checked before executing the script.
No. It is not, you are correct. The opportunity is there to do so, of course, which, based on his other articles, he might be doing and hasn’t documented. Maybe not, though!