Skip Navigation

Vulnerability scanning with vuls

h0bbl3s.port0.org Vulnerability scanning with vuls

Table of contents Introduction Summary Considerations Dependencies docker links prereqs vuls Configuration local remote Scan Reports tui vulsrepo Afterword Intro No matter what server OS you run, it can be hard to keep up with what versions of packages you run as well as their vulnerabilities and th...

Vulnerability scanning with vuls

Wrote up a new guide! Hope you folks find it helpful :)

2
/c/cybersecurity - Cybersecurity News & Discussion @lemmy.ml h0bbl3s @lemmy.world
Vulnerability scanning with vuls
2 comments
  • Cool blogs. Thanks for the write ups, especially on your self host setup. I still only understand half of the tools and packages but a solid book mark source none the less.

    Out of curiosity, why the open source focus but still the preference for Docker over podman? I'm not criticising actively/passively. I'm curious when I see the mix of tools and priorities, then some anomaly like this. To me it means you are coming from a different angle and background than myself. Your use of tools I don't fully grasp makes that angle a curiosity.

    Why hasn't the open source community fully conquered the self hosting chain to issue certificates and our own domains on some obscure branch or legal loophole that prevents someone else from interfering? Surely there is some obscure place that one could setup a chain of trust to issue all the needed credentials and DNS. Who cares if the commercial world plays along, just ship the certificate authority with all open source distros and let everyone else figure it out or not. I really don't care if the Windows/Apple/Google world can find or interact with me. I might even spin that as a feature. We should have federated DNS and Certificate authorities right? What about something like crypto where these fundamental aspects of domain hosting are a distributed part of hosting and participating in the scheme. That's been on my mind for awhile, but your blog post surfaced the idea here... sry

    • No offense taken we all have different knowledge and background. I have a general understanding of podman, but now I'm going to go play with it a bit at some point and get more familiar with it.

      Docker is Apache 2.0 licensed. It is open source. Or at least all of the important parts. I'm not sure about docker desktop. It's partly that I just have a lot of experience with docker, and partly just that it's what is supported in most projects' documentation. The fact that a lot of the Linux foundation training uses docker is another reason I've got more experience with it.


      As far as what you are talking about people have been trying for years. The Pirate Bay wanted to develop a new method of being entirely decentralized. Odysee is working on something like blockchain/torrents combined that is very interesting. We have I2P and TOR which have some of the features you mention. I'd love to see it happen where the big companies didn't control things.

      There is progress though. https://letsencrypt.org/ is non-profit, and there are a variety of open source projects using this to automate TLS certificate signing.

      Check out https://www.sigstore.dev/how-it-works and pay special attention to Fulcio and Rekor. It's not for web certs, but it's still a very interesting take on a certificate authority.


      There's no technical reason what you are saying couldn't work. It just comes down to how do you trust it, and if you can't at all, it doesn't do much good anyway. That's the problem to be solved. You could compromise somewhere in the middle but then you have to work out what is acceptable. I suppose the level of trust could be configurable, with different nodes earning a different level of trust, and you could configure your accepted levels for DNS or CA. It's an interesting idea.