From: Jeffrey Chimene
Newsgroups: linux.debian.security
Subject: sysadmin in training
Date: Fri, 12 May 2023 17:40:01 +0200
X-Original-Date: Fri, 12 May 2023 08:10:04 -0700
List-Archive: https://lists.debian.org/msgid-search/bae17942-6de1-264d-1421-f17fb64f8f3c@systasis.co

Hi,

I'd like to propose a minor change to https://www.debian.org/doc/manuals/securing-debian-manual

While I have no argument with intrusion detection, I don't see anything for active response. A metaphor would be Peter Cook and Dudley Moore's extended joke: https://www.youtube.com/watch?v=lbnkY1tBvMU

Anyway, I'd like to propose adding a section that describes ossec. While I appreciate the detection aspect, I'm just a person who admins a server farm of 6 Linodes mostly running WordPress. It took longer than it should have to learn about ossec. I think an entry in the guide would be helpful.

Also, with DEFCON approaching, this seems an appropriate time to start this discussion.

Cheers,
jec