Hello Emacs Community!

Like everyone in this community, I’m an Emacs power user and have several niceties configured: gnus for email, Doom Emacs, and I heavily use org mode. I recently used it for an ‘Incident Playbook’, which was basically making an incident and responding to it following certain steps, more of a Digital Forensics and Incident Response (DFIR) kind of work.

So I made a server with Ansible, made a test malware that would be run on this server (delete a log file, idk), and proceeded to do everything directly in org-mode, running every command on the server via tramp, getting any info from the disk, taking a dd image and such. Finally I made a whole document with full details on the server at that point in time, which was pretty interesting, as I could have this as a template for future incidents and have certain commands saved for this.

And I got the idea: wouldn’t it be interesting to have org mode files like these but for testing specific vulnerabilities? Even using a tool like NixOS or Guix to make commands that fetch the old version x.x.x of nginx so I could test a vulnerability there, so it is also reproducible and everyone can use the org file and test this vulnerability? Basically more of a study and proof of concept rather than something more ‘heavy’, as in business related.

Does anyone have a similar use case? I would love to hear about them, as I want to go down the DFIR route.

TL;DR: not specifically an Emacs programming or library question, but much more of a broader question about a cybersecurity workflow.
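The collection step the post describes (run commands over tramp, pull a dd image, keep the record in the document), as an added example that is not the author’s org file: a POSIX shell block written to be pasted into an org-babel source block that runs on the target over tramp, for instance `#+begin_src sh :dir /ssh:analyst@target:/ :results output`. The host name, `CASE_DIR` and the list of volatile commands are assumptions. Every command’s output lands in `CASE_DIR` together with a manifest line (UTC timestamp, artifact name, SHA-256, exit status, command), so the org document records not just what was typed but what was collected and whether it still matches later. One caveat worth knowing before reusing the template: `conv=noerror,sync` pads the last partial block with NULs, so an image of a file-backed test “device” will not hash-match its source; hash the raw device separately if you need to show equality, and hash the written image as the manifest does here.

```shell
#!/bin/sh
# Added example (not the post's own org file). Runs on the target over tramp
# when placed in an org-babel sh block; CASE_DIR is an assumption.
set -eu

CASE_DIR="${CASE_DIR:-$(mktemp -d)}"   # where evidence and the manifest land
tab="$(printf '\t')"

now_utc() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# SHA-256 of a file with either coreutils or BSD tools.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Run a command, save stdout+stderr as a named artifact, record it in the manifest.
# A failing or missing command is still evidence, so its exit status is recorded
# rather than aborting the collection.
# Usage: capture <artifact-name> <command...>
capture() {
  name="$1"; shift
  out="$CASE_DIR/$name"
  started="$(now_utc)"
  if "$@" >"$out" 2>&1; then rc=0; else rc=$?; fi
  printf '%s\t%s\t%s\t%s\t%s\n' "$started" "$name" "$(sha256_of "$out")" "$rc" "$*" \
    >>"$CASE_DIR/manifest.tsv"
}

# Volatile state first, in order of volatility (assumed command set; tune per host).
collect_volatile() {
  capture date.txt    date -u
  capture uname.txt   uname -a
  capture ps.txt      ps -eo pid,ppid,user,lstart,args
  capture sockets.txt ss -tupan
  capture logins.txt  last -F
  capture mounts.txt  mount
}

# Image a block device (or a file standing in for one) with dd and record the
# hash of what was written. conv=noerror,sync keeps going past unreadable blocks
# instead of aborting, at the cost of NUL padding in the last partial block.
# Usage: image_device </dev/sdX> <image-name>
image_device() {
  src="$1"; img="$CASE_DIR/$2"
  if dd if="$src" of="$img" bs=1048576 conv=noerror,sync 2>"$img.dd.log"; then rc=0; else rc=$?; fi
  printf '%s\t%s\t%s\t%s\tdd if=%s\n' "$(now_utc)" "$2" "$(sha256_of "$img")" "$rc" "$src" \
    >>"$CASE_DIR/manifest.tsv"
}

# Re-hash every artifact in the manifest; non-zero if anything changed since collection.
verify_manifest() {
  bad=0
  while IFS="$tab" read -r _ts name hash _rc _cmd; do
    if [ "$(sha256_of "$CASE_DIR/$name")" != "$hash" ]; then
      echo "MISMATCH: $name" >&2
      bad=1
    fi
  done <"$CASE_DIR/manifest.tsv"
  return "$bad"
}
```

In the org file, `collect_volatile` and `image_device` go in blocks with `:dir` pointing at the target, and `verify_manifest` in a later block (or on the analyst machine after copying `CASE_DIR` over tramp) so the document itself can show that the evidence it describes is unchanged.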

  • MinallWchOPB
    1 year ago

    I see. What I did for this incident specifically was to get a list of all the commands that were run and, of course, put them directly into the document, so it will be a template for future things. But I would like to make it more formal, something I can rely on completely; of course, knowing that every incident is different, I would like to make some practices for an incident or for trying to reproduce a specific simple vulnerability.

    Perhaps I’m also getting ahead of myself, as there may be other tools for pen testing or for implementing environments, like docker. I’m just thinking about how it could be applied, like an org file that everyone can download to learn what this specific vulnerability is and how it can be tried with curl against a specific environment also made in the org mode file, in this case the guix command for a container.

    Is this possible with distros like Debian or Red Hat? In which case I would go for the fastest and simplest route, as I’m not sure if I want this just as a study for me (and having these tests available open source) or whether it can actually be used for something in the field.

    I haven’t heard of serverspec or InSpec; I will read about them.

    It’s a little hard to get my head around your stack yet. I really appreciate your response.
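The reply’s idea of an org file that builds the environment, probes it with curl and records the expected answer, as an added example that is not the poster’s or anyone else’s org file: a shell block whose functions map onto separate babel blocks (build config, start the pinned nginx in a Guix container, probe, compare). Everything here is an assumption: that `guix` and `curl` are installed, that `GUIX_COMMIT` is replaced by a channel commit you choose (the all-zero value is a placeholder, not a real pin), that the nginx package at that commit runs under `guix shell --container` with the prefix and config given, and the port and directory names. No vulnerability is asserted; the point is that the document states the build it expects (`Server:` banner) and checks that the lab actually serves that build before any test result is written down. `--network` shares the host network namespace, so the listener is bound to 127.0.0.1 to keep a deliberately old build off the LAN.

```shell
#!/bin/sh
# Added example (not from the post). Assumes guix and curl; GUIX_COMMIT is a
# placeholder to be replaced by a real channel commit you pin for the lab.
set -eu

GUIX_COMMIT="${GUIX_COMMIT:-0000000000000000000000000000000000000000}"   # placeholder pin
LAB_DIR="${LAB_DIR:-$PWD/lab}"      # assumed working directory shared into the container
LAB_PORT="${LAB_PORT:-8080}"        # assumed loopback port

# Minimal nginx.conf: foreground, logs and pid under LAB_DIR, bound to loopback only.
write_conf() {
  mkdir -p "$LAB_DIR/www" "$LAB_DIR/logs"
  printf 'hello\n' >"$LAB_DIR/www/index.html"
  cat >"$LAB_DIR/nginx.conf" <<EOF
daemon off;
error_log $LAB_DIR/logs/error.log;
pid $LAB_DIR/nginx.pid;
events {}
http {
  access_log $LAB_DIR/logs/access.log;
  server {
    listen 127.0.0.1:$LAB_PORT;
    root $LAB_DIR/www;
  }
}
EOF
}

# Start nginx from the pinned Guix revision in a container that sees only LAB_DIR.
# (Assumption: the nginx package at that commit starts with this prefix/config.)
start_lab() {
  guix time-machine --commit="$GUIX_COMMIT" -- \
    shell --container --network --share="$LAB_DIR" nginx -- \
    nginx -p "$LAB_DIR" -c "$LAB_DIR/nginx.conf" &
  echo $! >"$LAB_DIR/lab.pid"
}

# Probe and return only the response headers; that is what the org file records.
probe_headers() {
  curl -sS -o /dev/null -D - "http://127.0.0.1:$LAB_PORT/"
}

# Given raw response headers, print the Server: value (e.g. nginx/1.2.3), or nothing.
server_banner() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1)=="server:" {print $2; exit}'
}

# True only if the lab serves the build the document claims to be testing.
banner_matches() {
  [ "$(server_banner "$1")" = "$2" ]
}

stop_lab() {
  kill "$(cat "$LAB_DIR/lab.pid")" 2>/dev/null || true
}

# RUN_LAB=1 EXPECTED_NGINX=<version> sh lab.sh  (guarded so sourcing is side-effect free)
if [ "${RUN_LAB:-0}" = 1 ]; then
  write_conf; start_lab; sleep 2
  hdrs="$(probe_headers)"
  if banner_matches "$hdrs" "nginx/${EXPECTED_NGINX:-unset}"; then
    echo "lab serves the expected build"
  else
    echo "unexpected banner: $(server_banner "$hdrs")" >&2
  fi
  stop_lab
fi
```

In the org file, `probe_headers` would be a block with `:results output` whose stored output is the evidence, and `banner_matches` the guard that keeps a result from being recorded against the wrong version; the same check is what a reader would use to confirm the distro or container they substituted (Debian, Red Hat, docker) really gives them the build the file is about.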