Hello Emacs Community!
As everyone on this community, I’m an Emacs power user and have several niceties configured: gnus for Email, Doom Emacs, and I heavily use org mode. I recently used it for an ‘Incident Playbook’, which was basically making an incident and responding to it following certain steps, more of a Digital Forensics and Incident Response (DFIR) work.
So, I made a server in Ansible, made a test malware that will be run in this server (delete a log file idk), and proceeded to do everything directly in org-mode, running every command via tramp to the server, getting any info from the disk and getting a dd and such. Finally I made a whole document with full details on the server at that point in time, which was pretty interesting as I could have this as a template for future incidents and have certain commands saved for this.
And I got the idea: wouldn’t it be interesting to have org mode files like these but for testing specific vulnerabilities? Even using a tool like NixOS or Guix to make commands that will get the old version x.x.x of nginx, and I could test a vulnerability there, so it is also reproducible and everyone can use the org file and test this vulnerability? Basically more of a study and proof of concept rather than something more ‘heavy’ as in business related.
Does anyone have a similar use case? I would love to hear from them as I want to go into the DFIR route.
TLDR. Not specific to an emacs programming or library question, but much more of a broader question about a cybersecurity workflow.
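The kind of org file described above, as an added example and not the poster’s own document: an incident playbook whose shell blocks all run on a remote lab host through TRAMP because of a file-level `:dir` header, with each result captured under its block so the finished file doubles as the evidence record. The host name `lab-host`, the user `analyst`, the evidence mount point and the log paths are assumptions.

```org
#+TITLE: Incident playbook: suspicious log deletion (constructed example)
#+PROPERTY: header-args:sh :dir /ssh:analyst@lab-host:/tmp :results output verbatim :exports both

* Scope
  Hypothetical host =lab-host=, reachable over SSH as =analyst= with sudo.
  The file-level =:dir= above makes every =sh= block run on the remote host
  via TRAMP; =C-c C-c= on a block stores its output right under it.

* 1. Record when and where we are
#+begin_src sh
  date -u +%Y-%m-%dT%H:%M:%SZ; hostname; uptime
#+end_src

* 2. Volatile data first, before the disk
#+begin_src sh
  # Sockets and processes disappear on reboot, so capture them first.
  sudo ss -tunap | head -n 40
  sudo ps -eo pid,ppid,user,lstart,cmd --sort=start_time | tail -n 40
#+end_src

* 3. What happened to the log files
#+begin_src sh
  # A deleted log that a process still holds open shows up with +L1.
  ls -la --time-style=full-iso /var/log/
  sudo lsof +L1 2>/dev/null | head -n 20
#+end_src

* 4. Hash the remaining evidence before anything else touches it
#+begin_src sh
  # Hashes go into the org file, so later copies can be verified against them.
  sudo sha256sum /var/log/auth.log /var/log/syslog 2>/dev/null || true
#+end_src

* 5. Image the disk and verify the image
#+begin_src sh :dir /ssh:analyst@lab-host:/mnt/evidence
  # Block-level :dir override: write the image to the separate evidence
  # volume (assumed mounted at /mnt/evidence), never onto the disk being imaged.
  sudo dd if=/dev/sda of=lab-host.img bs=4M conv=noerror,sync status=none
  sha256sum lab-host.img | tee lab-host.img.sha256
#+end_src
```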
I do very similar things to document architecture designs (Python Diagrams, Mermaid), system interactions and configuration (Vagrant, Docker, CM runs, various curl and API interactions). I used to work in InfoSec, so a lot of my infrastructure work assumes (preventative) hardening which I will often validate against lab or even live environments using serverspec, InSpec, etc.
It’s all driven by babel code blocks, rendered to Markdown, and then pumped through Pandoc (and LaTeX) filters for nice presentation. Unfortunately it all involves customer data so I can’t really share any examples.
Like you, I have considered how to leverage Guix for reproducible test environments; however, I don’t have any customers running Guix, and so I often have to stick to Linux environments typical in enterprise settings (Ubuntu, RedHat, etc).
From experience, I probably wouldn’t try to write the exploit and validation in Org Mode babel code blocks but running the test harness and collecting the results in Org Mode makes a fair amount of sense.
I see. What I did for this incident specifically was to get a list of all the commands that were run and, of course, put them directly into the document, so it will be a template for future things. But I would like to make it more formal, as in something I can rely on completely; of course, knowing that every incident is different, I would like to make some practices for an incident or for trying to reproduce a specific simple vulnerability.
Perhaps I’m also getting ahead of myself, as there may be other things for pen testing or to implement environments like docker. I’m just thinking how it could be applied, like an org file that everyone can download and learn what this specific vulnerability is, and how it can be tried with curl against a specific environment also made in the org mode file, in this case the guix command for a container.
Is this possible with distros like Debian or Redhat? In that case I would go for the fastest and simplest route, as I’m not sure if I want this just as a study for me (and having these tests available open source) or if it can actually be used for something in the field.
I haven’t heard of serverspec or InSpec; I will read about them.
It’s a little hard to get my head around your stack yet. I really appreciate your response.