lotuspsychje | good morning | 01:17 |
---|---|---|
marcoagpinto | Heya! | 04:13 |
ducasse | good morning | 06:09 |
lordievader | Good morning | 06:11 |
Deano59 | morning. | 09:50 |
Deano59 | let's change this channel to | 14:41 |
Deano59 | #morninggreeting | 14:41 |
Deano59 | :) | 14:41 |
Ussat | um...suree | 14:41 |
Deano59 | (: | 14:42 |
Deano59 | Maik: you can run but you can't hide. no need to swear. | 14:45 |
Maik | stop bothering me stop trolling and stay off of whatever you're high from | 14:46 |
Deano59 | I'm not trolling and I'm not high. but thanks for your concern. :) | 14:47 |
Maik | ftard | 14:47 |
Deano59 | swearing again, that's not following the CoC. | 14:48 |
Maik | long live ignore, permanent this time | 14:48 |
Deano59 | yay. :D | 14:48 |
Ussat | um...ok | 14:50 |
Maik | reported too by the way, enough is enough | 14:51 |
Deano59 | reported? you're the one breaking the CoC. | 14:51 |
Deano59 | I'm *not* swearing at you. | 14:52 |
hggdh | Deano59: please stop | 14:56 |
Deano59 | hggdh: ? | 14:58 |
Deano59 | hggdh: so it's okay for him to call me a troll/ftard? | 14:59 |
hggdh | no, it is not. As it is not okay for you to act the way you are acting. One error does not justify another | 14:59 |
Ussat | sigh..... | 15:00 |
tomreyn | so, i did what no normal human wants to do. but $boss wants me to comply, and complying means running a virus scanner. so i set up clamav with on-access scanning, on 20.04. and... it works. | 19:16 |
tomreyn | i didn't actually need on-access scanning for compliance, but wanted to give it a try. i'm positively surprised there. | 19:17 |
tomreyn | sure, clamav's detection is still as terrible as it always was. but the eicar test file is detected and access is prevented. | 19:19 |
sarnold | funny, another channel was just discussing the PCI requirements and a phrase that was added along the lines of "on any platforms where malware is common" or similar :) | 19:19 |
tomreyn | oh, that was recently added? | 19:19 |
sarnold | I think 1.1 | 19:19 |
tomreyn | 1.1 is old, isn't it | 19:19 |
tomreyn | https://security.stackexchange.com/questions/58345/how-to-pass-pci-dss-2-0-anti-virus-requirement-5-1-on-linux | 19:20 |
tomreyn | if this article is correct, you quoted well | 19:21 |
tomreyn | wow, that's an old article | 19:22 |
tomreyn | DSS 3.2.1 (May 018) is current, i think | 19:22 |
tomreyn | *May 2018 | 19:22 |
tomreyn | "5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)." https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1620847412934 | 19:24 |
tomreyn | it's still in there | 19:24 |
TJ- | tomreyn: I told them to go jump off a high building on that, due to them conflating 'virus' (something that can spread itself) with 'malware' | 19:25 |
tomreyn | :) | 19:26 |
tomreyn | actually something that can spread itself would be a worm, though | 19:27 |
TJ- | We have firewalls IN and OUT on each system to guard against network vectors, on top of wireguard links on VLANs. On systems they are read-only immutable file-systems with tmpfs overlays to prevent persistent threats | 19:27 |
Ussat | We use clamav on all Linux servers here, it's lightweight, is very tuneable | 19:27 |
Ussat | and if you're gonna pass a PCI audit, you need to | 19:27 |
tomreyn | "firewalls IN and OUT on each system"?! how do you manage those? | 19:28 |
TJ- | Everything except the minimal host OS is unprivileged systemd-nspawn container and we use cgroups v2 | 19:28 |
TJ- | Also, our networks are IPv6 only | 19:28 |
Ussat | Right, because IPV6 makes everything instantly secure..... | 19:28 |
TJ- | tomreyn: management tooling we've created (rules that bind/map to each application container). Containers have network namespaces with only wireguard interfaces imported from the host (so no access to keys) | 19:29 |
TJ- | Ussat: nothing to do with secure, it is to do with being able to use simple routing across large estates and make the probe space massive if some scanner did get a toe-hold | 19:30 |
tomreyn | this must be a very homogenic infrastructure, i guess? | 19:30 |
tomreyn | * homogenous | 19:32 |
tomreyn | this sounds like a very nice design, but i'm not sure this would work well with BYOD scenarios | 19:34 |
TJ- | tomreyn: BYOD are on isolated VLANs with very controlled hairpin access through gateway containers | 20:02 |