[01:17] <lotuspsychje> good morning
[04:13] <marcoagpinto> Heya!
[06:09] <ducasse> good morning
[06:11] <lordievader> Good morning
[09:50] <Deano59> morning.
[14:41] <Deano59> let's change this channel to
[14:41] <Deano59> #morninggreeting
[14:41] <Deano59> :)
[14:41] <Ussat> um...suree
[14:42] <Deano59> (:
[14:45] <Deano59> Maik: you can run but you can't hide. no need to swear.
[14:46] <Maik> stop bothering me stop trolling and stay off of whatever you're high from
[14:47] <Deano59> I'm not trolling and I'm not high. but thanks for your concern. :)
[14:47] <Maik> ftard
[14:48] <Deano59> swearing again, that's not following the CoC.
[14:48] <Maik> long live ignore, permanent this time
[14:48] <Deano59> yay. :D
[14:50] <Ussat> um...ok
[14:51] <Maik> reported too by the way, enough is enough
[14:51] <Deano59> reported? you're the one breaking the CoC.
[14:52] <Deano59> I'm *not* swearing at you.
[14:56] <hggdh> Deano59: please stop
[14:58] <Deano59> hggdh: ?
[14:59] <Deano59> hggdh: so it's okay for him to call me a troll/ftard?
[14:59] <hggdh> no, it is not. As it is not okay for you to act the way you are acting. One error does not justify another
[15:00] <Ussat> sigh.....
[19:16] <tomreyn> so, i did what no normal human wants to do. but $boss wants me to comply, and complying means running a virus scanner. so i set up clamav with on-access scanning, on 20.04. and... it works.
[19:17] <tomreyn> i didn't actually need on-access scanning for compliance, but wanted to give it a try. i'm positively surprised there.
[19:19] <tomreyn> sure, clamav's detection is still as terrible as it always was. but the eicar test file is detected and access is prevented.
[19:19] <sarnold> funny, another channel was just discussing the PCI requirements and a phrase that was added along the lines of "on any platforms where malware is common" or similar :)
[19:19] <tomreyn> oh, that was recently added?
[19:19] <sarnold> I think 1.1
[19:19] <tomreyn> 1.1 is old, isn't it
[19:20] <tomreyn> https://security.stackexchange.com/questions/58345/how-to-pass-pci-dss-2-0-anti-virus-requirement-5-1-on-linux
[19:21] <tomreyn> if this article is correct, you quoted well
[19:22] <tomreyn> wow, that's an old article
[19:22] <tomreyn> DSS 3.2.1 (May 018) is current, i think
[19:22] <tomreyn> *May 2018
[19:24] <tomreyn> "5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)." https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1620847412934
[19:24] <tomreyn> it's still in there
[19:25] <TJ-> tomreyn: I told them to go jump off a high building on that, due to them conflating 'virus' (something that can spread itself) with 'malware'
[19:26] <tomreyn> :)
[19:27] <tomreyn> actually something that can spread itself would be a worm, though
[19:27] <TJ-> We have firewalls IN and OUT on each system to guard against network vectors, on top of wireguard links on VLANs. On systems they are read-only immutable file-systems with tmpfs overlays to prevent persistent threats
[19:27] <Ussat> We use clamav on all Linux servers here, it's lightweight, is very tuneable
[19:27] <Ussat> and if you're gonna pass a PCI audit, you need to
[19:28] <tomreyn> "firewalls IN and OUT on each system"?! how do you manage those?
[19:28] <TJ-> Everything except the minimal host OS is unprivileged systemd-nspawn container and we use cgroups v2
[19:28] <TJ-> Also, our networks are IPv6 only
[19:28] <Ussat> Right, because IPV6 makes everything instantly secure.....
[19:29] <TJ-> tomreyn: management tooling we've created (rules that bind/map to each application container). Containers have network namespaces with only wireguard interfaces imported from the host (so no access to keys)
[19:30] <TJ-> Ussat: nothing to do with secure, it is to do with being able to use simple routing across large estates and make the probe space massive if some scanner did get a toe-hold
[19:30] <tomreyn> this must be a very homogenic infrastructure, i guess?
[19:32] <tomreyn> * homogenous
[19:34] <tomreyn> this sounds like a very nice design, but i'm not sure this would work well with BYOD scenarios
[20:02] <TJ-> tomreyn: BYOD are on isolated VLANs with very controlled hairpin access through gateway containers