this post was submitted on 21 Oct 2023
3 points (100.0% liked)
Emacs
311 readers
1 users here now
A community for the timeless and infinitely powerful editor. Want to see what Emacs is capable of?!
Get Emacs
Rules
- Posts should be emacs related
- Be kind please
- Yes, we already know: Google results for "emacs" and "vi" link to each other. We good.
Emacs Resources
Emacs Tutorials
- Beginner’s Guide to Emacs
- Absolute Beginner's Guide to Emacs
- How to Learn Emacs: A Hand-drawn One-pager for Beginners
Useful Emacs configuration files and distributions
Quick pain-saver tip
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I do very similar things to document architecture designs (Python Diagrams mermaid), system interactions and configuration (Vagrant, Docker, CM runs, various curl and API interactions). I used to work in InfoSec so a lot of my infrastructure work assumes (preventative) hardening which I will often validate against lab or even live environments using serverspec, InSpec, etc.
It's all driven by babel code blocks, rendered to Markdown, and then pumped through Pandoc (and LaTeX) filters for nice presentation. Unfortunately it all involves customer data so I can't really share any examples.
Like you, I have considered how to leverage Guix for reproducible test environments however I don't have any customers running Guix and so I often have to stick to Linux environments typical in enterprise settings (Ubuntu, RedHat, etc).
From experience, I probably wouldn't try to write the exploit and validation in Org Mode babel code blocks but running the test harness and collecting the results in Org Mode makes a fair amount of sense.
I see. What I did for this incident specifically was to get a list of all the commands that were ran and of course, directly into the document, so it will be a template for future things but, I would like to make it more formal, as to something I can rely on completely, of course knowing that every incident is different, I would like to make some practices as to an incident or trying to reproduce a specific simple vulnerability.
Perhaps I'm getting also ahead of myself, as there may be other things for pen testing or to implement environments like docker. I'm just thinking how it could be applied, like an org file that everyone can download and learn how this specific vulnerability is, and how can it be tried with curl against a specific environment also made in the org mode file, in this case the guix command for a container.
Is this possible with Distros like Debian or Redhat?, in which case I would go for the most faster and simplest route, as I'm not sure if I want this just as a study for me (and having these tests available open source) or it can actually be used for something on the field.
I haven't heard about serverspec nor Inspec, I will read about them.
Its a little hard to get my head around your stack yet, I really appreciate your response.