Nix-Security-WG / nix-local-security-scanner

Reports on which security advisories may be relevant for a given system or derivation
MIT License

Sending notifications of newly detected local vulnerabilities #26

Open raboof opened 1 year ago

raboof commented 1 year ago

When the local vulnerability scan detects new vulnerabilities, the user should somehow be notified of this.

One approach might be to use systemd's OnFailure option for this: the OnFailure could be configured by the user to send a notification to some oneshot systemd notification service. This notification service could then be 'anything': sending email or posting a message in Slack or perhaps even somehow popping up a desktop notification.

Since this is an arguably 'generic' interface, for the first milestone it would be sufficient to show implementing a single notification service, and leave creating more compelling ones for future implementation.

One challenge is how to get the detailed vulnerability information into the notification: it looks like systemd only allows passing along 'specifiers' (section 'Specifiers' in https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html). Perhaps it could just pick it up from a well-known location in /var/lib - since anyone can run the reports, its contents shouldn't be sensitive anyway.
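A sketch of the wiring described above as a NixOS module, added here as an example and not code from nix-local-security-scanner: a scanner unit that exits non-zero when it finds something hands only its unit name (`%n`) to a oneshot notification template via OnFailure, and the template picks the full report up from a well-known path under /var/lib. The unit names, the `/path/to/...` scanner command, the report path and the use of the host's sendmail are all assumptions.

```nix
# Added example, not part of nix-local-security-scanner.
{ pkgs, ... }:
let
  # Placeholder: the scanner executable. Assumed to print its report to stdout
  # and to exit non-zero when new vulnerabilities are found (that failure is
  # what triggers OnFailure).
  scannerCmd = "/path/to/nix-local-security-scanner";
  # Well-known, world-readable location the notification service reads from.
  reportDir = "/var/lib/local-security-scanner";
in
{
  systemd.services.local-security-scan = {
    description = "Local vulnerability scan";
    # Only specifiers reach the handler: %n expands to the full unit name,
    # so the instance becomes scan-notify@local-security-scan.service.service.
    onFailure = [ "scan-notify@%n.service" ];
    serviceConfig = {
      Type = "oneshot";
      # Creates ${reportDir} with the right ownership.
      StateDirectory = "local-security-scanner";
    };
    script = ''
      ${scannerCmd} > ${reportDir}/report.txt
    '';
  };

  # Template unit: %i is the instance part, i.e. the failing unit's name.
  systemd.services."scan-notify@" = {
    description = "Notify about new findings reported by %i";
    serviceConfig.Type = "oneshot";
    scriptArgs = "%i";
    script = ''
      failed_unit="$1"
      # Keep the notification short; the full report stays in ${reportDir}.
      # Assumes an MTA is configured on the host (system-sendmail wraps it).
      {
        echo "Subject: [local-security-scan] new vulnerabilities ($failed_unit)"
        echo
        head -n 20 ${reportDir}/report.txt
        echo
        echo "Full report: ${reportDir}/report.txt"
      } | ${pkgs.system-sendmail}/bin/sendmail root
    '';
  };
}
```

Swapping the `sendmail` pipeline for a Slack webhook call or a desktop-notification forwarder is the only part that needs to change for a different channel; the OnFailure and report-location plumbing stays the same.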

06kellyjac commented 1 year ago

Just some thoughts, may or may not be useful:

ClamAV has a VirusEvent config option it can run when it receives an event

For desktop notifications (from ClamAV output) on our work machines we have a systemd user service that checks for the events instead, so that it has access to the user's own D-Bus without requiring sudo.

Desktop notifications themselves aren't great for detailed messages as you can't seem to format them (at least with GNOME's presentation of them). It might be necessary to create a detailed report as a document/image/HTML and then have the notification point there.

Or rather than a notification that can just be dismissed by accident, maybe a tray item (or an extension in the case of GNOME) would be nice, where found results can be triaged by the user and potentially marked as ignored etc.

A bunch of this could be implemented later in a complementary tool rather than in the initial implementation.