Install and configure security tools related to a standard use of ynh

[ketsapiwiq]

We should improve the security model of YunoHost with lightweight and fine-tuned tools for the threat model of a standard YunoHost install (vulnerable web-apps, non-targeted attacks by bots…).

Leads:

• Scanner of wordpress vulns+wordpress plugins: https://github.com/wpscanteam/wpscan
• List of vulnerabilities (CVEs) in installed packages in Debian
  • https://www.blog-libre.org/2014/12/24/debsecan-le-paquet-qui-fait-peur/
  • you can try:

    debsecan --suite stretch --only-fixed | grep "remote" | grep "critical"

• Basic and very light webapp-firewall (WAF) as an Nginx plugin:
  • https://github.com/nbs-system/naxsi
  • https://github.com/nbs-system/naxsi/blob/master/naxsi_config/naxsi_core.rules
• CVSS score:
  • https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System
  • https://www.first.org/cvss/calculator/3.0
• More complex, OSSEC: an HIDS (host-based intrusion detection system, opposed to network-based that scans packets) with adequate rulesets (adds security-related log events)
  • https://github.com/ossec/ossec-hids
  • https://github.com/wazuh/wazuh-ruleset

[Psycojoker]

A good part of this will be easy to integrate once the diagnosis system will be in place.

At the time where I wanted to handle scheduled configurable automatic updates for YunoHost I've explored the CVE for debian packages and there is actually a json file on debian website that contains all the needed data (don't have the link right now).

I haven't done it yet because we lack a notification system to inform the user that some stuff has happening on their server.