I’m having trouble staying on top of updates for my self hosted applications and infrastructure. Not everything has auto updates baked in and some things you may not want to auto update. How do y’all handle this? How do you keep track of vulnerabilities? Are there e.g. feeds for specific applications I can subscribe to via RSS or email?

  • bigDottee@geekroom.techEnglish
    1·
    2 hours ago

    I’ve just started to delve into Wazuh… but I’m super new to vulnerability management on a home lab level. I don’t do it for work so 🤷🏼‍♂️

    Anyways, best suggestion is to keep all your containers, vms, and hosts updated best you can to remediate vulnerabilities that are discovered by others.

    Otherwise, Wazuh is a good place to start, but there’s a learning curve for sure.

  • tuxec@infosec.pubEnglish
    1·
    5 hours ago

    There are a couple of things to cover here:

    1. Keep your software/containers up to date. You can subscribe to the GitHub repo and configure it to get notified for new releases and security alerts. Complementary, you can use RSS feeds, newteleases.io and/or WUD (What’s Up Docker) and add labels to your docker compose files. Personally, I check the notification once a week and change the version for all minor tools I’m using. If there is a major release (or new Immich version) I read the changelog and update instructions (if it’s the case).

    2. For container security scans, you can use Trivy, but the problem is that you don’t have a centralized overview of your scan results. For this you can use DefectDojo. Depending on the case/threat model, vulnerability management for self-hosted things might be overkill, but highly recommended of you want to learn more about this. It worth mentioning Trufflehog as secrets scanner and sops as a solution to encrypt sensitive data so you can push it to git/SCM.

  • lambalicious@lemmy.sdf.orgEnglish
    1·
    2 days ago

    I don’t.

    Yeah, hot take, but basically there’s no point to me having to keep track of all that stuff and excessively worry about the dangers of modernity and sacrifice the spare time I have on watching update counter go brrrr of all things, when there’s entire peoples and agencies in charge of it.

    I just run unattended-upgrades (on Debian), pin container image tags to only the major version number where available, run rebuild of containers twice a week, and go enjoy the data and media I built the containers and installed for software for.

    • 9488fcea02a9@sh.itjust.worksEnglish
      1·
      2 days ago

      I think the problem is that a lot of people are just running flatpaks, dockers, and third party repos which might not be getting timely updates.

      I try to stick to debian packages for everything as much as possible for this reason.

  • slazer2au@lemmy.worldEnglish
    1·
    3 days ago

    Does badly count as a way?

    I kinda keep an eye on that https://selfh.st/ post that does a weekly roundup of stuff to know when I need to do patching.

    No doubt there is a container I could run that would do it for me. I just can’t remember the name of it.