README needs documentation of script questions

[grempe]

When running the ./algo script the user is prompted for answers to a number of questions. However, neither the docs in the README nor the script tell the user what some of those options might do.

The current questions that seem more undefined and needing clarification to me are:

Do you want to install a local DNS resolver to block ads while surfing?

You might address how you block ads, how you choose which ads to block, how or if that blocklist can be updated, an example how one would go about configuring their local system to make use of this...

Do you want each user to have their own account for SSH tunneling?

Are there security issues with doing so? How are users authenticated? Show an example of how a user would go about using the ssh tunnel.

Do you want to apply operating system security enhancements on the server?

What security enhancements? Why is this not defaulted to yes? What are the pros/cons?

Do you want to use auditd for security monitoring? (requires configurationg in config.cfg)

What is auditd (needs link)? What will it do for me? What would I need to configure? What are the pros/cons?

[grempe]

Looks like at least some of this is in this (rather buried) doc. Should probably be pulled out to the main README.

https://github.com/trailofbits/algo/blob/master/docs/ROLES.md

Also, the security enhancements are shown as 'recommended' in that doc, but they are defaulted to no in the install script. This should probably be consistent.

[dguido]

In general, none of these roles are required to operate a fully functional Algo VPN server and they are therefore optional and default to being turned off. There is limited configuration of them that is possible and some of them are only beta quality. As a user, if you take the non-default step to enable one of these roles then we expect you know what you want and how to use the feature.

You might address how you block ads, how you choose which ads to block, how or if that blocklist can be updated, an example how one would go about configuring their local system to make use of this...

DNS-based adblocking is an all or nothing feature and there is no configuration possible. If you enable this option, then the Apple profile will automatically set your DNS server to use it when you connect. For users on non-Apple platforms, the DNS server IP address is printed out at the end of the install by Ansible.

We plan to continue to enhance this feature. We will document more about it when there are configuration options available.

Are there security issues with doing so? How are users authenticated? Show an example of how a user would go about using the ssh tunnel.

This is documented in our section about connecting to the server over SSH: https://github.com/trailofbits/algo#setup-an-ssh-tunnel

What security enhancements? Why is this not defaulted to yes? What are the pros/cons?

This is an optional role since every service is already wrapped in an AppArmor policy by default. Further, there are few enhancements we can make since Ubuntu has adopted many security defaults and features on its own.

What is auditd (needs link)? What will it do for me? What would I need to configure? What are the pros/cons?

This is a beta quality role that will not function without advanced configuration. If you need security monitoring of your VPN server, then this is a good place to start. We plan to rewrite this entire role from scratch in the near future with go-audit.

Looks like at least some of this is in this (rather buried) doc. Should probably be pulled out to the main README.

I will add a link to the Roles document in the readme.

Also, the security enhancements are shown as 'recommended' in that doc, but they are defaulted to no in the install script. This should probably be consistent.

I removed the "recommended" flag on the security role from the Roles document.

[grempe]

Thanks @dguido for the updates and clarifications. I think everything you wrote above should be incorporated in some fashion in either the README or the ROLES docs.

Regarding the security role you said:

As a user, if you take the non-default step to enable one of these roles then we expect you know what you want and how to use the feature.

Agreed. Hard to be an informed user without some docs though! Alternative is to dig through the code which seems to go against the one-click install goals of this project.

This is an optional role since every service is already wrapped in an AppArmor policy by default. Further, there are few enhancements we can make since Ubuntu has adopted many security defaults and features on its own.

I would suggest then that this should not be an interactive question, at least not phrased how it is. As a user why would I not want the most security hardened install? It seems that one of the major additions of this role is to add the auto-update mechanism. If that is the case then why not always apply all security features by default and provide an option to add auto-update functionality or not as a role?

[auditd] This is a beta quality role that will not function without advanced configuration. If you need security monitoring of your VPN server, then this is a good place to start. We plan to rewrite this entire role from scratch in the near future with go-audit.

Roles doc should say this.

Thanks, great project.

[dguido]

I have a lot of enhancements I'd like to make to the readme and I'll add some of these to the list. In the meantime, I'm happy to accept pull requests!

[TafariD]

Did you ever get around to clearing this up? I just used the install and guessed based on what I saw here. I'm hoping I did it right 😨 if I did it wrong, how can I change the settings?

[dguido]

This is pretty self-explanatory and additional info was added to the runscript itself to better describe what happens when you answer yes or no. There's also a link to ROLES in the readme at the exact moment where you would answer the runscript questions. Where do you think the gaps are?