uncommon situation

things that might or might not have happened before

Mar 1, 2024 - 7 minute read

Threat detection with Sysmon for Linux

Endpoint intrusion detection is hard (well, it’s also difficult on the network, but we’re talking hosts in this post). To get really actionable results, we need to minimize the noise, but also be careful not to be fat-fingered on those ignore lists because they might cost us some juicy findings. This is not a trivial task: in most environments we have heterogeneous systems running diverse workloads, which means there’s no one-size-fits-all ruleset that you can just load up and call it a day.

Feb 18, 2024 - 7 minute read

Identifying attack paths in the homelab

I have a natural urge to secure stuff to the point some might call paranoid. Maybe that’s why I ended up as a security engineer to make a living. But the harsh reality is that in a professional environment, one doesn’t always get the chance to fulfill these dreams of perfectly hardened and all-best-practices-applied tech.

Feb 11, 2024 - 6 minute read

Debugging SaltStack file module on FUSE

It all started with HomeAssistant. I wanted to deploy it as an LXC container on top of a Proxmox VE hypervisor. This required enabling USB passthrough for the container to use my ZigBee controller.