01-22-2009, 06:17 PM
Stephen John Smoogen
Antivirus for CentOS? (yuck!)

On Thu, Jan 22, 2009 at 12:01 PM, Adam Tauno Williams
<awilliam@whitemice.org> wrote:
>> Adam Tauno Williams wrote:
>> > > 1. Has anyone here gone through such a procedure and got good arguments
>> > > against the need for anti-virus?
>> > There is no good argument against running malware detection on any
>> > server.
>> > > 2. Alternatively - what linux anti-virus (oh, the shame of typing this
>> > > word combination) do you use which doesn't affect our systems
>> > > performance too much.
>> > CLAMAV works well.
>> What do you do with clamav on a linux server?
>
> You scan the server for malware.
>
> There is nothing special about LINUX here. The whole "don't run
> services as root" business is just so much noise. It isn't about
> protecting the *server* it is about protecting the *data* which is
> accessed [hopefully] by services which are *not* root. It is about the
> data and the clients that connect to the server.
>
> I've seen CLAMAV find malware on web servers (maybe it isn't common...
> because no one is checking). Someone's crappy PHP code [is there any
> other kind?] allows malware to get injected into, and served, from the
> server. No root access anywhere, or required. It isn't about
> protecting the OS or the system, it is about protecting the data, the
> applications [from exploit], and the end-users [so the server isn't an
> attack vector]. Assuming none of the services on your server can be
> exploited is just wrong-headed; and the exploiter does not need to
> "own" the server (aka have root) in order to do mischief. Access to
> your data is probably more valuable than whacking your server.
>
> The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots
> of malware is served from LINUX servers. Scanning a server for
> signatures is just another way to proof (not prove) that a server has
> not been compromised and that data accessed by the server is secure.
> Which is what things like PCI/DSS is about - protecting the *data*.

I don't know about that last sentence... I am not familiar enough with
PCI/DSS to say it protects data or protects from lawsuits. Everything
else I can agree with 100%. Linux/Mac/Solaris etc. are all good vectors
for serving malware because they are not routinely looked at for
malware (because most Unix admins think it is something that affects
them.) Most malware authors learned that while they may not be able to
get 'root', all they really need is normal permissions for most things,
because they can still open up high ports to send/receive spam, or that
most systems have data at o+rw for ease of use.

Does this mean that every Linux machine should have a malware detector
on it that runs and scans every file? No, it's a matter of risk
management. If you are in a high risk environment, you should know why
or why not it is not in place (having other strong security measures
in place with constant vigilance can be good enough, or for something
else it might not be).


>> What do you think it protects you against on a linux server?
>
> "against a linux server?" ?
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
 
01-22-2009, 06:42 PM
David G. Miller
Antivirus for CentOS? (yuck!)

Amos Shapira <amos.shapira@gmail.com> wrote:

> Hi All,
>
> Yes, I know, it's really really embarrassing to have to ask but I'm
> being pushed to the wall with PCI DSS Compliance procedure
> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> we don't need to install an anti-virus or find an anti-virus to run on
> our CentOS 5 servers.
>
> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.
>
> So:
>
> 1. Has anyone here gone through such a procedure and got good arguments
> against the need for anti-virus?
> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination) do you use which doesn't affect our systems
> performance too much.
>
> The reviewed servers run both Internet-facing web applications and
> internal systems, mostly using a proprietary protocol for internal
> communications. They are being administered remotely via IPSec VPN
> (and possibly in the future also OpenVPN).
>
> Thanks,
>
> --Amos
After reading all of the other replies (including the ones that pointed
out that the PCI DSS requirement had changed the terminology from
"virus" to "malware"), why not claim you are meeting the requirement by
doing something useful like running chkrootkit or rkhunter on a regular
basis? That way you would be scanning the systems for the only malware
known to actually pose a threat to a Linux box. It may be a low
probability of infection (as others have pointed out) but should satisfy
the auditor and hopefully will just be a low-cost exercise in futility
as long as reasonable security policies are followed.

Cheers,
Dave

--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce

 
01-22-2009, 07:04 PM
Stephen John Smoogen
Antivirus for CentOS? (yuck!)

On Thu, Jan 22, 2009 at 12:42 PM, David G. Miller <dave@davenjudy.org> wrote:
> Amos Shapira <amos.shapira@gmail.com> wrote:
>
>> Hi All,
>>
>> Yes, I know, it's really really embarrassing to have to ask but I'm
>> being pushed to the wall with PCI DSS Compliance procedure
>> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
>> we don't need to install an anti-virus or find an anti-virus to run on
>> our CentOS 5 servers.
>>
>> Whatever I do - it needs to be convincing enough to make the PCI
>> compliance guy tick the box.
>>
>> So:
>>
>> 1. Has anyone here gone through such a procedure and got good arguments
>> against the need for anti-virus?
>> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
>> word combination) do you use which doesn't affect our systems
>> performance too much.
>>
>> The reviewed servers run both Internet-facing web applications and
>> internal systems, mostly using a proprietary protocol for internal
>> communications. They are being administered remotely via IPSec VPN
>> (and possibly in the future also OpenVPN).
>>
>> Thanks,
>>
>> --Amos
> After reading all of the other replies (including the ones that pointed
> out that the PCI DSS requirement had changed the terminology from
> "virus" to "malware"), why not claim you are meeting the requirement by
> doing something useful like running chkrootkit or rkhunter on a regular
> basis? That way you would be scanning the systems for the only malware
> known to actually pose a threat to a Linux box. It may be a low
> probability of infection (as others have pointed out) but should satisfy
> the auditor and hopefully will just be a low cost exercise in futility
> as long as reasonable security policies are followed.

Any tool will require the need to have a risk assessment against it.
What is the likelihood of it finding malware? How much is updated, and
how does it compare to other tools? These will be questions that will
need to be available for auditors to know you did your due diligence
on selecting a tool.

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
 
01-22-2009, 07:24 PM
Ralph Angenendt
Antivirus for CentOS? (yuck!)

Adam Tauno Williams wrote:
> > What do you do with clamav on a linux server?
>
> You scan the server for malware.

When? Every day via crontab? That can be much too late. Every hour? That can
be much too late. Every 10 minutes? That can be much too late - and your
server is busy scanning the file system.

> The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots
> of malware is served from LINUX servers. Scanning a server for
> signatures is just another way to proof (not prove) that a server has
> not been compromised and that data accessed by the server is secure.
> Which is what things like PCI/DSS is about - protecting the *data*.

I never said "LINUX doesn't suffer from malware". But clamav itself is not
able to scan in real time. Looks like dazuko has gotten a bit better; I don't
know about clamuko. But by "just installing clamav", you gain nothing
protection-wise.

>> What do you think it protects you against on a linux server?
>
> "against a linux server?" ?

When?

Ralph
 
01-22-2009, 07:55 PM
Adam Tauno Williams
Antivirus for CentOS? (yuck!)

On Thu, 2009-01-22 at 21:24 +0100, Ralph Angenendt wrote:
> Adam Tauno Williams wrote:
> > > What do you do with clamav on a linux server?
> > You scan the server for malware.
> When? Every day via crontab? That can be much too late. Every hour? That can
> be much too late. Every 10 minutes? That can be much too late - and your
> server is busy scanning the file system.

Versus never? That's just silly; you're making the perfect an obstacle to
the good. If it finds something then you KNOW you have a problem and
the time frame in which it occurred: you can then assess and respond
and [potentially] notify. Versus what? No knowledge? The alternative
is to host the malware indefinitely in blissful ignorance - or until
someone else detects and reports your server.

CLAMAV, or any package, isn't THE answer, it is part of an answer. And
PCI/DSS requires a server be scanned on a regular basis. Fighting
against that directive just makes no sense. You should scan an entire
system on some interval regardless of OS.

> > The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots
> > of malware is served from LINUX servers. Scanning a server for
> > signatures is just another way to proof (not prove) that a server has
> > not been compromised and that data accessed by the server is secure.
> > Which is what things like PCI/DSS is about - protecting the *data*.
> I never said "LINUX doesn't suffer from malware". But clamav itself is not
> able to scan in real time. Looks like dazuko has gotten a bit better, I don't
> know about clamuko. But by "just installing clamav, you gain nothing
> protection wise.

Yes, you gain the ability to detect a compromised server.

 
01-22-2009, 08:00 PM
Les Mikesell
Antivirus for CentOS? (yuck!)

Adam Tauno Williams wrote:
>
>> What do you do with clamav on a linux server?
>
> You scan the server for malware.
>
> There is nothing special about LINUX here. The whole "don't run
> services as root" business is just so much noise. It isn't about
> protecting the *server* it is about protecting the *data* which is
> accessed [hopefully] by services which are *not* root. It is about the
> data and the clients that connect to the server.

Yes, but the scan has to be specific for the kind of problem you want to
detect.

> I've seen CLAMAV find malware on web servers (maybe it isn't common...
> because no one is checking). Someone's crappy PHP code [is there any
> other kind?] allows malware to get injected into, and served, from the
> server.

That tends to be more because someone isn't doing updates than that they
aren't checking. Before a scan can help you, the scanner has to know
about the problem. After someone knows about the problem there will
likely be an update to fix it at least as soon as a scanner that will
detect it after the fact. Which makes more sense to install?

> No root access anywhere, or required. It isn't about
> protecting the OS or the system, it is about protecting the data, the
> applications [from exploit], and the end-users [so the server isn't an
> attack vector]. Assuming none of the services on your server can be
> exploited is just wrong-headed;

But expecting a scanner to know about the exploit long before the
exploit is known and fixed seems misguided as well.

> and the exploiter does not need to
> "own" the server (aka have root) in order to do mischief. Access to
> your data is probably more valuable than whacking your server.
>
> The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots
> of malware is served from LINUX servers.

That may be true, but the exploit that allowed it to be put there may be
unrelated. For example, you may have virus-laden email being
transported through a Linux server that doesn't have anything else to do
with it. Or you may have a samba share where windows clients can infect
it. Or, someone might get access through brute-force ssh password guessing.

> Scanning a server for
> signatures is just another way to proof (not prove) that a server has
> not been compromised and that data accessed by the server is secure.
> Which is what things like PCI/DSS is about - protecting the *data*.

An occasional clamav scan can't hurt.

>> What do you think it protects you against on a linux server?
>
> "against a linux server?" ?

Doing frequent updates is what keeps you safe - and maybe turning off
ssh password access.

--
Les Mikesell
lesmikesell@gmail.com
 
01-22-2009, 08:46 PM
Adam Tauno Williams
Antivirus for CentOS? (yuck!)

> > There is nothing special about LINUX here. The whole "don't run
> > services as root" business is just so much noise. It isn't about
> > protecting the *server* it is about protecting the *data* which is
> > accessed [hopefully] by services which are *not* root. It is about the
> > data and the clients that connect to the server.
> Yes, but the scan has to be specific for the kind of problem you want to
> detect.

The presence of a malware pattern - it is pretty straightforward.

> > I've seen CLAMAV find malware on web servers (maybe it isn't common...
> > because no one is checking). Someone's crappy PHP code [is there any
> > other kind?] allows malware to get injected into, and served, from the
> > server.
> That tends to be more because someone isn't doing updates than that they
> aren't checking.

This doesn't make sense. No amount of updating will protect you from a
flaw in the application code / method. One can't presume that the
hosted application / service is perfect. Applications are compromised
much more frequently than Operating Systems which is why the fact that
it is a LINUX server doesn't matter. A scanner will potentially tell
you when an application has been compromised.

> Before a scan can help you, the scanner has to know
> about the problem. After someone knows about the problem there will
> likely be an update to fix it at least as soon as a scanner that will
> detect it after the fact. Which makes more sense to install?

Someone is going to release an update for your local application and
configuration? Emphasis on the "likely" in "likely be an update to fix
it". And a scanner doesn't detect the security flaw, it detects that
the server has been breached enough to contain malicious patterns. It
has nothing to do with updates; relying on being up-to-date to prove
your system is secure is akin to covering it with stickers of unicorns
to protect it.

> > No root access anywhere, or required. It isn't about
> > protecting the OS or the system, it is about protecting the data, the
> > applications [from exploit], and the end-users [so the server isn't an
> > attack vector]. Assuming none of the services on your server can be
> > exploited is just wrong-headed;
> But expecting a scanner to know about the exploit long before the
> exploit is known and fixed seems misguided as well.

This has nothing to do with knowing about exploits in the way you are
using the term "exploit" (as a method of exploiting a service). It is a
way to know about exploits OF a server's service. The scanner doesn't
need to know anything at all about how the malicious content got there -
it alerts you of its presence.

> > and the exploiter does not need to
> > "own" the server (aka have root) in order to do mischief. Access to
> > your data is probably more valuable than whacking your server.
> > The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots
> > of malware is served from LINUX servers.
> That may be true, but the exploit that allowed it to be put there may be
> unrelated.

So?

> For example, you may have virus-laden email being
> transported through a Linux server that doesn't have anything else to do
> with it. Or you may have a samba share where windows clients can infect
> it. Or, someone might get access through brute-force ssh password guessing.

We are talking about completely different things. I'm talking about
using a scanner to indicate that a server does not contain malware
patterns indicating it has been [potentially] exploited - which is an
*UNEXPECTED* event. You can't perform highly specific tests for
unexpected events. The entire principle of auditing is looking for the
unexpected.

> > Scanning a server for
> > signatures is just another way to proof (not prove) that a server has
> > not been compromised and that data accessed by the server is secure.
> > Which is what things like PCI/DSS is about - protecting the *data*.
> An occasional clamav scan can't hurt.
> >> What do you think it protects you against on a linux server?
> "against a linux server?" ?
> Doing frequent updates is what keeps you safe - and maybe turning off
> ssh password access.

It isn't about "being safe". It is about having configuration and
policies that ***test*** the integrity of your systems; detecting
malware patterns is a critical component of that.

 
01-22-2009, 09:36 PM
Les Bell
Antivirus for CentOS? (yuck!)

Adam Tauno Williams <awilliam@whitemice.org> wrote:

>>
CLAMAV, or any package, isn't THE answer, it is part of an answer. And
PCI/DSS requires a server be scanned on a regular basis. Fighting
against that directive just makes no sense. You should scan an entire
system on some interval regardless of OS.
<<

It's worth noting that the type of scan required by PCI DSS is not a
filesystem scan by an antivirus product. It is a vulnerability scan
performed by an Approved Scanning Vendor.

Some other miscellaneous points triggered by posts in this thread that I've
read this morning:

According to the Verizon 2008 Data Breaches Report, in over 90% of cases
where a successful attack exploited a vulnerability, there was a patch
available for at least six months prior to the breach. So the first thing
we can say is that there is good reason to patch your system - it's
definitely an effective activity.

While the most popular attack methods of cybercriminals are hacking and
malcode (again, the Verizon report confirms this), malcode is much more
popular in the Windows world and hacking is the method of choice against
Linux boxes, imho (SSH brute-forcing worms notwithstanding). This means
that anti-virus products will be less effective in safeguarding the data on
a Linux box, and host intrusion detection systems are correspondingly more
effective.

Most attacks against servers are conducted against the application layer
code (PHP vulnerabilities, especially, but also SQL injection, etc.) Again,
anti-virus products are not effective here, particularly since the original
poster seems to be running custom code (internally-developed or
outsourced). The best controls here will be HIDS like AIDE and Tripwire, as
well as network IDS.

An attacker who exploits a server might upload some recognisable malware,
and an anti-virus scanner might pick it up, but I'm not sure whether (e.g.)
ClamAV has signatures for stuff like eggdrop IRC servers, phishing sites
and other things that sometimes turn up on compromised hosts. The bulk of the
signature database is undoubtedly Windows malware. However, a determined
attacker, who knows what the server hosts, is much more likely to either
use SQL injection or command injection techniques to extract credit card
info (use NIDS to detect this) or to install a rootkit to allow him to come
and go more easily (and HIDS will detect this).

Remember, there are two problems to be solved here:

a) Get the systems past the PCI-DSS Assessor

b) Do something useful to actually protect the systems

It would be great if both problems had the same solution, but that depends
on how clueful the Assessor is (and how artfully the original poster can
"manage" him). Right now, the original poster's employer is paying him to
solve a), and will probably only worry about b) much later, should the
excrement actually hit the fan. If installing ClamAV is what it takes to
solve a), just do it and then get to work on b).

Best,

--- Les Bell, RHCE, CISSP, M.Info.Tech (Systems Security)
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909


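Les Bell's point above (HIDS such as AIDE or Tripwire catch what a signature scanner cannot) and Les Mikesell's point earlier in the thread (a scanner only reports patterns it already knows) both come down to integrity checking: record what the file tree looks like when it is known-good, then report anything that differs. The script below is an added illustration written for this page, not code from any poster or from AIDE/Tripwire. It assumes GNU `sha256sum` and `find`, ignores file metadata (ownership, mode, mtime) that real HIDS also track, and does not cope with whitespace in file names; the `demo` function builds a constructed temporary tree so it runs offline.

```shell
#!/bin/sh
# Minimal file-integrity baseline in the spirit of AIDE/Tripwire (added
# example, not from the thread). Baseline = "<sha256>  <path>" per regular
# file; a later check reports files that changed, appeared or vanished.
# Assumes sha256sum(1) and find(1); file names without whitespace.

# Write a sorted baseline of every regular file under directory $1 to file $2.
make_baseline() {
    dir=$1; out=$2
    (cd "$dir" && find . -type f -print | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done) > "$out"
}

# Compare directory $1 against baseline file $2. Prints one line per
# difference (CHANGED / ADDED / REMOVED <path>); returns 0 only if identical.
check_baseline() {
    dir=$1; base=$2; cur=$(mktemp); diffs=0
    make_baseline "$dir" "$cur"
    # Pass 1: every file present now. Unknown path => ADDED; digest moved => CHANGED.
    while read -r digest path; do
        old=$(awk -v p="$path" '$2 == p {print $1}' "$base")
        if [ -z "$old" ]; then
            echo "ADDED   $path"; diffs=1
        elif [ "$old" != "$digest" ]; then
            echo "CHANGED $path"; diffs=1
        fi
    done < "$cur"
    # Pass 2: every baseline path that is no longer on disk => REMOVED.
    while read -r digest path; do
        awk -v p="$path" '$2 == p {found=1} END {exit !found}' "$cur" \
            || { echo "REMOVED $path"; diffs=1; }
    done < "$base"
    rm -f "$cur"
    return $diffs
}

# Offline demonstration on a constructed tree: take a baseline of a fake
# web root, then simulate what a compromised web application typically
# leaves behind (an edited page, an unexpected new file, a missing config).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/www/html" "$t/www/conf"
    printf 'index\n' > "$t/www/html/index.php"
    printf 'cfg\n'   > "$t/www/conf/app.conf"
    make_baseline "$t/www" "$t/baseline.txt"
    printf 'index + unexpected edit\n' > "$t/www/html/index.php"
    printf 'unexpected new file\n'     > "$t/www/html/upload.php"
    rm "$t/www/conf/app.conf"
    check_baseline "$t/www" "$t/baseline.txt"
    rc=$?
    rm -rf "$t"
    return $rc
}

case ${1:-} in --demo) demo ;; esac
```

Run it with `sh integrity.sh --demo`; the baseline file must live outside the scanned tree and, in real use, on read-only or off-host storage, since an intruder who can edit the baseline can hide the change. The output is only as trustworthy as the moment the baseline was taken, which is why this belongs in the build/deploy process rather than being bolted on after the fact.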
 
01-22-2009, 09:54 PM
Les Mikesell
Antivirus for CentOS? (yuck!)

Adam Tauno Williams wrote:
>
>> Yes, but the scan has to be specific for the kind of problem you want to
>> detect.
>
> The presence of a malware pattern - it is pretty straightforward.

Only for known instances of malware.
>
> This doesn't make sense. No amount of updating will protect you from a
> flaw in the application code / method.

Of course it will.

> One can't presume that the
> hosted application / service is perfect.

Which is why things are fixed and updated.

> Applications are compromised
> much more frequently than Operating Systems which is why the fact that
> it is a LINUX server doesn't matter. A scanner will potentially tell
> you when an application has been compromised.

No, a scanner will only tell you when known patterns are present.

>> Before a scan can help you, the scanner has to know
>> about the problem. After someone knows about the problem there will
>> likely be an update to fix it at least as soon as a scanner that will
>> detect it after the fact. Which makes more sense to install?
>
> Someone is going to release an update for your local application and
> configuration?

Yes, you can create your own problems that no one else can fix, but you
are also probably running php, ssh, bind and an assortment of standard
services that have known vulnerabilities if not updated.

> Emphasis on the "likely" in "likely be an update to fix
> it". And a scanner doesn't detect the security flaw, it detects that
> the server has been breached enough to contain malicious patterns.

"known" patterns.

> It
> has nothing to do with updates; relying on being up-to-date to prove
> your system is secure is akin to covering it with stickers of unicorns
> to protect it.

That's not quite the way it works. When anyone else has noticed an
exploit and figures out how it happened, or examines some code and finds
how one could happen, it is reported and fixed. And the next update
will prevent it. Not quite the same as stickers - but similar to the
way the known patterns for scanners become known.

>>> Assuming none of the services on your server can be
>>> exploited is just wrong-headed;
>> But expecting a scanner to know about the exploit long before the
>> exploit is known and fixed seems misguided as well.
>
> This has nothing to do with knowing about exploits in the way you are
> using the term "exploit" (as a method of exploiting a service). It is a
> way to know about exploits OF a server's service. The scanner doesn't
> need to know anything at all about how the malicious content got there -
> it alerts you of its presence.

But it does have to know the content itself, and there's not much reason
to think you will know this content without knowing how to stop the
related exploit.

>
> We are talking about completely different things. I'm talking about
> using a scanner to indicate that a server does not contain malware
> patterns indicating it has been [potentially] exploited - which is an
> *UNEXPECTED* event.

No, scanners only scan for known and sort-of expected things.

> You can't perform highly specific tests for
> unexpected events. The entire principle of auditing is looking for the
> unexpected.

But scanning doesn't do that. There is some value in knowing that you
do have those known patterns present, but you can't deduce that you
don't have any unexpected problems if you don't find them.

>> Doing frequent updates is what keeps you safe - and maybe turning off
>> ssh password access.
>
> It isn't about "being safe". It is about having configuration and
> policies that ***tests*** the integrity of your systems; detecting
> malware patterns is a critical component of that.

As long as you realize that it is only a test for certain known patterns
that don't have much to do with linux problems, fine. Just don't assume
that it proves anything about integrity when you don't find them. Your
real problem may be that someone has guessed your ssh password and
installed a rootkit that hides itself from all normal scans (remember,
running programs continue to run even if the filename is erased so scans
don't find it).

--
Les Mikesell
lesmikesell@gmail.com
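Les Mikesell's closing remark, that a program keeps running after its file is erased so a filesystem scan never sees it, points at a check that rkhunter/chkrootkit-style tools (mentioned by David Miller above) perform and that a file scanner cannot: on Linux, `/proc/<pid>/exe` is a symlink to the running binary, and once that binary is unlinked the link target ends in ` (deleted)`. The script below is an added example written for this page, not code from any poster or from rkhunter/chkrootkit. It assumes a Linux-style procfs; the optional first argument points it at a different tree so that the `demo` function can build a constructed fake `/proc` and run offline. Root is needed to read other users' `exe` links on a real system.

```shell
#!/bin/sh
# List processes whose on-disk executable has been unlinked (added example,
# not from the thread). Prints "<pid> <target>" per hit; returns 0 if any
# were found, 1 otherwise. $1 overrides /proc for testing.
# Assumes Linux procfs semantics: readlink /proc/<pid>/exe ends in
# " (deleted)" when the binary no longer exists on disk.

deleted_exe_procs() {
    proc=${1:-/proc}
    found=1
    for exe in "$proc"/[0-9]*/exe; do
        [ -L "$exe" ] || continue                         # kernel threads have no exe link
        target=$(readlink "$exe" 2>/dev/null) || continue # unreadable (not our process)
        case $target in
            *" (deleted)")
                pid=${exe#"$proc"/}; pid=${pid%/exe}
                echo "$pid $target"; found=0 ;;
        esac
    done
    return $found
}

# Offline demonstration on a constructed procfs tree (paths are made up):
# pid 1 points at a binary that still exists, pid 4242 at one that was erased
# after being started, which is what a normal scan of the filesystem misses.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/1" "$t/4242" "$t/self"
    ln -s /usr/sbin/httpd "$t/1/exe"
    ln -s "/tmp/.cache/worker (deleted)" "$t/4242/exe"
    deleted_exe_procs "$t"; rc=$?
    rm -rf "$t"; return $rc
}

case ${1:-} in --demo) demo ;; esac
```

On a live host run it as root (`deleted_exe_procs` with no argument). A hit is not proof of compromise: package upgrades legitimately leave daemons running from a replaced binary until they are restarted, so the finding should be correlated with the package manager's log and the process's start time rather than acted on alone. Note also that this is a userland view of procfs; a kernel-level rootkit that filters `/proc` defeats it, which is the limit Les Mikesell is describing.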
 
01-23-2009, 06:40 AM
Sorin Srbu
Antivirus for CentOS? (yuck!)

I run this on a centos-server I have. The machine comes to a crawl when I open
up the Symantec GUI. I think the GUI is built on Java, which might make the
machine slower than necessary. Probably the CLI interface is more responsive.

--
/Sorin


>-----Original Message-----
>From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of
>Morten Torstensen
>Sent: Thursday, January 22, 2009 7:18 PM
>To: CentOS mailing list
>Subject: Re: [CentOS] Antivirus for CentOS? (yuck!)
>
>And just for completeness, Symantec has AV for Linux too... it is better
>there than on the Windows platform, but that doesn't say much. The
>advantage of Symantec is that it is a well-known brand, so in some cases
>it can be an easy option to push through red-tape bureaucrats.
>

 