01-23-2009, 05:10 PM
"David G. Miller"

Antivirus for CentOS? (yuck!)

Stephen John Smoogen <smooge@gmail.com> wrote:

> On Thu, Jan 22, 2009 at 12:42 PM, David G. Miller <dave@davenjudy.org> wrote:
>
>> > Amos Shapira <amos.shapira@gmail.com> wrote:
>> >
>>
>>> >> Hi All,
>>> >>
>>> >> Yes, I know, it's really really embarrassing to have to ask but I'm
>>> >> being pushed to the wall with PCI DSS Compliance procedure
>>> >> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
>>> >> we don't need to install an anti-virus or find an anti-virus to run on
>>> >> our CentOS 5 servers.
>>> >>
>>> >> Whatever I do - it needs to be convincing enough to make the PCI
>>> >> compliance guy tick the box.
>>>
<SNIP>
>> > After reading all of the other replies (including the ones that pointed
>> > out that the PCI DSS requirement had changed the terminology from
>> > "virus" to "malware"), why not claim you are meeting the requirement by
>> > doing something useful like running chkrootkit or rkhunter on a regular
>> > basis? That way you would be scanning the systems for the only malware
>> > known to actually pose a threat to a Linux box. It may be a low
>> > probability of infection (as others have pointed out) but should satisfy
>> > the auditor and hopefully will just be a low cost exercise in futility
>> > as long as reasonable security policies are followed.
>>
>
> Any tool will require the need to have a risk assessment against it.
> What is the likelihood of it finding malware? How much is updated and
> how does it compare to other tools. These will be questions that will
> need to be available for auditors to know you did your due-diligence
> on selecting a tool.
Answering those questions would provide the arguments for running a
rootkit scanner instead of anti-virus software. That is, the risk of
malware affecting the systems in question is low with near zero
likelihood that a true virus will cause a problem but with the
possibility that a rootkit could compromise the systems. Chkrootkit and
rkhunter are arguably the best tools for finding a rootkit. The
programs are updated whenever a new threat is identified.

Obviously, the OP would need more than my say-so as backup for these
assertions. Said backup would also make the case that scanning for
non-existent threats (Linux viruses) would make no sense while scanning
for a real threat makes the most sense.

Cheers,
Dave

--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
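Added example (not part of the thread): a cron-driven wrapper that runs rkhunter and chkrootkit the way Dave suggests, keeps only the lines the two tools flag, and turns them into one report with a syslog record that the scan ran. It assumes both tools are installed and uses only their documented options; the install path and the sample scanner output are constructed for illustration.

```python
"""Scheduled rootkit sweep: run rkhunter and chkrootkit, keep only what they
flag and produce one report for the mail or log pipeline.

Added example, not code from the thread. It assumes rkhunter and chkrootkit
are installed and in PATH; /etc/cron.daily/rootkit-scan is an assumed
install location.
"""
import re
import socket
import subprocess
from typing import Dict, List

# --sk skips the "press enter" prompt, --rwo prints warnings only, so a
# clean rkhunter run produces no output at all.
RKHUNTER_CMD = ["rkhunter", "--check", "--sk", "--rwo"]
# -q (quiet) makes chkrootkit print only what it considers suspicious.
CHKROOTKIT_CMD = ["chkrootkit", "-q"]

RKHUNTER_WARNING = re.compile(r"^\s*Warning:\s*(?P<msg>.+?)\s*$")

# Constructed sample output used by the demo and tests; not real results.
SAMPLE_RKHUNTER = """\
Warning: Hidden directory found: /etc/.java
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
"""
SAMPLE_CHKROOTKIT = """\
INFECTED (PORTS: 465)
/usr/lib/.build-id
"""


def parse_rkhunter(output: str) -> List[str]:
    """Extract the message text of each 'Warning:' line."""
    warnings = []
    for line in output.splitlines():
        m = RKHUNTER_WARNING.match(line)
        if m:
            warnings.append(m.group("msg"))
    return warnings


def parse_chkrootkit(output: str) -> List[str]:
    """In quiet mode every non-blank line chkrootkit prints is a finding."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def run_scanner(cmd: List[str]) -> str:
    """Run one scanner and return everything it printed. Both tools exit
    non-zero when they flag something, so the exit status is not an error."""
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def total_findings(findings: Dict[str, List[str]]) -> int:
    return sum(len(items) for items in findings.values())


def build_report(findings: Dict[str, List[str]], host: str) -> str:
    """Plain-text report: a header, then a count and the items for each tool."""
    lines = [f"rootkit scan report for {host}"]
    for tool in sorted(findings):
        items = findings[tool]
        lines.append(f"{tool}: {len(items)} finding(s)")
        lines.extend(f"  - {item}" for item in items)
    return "\n".join(lines)


def main() -> int:
    import syslog  # Unix only; gives the auditor a daily "scan ran" record
    findings = {
        "rkhunter": parse_rkhunter(run_scanner(RKHUNTER_CMD)),
        "chkrootkit": parse_chkrootkit(run_scanner(CHKROOTKIT_CMD)),
    }
    n = total_findings(findings)
    syslog.openlog("rootkit-scan")
    syslog.syslog(syslog.LOG_INFO, f"scan complete, {n} finding(s)")
    if n:
        # cron mails whatever a job prints, so print only when there is news
        print(build_report(findings, socket.gethostname()))
        return 1
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Two caveats from running these in practice: rkhunter's file-property checks will flag every binary a yum update replaces until `rkhunter --propupd` is run as part of that change, and expected hidden directories are whitelisted in /etc/rkhunter.conf rather than filtered here, so the report stays an honest record of what the scanner saw.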
 
01-23-2009, 05:52 PM
Ross Walker

Antivirus for CentOS? (yuck!)

On Fri, Jan 23, 2009 at 1:10 PM, David G. Miller <dave@davenjudy.org> wrote:
> Stephen John Smoogen <smooge@gmail.com> wrote:
>
>> On Thu, Jan 22, 2009 at 12:42 PM, David G. Miller <dave@davenjudy.org> wrote:
>>
>>> > Amos Shapira <amos.shapira@gmail.com> wrote:
>>> >
>>>
>>>> >> Hi All,
>>>> >>
>>>> >> Yes, I know, it's really really embarrassing to have to ask but I'm
>>>> >> being pushed to the wall with PCI DSS Compliance procedure
>>>> >> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
>>>> >> we don't need to install an anti-virus or find an anti-virus to run on
>>>> >> our CentOS 5 servers.
>>>> >>
>>>> >> Whatever I do - it needs to be convincing enough to make the PCI
>>>> >> compliance guy tick the box.
>>>>
> <SNIP>
>>> > After reading all of the other replies (including the ones that pointed
>>> > out that the PCI DSS requirement had changed the terminology from
>>> > "virus" to "malware"), why not claim you are meeting the requirement by
>>> > doing something useful like running chkrootkit or rkhunter on a regular
>>> > basis? That way you would be scanning the systems for the only malware
>>> > known to actually pose a threat to a Linux box. It may be a low
>>> > probability of infection (as others have pointed out) but should satisfy
>>> > the auditor and hopefully will just be a low cost exercise in futility
>>> > as long as reasonable security policies are followed.
>>>
>>
>> Any tool will require the need to have a risk assessment against it.
>> What is the likelihood of it finding malware? How much is updated and
>> how does it compare to other tools. These will be questions that will
>> need to be available for auditors to know you did your due-diligence
>> on selecting a tool.
> Answering those questions would provide the arguments for running a
> rootkit scanner instead of anti-virus software. That is, the risk of
> malware affecting the systems in question is low with near zero
> likelihood that a true virus will cause a problem but with the
> possibility that a rootkit could compromise the systems. Chkrootkit and
> rkhunter are arguably the best tools for finding a rootkit. The
> programs are updated whenever a new threat is identified.
>
> Obviously, the OP would need more than my say-so as backup for these
> assertions. Said backup would also make the case that scanning for
> non-existent threats (Linux viruses) would make no sense while scanning
> for a real threat makes the most sense.

Typically a multi-faceted approach to intrusion detection and
prevention will always be more successful and garner the best support.

Servers that deal with files, whether file servers or wikis, need
anti-virus software. For the best protection a different anti-virus
package should be deployed on the client (say clamav on the Linux file
servers/wikis, and Sophos on the client PCs).

All servers should have monitoring software installed to detect
changes to the environment, both for change management auditing and
intrusion detection. Having an external system collect the monitoring
logs and send alerts is the preferred way as manual collection and
monitoring isn't timely enough, nor reliable. A good system monitoring
platform like one from SolarWinds would be good here.

A change management platform to receive these alerts and match them up
against change requests or flag them as unauthorized events should
also be in place. A platform such as Numara Footprints or even a help
desk system or a bug tracking system on the low end could do this.

With those in place you should be in good shape. You should then do
routine vulnerability scans, penetration tests and if necessary buy
into an intrusion prevention system where it scans the network
activity looking for anything out of the ordinary where it can alert
you to it, or alert and drop it or whatever you see fit.

-Ross
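Added example (not code from the thread) for the change-detection part of Ross's list: a small file-integrity monitor that hashes a tree, diffs it against a stored baseline and emits one JSON line per change for an external collector to match against change tickets. The baseline location, the exclude list and the tamper scenario in demo() are assumptions.

```python
"""Minimal file-integrity monitor: baseline a tree, re-scan it later and
emit one JSON alert line per difference for an external log collector.

Added example, not code from the thread. The baseline location, the
exclude list and the tamper scenario in demo() are assumptions.
"""
import hashlib
import json
import os
import pathlib
import socket
import tempfile
from typing import Dict, List

# Volatile and pseudo-filesystem paths (relative to the monitored root)
# that would only generate noise. Assumed defaults.
DEFAULT_EXCLUDES = ("proc", "sys", "dev", "run", "tmp", "var/log", "var/cache")
BASELINE_PATH = "/var/lib/fim/baseline.json"  # assumed; keep a copy off-host


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str, excludes=DEFAULT_EXCLUDES) -> Dict[str, dict]:
    """Hash and stat every regular file under root, keyed by relative path."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        # Prune in place so os.walk never descends into excluded subtrees.
        dirnames[:] = sorted(d for d in dirnames
                             if os.path.join(rel_dir, d) not in excludes)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            entries[os.path.join(rel_dir, name)] = {
                "sha256": _sha256(full),
                "mode": oct(st.st_mode & 0o7777),
                "uid": st.st_uid,
                "size": st.st_size,
            }
    return entries


def diff_snapshots(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[dict]:
    """Added, removed and modified files; for modified ones 'detail' lists
    the attributes that changed (content hash, permission bits, owner, size)."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            changes.append({"kind": "added", "path": path, "detail": new})
        elif new is None:
            changes.append({"kind": "removed", "path": path, "detail": old})
        elif old != new:
            changed = [k for k in new if old.get(k) != new[k]]
            changes.append({"kind": "modified", "path": path, "detail": changed})
    return changes


def alert_lines(changes: List[dict], host: str) -> List[str]:
    """One JSON object per change, suitable for `logger` or a remote syslog."""
    return [json.dumps({"host": host, "event": "fim_change", **c}, sort_keys=True)
            for c in changes]


def save_baseline(entries: Dict[str, dict], path: str = BASELINE_PATH) -> None:
    with open(path, "w") as fh:
        json.dump(entries, fh, indent=1, sort_keys=True)


def demo() -> List[dict]:
    """Build a throwaway tree, baseline it, tamper with it, return the diff."""
    root = tempfile.mkdtemp()
    etc = pathlib.Path(root, "etc")
    etc.mkdir()
    (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    (etc / "hosts").write_text("127.0.0.1 localhost\n")
    baseline = snapshot(root)
    # Tamper: extra uid-0 account, a deleted file and a new preload library.
    with (etc / "passwd").open("a") as fh:
        fh.write("backdoor:x:0:0::/:/bin/bash\n")
    (etc / "hosts").unlink()
    (etc / "ld.so.preload").write_text("/tmp/libhide.so\n")
    return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for line in alert_lines(demo(), socket.gethostname()):
        print(line)
```

The baseline belongs off the host, and so do the alerts: anyone who gets root can rewrite a local baseline to match their changes, which is exactly why Ross wants an external system collecting and alerting rather than the server grading itself. Regenerate the baseline as the last step of every authorised change, so the next run only reports what the ticket did not cover.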
 
01-23-2009, 06:30 PM
Scott Silva

Antivirus for CentOS? (yuck!)

on 1-22-2009 4:33 AM Ralph Angenendt spake the following:
> Anne Wilson wrote:
>> On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
>>> What do you do with clamav on a linux server? Especially: How is it run
>>> by you? What do you think it protects you against on a linux server?
>> 1 - it protects you against passing on any windows viruses to windows users
>
> Yes, but how is it run? Hourly via cron? On which files? What does it
> protect against? Mind you, I'm not talking about workstations, but about
> servers.
>
> Ralph
Cron a "clamscan -ir /"
It will check the entire filesystem and report infected files.
You probably don't want to automatically delete what you find, though.

You can also scan for things like SSNs in data files lying around.


--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

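Added example (not from the thread) covering both of Scott's cron jobs: a report-only wrapper around `clamscan -ir /` that parses its FOUND lines and cross-checks them against the summary count, and a scan for SSN-looking strings in data files that applies the SSA's issuing rules to cut false positives. The exclude regexes, the scan root and the sample files in demo_ssn_scan() are assumptions; nothing here deletes or quarantines anything.

```python
"""Report-only malware sweep plus a search for Social Security Numbers in
data files. Added example, not code from the thread. The clamscan options
are the documented ones; the exclude regexes, scan root and sample files
are assumptions. Nothing here deletes or quarantines.
"""
import os
import pathlib
import re
import subprocess
import tempfile
from typing import Dict, List, Tuple

# -i: list infected files only, -r: recurse. --exclude-dir takes a regex;
# pseudo-filesystems only waste time. Deliberately no --remove.
CLAMSCAN_CMD = ["clamscan", "-ir", "/",
                "--exclude-dir=^/proc", "--exclude-dir=^/sys", "--exclude-dir=^/dev"]

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")
SUMMARY_RE = re.compile(r"^Infected files: (?P<n>\d+)$")

# SSA issuing rules: area 000, 666 and 900-999 are never issued, group 00
# and serial 0000 are invalid. They filter out many phone-number lookalikes.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed clamscan output for the demo and tests; not real results.
SAMPLE_CLAMSCAN = """\
/srv/share/incoming/setup.exe: Eicar-Test-Signature FOUND
/srv/share/incoming/q1.pdf: Constructed.Sample.Sig-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 500000
Infected files: 2
"""


def parse_clamscan(output: str) -> Tuple[List[Tuple[str, str]], int]:
    """Return ([(path, signature), ...], count from the summary; -1 if none).
    A mismatch with len(hits) means truncated output: treat as failed, not clean."""
    hits, summary_count = [], -1
    for line in output.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary_count = int(m.group("n"))
    return hits, summary_count


def run_clamscan() -> Tuple[List[Tuple[str, str]], int]:
    """clamscan exits 1 on findings and 2 on error, so parse output instead."""
    proc = subprocess.run(CLAMSCAN_CMD, capture_output=True, text=True, check=False)
    return parse_clamscan(proc.stdout)


def ssn_candidates(text: str) -> List[str]:
    return SSN_RE.findall(text)


def scan_tree_for_ssns(root: str, max_bytes: int = 4 << 20) -> Dict[str, int]:
    """Count SSN-looking strings per text file under root. Files containing
    NUL bytes are treated as binary and skipped; only max_bytes are read."""
    counts = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                data = fh.read(max_bytes)
            if b"\x00" in data:
                continue
            n = len(ssn_candidates(data.decode("utf-8", "replace")))
            if n:
                counts[os.path.relpath(full, root)] = n
    return counts


def demo_ssn_scan() -> Dict[str, int]:
    """Scan a throwaway tree of constructed files (export, phone list, binary)."""
    root = tempfile.mkdtemp()
    files = {
        "export.csv": b"id,name,ssn\n1,A,123-45-6789\n2,B,987-65-4321\n3,C,078-05-1120\n",
        "phones.txt": b"call 555-123-4567 or 000-12-3456, ref 123-00-4567\n",
        "blob.bin": b"\x00" * 8 + b"123-45-6789",
    }
    for name, data in files.items():
        pathlib.Path(root, name).write_bytes(data)
    return scan_tree_for_ssns(root)


if __name__ == "__main__":
    hits, count = parse_clamscan(SAMPLE_CLAMSCAN)
    print("clamscan hits:", hits, "summary consistent:", count == len(hits))
    print("ssn candidates per file:", demo_ssn_scan())
```

Signatures only help if they are current, so freshclam has to run before the sweep. clamscan loads the whole signature database on every invocation; for a daily sweep of a large file server, clamdscan against a running clamd is considerably faster. The SSN regex is a triage aid, not a DLP product: it will still match some account or part numbers, and it deliberately ignores SSNs written without dashes, because a bare nine-digit pattern matches almost everything.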
 
