Buster
> He is the former head of our IT department, is a Windows guy, and dislikes
> and distrusts anything Linux. His specific concern is security. Namely, he
> is worried someone can hack into our system and steal patron information. He
> is also concerned about malware in general and wants us to install
> antivirus software on it.
>
> So I guess my questions are, how do I answer the patron information concern,
> and how do I answer the malware concern? How do the rest of you handle Linux
> security concerns? What antivirus software do you use and from whence do you
> get it?
>
> Please explain it to me in a way even a Windows guy with zero understanding
> of Linux will understand it.
Sorry, he's going to need to get some understanding of Linux to understand why it's different. Here are some headlines to get you started:

* There are millions of pieces of malware for Windows, while there's some debate whether Linux malware has reached the thousands even now. http://www.securelist.com/en/analysis?pubid=204792070

* The security model is different and the Unix-style root account is really discouraged. root use is usually initiated by users, rather than the often-imitated Administrator password pop-ups initiated by programs on Windows (some recent desktop Linux versions have gained those pop-ups, which is a bug IMO). There's a longer discussion of privileges in http://www.pcworld.com/businesscenter/article/202452/why_linux_is_more_secure_than_windows.html

* We do have antivirus installed on most servers (ClamAV and others) but most of their job is fighting Windows malware which passes through our servers, wasting our electricity, disk and bandwidth.

* Most tools we use came with the distributions but I've written at least one scanner myself (for a specific piece of PHP malware that won't affect a typical Koha server) and configured some others. There are good guides like the Securing Debian Manual if you want to be more secure than a typical workstation. http://www.debian.org/doc/manuals/securing-debian-howto/ch1.en.html

* We handle most of our security concerns by setting fairly tight policies and then following security alert services from distributors at least daily. You can automate updates, but there are pros and cons to that, as with any platform.

* How you handle patron information is probably subject to your local laws and the biggest risk will probably be staff terminals. That's a matter for local IT policy: GNU/Linux will support whatever you do, as standard, through things like SELinux, or otherwise. At least with Koha on MySQL and Linux, it's in your control, rather than asking you to trust a black box from another ILS provider.
Can you present it as a relative improvement over other options?

Hope that helps,
--
MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op.
Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer.
In My Opinion Only: see http://mjr.towers.org.uk/email.html
Available for hire for various work through http://www.software.coop/

_______________________________________________
Koha mailing list http://koha-community.org
Koha@lists.katipo.co.nz
http://lists.katipo.co.nz/mailman/listinfo/koha
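An added example, not from the thread or from Koha, of the "follow distributor security alerts daily rather than blindly auto-apply" approach the reply describes: a POSIX sh script that reads the simulation output of `apt-get -s upgrade` on a Debian host and reports which pending upgrades come from the Debian-Security archive, without installing anything. The sample apt output, package names and version strings below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report pending Debian security updates
# without installing them, e.g. from a daily cron job. Feed it the output of
# "apt-get -s upgrade" (simulation mode) on stdin.

# Print the names of packages whose pending upgrade comes from the
# Debian-Security archive. apt-get -s prints one line per action, e.g.
#   Inst openssl [old-version] (new-version Debian-Security:7.0/stable [amd64])
# "Inst" marks an install/upgrade; the origin label sits inside the parentheses.
security_pending() {
    awk '$1 == "Inst" && $0 ~ /Debian-Security/ { print $2 }'
}

# Summarise pending security updates; exit status 1 when any are pending,
# so cron mail or a monitoring check can alert on it.
report_security() {
    pkgs=$(security_pending)
    if [ -z "$pkgs" ]; then
        echo "no pending security updates"
        return 0
    fi
    echo "pending security updates (not installed by this script):"
    printf '%s\n' "$pkgs" | sed 's/^/  /'
    return 1
}

# Constructed sample standing in for real "apt-get -s upgrade" output.
SAMPLE='Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  libssl1.0.0 openssl vim
Inst libssl1.0.0 [1.0.1e-2+deb7u10] (1.0.1e-2+deb7u11 Debian-Security:7.0/stable [amd64])
Inst openssl [1.0.1e-2+deb7u10] (1.0.1e-2+deb7u11 Debian-Security:7.0/stable [amd64])
Inst vim [2:7.3.547-7] (2:7.3.547-8 Debian:7.3/stable [amd64])
Conf libssl1.0.0 (1.0.1e-2+deb7u11 Debian-Security:7.0/stable [amd64])
Conf openssl (1.0.1e-2+deb7u11 Debian-Security:7.0/stable [amd64])
Conf vim (2:7.3.547-8 Debian:7.3/stable [amd64])'

# Demonstration on the constructed sample; on a real Debian host run:
#   apt-get update >/dev/null && apt-get -s upgrade | report_security
printf '%s\n' "$SAMPLE" | report_security || true
```

Only "Inst" lines are counted, so the "Conf" (configure) lines for the same packages are not double-counted, and a non-security upgrade such as the constructed `vim` line is left out of the report.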