Re: [CentOS] Antivirus for CentOS? (yuck!)
On Wed, 21 Jan 2009 21:06:38 -0500, Adam Tauno Williams wrote:

> There is no good argument against running malware detection on any server.

Except when the malware it can detect is extremely unlikely to be an issue, because you are now running yet another process for no good reason that might have a vulnerability itself.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 22 Jan 2009 15:00:43 -0600, Les Mikesell wrote:

> An occasional clamav scan can't hurt.

You are absolutely, completely wrong. Clamav has had vulnerabilities that could be used to cause it to execute arbitrary code in the scanned files. I don't doubt for one second that proprietary AVs have the same kind of problem, except that you can't look at the code to check for yourself.

While the risk is worth taking when you are implementing a mail server or a Samba server, our PCI-DSS consultant is pushing us to have Clamav (or a proprietary product) installed on every single one of our servers in the PCI scope, even though there is not a single Windows machine in the scope. The likelihood of an actual _virus_ infection is 0 for us. I don't mean malware -- I mean virus.

The problem is that while PCI-DSS 1.2 now mentions malware as a whole, it still requires antivirus software, while only giving a weak "if applicable" exception. We are told we can't use it since there is at least a handful of known Linux viruses (never mind that they are never seen in the wild) which could simply *not* infect us, since they require, by definition, that we run an infected binary. Running chkrootkit or tripwire or even rpmverify *is* useful, but it doesn't cover the antivirus requirement, we are told.

So we're going to go ahead and weaken our security just to check a PCI-DSS checkbox. This is simply ridiculous.

PS: I want to emphasize that by virus I mean virus, not worm or rootkit or malware or exploit. There are sploits, worms and rootkits on Linux, some are/have been quite nasty; there has *never* been an actual virus threat.
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Fri, 23 Jan 2009 11:30:12 -0800, Scott Silva wrote:

> Cron a clamscan -ir /. It will check the entire filesystem and report infected files. You probably don't want to automatically delete what you find, though. You can also scan for things like SSNs in datafiles lying around.

Congratulations, anyone who can write to /tmp is all set to pwn you on the next ClamAV vuln.
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 22 Jan 2009 14:01:26 -0500, Adam Tauno Williams wrote:

> You scan the server for malware.

You run a useless process widening your attack surface. Hint: Security is a trade-off -- Schneier. Don't trade actual security for cargo cult systems administration.

> There is nothing special about LINUX here. The whole "don't run services as root" business is just so much noise. It isn't about protecting the *server*, it is about protecting the *data* which is accessed [hopefully] by services which are *not* root. It is about the data and the clients that connect to the server.

There is something special about Linux, it's called RPM. We don't run arbitrary binaries. We don't let strange .exe put files wherever they please. Bonus: rpmverify, free of charge. That doesn't mean that there aren't vulnerabilities or malware. It means that *viruses* are not a problem.
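Both the PCI-DSS reply earlier in the thread and this one point at rpmverify as the integrity check that is actually useful. As an added example, not code from anyone in this thread, the script below triages `rpm -Va` output so that edited config files and mtime-only drift do not drown out modified binaries or missing package files. The sample output is constructed, and the severity rules are my own assumptions rather than anything rpm defines.

```python
import re

# Constructed sample of `rpm -Va` output (not captured from any poster's host).
# rpm's verify layout: a flags field (S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime, P capabilities; '.' = unchanged) or the
# word "missing", an optional attribute letter (c config, d doc, g ghost,
# l license, r readme), then the path.
SAMPLE_RPM_VERIFY = """\
.......T.    /usr/bin/passwd
.......T.  c /etc/hosts
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/sbin/sshd
missing      /usr/lib64/libexample.so.1
.M.......    /bin/ping
S.5....T.  d /usr/share/doc/foo/README
"""

LINE_RE = re.compile(r"^(missing|[SM5DLUGTP.]{8,9})\s+(?:([cdglr])\s+)?(/\S.*)$")

def parse_verify_line(line):
    """Split one verify line into (flags, attribute, path); None if it is not one."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    return m.group(1), m.group(2) or "", m.group(3)

def classify(flags, attr):
    """Rate one record as 'high', 'notice' or 'ignore' (assumed policy, not rpm's)."""
    if attr in ("d", "l", "r", "g"):   # docs, licenses, ghost files: noise
        return "ignore"
    if flags == "missing":
        return "high"
    changed = set(flags) - {"."}
    if attr == "c":                    # local config edits are expected
        return "notice" if changed - {"T"} else "ignore"
    if changed <= {"T"}:               # mtime-only drift on a package file
        return "ignore"
    return "high"                      # content, mode or owner changed on a binary/library

def triage(verify_output):
    """Return (severity, path, flags) for every record that is not 'ignore'."""
    findings = []
    for line in verify_output.splitlines():
        rec = parse_verify_line(line)
        if rec is None:                # skip lines that are not verify records
            continue
        flags, attr, path = rec
        severity = classify(flags, attr)
        if severity != "ignore":
            findings.append((severity, path, flags))
    return findings
```

Feed it the real thing with `rpm -Va 2>/dev/null | python3 -c 'import sys, triage; ...'` or call `triage(sys.stdin.read())`; a changed digest on something like /usr/sbin/sshd is exactly what neither an AV signature nor a config-drift report would flag for you.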
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 22 Jan 2009 15:55:11 -0500, Adam Tauno Williams wrote:

> Yes, you gain the ability to detect a compromised server.

Absolutely not, you don't gain that ability at all. Again we're talking *viruses*, not all malware. An antivirus will never detect a good rootkit; modern rootkits employ sophisticated stealth techniques and hide themselves and their files from all other processes. They typically insert an invisible kernel module. An antivirus can't do squat about that ... because that's not a virus anyway. On the other hand an antivirus is yet another piece of useless garbage running on your server, and one more opportunity for an attacker to pwn you.
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 22 Jan 2009 09:32:16 -0600, Matt wrote:

> FYI, clamav also detects Linux-based viruses. There are Linux-based viruses. Rkhunter is also good to run on a Linux server as well.
> http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses
> Of course if you keep your passwords secure and up to date on patches you 'should' not get any viruses on a Linux box. Nothing is certain though. It's very little effort to install clamav and rkhunter.

Viruses have nothing to do with passwords. Viruses get passed around by infected binaries. You might be thinking of worms. Antiviruses don't protect against worms, IDSs do. Unfortunately PCI-DSS requires an AV *as well* as an IDS.