Re: [CentOS] Antivirus for CentOS? (yuck!)
On 4/24/09 8:05 AM, NM n...@altiva.fr wrote: On Thu, 23 Apr 2009 18:10:38 -0400, Ross Walker wrote: How about running it as the untrusted user 'clamav'? How's that user going to check anything that's not o+r? How about selinux? You could make a context that allows clamav read rights to everything, and write to none. You could even develop your own PCI compliant selinux security framework that can be applied to all PCI hosts. I know there is a lot of boilerplate regulation out there, I have my fair share to deal with myself. Often hidden in the BS there is a good intention it just requires a little give and take. Give in to a little BS here to get a little break on the BS there. What the consultant should be working off of is an accurate risk assessment of the OS and the applications installed on it, not some dumb checklist. Yeah, well, problem is, you don't get to choose who's going to assess you. Well you can either go with the compliance flow, or you can let the compliance flow take you kicking and screaming. Either way your regulated now and there isn't anything you can do about it. It's the world we live in today I'm afraid. If you don't like the way the consultant is doing things, then after this cycle is complete, take control of the process. Do your own risk assessments on the hardware and software and develop your own PCI compliant controls that more accurately reflects the true threats and vulnerabilities of your environment instead of the perceived threats and vulnerabilities being used now. Having your own regular in-house risk assessment performed can only help you in both developing and supporting your decisions for which controls are applied to which systems. And even if you need a token install of anti-virus everywhere to appease the regulator gods, it isn't the end of the world. If your risk analysis of the software determines it poses a great enough risk, you can impose controls on it like I mentioned above. -Ross ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Wed, 21 Jan 2009 21:06:38 -0500, Adam Tauno Williams wrote: There is no good argument against running malware detection on any sever. Except when the malware it can detect is extremely unlikely to be an issue, because you are now running yet another process for no good reason that might have a vulnerability itself. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 22 Jan 2009 15:00:43 -0600, Les Mikesell wrote: An occasional clamav scan can't hurt. You are absolutely, completely wrong. Clamav has had vulnerabilities that could be used to cause it to execute arbitrary code in the scanned files. I don't doubt for one second that proprietary AVs have the same kind of problem, except that you can't look at the code to check for yourself. While the risk is worth taking when you are implementing a mail server or a Samba server, our PCI-DSS consultant is pushing us to have Clamav (or a proprietary product) installed on every single one of our servers in the PCI scope, even though there is not a single Windows machine in the scope. The likelyhood of an actual _virus_ infection is 0 for us. I don't mean malware -- I mean virus. The problem is that while PCI-DSS 1.2 now mentions malware as a whole, it still requires antivirus software, while only giving a weak if applicable exception. We are told we can't use it since there is at least a handful of known Linux viruses (nevermind that they are never seen in the wild) which could simply *not* infect us, since they require, by definition, that we run an infected binary. Running chkrootkit or tripwire or even rpmverify *is* useful, but it doesn't cover the antivirus requirement, we are told. So we're going to go ahead and weaken our security just to check a PCI- DSS checkbox. This is simply ridiculous. PS: I want to emphasize that by virus I mean virus, not worm or rootkit or malware or exploit. There are sploits, worms and rootkits on Linux, some are/have been quite nasty; there has *never* been an actual virus threat. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Fri, 23 Jan 2009 11:30:12 -0800, Scott Silva wrote: Cron a clamscan -ir / It will check the entire filesystem and report infected files. You probably don't want to automatically delete what you find, though. You can also scan for things like ssn's in datafiles laying around. Congratulations, anyone who can write to /tmp is all set to pwn you on the next ClamAV vuln. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 22 Jan 2009 14:01:26 -0500, Adam Tauno Williams wrote: You scan the server for malware. You run a useless process widening your attack surface. Hint: Security is a trade-off -- Schneier. Don't trade actual security for cargo cult systems administration. There is nothing special about LINUX here. The whole don't run services as root business is just so much noise. It isn't about protecting the *server* it is about protecting the *data* which is accesses [hopefully] by services which are *not* root. It is about the data and the clients that connect to the server. There is something special about Linux, it's called RPM. We don't run arbitrary binaries. We don't let strange .exe put files wherever they please. Bonus: rpmverify, free of charge. That doesn't mean that there aren't vulnerabilities or malware. It means that *viruses* are not a problem. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 22 Jan 2009 15:55:11 -0500, Adam Tauno Williams wrote: Yes, you gain the ability to detect a compromised server. Absolutely not, you don't gain that ability at all. Again we're talking *viruses* not all malware. An antivirus will never detect a good rootkit; modern rootkit employ sophisticated stealth techniques and hide themselves and their files from all other processes. They typically insert an invisible kernel module. An antivirus can't do squat about that ... because that's not a virus anyway. On the other hand an antivirus is yet another piece of useless garbage running on your server, and one more opportunity for an attacker to pwn you. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 22 Jan 2009 09:32:16 -0600, Matt wrote: FYI, clamav also detects linux based viruses. There are linux based viruses. Rkhunter is also good to run on a linux server as well. http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses Of course if you keep your passwords secure and up to date on patches you 'should' not get any viruses on a linux box. Nothing is certain though. Its very little effort to install clamav and rkhunter. Viruses have nothing to do with passwords. Viruses get passed around by infected binaries. You might be thinking of worms. Antiviruses don't protect against worms, IDSs do. Unfortunately PCI-DSS requires an AV *as well* as an IDS. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Apr 23, 2009, at 3:00 PM, NM n...@altiva.fr wrote: On Fri, 23 Jan 2009 11:30:12 -0800, Scott Silva wrote: Cron a clamscan -ir / It will check the entire filesystem and report infected files. You probably don't want to automatically delete what you find, though. You can also scan for things like ssn's in datafiles laying around. Congratulations, anyone who can write to /tmp is all set to pwn you on the next ClamAV vuln. How about running it as the untrusted user 'clamav'? I know there is a lot of boilerplate regulation out there, I have my fair share to deal with myself. Often hidden in the BS there is a good intention it just requires a little give and take. Give in to a little BS here to get a little break on the BS there. What the consultant should be working off of is an accurate risk assessment of the OS and the applications installed on it, not some dumb checklist. -Ross ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Stephen John Smoogen smo...@gmail.com wrote: On Thu, Jan 22, 2009 at 12:42 PM, David G. Miller d...@davenjudy.org wrote: Amos Shapira amos.shap...@gmail.com wrote: Hi All, Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. SNIP After reading all of the other replies (including the ones that pointed out that the PCI DSS requirement had changed the terminology from virus to malware), why not claim you are meeting the requirement by doing something useful like running chkrootkit or rkhunter on a regular basis? That way you would be scanning the systems for the only malware known to actually pose a threat to a Linux box. It may be a low probability of infection (as others have pointed out) but should satisfy the auditor and hopefully will just be a low cost exercise in futility as long as reasonable security policies are followed. Any tool will require the need to have a risk assessment against it. What is the liklihood of it finding malware? How much is updated and how does it compare to other tools. These will be questions that will need to be available for auditors to know you did your due-diligence on selecting a tool. Answering those questions would provide the arguments for running a root kit scanner instead of anti-virus software. That is, the risk of malware affecting the systems in question is low with near zero likelihood that a true virus will cause a problem but with the possibility that a rootkit could compromise the systems. Chkrootkit and rkhunter are arguably the best tools for finding a root kit. The programs are updated whenever a new threat is identified. Obviously, the OP would need more than my say so as back up for these assertions. Said back up would also make the case that scanning for non-existent threats (Linux viruses) would make no sense while scanning for a real threat makes the most sense. Cheers, Dave -- Politics, n. Strife of interests masquerading as a contest of principles. -- Ambrose Bierce ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Fri, Jan 23, 2009 at 1:10 PM, David G. Miller d...@davenjudy.org wrote: Stephen John Smoogen smo...@gmail.com wrote: On Thu, Jan 22, 2009 at 12:42 PM, David G. Miller d...@davenjudy.org wrote: Amos Shapira amos.shap...@gmail.com wrote: Hi All, Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. SNIP After reading all of the other replies (including the ones that pointed out that the PCI DSS requirement had changed the terminology from virus to malware), why not claim you are meeting the requirement by doing something useful like running chkrootkit or rkhunter on a regular basis? That way you would be scanning the systems for the only malware known to actually pose a threat to a Linux box. It may be a low probability of infection (as others have pointed out) but should satisfy the auditor and hopefully will just be a low cost exercise in futility as long as reasonable security policies are followed. Any tool will require the need to have a risk assessment against it. What is the liklihood of it finding malware? How much is updated and how does it compare to other tools. These will be questions that will need to be available for auditors to know you did your due-diligence on selecting a tool. Answering those questions would provide the arguments for running a root kit scanner instead of anti-virus software. That is, the risk of malware affecting the systems in question is low with near zero likelihood that a true virus will cause a problem but with the possibility that a rootkit could compromise the systems. Chkrootkit and rkhunter are arguably the best tools for finding a root kit. The programs are updated whenever a new threat is identified. Obviously, the OP would need more than my say so as back up for these assertions. Said back up would also make the case that scanning for non-existent threats (Linux viruses) would make no sense while scanning for a real threat makes the most sense. Typically a multi-faceted approach to intrusion detection and prevention will always be more successful and garner the best support. Servers that deal with files, whether file servers or wikis, need anti-virus software. For the best protection a different anti-virus package should be deployed on the client (say clamav on the Linux file servers/wikis, and Sophos on the client PCs). All servers should have monitoring software installed to detect changes to the environment, both for change management auditing and intrusion detection. Having an external system collect the monitoring logs and send alerts is the preferred way as manual collection and monitoring isn't timely enough, nor reliable. A good system monitoring platform like one from SolarWinds would be good here. A change management platform to receive these alerts and match them up against change requests or flag them as unauthorized events should also be in place. A platform such as Numara Footprints or even a help desk system or a bug tracking system on the low end could do this. With those in place you should be in good shape. You should then do routine vulneribility scans, penetration tests and if necessary buy into an intrusion prevention system where it scans the network activity looking for anything out of the ordinary where it can alert you to it, or alert and drop it or whatever you see fit. -Ross ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
on 1-22-2009 4:33 AM Ralph Angenendt spake the following: Anne Wilson wrote: On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote: What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server? 1 - it protects you against passing on any windows viruses to windows users Yes, but how is it run? Hourly via cron? On which files? What does it protect against? Mind you, I'm not talking about workstations, but about servers. Ralph Cron a clamscan -ir / It will check the entire filesystem and report infected files. You probably don't want to automatically delete what you find, though. You can also scan for things like ssn's in datafiles laying around. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't signature.asc Description: OpenPGP digital signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Am 22.01.2009 02:19, schrieb Amos Shapira: 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. http://www.f-prot.com/products/corporate_users/unix/ has some Linux AV products. Rainer ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Adam Tauno Williams wrote: 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? There is no good argument against running malware detection on any sever. 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. CLAMAV works well. What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server? Curious, Ralph pgpN4uJnaN7di.pgp Description: PGP signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote: What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server? 1 - it protects you against passing on any windows viruses to windows users 2 - it satisfied those auditors who can't think beyond what they have been told, especially if you have log proof. Logwatch's daily report: - clam-update Begin Last ClamAV update process started at Wed Jan 21 04:02:23 2009 Last Status: main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven) daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38, builder: ccordes) -- clam-update End - - Clamav Begin **Unmatched Entries** Database correctly reloaded (936952 signatures) -- Clamav End - That should satisfy and auditor. Anne signature.asc Description: This is a digitally signed message part. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Anne Wilson wrote: On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote: What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server? 1 - it protects you against passing on any windows viruses to windows users Yes, but how is it run? Hourly via cron? On which files? What does it protect against? Mind you, I'm not talking about workstations, but about servers. Ralph pgpotwFz9gh2d.pgp Description: PGP signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 2009-01-22 at 12:16 +, Anne Wilson wrote: On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote: What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server? 1 - it protects you against passing on any windows viruses to windows users 2 - it satisfied those auditors who can't think beyond what they have been told, especially if you have log proof. Logwatch's daily report: - clam-update Begin Last ClamAV update process started at Wed Jan 21 04:02:23 2009 Last Status: main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven) daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38, builder: ccordes) -- clam-update End - - Clamav Begin **Unmatched Entries** Database correctly reloaded (936952 signatures) -- Clamav End - That should satisfy and auditor. the above suggests that clamav signature files were updated and the database reloaded but nowhere does it suggest that any scanning of the file system occurred nor the output of such scanning which probably never occurred. What you have demonstrated is a gymnastic exercise which accomplishes little. clamd might be able to do something useful but it is not indicated above. Craig ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thursday 22 January 2009 12:46:46 Craig White wrote: On Thu, 2009-01-22 at 12:16 +, Anne Wilson wrote: On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote: What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server? 1 - it protects you against passing on any windows viruses to windows users 2 - it satisfied those auditors who can't think beyond what they have been told, especially if you have log proof. Logwatch's daily report: - clam-update Begin Last ClamAV update process started at Wed Jan 21 04:02:23 2009 Last Status: main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven) daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38, builder: ccordes) -- clam-update End - - Clamav Begin **Unmatched Entries** Database correctly reloaded (936952 signatures) -- Clamav End - That should satisfy and auditor. the above suggests that clamav signature files were updated and the database reloaded but nowhere does it suggest that any scanning of the file system occurred nor the output of such scanning which probably never occurred. What you have demonstrated is a gymnastic exercise which accomplishes little. clamd might be able to do something useful but it is not indicated above. True. As I have no windows boxes on the LAN I only run it manually, and it wasn't done on the day that that reported. The one area that I am vulnerable to is email-borne viruses, and since I am not serving those to windows boxes it is only out of curiosity that I need clamav. I'm sure there are plenty of people that can give Ralph detailed information about using it efficiently. I was merely demonstrating how easy it is to show that you keep the database up to date. You are quite right,of course, they will want to see evidence that it is scanning as well. Anne signature.asc Description: This is a digitally signed message part. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Anne Wilson wrote: I'm sure there are plenty of people that can give Ralph detailed information about using it efficiently. Sorry, I do not want to know how to use clamav efficiently, I am just wondering what good clamav will do on a server, as there aren't really any hooks into file writing or reading. Sure, I can hook up clamav into my email stream or into my proxy on that machine for filtering out requests to people who use windows boxes behind those. But I do not understand which sense clamav makes on a linux server, if there are no hooks into the kernel (I know about dazuko, but a) we don't ship it and b) last time I looked at it I couldn't get it to run properly without a *huge* speed penalty). As far as I know there is no AntiVirus solution for Linux which works the same as all the solutions under Windows do. And if you do not have real time scanning on a server/workstation, an anti virus scanner doesn't do you any good, as the time frame for attacks is just too large. Either you get it on the first shot or you can just forget about it. So again: If you want to be PCI-DSS compliant - what's the use of clamav? Ralph pgpVhme9RlXAD.pgp Description: PGP signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, Jan 22, 2009 at 8:15 AM, Ralph Angenendt ra+cen...@br-online.dera%2bcen...@br-online.de wrote: Anne Wilson wrote: I'm sure there are plenty of people that can give Ralph detailed information about using it efficiently. Sorry, I do not want to know how to use clamav efficiently, I am just wondering what good clamav will do on a server, as there aren't really any hooks into file writing or reading. Sure, I can hook up clamav into my email stream or into my proxy on that machine for filtering out requests to people who use windows boxes behind those. But I do not understand which sense clamav makes on a linux server, if there are no hooks into the kernel (I know about dazuko, but a) we don't ship it and b) last time I looked at it I couldn't get it to run properly without a *huge* speed penalty). As far as I know there is no AntiVirus solution for Linux which works the same as all the solutions under Windows do. And if you do not have real time scanning on a server/workstation, an anti virus scanner doesn't do you any good, as the time frame for attacks is just too large. Either you get it on the first shot or you can just forget about it. So again: If you want to be PCI-DSS compliant - what's the use of clamav? Ralph Check out BitDefender http://www.bitdefender.com -matt http://www.sysadminvalley.com http://www.beantownhost.com http://www.linkedin.com/in/mattboston ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 2009-01-22 at 14:15 +0100, Ralph Angenendt wrote: Anne Wilson wrote: I'm sure there are plenty of people that can give Ralph detailed information about using it efficiently. Sorry, I do not want to know how to use clamav efficiently, I am just wondering what good clamav will do on a server, as there aren't really any hooks into file writing or reading. Sure, I can hook up clamav into my email stream or into my proxy on that machine for filtering out requests to people who use windows boxes behind those. But I do not understand which sense clamav makes on a linux server, if there are no hooks into the kernel (I know about dazuko, but a) we don't ship it and b) last time I looked at it I couldn't get it to run properly without a *huge* speed penalty). As far as I know there is no AntiVirus solution for Linux which works the same as all the solutions under Windows do. And if you do not have real time scanning on a server/workstation, an anti virus scanner doesn't do you any good, as the time frame for attacks is just too large. Either you get it on the first shot or you can just forget about it. So again: If you want to be PCI-DSS compliant - what's the use of clamav? re: the last question, I simply don't know. I do know that I have an 'unsupported' version of Symantec Anti-Virus for Linux which came with their 'End Point Protection' package which I gather is a 'real-time' package but I am not interested in finding out what that would do to performance of the system. I also know that samba has a 'vfs' option for using clamd on your samba/Windows file server. Craig ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
I use AVG, they have a nice and clean Real Time Scanning piece of software for Linux see http://www.grisoft.com for general info http://www.avg.com/download-7?prd=avl to download for the different flavors of Linux I use it on my Linux boxes as well as all of my Windows Clients and Servers as well, bang for buck its one of the best out and much better than that crappy Symantic brand AV john plemons ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Matt Shields wrote: On Thu, Jan 22, 2009 at 8:15 AM, Ralph Angenendt ra+cen...@br-online.dera%2bcen...@br-online.de As far as I know there is no AntiVirus solution for Linux which works the same as all the solutions under Windows do. And if you do not have real time scanning on a server/workstation, an anti virus scanner doesn't do you any good, as the time frame for attacks is just too large. Either you get it on the first shot or you can just forget about it. Check out BitDefender http://www.bitdefender.com Bitdefender for Samba which only scans stuff on network shares and Bitdefender for Mail Servers which does the same clamav and amavisd/exiscan/whatever can do. No security products which protect servers itself, just hooks into the windows world. Supports the point I tried to make :) Ralph pgpcr4xvOZOfz.pgp Description: PGP signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
John Plemons wrote: I use AVG, they have a nice and clean Real Time Scanning piece of software for Linux Oh. So maybe dazuko now isn't a resource hog anymore? Thanks, that is the first time I've heard about a component like that. Cheers, Ralph pgpZ9MNNThjn6.pgp Description: PGP signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. So: 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? We are going through the same thing. The initial rollout was planned for only PCI critical systems, but has been expanded to SOX and business-critical servers. Given the extreme rarity of Unix/Linux related viruses, we did question why we needed to run an AV solution at all. However, we do have shares that are accessible via Windows and Mac users, so these were targeted. Per our compliance officer, though a rigid interpretation of the PCI documentation might not require full scans of every server, or even scanning every server, we would go beyond the spec. Thus, at some point we're expecting that all servers will require some sort of AV product. 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. The AV solution we were told to use was Sophos AV. Our environment is primarily AIX with a few Linux systems. Though the Linux systems had (mostly) equivalent features to the Windows product, the AIX solution was essentially a command line driven scan similar to ClamAV. Now, SophosAV on Linux requires some kernel hooks for the on-access scan. If Sophos-compiled binaries are not available for your kernel then you'd need to build them on the machine. I.e., you'd require GCC and the kernel-dev packages. Per our security requirements (not PCI specific), we do not have compilers and dev libraries on anything but development servers. Sophos also did not have an SLA as to when new binaries would be released after a new kernel. Which leads to an interesting conundrum. The Sophos product cannot do on-demand scanning without a dev environment (and compiling elsewhere was not a documented process from Sophos). So we were left with the command line, cron driven scanner. Given that the files we would target were often temporary (e.g., uploaded documents, files to be pushed into a doc manager), it made little sense to scan daily. Instead, you'd need to script processes to watch directories and holding areas. The rest of the problems were primarily with the AIX client. Anyhoo, the AV products don't put too much load on the system, depending on your scan requirements. They can do so though. E.g., if you scan compressed files, do on demand, scan across shares, etc.. The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN). ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
None... clamav, amavis, etc... are used for protecting Windows boxes behind the Linux boxes. If you aren't running any Windows hosts on the FYI, clamav also detects linux based viruses. There are linux based viruses. Rkhunter is also good to run on a linux server as well. http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses Of course if you keep your passwords secure and up to date on patches you 'should' not get any viruses on a linux box. Nothing is certain though. Its very little effort to install clamav and rkhunter. Matt ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Amos Shapira wrote: 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. I highly recommend Sophos antivirus: http://www.sophos.com/products/enterprise/endpoint/security-and-control/8.0/linux/ They seem to cost more than the competition but it's because they have a better product. Glad I don't have to deal with credit card numbers anymore the security around that stuff was a pain. nate ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Rainer Traut wrote: Am 22.01.2009 02:19, schrieb Amos Shapira: 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. http://www.f-prot.com/products/corporate_users/unix/ has some Linux AV products. And just for completeness, Symantec has AV for Linux too... it is better there than on the Windows platform, but that doesn't say much. The advantage of Symantec is that it is a well-known brand, so in some cases it can be a easy option to push through red-tape bureaucrats. -- //Morten Torstensen //Email: mor...@mortent.org //IM: morten.torsten...@gmail.com I can't listen to that much Wagner. I start getting the urge to conquer Poland. -- Woody Allen ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
But again you said it, Symantic is trash With my history of machine crashes caused by their I can do it better altitude, Run don't walk from Symantic John Plemons ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Adam Tauno Williams wrote: 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? There is no good argument against running malware detection on any sever. 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. CLAMAV works well. What do you do with clamav on a linux server? You scan the server for malware. There is nothing special about LINUX here. The whole don't run services as root business is just so much noise. It isn't about protecting the *server* it is about protecting the *data* which is accesses [hopefully] by services which are *not* root. It is about the data and the clients that connect to the server. I've seen CLAMAV find malware on web servers (maybe it isn't common... because no one is checking). Someone's crappy PHP code [is there any other kind?] allows malware to get injected into, and served, from the server. No root access anywhere, or required. It isn't about protecting the OS or the system, it is about protecting the data, the applications [from exploit], and the end-users [so the server isn't an attack vector]. Assuming none of the services on you server can be exploited is just wrong headed; and the exploiter does not need to own the server (aka have root) in order to do mischief. Access to your data is probably more valuable than whacking your server. The mantra LINUX doesn't suffer from malware is just bollocks. Lots of malware is served from LINUX servers. Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*. What do you think it protects you against on a linux server? against a linux server? ? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, Jan 22, 2009 at 12:01 PM, Adam Tauno Williams awill...@whitemice.org wrote: Adam Tauno Williams wrote: 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? There is no good argument against running malware detection on any sever. 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. CLAMAV works well. What do you do with clamav on a linux server? You scan the server for malware. There is nothing special about LINUX here. The whole don't run services as root business is just so much noise. It isn't about protecting the *server* it is about protecting the *data* which is accesses [hopefully] by services which are *not* root. It is about the data and the clients that connect to the server. I've seen CLAMAV find malware on web servers (maybe it isn't common... because no one is checking). Someone's crappy PHP code [is there any other kind?] allows malware to get injected into, and served, from the server. No root access anywhere, or required. It isn't about protecting the OS or the system, it is about protecting the data, the applications [from exploit], and the end-users [so the server isn't an attack vector]. Assuming none of the services on you server can be exploited is just wrong headed; and the exploiter does not need to own the server (aka have root) in order to do mischief. Access to your data is probably more valuable than whacking your server. The mantra LINUX doesn't suffer from malware is just bollocks. Lots of malware is served from LINUX servers. Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*. I don't know about that last sentence.. I am not familiar enough with PCI/DSS to say it protects data or protects from lawsuits. Everything else I can agree with 100%. Linux/Mac/Solaris etc are all good vectors for serving malware because they are not routinely looked at for malware (because most Unix admins think it is something that affects them.) Most malware authors learned that while they may not be able to get 'root' all they really need is normal permissions for most things because they can still open up high ports to send/recieve spam or that most systems have data at o+rw for ease of use. Does this mean that every Linux machine should have a malware detector on it that runs and scans every file? No its a matter of risk management. If you are in a high risk environment, you should know why or why not it is not in place (having other strong security measures in place with constant vigilance can be good enough or for something else it might not be.). What do you think it protects you against on a linux server? against a linux server? ? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- Stephen J Smoogen. -- BSD/GNU/Linux How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. The Merchant of Venice ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Amos Shapira amos.shap...@gmail.com wrote: Hi All, Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. So: 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN). Thanks, --Amos After reading all of the other replies (including the ones that pointed out that the PCI DSS requirement had changed the terminology from virus to malware), why not claim you are meeting the requirement by doing something useful like running chkrootkit or rkhunter on a regular basis? That way you would be scanning the systems for the only malware known to actually pose a threat to a Linux box. It may be a low probability of infection (as others have pointed out) but should satisfy the auditor and hopefully will just be a low cost exercise in futility as long as reasonable security policies are followed. Cheers, Dave -- Politics, n. Strife of interests masquerading as a contest of principles. -- Ambrose Bierce ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, Jan 22, 2009 at 12:42 PM, David G. Miller d...@davenjudy.org wrote: Amos Shapira amos.shap...@gmail.com wrote: Hi All, Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. So: 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN). Thanks, --Amos After reading all of the other replies (including the ones that pointed out that the PCI DSS requirement had changed the terminology from virus to malware), why not claim you are meeting the requirement by doing something useful like running chkrootkit or rkhunter on a regular basis? That way you would be scanning the systems for the only malware known to actually pose a threat to a Linux box. It may be a low probability of infection (as others have pointed out) but should satisfy the auditor and hopefully will just be a low cost exercise in futility as long as reasonable security policies are followed. Any tool will require the need to have a risk assessment against it. What is the liklihood of it finding malware? How much is updated and how does it compare to other tools. These will be questions that will need to be available for auditors to know you did your due-diligence on selecting a tool. -- Stephen J Smoogen. -- BSD/GNU/Linux How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. The Merchant of Venice ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Adam Tauno Williams wrote: What do you do with clamav on a linux server? You scan the server for malware. When? Every day via crontab? That can be much too late. Every hour? That can be much too late. Every 10 minutes? That can be much too late - and your server is busy scanning the file system. The mantra LINUX doesn't suffer from malware is just bollocks. Lots of malware is served from LINUX servers. Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*. I never said LINUX doesn't suffer from malware. But clamav itself is not able to scan in real time. Looks like dazuko has gotten a bit better, I don't know about clamuko. But by just installing clamav, you gain nothing protection wise. What do you think it protects you against on a linux server? against a linux server? ? When? Ralph pgpMvZ2ycn0Oi.pgp Description: PGP signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 2009-01-22 at 21:24 +0100, Ralph Angenendt wrote: Adam Tauno Williams wrote: What do you do with clamav on a linux server? You scan the server for malware. When? Every day via crontab? That can be much too late. Every hour? That can be much too late. Every 10 minutes? That can be much too late - and your server is busy scanning the file system. Verses never??? That's just silly; your making perfect an obstacle of the good. If it finds something then you KNOW you have a problem and the time frame in which it occurred: you can then access and respond and [potentially] notify. Verses what? No knowledge? The alternative is to host the malware indefinitely in blissful ignorance - or until someone else detects and reports your server. CLAMAV, or any package, isn't THE answer, it is part of an answer. And PCI/DSS requires a server be scanned on a regular basis. Fighting against that directive just makes no sense. You should scan an entire system on some interval regardless of OS. The mantra LINUX doesn't suffer from malware is just bollocks. Lots of malware is served from LINUX servers. Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*. I never said LINUX doesn't suffer from malware. But clamav itself is not able to scan in real time. Looks like dazuko has gotten a bit better, I don't know about clamuko. But by just installing clamav, you gain nothing protection wise. Yes, you gain the ability to detect a compromised server. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Adam Tauno Williams wrote: What do you do with clamav on a linux server? You scan the server for malware. There is nothing special about LINUX here. The whole don't run services as root business is just so much noise. It isn't about protecting the *server* it is about protecting the *data* which is accesses [hopefully] by services which are *not* root. It is about the data and the clients that connect to the server. Yes, but the scan has to be specific for the kind of problem you want to detect. I've seen CLAMAV find malware on web servers (maybe it isn't common... because no one is checking). Someone's crappy PHP code [is there any other kind?] allows malware to get injected into, and served, from the server. That tends to be more because someone isn't doing updates than that they aren't checking. Before a scan can help you, the scanner has to know about the problem. After someone knows about the problem there will likely be an update to fix it at least as soon as a scanner that will detect it after the fact. Which makes more sense to install? No root access anywhere, or required. It isn't about protecting the OS or the system, it is about protecting the data, the applications [from exploit], and the end-users [so the server isn't an attack vector]. Assuming none of the services on you server can be exploited is just wrong headed; But expecting a scanner to know about the exploit long before the exploit is known and fixed seems misguided as well. and the exploiter does not need to own the server (aka have root) in order to do mischief. Access to your data is probably more valuable than whacking your server. The mantra LINUX doesn't suffer from malware is just bollocks. Lots of malware is served from LINUX servers. That may be true, but the exploit that allowed it to be put there may be unrelated. For example, you may have virus-laden email being transported through a Linux server that doesn't have anything else to do with it. Or you may have a samba share where windows clients can infect it. Or, someone might get access through brute-force ssh password guessing. Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*. An occasional clamav scan can't hurt. What do you think it protects you against on a linux server? against a linux server? ? Doing frequent updates is what keeps you safe - and maybe turning off ssh password access. -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
There is nothing special about LINUX here. The whole don't run services as root business is just so much noise. It isn't about protecting the *server* it is about protecting the *data* which is accesses [hopefully] by services which are *not* root. It is about the data and the clients that connect to the server. Yes, but the scan has to be specific for the kind of problem you want to detect. The presence of a malware pattern - it is pretty straight forward. I've seen CLAMAV find malware on web servers (maybe it isn't common... because no one is checking). Someone's crappy PHP code [is there any other kind?] allows malware to get injected into, and served, from the server. That tends to be more because someone isn't doing updates than that they aren't checking. This doesn't make sense. No amount of updating will protect you from a flaw in the application code / method. One can't presume that the hosted application / service is perfect. Applications are compromised much more frequently than Operating Systems which is why the fact that it is a LINUX server doesn't matter. A scanner will potentially tell you when an application has been compromised. Before a scan can help you, the scanner has to know about the problem. After someone knows about the problem there will likely be an update to fix it at least as soon as a scanner that will detect it after the fact. Which makes more sense to install? Someone is going to release an update for your local application and configuration? Emphasis on the likely in likely be an update to fix it. And a scanner doesn't detect the security flaw, it detects that the server has been breached enough to contain malicious patterns. It has nothing to do with updates; relying on being up-to-date to prove your system is secure is akin to covering it with stickers of unicorns to protect it. No root access anywhere, or required. It isn't about protecting the OS or the system, it is about protecting the data, the applications [from exploit], and the end-users [so the server isn't an attack vector]. Assuming none of the services on you server can be exploited is just wrong headed; But expecting a scanner to know about the exploit long before the exploit is known and fixed seems misguided as well. This has nothing to do with knowing about exploits in the way you are using the term exploit (as a method of exploiting a service). It is a way to know about exploits OF a server's service. The scanner doesn't need to know anything at all about how the malicious content got there - it alerts you of it's presence. and the exploiter does not need to own the server (aka have root) in order to do mischief. Access to your data is probably more valuable than whacking your server. The mantra LINUX doesn't suffer from malware is just bollocks. Lots of malware is served from LINUX servers. That may be true, but the exploit that allowed it to be put there may be unrelated. So? For example, you may have virus-laden email being transported through a Linux server that doesn't have anything else to do with it. Or you may have a samba share where windows clients can infect it. Or, someone might get access through brute-force ssh password guessing. We are talking about completely different things. I'm talking about using a scanner to indicate that a server does not contain malware patterns indicating it has been [potentially] exploited - which is an *UNEXPECTED* event. You can't perform highly specific tests for unexpected events. The entire principle of auditing is looking for the unexpected. Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*. An occasional clamav scan can't hurt. What do you think it protects you against on a linux server? against a linux server? ? Doing frequent updates is what keeps you safe - and maybe turning off ssh password access. It isn't about being safe. It is about having configuration and policies that ***tests*** the integrity of your systems; detecting malware patterns is a critical component of that. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Adam Tauno Williams awill...@whitemice.org wrote: CLAMAV, or any package, isn't THE answer, it is part of an answer. And PCI/DSS requires a server be scanned on a regular basis. Fighting against that directive just makes no sense. You should scan an entire system on some interval regardless of OS. It's worth noting that the type of scan required by PCI DSS is not a filesystem scan by an antivirus product. It is a vulnerability scan performed by an Approved Scanning Vendor. Some other miscellanous points triggered by posts in this thread that I've read this morning: According to the Verizon 2008 Data Breaches Report, in over 90% of cases where a successful attack exploited a vulnerability, there was a patch available for at least six months prior to the breach. So the first thing we can say is that there is good reason to patch your system - it's definitely an effective activity. While the most popular attack methods of cybercriminals are hacking and malcode (again, the Verizon report confirms this), malcode is much more popular in the Windows world and hacking is the method of choice against Linux boxes, imho (SSH brute-forcing worms notwithstanding). This means that anti-virus products will be less effective in safeguarding the data on a Linux box, and host intrustion detection systems are correspondingly more effective. Most attacks against servers are conducted against the application layer code (PHP vulnerabilities, especially, but also SQL injection, etc.) Again, anti-virus products are not effective here, particularly since the original poster seems to be running custom code (internally-developed or outsourced). The best controls here will be HIDS like AIDE and Tripwire, as well as network IDS. An attacker who exploits a server might upload some recognisable malware, and an anti-virus scanner might pick it up, but I'm not sure whether (e.g.) ClamAV has signatures for stuff like eggdrop IRC servers, phishing sites and other stuff sometimes turns up on compromised hosts. The bulk of the signature database is undoubtedly Windows malware. However, a determined attacker, who knows what the server hosts, is much more likely to either use SQL injection or command injection techniques to extract credit card info (use NIDS to detect this) or to install a rootkit to allow him to come and go more easily (and HIDS will detect this). Remember, there are two problems to be solved here: a) Get the systems past the PCI-DSS Assessor b) Do something useful to actually protect the systems It would be great if both problems had the same solution, but that depends on how clueful the Assessor is (and how artfully the original poster can manage him). Right now, the original poster's employer is paying him to solve a), and will probably only worry about b) much later, should the excrement actually hit the fan. If installing ClamAV is what it takes to solve a), just do it and then get to work on b). Best, --- Les Bell, RHCE, CISSP, M.Info.Tech (Systems Security) [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Adam Tauno Williams wrote: Yes, but the scan has to be specific for the kind of problem you want to detect. The presence of a malware pattern - it is pretty straight forward. Only for known instances of malware. This doesn't make sense. No amount of updating will protect you from a flaw in the application code / method. Of course it will. One can't presume that the hosted application / service is perfect. Which is why things are fixed and updated. Applications are compromised much more frequently than Operating Systems which is why the fact that it is a LINUX server doesn't matter. A scanner will potentially tell you when an application has been compromised. No, a scanner will only tell you when known patterns are present. Before a scan can help you, the scanner has to know about the problem. After someone knows about the problem there will likely be an update to fix it at least as soon as a scanner that will detect it after the fact. Which makes more sense to install? Someone is going to release an update for your local application and configuration? Yes, you can create your own problems that no one else can fix, but you are also probably running php, ssh, bind and an assortment of standard services that have known vulnerabilities if not updated. Emphasis on the likely in likely be an update to fix it. And a scanner doesn't detect the security flaw, it detects that the server has been breached enough to contain malicious patterns. known patterns. It has nothing to do with updates; relying on being up-to-date to prove your system is secure is akin to covering it with stickers of unicorns to protect it. That's not quite the way it works. When anyone else has noticed an exploit and figures out how it happened, or examines some code and finds how one could happen, it is reported and fixed. And the next update will prevent it. Not quite the same as stickers - but similar to the way the known patterns for scanners become known. Assuming none of the services on you server can be exploited is just wrong headed; But expecting a scanner to know about the exploit long before the exploit is known and fixed seems misguided as well. This has nothing to do with knowing about exploits in the way you are using the term exploit (as a method of exploiting a service). It is a way to know about exploits OF a server's service. The scanner doesn't need to know anything at all about how the malicious content got there - it alerts you of it's presence. But it does have to know the content itself, and there's not much reason to think you will know this content without knowing how to stop the related exploit. We are talking about completely different things. I'm talking about using a scanner to indicate that a server does not contain malware patterns indicating it has been [potentially] exploited - which is an *UNEXPECTED* event. No, scanners only scan for known and sort-of expected things. You can't perform highly specific tests for unexpected events. The entire principle of auditing is looking for the unexpected. But scanning doesn't do that. There is some value in knowing that you do have those known patterns present, but you can't deduce that you don't have any unexpected problems if you don't find them. Doing frequent updates is what keeps you safe - and maybe turning off ssh password access. It isn't about being safe. It is about having configuration and policies that ***tests*** the integrity of your systems; detecting malware patterns is a critical component of that. As long as you realize that it is only a test for certain known patterns that don't have much to do with linux problems, fine. Just don't assume that it proves anything about integrity when you don't find them. Your real problem may be that someone has guessed your ssh password and installed a rootkit that hides itself from all normal scans (remember, running programs continue to run even if the filename is erased so scans don't find it). -- Les Mikesell lesmikes...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
I run this on a centos-server I have. The machine comes to crawl when I open up the Symantec-GUI. I think the GUI is built on java, which might make the machine slower than necessary. Probably the CLI-interface is more responsive. -- /Sorin -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Morten Torstensen Sent: Thursday, January 22, 2009 7:18 PM To: CentOS mailing list Subject: Re: [CentOS] Antivirus for CentOS? (yuck!) And just for completeness, Symantec has AV for Linux too... it is better there than on the Windows platform, but that doesn't say much. The advantage of Symantec is that it is a well-known brand, so in some cases it can be a easy option to push through red-tape bureaucrats. smime.p7s Description: S/MIME cryptographic signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] Antivirus for CentOS? (yuck!)
Hi All, Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. So: 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN). Thanks, --Amos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, 2009-01-22 at 12:19 +1100, Amos Shapira wrote: Hi All, Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Note - I am *NOT* a lawyer. This advice is freely given, and may be worth exactly what you paid for it... ;) Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. So: 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? Yep - on the wikipedia page you referenced, look in the Requirements section, section 5. It says: Use and regularly update anti-virus software on all systems commonly affected by malware Note that CentOS isn't commonly affected by malware. So you should be okay here. 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. None... clamav, amavis, etc... are used for protecting Windows boxes behind the Linux boxes. If you aren't running any Windows hosts on the same network as the Linux hosts, that should take care of the sweet spot of the AV argument. (Though if you're connected to a site via VPN or private link that has Windows boxes, that may be a different story.) The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN). Yep - then you want to make sure that since you're using a VPN, nothing (like say, an Apache worm) can jump over... PCI Compliance can be a bear. Just make sure that you have management buy-in, and good external scanning vendor... -I ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
2009/1/22 Ian Forde i...@duckland.org: On Thu, 2009-01-22 at 12:19 +1100, Amos Shapira wrote: Hi All, Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Note - I am *NOT* a lawyer. This advice is freely given, and may be worth exactly what you paid for it... ;) Thanks. We are paying some guy ~$US2000 a day to do this officially. But any preperation we can make to shorten the time he spends with us might save us a lot of money. And your advise below looks very reasonable. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. So: 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? Yep - on the wikipedia page you referenced, look in the Requirements section, section 5. It says: Use and regularly update anti-virus software on all systems commonly affected by malware Note that CentOS isn't commonly affected by malware. So you should be okay here. :) Thanks. 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. None... clamav, amavis, etc... are used for protecting Windows boxes behind the Linux boxes. If you aren't running any Windows hosts on the e.g. in situations where the Linux box is the internet-facing SMTP server, right? same network as the Linux hosts, that should take care of the sweet spot of the AV argument. (Though if you're connected to a site via VPN or private link that has Windows boxes, that may be a different story.) Rightso. You reminded me - we have a couple of Windows servers there as well (running software we didn't get around to port to Linux yet). They only talk to internal systems and we'll install BitDefender on them (that's what we have around here). They talk to a couple of the Linux servers internally using our proprietary protocol. Is this the sort of situation that triggers requirement for AV on linux? The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN). Yep - then you want to make sure that since you're using a VPN, nothing (like say, an Apache worm) can jump over... Yes. We defined the PCI Zone as the remote data centre and have a border between it and the rest of the world, including our offices. PCI Compliance can be a bear. Just make sure that you have management buy-in, and good external scanning vendor... This requirement came from management, though the vendor we picked gives an impression that he knows his stuff about security and will help with real pen-testing rather than just tick boxes on papers. Thanks very much for your help! Cheers, --Amos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. Eset has a current linux client, though their product *AND* support suck the biggest one. https://www.icsalabs.com/icsa/product.php?tid=dfgdf$gdhkkjk- for more HTH, jlc ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? There is no good argument against running malware detection on any sever. 2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. CLAMAV works well. The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN). ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Ian Forde i...@duckland.org wrote: Yep - on the wikipedia page you referenced, look in the Requirements section, section 5. It says: Use and regularly update anti-virus software on all systems commonly affected by malware I doubt Amos's QSA is using Wikipedia as his reference, unfortunately. The PCI DSS Ver 1.2 standard (of Oct. 2008 - get it from https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html) actually states: 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). but then goes on, under Testing Procedures to state: 5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists. Unfortunately, both open-source and commercial anti-virus software that will run on Centos do exist, which gives the assessor some wiggle-room. Even worse, the Summary of Changes from 1.1 to 1.2 says: Requirement Testing Procedure: Clarified requirement applies to all operating systems types commonly affected by malicious software, if applicable anti-virus technology exists. Besides use of the term anti-virus software, changed the term virus to malicious software. Deleted note stating Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes. That last sentence is a killer, unfortunately - it means they have been tightening up on *ix systems. Looks like you could be in for a battle if the QSA is an intransigent sort. You could argue that while anti-virus programs do exist, their purpose is to detect infected files which could harm connected Windows systems, and are therefore not applicable in your specific case, particularly since you are using proprietary protocols and not running Windows file-sharing software (e.g. Samba, FTP, etc.) It really comes down to whether your Assessor is clueful, or a box-ticking droid. Best, --- Les Bell [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Amos Shapira wrote: 2009/1/22 Ian Forde i...@duckland.org: same network as the Linux hosts, that should take care of the sweet spot of the AV argument. (Though if you're connected to a site via VPN or private link that has Windows boxes, that may be a different story.) Rightso. You reminded me - we have a couple of Windows servers there as well (running software we didn't get around to port to Linux yet). They only talk to internal systems and we'll install BitDefender on them (that's what we have around here). IF AV is needed, then BitDefender used to do a free command line based package for Linux. I don't know if it's still available, but if that's what you're using then might be worth looking into for evaluation purposes. The free version might not be available for commercial use though, but if you're already purchasing licences from them... The joke of this is that when I tested a bunch of Linux based AVs a few years back, most of them didn't actually detect any Linux virus samples in my corpus - they only detected Windows-based samples. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
ClamAV is probably your best bet. That said, the question is, what do you scan? It can be used several ways, typically scanning files on demand... its not an intrusion detection system like most MS Windows scanners, where it automatically scans every file being read or written (while slowing the system down 300%).If your system isn't handling 'files', it becomes harder to figure out what to do with it... I suppose you could crontab a nightly scan of all files on the system with clamscan, or something. of course, you want to run freshclam once or twice a day to pick up new definitions. I most typically use ClamAV in my email flow, where MailScanner runs every inbound (and outbound) email through it. I've also run it periodically against file systems used as a file server. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much. Sophos AV if you have to get something on. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Thu, Jan 22, 2009 at 12:19:27PM +1100, Amos Shapira wrote: Hi All, Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. So: 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? Amos - the best argument I have ever seen along those lines is here : (And its a good one ) http://linuxmafia.com/~rick/faq/index.php?page=virus All UNIX/Linux aficionados should be familiar with its content. FAIR WARNING, It is long and complex. Because it is comprehensive and detailed. Those among you familiar with Rick Moen will understand and appreciate why. A portion pasted here: The most recent version of these essays can be found at http://linuxmafia.com/~rick/faq/. Rick's Rants Virus . . . o Should I get anti-virus software for my Linux box? o But didn't security expert Simson Garfinkel say that all Linux systems need virus checkers? o Don't the rise of Linux worms show that Linux now has a virus problem? o Isn't Microsoft Corporation's market dominance, making Linux an insignificant target, the only reason it doesn't have a virus problem? o But how can you say there's no virus problem, when there have been several dozen Linux viruses? Should I get anti-virus software for my Linux box? The problem with answering this question is that those asking it know only OSes where viruses, trojan-horse programs, worms, nasty Javascripts, ActiveX controls with destructive payloads, and ordinary misbehaved applications are a constant threat to their computing. Therefore, they refuse to believe Linux could be different, no matter what they hear. And yet it is. Here's the short version of the answer: No. If you simply never run untrusted executables while logged in as the root user (or equivalent), all the virus checkers in the world will be at best superfluous; at worst, downright harmful. Hostile executables (including viruses) are almost unfindable in the Linux world — and no real threat to it — because they lack root-user authority, and because Linux admins are seldom stupid enough to run untrusted executables as root, and because Linux users' sources for privileged executables enjoy paranoid-grade scrutiny (such that any unauthorised changes would be detected and remedied). Here's the long version: Still no. Any program on a Linux box, viruses included, can only do what the user who ran it can do. Real users aren't allowed to hurt the system (only the root user can), so neither can programs they run. Because of the distinction between privileged (root-run) processes and user-owned processes, a hostile executable that a non-root user receives (or creates) and then executes (runs) cannot infect or otherwise manipulate the system as a whole. Just as you can delete only your own files (i.e., those you have write permission to), executables you run cannot affect other users' (or root's) files. Therefore, although you can create (or retrieve), and then run, a virus, worm, trojan horse, etc., it can't do much. Unless you do so as root. Which it's simple to avoid doing. == This is just the beginning - it continues on to cover every aspect of the issue in a mere 1100 lines All of it well worth reading. Jeff Kinz. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
On Wed, 2009-01-21 at 21:06 -0500, Adam Tauno Williams wrote: Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box. 1. Has anyone here gone though such a procedure and got good arguments against the need for anti-virus? There is no good argument against running malware detection on any sever. That depends upon how you define malware detection. Antivirus software for Linux typically scans for Windows viruses and malware. On the other hand, if you're talking about detection in the sense of Tripwire, or a cron job that runs a 'rpm -V' every night, I completely agree that this is something that should be done. CLAMAV works well. For detecting Windows malware, which isn't really the point... -I ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Antivirus for CentOS? (yuck!)
Ian Forde i...@duckland.org wrote: That depends upon how you define malware detection. Antivirus software for Linux typically scans for Windows viruses and malware. On the other hand, if you're talking about detection in the sense of Tripwire, or a cron job that runs a 'rpm -V' every night, I completely agree that this is something that should be done. Bingo. The changes made in PCI DSS v 1.2 broaden the scope of section 5 from viruses to malicious software. This covers viruses, worms, trojans, spyware, rootkits, etc. Use of AIDE or Open-Source Tripwire, with a carefully set up policy, should meet the requirements. I would write an explanation of non-applicability that states that CentOS is at low risk of infection by viruses and only slightly higher risk of infection by worms, and that implementation of a host filesystem integrity verification system (or host intrusion detection system) provides an appropriate control to alert administrators to unauthorised changes of any kind on the system. Add appropriate verbiage about SELinux, etc. if appropriate. I'd say that should get the job done. Best, --- Les Bell [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
