Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-04-25 Thread Ross Walker
On 4/24/09 8:05 AM, NM n...@altiva.fr wrote:

 On Thu, 23 Apr 2009 18:10:38 -0400, Ross Walker wrote:
 
 How about running it as the untrusted user 'clamav'?
 
 How's that user going to check anything that's not o+r?

How about selinux? You could make a context that allows clamav read rights
to everything, and write to none. You could even develop your own PCI
compliant selinux security framework that can be applied to all PCI hosts.

 I know there is a lot of boilerplate regulation out there, I have my
 fair share to deal with myself. Often hidden in the BS there is a good
 intention it just requires a little give and take. Give in to a little
 BS here to get a little break on the BS there.
 
 What the consultant should be working off of is an accurate risk
 assessment of the OS and the applications installed on it, not some dumb
 checklist.
 
 Yeah, well, problem is, you don't get to choose who's going to assess you.

Well you can either go with the compliance flow, or you can let the
compliance flow take you kicking and screaming. Either way you're regulated
now and there isn't anything you can do about it. It's the world we live in
today I'm afraid.

If you don't like the way the consultant is doing things, then after this
cycle is complete, take control of the process. Do your own risk assessments
on the hardware and software and develop your own PCI compliant controls
that more accurately reflect the true threats and vulnerabilities of your
environment instead of the perceived threats and vulnerabilities being
used now.

Having your own regular in-house risk assessment performed can only help you
in both developing and supporting your decisions for which controls are
applied to which systems. And even if you need a token install of anti-virus
everywhere to appease the regulator gods, it isn't the end of the world. If
your risk analysis of the software determines it poses a great enough risk,
you can impose controls on it like I mentioned above.

-Ross


___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-04-23 Thread NM
On Wed, 21 Jan 2009 21:06:38 -0500, Adam Tauno Williams wrote:

 There is no good argument against running malware detection on any
 server.

Except when the malware it can detect is extremely unlikely to be an 
issue, because you are now running yet another process for no good reason 
that might have a vulnerability itself.



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-04-23 Thread NM
On Thu, 22 Jan 2009 15:00:43 -0600, Les Mikesell wrote:

 An occasional clamav scan can't hurt.

You are absolutely, completely wrong.

Clamav has had vulnerabilities that could be used to cause it to execute 
arbitrary code in the scanned files. I don't doubt for one second that 
proprietary AVs have the same kind of problem, except that you can't look 
at the code to check for yourself.

While the risk is worth taking when you are implementing a mail server or 
a Samba server, our PCI-DSS consultant is pushing us to have Clamav (or a 
proprietary product) installed on every single one of our servers in the 
PCI scope, even though there is not a single Windows machine in the 
scope. 

The likelihood of an actual _virus_ infection is 0 for us. I don't mean 
malware -- I mean virus. The problem is that while PCI-DSS 1.2 now 
mentions malware as a whole, it still requires antivirus software, 
while only giving a weak if applicable exception. We are told we can't 
use it since there is at least a handful of known Linux viruses 
(never mind that they are never seen in the wild) which could simply *not* 
infect us, since they require, by definition, that we run an infected 
binary. Running chkrootkit or tripwire or even rpmverify *is* useful, but 
it doesn't cover the antivirus requirement, we are told. 

So we're going to go ahead and weaken our security just to check a PCI-
DSS checkbox. This is simply ridiculous.

PS: I want to emphasize that by virus I mean virus, not worm or 
rootkit or malware or exploit. There are sploits, worms and 
rootkits on Linux, some are/have been quite nasty; there has *never* been 
an actual virus threat. 



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-04-23 Thread NM
On Fri, 23 Jan 2009 11:30:12 -0800, Scott Silva wrote:

 Cron a clamscan -ir /
 It will check the entire filesystem and report infected files. You
 probably don't want to automatically delete what you find, though.
 
 You can also scan for things like ssn's in datafiles laying around.

Congratulations, anyone who can write to /tmp is all set to pwn you on 
the next ClamAV vuln. 



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-04-23 Thread NM
On Thu, 22 Jan 2009 14:01:26 -0500, Adam Tauno Williams wrote:

 You scan the server for malware.

You run a useless process widening your attack surface. 

Hint: Security is a trade-off -- Schneier.

Don't trade actual security for cargo cult systems administration.

 There is nothing special about LINUX here.  The whole don't run
 services as root business is just so much noise.  It isn't about
 protecting the *server* it is about protecting the *data* which is
 accesses [hopefully] by services which are *not* root.  It is about the
 data and the clients that connect to the server.

There is something special about Linux, it's called RPM. We don't run 
arbitrary binaries. We don't let strange .exe put files wherever they 
please. Bonus: rpmverify, free of charge.

That doesn't mean that there aren't vulnerabilities or malware. It means 
that *viruses* are not a problem.

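NM's argument in this post and the earlier one is that package verification and file-integrity tools (rpmverify, tripwire, chkrootkit) catch what actually threatens a Linux host, such as a trojaned binary, a dropped setuid shell or a deleted config, where a signature scanner does not. The following is an added example, not code from the thread or from any of the tools it names, showing the mechanism behind `rpm -V`, tripwire and similar tools in plain Python: record a baseline of content hashes, modes and ownership, then diff a later snapshot against it. The sample tree, the file names and the setuid heuristic are constructed for the example. Note that a baseline stored on the host is only as trustworthy as the host: root can rewrite it along with the files, which is why tripwire-style tools want the database off-box or signed, and why `rpm -V` (which compares against the attributes recorded in the RPM database, also on the host) is a convenience check rather than a tamper-proof one.

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Record (content, mode, uid, gid) for every regular file and symlink
    under root, keyed by path relative to root.  Symlinks are recorded by
    their target string so a redirected link shows up as a modification."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                db[rel] = ("link:" + os.readlink(full), st.st_mode, st.st_uid, st.st_gid)
            elif stat.S_ISREG(st.st_mode):
                db[rel] = (sha256_file(full), st.st_mode, st.st_uid, st.st_gid)
    return db


def compare(old, new):
    """Diff two baselines.  'modified' is a content change, 'perms' a change of
    mode or owner, 'setuid' any file that is setuid/setgid now and was not
    recorded that way before (the classic dropped root shell)."""
    report = {"added": [], "removed": [], "modified": [], "perms": [], "setuid": []}
    suid_bits = stat.S_ISUID | stat.S_ISGID
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            if old[rel][0] != new[rel][0]:
                report["modified"].append(rel)
            if old[rel][1:] != new[rel][1:]:
                report["perms"].append(rel)
        if rel in new and new[rel][1] & suid_bits:
            if rel not in old or not (old[rel][1] & suid_bits):
                report["setuid"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a small tree, then do what a rootkit
    install typically does (trojan a binary, drop a setuid shell, remove a
    config file) and diff the result against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        ls = os.path.join(root, "bin", "ls")
        conf = os.path.join(root, "etc.conf")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        os.chmod(ls, 0o755)
        with open(conf, "wb") as f:
            f.write(b"listen=127.0.0.1\n")
        before = baseline(root)

        with open(ls, "ab") as f:            # trojaned binary: content changes
            f.write(b"# backdoor\n")
        shell = os.path.join(root, "bin", "sh2")
        with open(shell, "wb") as f:         # dropped setuid shell
            f.write(b"\x7fELF")
        os.chmod(shell, 0o4755)
        os.remove(conf)                      # deleted file
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind, ", ".join(paths) or "-"))
```

The diff is only as good as the baseline's provenance: take it from a known-good install (or a freshly installed package set), keep it somewhere the monitored host cannot rewrite, and treat "perms" and "setuid" findings as higher priority than "modified", since a new setuid file needs no further action from an attacker to be useful.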


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-04-23 Thread NM
On Thu, 22 Jan 2009 15:55:11 -0500, Adam Tauno Williams wrote:

 Yes, you gain the ability to detect a compromised server.

Absolutely not, you don't gain that ability at all. Again we're talking 
*viruses* not all malware. An antivirus will never detect a good rootkit; 
modern rootkits employ sophisticated stealth techniques and hide 
themselves and their files from all other processes. They typically 
insert an invisible kernel module. An antivirus can't do squat about 
that ... because that's not a virus anyway.

On the other hand an antivirus is yet another piece of useless garbage 
running on your server, and one more opportunity for an attacker to pwn 
you. 



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-04-23 Thread NM
On Thu, 22 Jan 2009 09:32:16 -0600, Matt wrote:

 FYI, clamav also detects linux based viruses.  There are linux based
 viruses.  Rkhunter is also good to run on a linux server as well.
 
 http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses
 
 Of course if you keep your passwords secure and up to date on patches
 you 'should' not get any viruses on a linux box.  Nothing is certain
 though. It's very little effort to install clamav and rkhunter.


Viruses have nothing to do with passwords. Viruses get passed around by 
infected binaries. You might be thinking of worms. Antiviruses don't 
protect against worms, IDSs do. Unfortunately PCI-DSS requires an AV *as 
well* as an IDS. 



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-04-23 Thread Ross Walker
On Apr 23, 2009, at 3:00 PM, NM n...@altiva.fr wrote:

 On Fri, 23 Jan 2009 11:30:12 -0800, Scott Silva wrote:

 Cron a clamscan -ir /
 It will check the entire filesystem and report infected files. You
 probably don't want to automatically delete what you find, though.

 You can also scan for things like ssn's in datafiles laying around.

 Congratulations, anyone who can write to /tmp is all set to pwn you on
 the next ClamAV vuln.

How about running it as the untrusted user 'clamav'?

I know there is a lot of boilerplate regulation out there, I have my  
fair share to deal with myself. Often hidden in the BS there is a good  
intention it just requires a little give and take. Give in to a little  
BS here to get a little break on the BS there.

What the consultant should be working off of is an accurate risk  
assessment of the OS and the applications installed on it, not some  
dumb checklist.

-Ross



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-23 Thread David G. Miller
Stephen John Smoogen smo...@gmail.com wrote:

 On Thu, Jan 22, 2009 at 12:42 PM, David G. Miller d...@davenjudy.org wrote:
   
  Amos Shapira amos.shap...@gmail.com wrote:
 
 
  Hi All,
 
  Yes, I know, it's really really embarrassing to have to ask but I'm
  being pushed to the wall with PCI DSS Compliance procedure
  (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
  we don't need to install an anti-virus or find an anti-virus to run on
  our CentOS 5 servers.
 
  Whatever I do - it needs to be convincing enough to make the PCI
  compliance guy tick the box.
   
SNIP
  After reading all of the other replies (including the ones that pointed
  out that the PCI DSS requirement had changed the terminology from
  virus to malware), why not claim you are meeting the requirement by
  doing something useful like running chkrootkit or rkhunter on a regular
  basis?  That way you would be scanning the systems for the only malware
  known to actually pose a threat to a Linux box.  It may be a low
  probability of infection (as others have pointed out) but should satisfy
  the auditor and hopefully will just be a low cost exercise in futility
  as long as reasonable security policies are followed.
 

 Any tool will require the need to have a risk assessment against it.
 What is the likelihood of it finding malware? How much is updated and
 how does it compare to other tools. These will be questions that will
 need to be available for auditors to know you did your due-diligence
 on selecting a tool.
Answering those questions would provide the arguments for running a root 
kit scanner instead of anti-virus software.  That is, the risk of 
malware affecting the systems in question is low with near zero 
likelihood that a true virus will cause a problem but with the 
possibility that a rootkit could compromise the systems.  Chkrootkit and 
rkhunter are arguably the best tools for finding a root kit.  The 
programs are updated whenever a new threat is identified. 

Obviously, the OP would need more than my say so as back up for these 
assertions.  Said back up would also make the case that scanning for 
non-existent threats (Linux viruses) would make no sense while scanning 
for a real threat makes the most sense.

Cheers,
Dave

-- 
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-23 Thread Ross Walker
On Fri, Jan 23, 2009 at 1:10 PM, David G. Miller d...@davenjudy.org wrote:
 Stephen John Smoogen smo...@gmail.com wrote:

 On Thu, Jan 22, 2009 at 12:42 PM, David G. Miller d...@davenjudy.org wrote:

  Amos Shapira amos.shap...@gmail.com wrote:
 

  Hi All,
 
  Yes, I know, it's really really embarrassing to have to ask but I'm
  being pushed to the wall with PCI DSS Compliance procedure
  (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
  we don't need to install an anti-virus or find an anti-virus to run on
  our CentOS 5 servers.
 
  Whatever I do - it needs to be convincing enough to make the PCI
  compliance guy tick the box.

 SNIP
  After reading all of the other replies (including the ones that pointed
  out that the PCI DSS requirement had changed the terminology from
  virus to malware), why not claim you are meeting the requirement by
  doing something useful like running chkrootkit or rkhunter on a regular
  basis?  That way you would be scanning the systems for the only malware
  known to actually pose a threat to a Linux box.  It may be a low
  probability of infection (as others have pointed out) but should satisfy
  the auditor and hopefully will just be a low cost exercise in futility
  as long as reasonable security policies are followed.


 Any tool will require the need to have a risk assessment against it.
 What is the likelihood of it finding malware? How much is updated and
 how does it compare to other tools. These will be questions that will
 need to be available for auditors to know you did your due-diligence
 on selecting a tool.
 Answering those questions would provide the arguments for running a root
 kit scanner instead of anti-virus software.  That is, the risk of
 malware affecting the systems in question is low with near zero
 likelihood that a true virus will cause a problem but with the
 possibility that a rootkit could compromise the systems.  Chkrootkit and
 rkhunter are arguably the best tools for finding a root kit.  The
 programs are updated whenever a new threat is identified.

 Obviously, the OP would need more than my say so as back up for these
 assertions.  Said back up would also make the case that scanning for
 non-existent threats (Linux viruses) would make no sense while scanning
 for a real threat makes the most sense.

Typically a multi-faceted approach to intrusion detection and
prevention will always be more successful and garner the best support.

Servers that deal with files, whether file servers or wikis, need
anti-virus software. For the best protection a different anti-virus
package should be deployed on the client (say clamav on the Linux file
servers/wikis, and Sophos on the client PCs).

All servers should have monitoring software installed to detect
changes to the environment, both for change management auditing and
intrusion detection. Having an external system collect the monitoring
logs and send alerts is the preferred way as manual collection and
monitoring isn't timely enough, nor reliable. A good system monitoring
platform like one from SolarWinds would be good here.

A change management platform to receive these alerts and match them up
against change requests or flag them as unauthorized events should
also be in place. A platform such as Numara Footprints or even a help
desk system or a bug tracking system on the low end could do this.

With those in place you should be in good shape. You should then do
routine vulnerability scans, penetration tests and if necessary buy
into an intrusion prevention system where it scans the network
activity looking for anything out of the ordinary where it can alert
you to it, or alert and drop it or whatever you see fit.

-Ross


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-23 Thread Scott Silva
on 1-22-2009 4:33 AM Ralph Angenendt spake the following:
 Anne Wilson wrote:
 On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
 What do you do with clamav on a linux server? Especially: How is it run
 by you? What do you think it protects you against on a linux server?
 1 - it protects you against passing on any windows viruses to windows users
 
 Yes, but how is it run? Hourly via cron? On which files? What does it
 protect against? Mind you, I'm not talking about workstations, but about
 servers.
 
 Ralph
Cron a clamscan -ir /
It will check the entire filesystem and report infected files.
You probably don't want to automatically delete what you find, though.

You can also scan for things like ssn's in datafiles laying around.


-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Rainer Traut
Am 22.01.2009 02:19, schrieb Amos Shapira:

 2. Alternatively - what linux anti-virus (oh, the shame of typing this
 word combination :() do you use which doesn't affect our systems
 performance too much.

http://www.f-prot.com/products/corporate_users/unix/
has some Linux AV products.

Rainer




Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Ralph Angenendt
Adam Tauno Williams wrote:
  1. Has anyone here gone though such a procedure and got good arguments
  against the need for anti-virus?
 
 There is no good argument against running malware detection on any
 server.
 
  2. Alternatively - what linux anti-virus (oh, the shame of typing this
  word combination :() do you use which doesn't affect our systems
  performance too much.
 
 CLAMAV works well.

What do you do with clamav on a linux server? Especially: How is it run
by you? What do you think it protects you against on a linux server? 

Curious,

Ralph




Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Anne Wilson
On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
 What do you do with clamav on a linux server? Especially: How is it run
 by you? What do you think it protects you against on a linux server?

1 - it protects you against passing on any windows viruses to windows users
2 - it satisfied those auditors who can't think beyond what they have been 
told, especially if you have log proof.  Logwatch's daily report:

 - clam-update Begin  

 Last ClamAV update process started at Wed Jan 21 04:02:23 2009
 
 Last Status:
main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: 
sven)
daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38, builder: 
ccordes)
 
 -- clam-update End - 

 
 - Clamav Begin  

 
 **Unmatched Entries**
 Database correctly reloaded (936952 signatures) 
 
 -- Clamav End -

That should satisfy an auditor.

Anne




Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Ralph Angenendt
Anne Wilson wrote:
 On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
  What do you do with clamav on a linux server? Especially: How is it run
  by you? What do you think it protects you against on a linux server?
 
 1 - it protects you against passing on any windows viruses to windows users

Yes, but how is it run? Hourly via cron? On which files? What does it
protect against? Mind you, I'm not talking about workstations, but about
servers.

Ralph




Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Craig White
On Thu, 2009-01-22 at 12:16 +, Anne Wilson wrote:
 On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
  What do you do with clamav on a linux server? Especially: How is it run
  by you? What do you think it protects you against on a linux server?
 
 1 - it protects you against passing on any windows viruses to windows users
 2 - it satisfied those auditors who can't think beyond what they have been 
 told, especially if you have log proof.  Logwatch's daily report:
 
  - clam-update Begin  
 
  Last ClamAV update process started at Wed Jan 21 04:02:23 2009
  
  Last Status:
 main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: 
 sven)
 daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38, 
 builder: 
 ccordes)
  
  -- clam-update End - 
 
  
  - Clamav Begin  
 
  
  **Unmatched Entries**
  Database correctly reloaded (936952 signatures) 
  
  -- Clamav End -
 
 That should satisfy an auditor.

the above suggests that clamav signature files were updated and the
database reloaded but nowhere does it suggest that any scanning of the
file system occurred nor the output of such scanning which probably
never occurred. What you have demonstrated is a gymnastic exercise which
accomplishes little. clamd might be able to do something useful but it
is not indicated above.

Craig

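Craig's point is that a freshclam/Logwatch excerpt proves only that signatures were updated, not that anything was scanned. If the cron'd `clamscan -ir /` that Scott suggested earlier in the thread is the control being claimed for the audit, the evidence that it ran is clamscan's own report. The following added example (not from the thread and not part of ClamAV) parses that report from a constructed sample of clamscan output and turns it into a one-line verdict a log monitor can alert on. The sample's paths and the `Win.Trojan.Agent-*` name are made up; `Eicar-Test-Signature` is the standard test detection. The example also handles the case that matters in practice: output with no SCAN SUMMARY block, which means the scan died or was cut off, and must not be counted as a completed scan.

```python
import re

# Constructed sample of `clamscan -ir` output in ClamAV's report format.
# The paths and the Win.Trojan.Agent-* name are invented for this example;
# Eicar-Test-Signature is the standard test detection.
SAMPLE_OUTPUT = """\
/tmp/eicar.com: Eicar-Test-Signature FOUND
/srv/upload/invoice.pdf.exe: Win.Trojan.Agent-1234567 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8123456
Engine version: 0.103.2
Scanned directories: 421
Scanned files: 18733
Infected files: 2
Data scanned: 1234.56 MB
Data read: 2345.67 MB (ratio 0.53:1)
Time: 612.345 sec (10 m 12 s)
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")


def parse_clamscan(text):
    """Split clamscan output into FOUND hits and the key/value summary block.
    'complete' is True only if the SCAN SUMMARY header was actually seen."""
    report = {"found": [], "summary": {}, "complete": False}
    in_summary = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            report["complete"] = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                report["summary"][m.group("key")] = m.group("val")
        else:
            m = FOUND_RE.match(line)
            if m:
                report["found"].append((m.group("path"), m.group("sig")))
    return report


def scan_evidence(report):
    """One-line verdict for a log monitor.  Anything but the last branch
    should page someone: no summary means the scan never finished, and zero
    scanned files means the cron job scanned the wrong thing."""
    if not report["complete"]:
        return "NO SCAN SUMMARY: scan did not finish or output was truncated"
    summary = report["summary"]
    scanned = int(summary.get("Scanned files", "0"))
    infected = int(summary.get("Infected files", "0"))
    if scanned == 0:
        return "SCAN COVERED NO FILES: check paths and exclusions"
    if infected != len(report["found"]):
        return "INCONSISTENT: summary reports %d infected but %d FOUND lines" % (
            infected, len(report["found"]))
    return "scanned %d files, %d infected" % (scanned, infected)


if __name__ == "__main__":
    r = parse_clamscan(SAMPLE_OUTPUT)
    for path, sig in r["found"]:
        print("FOUND %s (%s)" % (sig, path))
    print(scan_evidence(r))
    # A scan killed part-way through leaves no summary block at all.
    print(scan_evidence(parse_clamscan(SAMPLE_OUTPUT.split("\n---")[0])))
```

clamscan also encodes the result in its exit status (0 for nothing found, 1 for something found, 2 for an error), so the cron wrapper should record both the exit status and the summary; the summary is what shows an auditor the scope (files and directories covered) and the date, which the exit status alone does not.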


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Anne Wilson
On Thursday 22 January 2009 12:46:46 Craig White wrote:
 On Thu, 2009-01-22 at 12:16 +, Anne Wilson wrote:
  On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
   What do you do with clamav on a linux server? Especially: How is it run
   by you? What do you think it protects you against on a linux server?
 
  1 - it protects you against passing on any windows viruses to windows
  users 2 - it satisfied those auditors who can't think beyond what they
  have been told, especially if you have log proof.  Logwatch's daily
  report:
 
   - clam-update Begin 
 
   Last ClamAV update process started at Wed Jan 21 04:02:23 2009
 
   Last Status:
  main.cvd is up to date (version: 49, sigs: 437972, f-level: 35,
  builder: sven)
  daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38,
  builder: ccordes)
 
   -- clam-update End -
 
 
   - Clamav Begin 
 
 
   **Unmatched Entries**
   Database correctly reloaded (936952 signatures)
 
   -- Clamav End -
 
  That should satisfy an auditor.

 
 the above suggests that clamav signature files were updated and the
 database reloaded but nowhere does it suggest that any scanning of the
 file system occurred nor the output of such scanning which probably
 never occurred. What you have demonstrated is a gymnastic exercise which
 accomplishes little. clamd might be able to do something useful but it
 is not indicated above.

True.  As I have no windows boxes on the LAN I only run it manually, and it 
wasn't done on the day that that reported.  The one area that I am vulnerable 
to is email-borne viruses, and since I am not serving those to windows boxes 
it is only out of curiosity that I need clamav.

I'm sure there are plenty of people that can give Ralph detailed information 
about using it efficiently.  I was merely demonstrating how easy it is to show 
that you keep the database up to date.  You are quite right, of course, they 
will want to see evidence that it is scanning as well.

Anne




Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Ralph Angenendt
Anne Wilson wrote:
 I'm sure there are plenty of people that can give Ralph detailed information 
 about using it efficiently. 

Sorry, I do not want to know how to use clamav efficiently, I am just
wondering what good clamav will do on a server, as there aren't really
any hooks into file writing or reading. Sure, I can hook up clamav into
my email stream or into my proxy on that machine for filtering out
requests to people who use windows boxes behind those.

But I do not understand which sense clamav makes on a linux server, if
there are no hooks into the kernel (I know about dazuko, but a) we don't
ship it and b) last time I looked at it I couldn't get it to run
properly without a *huge* speed penalty). 

As far as I know there is no AntiVirus solution for Linux which works
the same as all the solutions under Windows do. And if you do not have
real time scanning on a server/workstation, an anti virus scanner
doesn't do you any good, as the time frame for attacks is just too
large. Either you get it on the first shot or you can just forget about
it. 

So again: If you want to be PCI-DSS compliant - what's the use of
clamav?

Ralph




Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Matt Shields
On Thu, Jan 22, 2009 at 8:15 AM, Ralph Angenendt ra+cen...@br-online.de wrote:

 Anne Wilson wrote:
  I'm sure there are plenty of people that can give Ralph detailed
 information
  about using it efficiently.

 Sorry, I do not want to know how to use clamav efficiently, I am just
 wondering what good clamav will do on a server, as there aren't really
 any hooks into file writing or reading. Sure, I can hook up clamav into
 my email stream or into my proxy on that machine for filtering out
 requests to people who use windows boxes behind those.

 But I do not understand which sense clamav makes on a linux server, if
 there are no hooks into the kernel (I know about dazuko, but a) we don't
 ship it and b) last time I looked at it I couldn't get it to run
 properly without a *huge* speed penalty).

 As far as I know there is no AntiVirus solution for Linux which works
 the same as all the solutions under Windows do. And if you do not have
 real time scanning on a server/workstation, an anti virus scanner
 doesn't do you any good, as the time frame for attacks is just too
 large. Either you get it on the first shot or you can just forget about
 it.

 So again: If you want to be PCI-DSS compliant - what's the use of
 clamav?

 Ralph


Check out BitDefender http://www.bitdefender.com

-matt
http://www.sysadminvalley.com
http://www.beantownhost.com
http://www.linkedin.com/in/mattboston


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Craig White
On Thu, 2009-01-22 at 14:15 +0100, Ralph Angenendt wrote:
 Anne Wilson wrote:
  I'm sure there are plenty of people that can give Ralph detailed 
  information 
  about using it efficiently. 
 
 Sorry, I do not want to know how to use clamav efficiently, I am just
 wondering what good clamav will do on a server, as there aren't really
 any hooks into file writing or reading. Sure, I can hook up clamav into
 my email stream or into my proxy on that machine for filtering out
 requests to people who use windows boxes behind those.
 
 But I do not understand which sense clamav makes on a linux server, if
 there are no hooks into the kernel (I know about dazuko, but a) we don't
 ship it and b) last time I looked at it I couldn't get it to run
 properly without a *huge* speed penalty). 
 
 As far as I know there is no AntiVirus solution for Linux which works
 the same as all the solutions under Windows do. And if you do not have
 real time scanning on a server/workstation, an anti virus scanner
 doesn't do you any good, as the time frame for attacks is just too
 large. Either you get it on the first shot or you can just forget about
 it. 
 
 So again: If you want to be PCI-DSS compliant - what's the use of
 clamav?

re: the last question, I simply don't know.

I do know that I have an 'unsupported' version of Symantec Anti-Virus
for Linux which came with their 'End Point Protection' package which I
gather is a 'real-time' package but I am not interested in finding out
what that would do to performance of the system.

I also know that samba has a 'vfs' option for using clamd on your
samba/Windows file server.

Craig



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread John Plemons
I use AVG, they have a nice and clean Real Time Scanning piece of 
software for Linux

see http://www.grisoft.com for general info

http://www.avg.com/download-7?prd=avl

to download for the different flavors of Linux

I use it on my Linux boxes as well as all of my Windows Clients and 
Servers as well, bang for buck its one of the best out and much better 
than that crappy Symantec brand AV

john plemons



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Ralph Angenendt
Matt Shields wrote:
 On Thu, Jan 22, 2009 at 8:15 AM, Ralph Angenendt ra+cen...@br-online.de wrote:
  As far as I know there is no AntiVirus solution for Linux which works
  the same as all the solutions under Windows do. And if you do not have
  real time scanning on a server/workstation, an anti virus scanner
  doesn't do you any good, as the time frame for attacks is just too
  large. Either you get it on the first shot or you can just forget about
  it.
 
 Check out BitDefender http://www.bitdefender.com

Bitdefender for Samba which only scans stuff on network shares and
Bitdefender for Mail Servers which does the same clamav and
amavisd/exiscan/whatever can do. No security products which protect
servers itself, just hooks into the windows world.

Supports the point I tried to make :)

Ralph




Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Ralph Angenendt
John Plemons wrote:
 I use AVG, they have a nice and clean Real Time Scanning piece of 
 software for Linux

Oh. So maybe dazuko now isn't a resource hog anymore?

Thanks, that is the first time I've heard about a component like that.

Cheers,

Ralph




Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Kwan Lowe
 Yes, I know, it's really really embarrassing to have to ask but I'm
 being pushed to the wall with PCI DSS Compliance procedure
 (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
 we don't need to install an anti-virus or find an anti-virus to run on
 our CentOS 5 servers.

 Whatever I do - it needs to be convincing enough to make the PCI
 compliance guy tick the box.

 So:

 1. Has anyone here gone though such a procedure and got good arguments
 against the need for anti-virus?

We are going through the same thing. The initial rollout was planned
for only PCI critical systems, but has been expanded to SOX and
business-critical servers.  Given the extreme rarity of Unix/Linux
related viruses, we did question why we needed to run an AV solution
at all. However, we do have shares that are accessible via Windows and
Mac users, so these were targeted.  Per our compliance officer, though
a rigid interpretation of the PCI documentation might not require full
scans of every server, or even scanning every server, we would go
beyond the spec. Thus, at some point we're expecting that all servers
will require some sort of AV product.


 2. Alternatively - what linux anti-virus (oh, the shame of typing this
 word combination :() do you use which doesn't affect our systems
 performance too much.


The AV solution we were told to use was Sophos AV. Our environment is
primarily AIX with a few Linux systems. Though the Linux systems had
(mostly) equivalent features to the Windows product, the AIX solution
was essentially a command line driven scan similar to ClamAV.

Now, SophosAV on Linux requires some kernel hooks for the on-access
scan. If Sophos-compiled binaries are not available for your kernel
then you'd need to build them on the machine. I.e., you'd require GCC
and the kernel-dev packages. Per our security requirements (not PCI
specific), we do not have compilers and dev libraries on anything but
development servers. Sophos also did not have an SLA as to when new
binaries would be released after a new kernel.

Which leads to an interesting conundrum. The Sophos product cannot do
on-demand scanning without a dev environment (and compiling elsewhere
was not a documented process from Sophos). So we were left with the
command line, cron driven scanner.  Given that the files we would
target were often temporary (e.g., uploaded documents, files to be
pushed into a doc manager), it made little sense to scan daily.
Instead, you'd need to script processes to watch directories and
holding areas.

The rest of the problems were primarily with the AIX client.

Anyhoo, the AV products don't put too much load on the system,
depending on your scan requirements. They can do so though. E.g., if
you scan compressed files, do on demand, scan across shares, etc.


 The reviewed servers run both Internet-facing web applications and
 internal systems, mostly using proprietary protocol for internal
 communications. They are being administrated remotely via IPSec VPN
 (and possibly in the future also OpenVPN).

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
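The post above ends up with a cron-driven command line scanner and the observation that, for a holding area of temporary uploads, a daily sweep is the wrong cadence and one should instead script a watch over the directories. The following is an added example, not code from the original post, from Sophos or from ClamAV, of that approach: it records the time of the last completed run in a state file and hands only files modified since then to a scan routine, so a run is cheap enough to schedule every few minutes. The directory names, the state file, the `DEMO-MALWARE-PATTERN-*` byte strings and the `scan_file` function are constructed for the demonstration; a deployment would call the site's real scanner in its place.

```python
# Added example (not from the original post, Sophos or ClamAV): incremental
# scan of an upload holding area. All paths and patterns are constructed.
import json
import os
import stat
import tempfile
import time

# Constructed demonstration patterns; a real scanner brings its own database.
SIGNATURES = {
    "DEMO.TestPattern-A": b"DEMO-MALWARE-PATTERN-A",
    "DEMO.TestPattern-B": b"DEMO-MALWARE-PATTERN-B",
}
# Rescanning a file twice is harmless; missing one because its mtime was
# truncated by a coarse filesystem clock is not.
MTIME_SLACK_SECONDS = 2.0


def scan_file(path, signatures=SIGNATURES, chunk_size=1 << 20):
    """Return the names of all signatures whose bytes occur in the file."""
    hits = []
    overlap = max(len(p) for p in signatures.values()) - 1
    tail = b""  # end of the previous chunk, so a straddling pattern is found
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            window = tail + block
            for name, pattern in signatures.items():
                if name not in hits and pattern in window:
                    hits.append(name)
            tail = window[-overlap:] if overlap > 0 else b""
    return hits


def load_last_run(state_path):
    """Timestamp of the last completed run, or 0.0 if there was none."""
    try:
        with open(state_path) as fh:
            return float(json.load(fh)["last_run"])
    except (OSError, ValueError, KeyError):
        return 0.0


def save_last_run(state_path, started):
    with open(state_path, "w") as fh:
        json.dump({"last_run": started}, fh)


def files_modified_since(root, since):
    """Regular files under root with mtime >= since; symlinks are skipped."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mtime >= since:
                found.append(path)
    return sorted(found)


def run_incremental_scan(root, state_path):
    """Scan only what changed since the last run; report scanned and found."""
    since = load_last_run(state_path) - MTIME_SLACK_SECONDS
    # Take the start time before walking: a file written while this run is
    # in progress is then picked up again by the next run.
    started = time.time()
    scanned, findings = [], {}
    for path in files_modified_since(root, since):
        scanned.append(path)
        hits = scan_file(path)
        if hits:
            findings[path] = hits
    save_last_run(state_path, started)
    return {"scanned": scanned, "findings": findings}


def demo():
    """Constructed holding area: two old uploads, then one new arrival."""
    base = tempfile.mkdtemp(prefix="holding-demo-")
    root = os.path.join(base, "uploads")
    os.makedirs(root)
    state = os.path.join(base, "scan-state.json")
    clean = os.path.join(root, "invoice.txt")
    bad = os.path.join(root, "upload.bin")
    with open(clean, "wb") as fh:
        fh.write(b"quarterly figures")
    with open(bad, "wb") as fh:
        fh.write(b"header DEMO-MALWARE-PATTERN-A trailer")
    past = time.time() - 1000  # both arrived long before the first run
    os.utime(clean, (past, past)), os.utime(bad, (past, past))
    first = run_incremental_scan(root, state)   # scans both, flags upload.bin
    second = run_incremental_scan(root, state)  # nothing changed: scans none
    late = os.path.join(root, "later.doc")
    with open(late, "wb") as fh:
        fh.write(b"x" * 10 + b"DEMO-MALWARE-PATTERN-B")
    future = time.time() + 100  # clearly newer than the recorded last run
    os.utime(late, (future, future))
    third = run_incremental_scan(root, state)   # scans only later.doc
    return {"clean": clean, "bad": bad, "late": late,
            "runs": (first, second, third)}
```

The start time is taken before the walk and a two-second slack is subtracted from the stored value, so a file written during a run, or one whose timestamp a coarse filesystem clock truncated, is scanned again rather than missed. Symlinks are skipped so a link dropped into the holding area cannot pull the scan outside it, and the scanner reads in chunks with an overlap of one pattern length so a match across a chunk boundary is still found.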


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Matt
 None... clamav, amavis, etc... are used for protecting Windows boxes
 behind the Linux boxes.  If you aren't running any Windows hosts on the

FYI, clamav also detects linux based viruses.  There are linux based
viruses.  Rkhunter is also good to run on a linux server as well.

http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses

Of course if you keep your passwords secure and up to date on patches
you 'should' not get any viruses on a linux box.  Nothing is certain
though.  It's very little effort to install clamav and rkhunter.

Matt


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread nate
Amos Shapira wrote:

 2. Alternatively - what linux anti-virus (oh, the shame of typing this
 word combination :() do you use which doesn't affect our systems'
 performance too much.

I highly recommend Sophos antivirus:

http://www.sophos.com/products/enterprise/endpoint/security-and-control/8.0/linux/

They seem to cost more than the competition but it's because they
have a better product.

Glad I don't have to deal with credit card numbers anymore; the
security around that stuff was a pain.

nate




Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Morten Torstensen
Rainer Traut wrote:
 On 22.01.2009 02:19, Amos Shapira wrote:
 
  2. Alternatively - what linux anti-virus (oh, the shame of typing this
  word combination :() do you use which doesn't affect our systems'
  performance too much.
 
 http://www.f-prot.com/products/corporate_users/unix/
 has some Linux AV products.

And just for completeness, Symantec has AV for Linux too... it is better 
there than on the Windows platform, but that doesn't say much. The 
advantage of Symantec is that it is a well-known brand, so in some cases 
it can be an easy option to push through red-tape bureaucrats.

-- 

//Morten Torstensen
//Email: mor...@mortent.org
//IM: morten.torsten...@gmail.com

I can't listen to that much Wagner. I start getting the urge to conquer 
Poland.
-- Woody Allen


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread John Plemons
But again you said it, Symantec is trash

With my history of machine crashes caused by their "I can do it better" 
attitude, run, don't walk, from Symantec

John Plemons

 


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Adam Tauno Williams
 Adam Tauno Williams wrote:
   1. Has anyone here gone through such a procedure and got good arguments
   against the need for anti-virus?
  There is no good argument against running malware detection on any
  server.
   2. Alternatively - what linux anti-virus (oh, the shame of typing this
   word combination :() do you use which doesn't affect our systems'
   performance too much.
  CLAMAV works well.
 What do you do with clamav on a linux server? 

You scan the server for malware.  

There is nothing special about LINUX here.  The whole don't run
services as root business is just so much noise.  It isn't about
protecting the *server* it is about protecting the *data* which is
accessed [hopefully] by services which are *not* root.  It is about the
data and the clients that connect to the server.   

I've seen CLAMAV find malware on web servers (maybe it isn't common...
because no one is checking).  Someone's crappy PHP code [is there any
other kind?] allows malware to get injected into, and served, from the
server.  No root access anywhere, or required.  It isn't about
protecting the OS or the system, it is about protecting the data, the
applications [from exploit], and the end-users [so the server isn't an
attack vector].   Assuming none of the services on your server can be
exploited is just wrong-headed;  and the exploiter does not need to
own the server (aka have root) in order to do mischief.   Access to
your data is probably more valuable than whacking your server.

The mantra LINUX doesn't suffer from malware is just bollocks.  Lots
of malware is served from LINUX servers.   Scanning a server for
signatures is just another way to proof (not prove) that a server has
not been compromised and that data accessed by the server is secure.
Which is what things like PCI/DSS is about - protecting the *data*. 

  What do you think it protects you against on a linux server? 

against a linux server? ?




Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Stephen John Smoogen
On Thu, Jan 22, 2009 at 12:01 PM, Adam Tauno Williams
awill...@whitemice.org wrote:
 Adam Tauno Williams wrote:
   1. Has anyone here gone through such a procedure and got good arguments
   against the need for anti-virus?
  There is no good argument against running malware detection on any
  server.
   2. Alternatively - what linux anti-virus (oh, the shame of typing this
   word combination :() do you use which doesn't affect our systems'
   performance too much.
  CLAMAV works well.
 What do you do with clamav on a linux server?

 You scan the server for malware.

 There is nothing special about LINUX here.  The whole don't run
 services as root business is just so much noise.  It isn't about
 protecting the *server* it is about protecting the *data* which is
 accessed [hopefully] by services which are *not* root.  It is about the
 data and the clients that connect to the server.

 I've seen CLAMAV find malware on web servers (maybe it isn't common...
 because no one is checking).  Someone's crappy PHP code [is there any
 other kind?] allows malware to get injected into, and served, from the
 server.  No root access anywhere, or required.  It isn't about
 protecting the OS or the system, it is about protecting the data, the
 applications [from exploit], and the end-users [so the server isn't an
 attack vector].   Assuming none of the services on your server can be
 exploited is just wrong-headed;  and the exploiter does not need to
 own the server (aka have root) in order to do mischief.   Access to
 your data is probably more valuable than whacking your server.

 The mantra LINUX doesn't suffer from malware is just bollocks.  Lots
 of malware is served from LINUX servers.   Scanning a server for
 signatures is just another way to proof (not prove) that a server has
 not been compromised and that data accessed by the server is secure.
 Which is what things like PCI/DSS is about - protecting the *data*.

I don't know about that last sentence.. I am not familiar enough with
PCI/DSS to say it protects data or protects from lawsuits. Everything
else I can agree with 100%. Linux/Mac/Solaris etc are all good vectors
for serving malware because they are not routinely looked at for
malware (because most Unix admins think it is something that affects
them.) Most malware authors learned that while they may not be able to
get 'root' all they really need is normal permissions for most things
because they can still open up high ports to send/receive spam or that
most systems have data at o+rw for ease of use.

Does this mean that every Linux machine should have a malware detector
on it that runs and scans every file? No, it's a matter of risk
management. If you are in a high risk environment, you should know why
or why not it is not in place (having other strong security measures
in place with constant vigilance can be good enough or for something
else it might not be.).


  What do you think it protects you against on a linux server?

 against a linux server? ?






-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. The Merchant of Venice


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread David G. Miller
Amos Shapira amos.shap...@gmail.com wrote:

 Hi All,

 Yes, I know, it's really really embarrassing to have to ask but I'm
 being pushed to the wall with PCI DSS Compliance procedure
 (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
 we don't need to install an anti-virus or find an anti-virus to run on
 our CentOS 5 servers.

 Whatever I do - it needs to be convincing enough to make the PCI
 compliance guy tick the box.

 So:

 1. Has anyone here gone through such a procedure and got good arguments
 against the need for anti-virus?
 2. Alternatively - what linux anti-virus (oh, the shame of typing this
 word combination :() do you use which doesn't affect our systems'
 performance too much.

 The reviewed servers run both Internet-facing web applications and
 internal systems, mostly using proprietary protocol for internal
 communications. They are being administrated remotely via IPSec VPN
 (and possibly in the future also OpenVPN).

 Thanks,

 --Amos
After reading all of the other replies (including the ones that pointed 
out that the PCI DSS requirement had changed the terminology from 
virus to malware), why not claim you are meeting the requirement by 
doing something useful like running chkrootkit or rkhunter on a regular 
basis?  That way you would be scanning the systems for the only malware 
known to actually pose a threat to a Linux box.  It may be a low 
probability of infection (as others have pointed out) but should satisfy 
the auditor and hopefully will just be a low cost exercise in futility 
as long as reasonable security policies are followed.

Cheers,
Dave

-- 
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Stephen John Smoogen
On Thu, Jan 22, 2009 at 12:42 PM, David G. Miller d...@davenjudy.org wrote:
 Amos Shapira amos.shap...@gmail.com wrote:

 Hi All,

 Yes, I know, it's really really embarrassing to have to ask but I'm
 being pushed to the wall with PCI DSS Compliance procedure
 (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
 we don't need to install an anti-virus or find an anti-virus to run on
 our CentOS 5 servers.

 Whatever I do - it needs to be convincing enough to make the PCI
 compliance guy tick the box.

 So:

 1. Has anyone here gone through such a procedure and got good arguments
 against the need for anti-virus?
 2. Alternatively - what linux anti-virus (oh, the shame of typing this
 word combination :() do you use which doesn't affect our systems'
 performance too much.

 The reviewed servers run both Internet-facing web applications and
 internal systems, mostly using proprietary protocol for internal
 communications. They are being administrated remotely via IPSec VPN
 (and possibly in the future also OpenVPN).

 Thanks,

 --Amos
 After reading all of the other replies (including the ones that pointed
 out that the PCI DSS requirement had changed the terminology from
 virus to malware), why not claim you are meeting the requirement by
 doing something useful like running chkrootkit or rkhunter on a regular
 basis?  That way you would be scanning the systems for the only malware
 known to actually pose a threat to a Linux box.  It may be a low
 probability of infection (as others have pointed out) but should satisfy
 the auditor and hopefully will just be a low cost exercise in futility
 as long as reasonable security policies are followed.

Any tool will require the need to have a risk assessment against it.
What is the likelihood of it finding malware? How much is updated and
how does it compare to other tools? These will be questions that will
need to be available for auditors to know you did your due diligence
on selecting a tool.

-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. The Merchant of Venice


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Ralph Angenendt
Adam Tauno Williams wrote:
  What do you do with clamav on a linux server? 
 
 You scan the server for malware.  

When? Every day via crontab? That can be much too late. Every hour? That can
be much too late. Every 10 minutes? That can be much too late - and your 
server is busy scanning the file system.

 The mantra LINUX doesn't suffer from malware is just bollocks.  Lots
 of malware is served from LINUX servers.   Scanning a server for
 signatures is just another way to proof (not prove) that a server has
 not been compromised and that data accessed by the server is secure.
 Which is what things like PCI/DSS is about - protecting the *data*. 

I never said LINUX doesn't suffer from malware. But clamav itself is not
able to scan in real time. Looks like dazuko has gotten a bit better, I don't
know about clamuko. But by just installing clamav, you gain nothing 
protection-wise.
 
  What do you think it protects you against on a linux server? 
 
 against a linux server? ?

When?

Ralph



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Adam Tauno Williams
On Thu, 2009-01-22 at 21:24 +0100, Ralph Angenendt wrote:
 Adam Tauno Williams wrote:
   What do you do with clamav on a linux server? 
  You scan the server for malware.  
 When? Every day via crontab? That can be much too late. Every hour? That can
 be much too late. Every 10 minutes? That can be much too late - and your 
 server is busy scanning the file system.

Versus never???  That's just silly;  you're making perfect an obstacle of
the good.  If it finds something then you KNOW you have a problem and
the time frame in which it occurred:  you can then assess and respond
and [potentially] notify.  Versus what?  No knowledge?  The alternative
is to host the malware indefinitely in blissful ignorance - or until
someone else detects and reports your server.

CLAMAV, or any package, isn't THE answer, it is part of an answer.  And
PCI/DSS requires a server be scanned on a regular basis.  Fighting
against that directive just makes no sense.  You should scan an entire
system on some interval regardless of OS.

  The mantra LINUX doesn't suffer from malware is just bollocks.  Lots
  of malware is served from LINUX servers.   Scanning a server for
  signatures is just another way to proof (not prove) that a server has
  not been compromised and that data accessed by the server is secure.
  Which is what things like PCI/DSS is about - protecting the *data*. 
 I never said LINUX doesn't suffer from malware. But clamav itself is not
 able to scan in real time. Looks like dazuko has gotten a bit better, I don't
 know about clamuko. But by just installing clamav, you gain nothing 
 protection-wise.

Yes, you gain the ability to detect a compromised server.



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Les Mikesell
Adam Tauno Williams wrote:

 What do you do with clamav on a linux server? 
 
 You scan the server for malware.  
 
 There is nothing special about LINUX here.  The whole don't run
 services as root business is just so much noise.  It isn't about
 protecting the *server* it is about protecting the *data* which is
 accessed [hopefully] by services which are *not* root.  It is about the
 data and the clients that connect to the server.   

Yes, but the scan has to be specific for the kind of problem you want to 
detect.

 I've seen CLAMAV find malware on web servers (maybe it isn't common...
 because no one is checking).  Someone's crappy PHP code [is there any
 other kind?] allows malware to get injected into, and served, from the
 server.

That tends to be more because someone isn't doing updates than that they 
aren't checking.  Before a scan can help you, the scanner has to know 
about the problem.  After someone knows about the problem there will 
likely be an update to fix it at least as soon as a scanner that will 
detect it after the fact.  Which makes more sense to install?

 No root access anywhere, or required.  It isn't about
 protecting the OS or the system, it is about protecting the data, the
 applications [from exploit], and the end-users [so the server isn't an
 attack vector].   Assuming none of the services on your server can be
 exploited is just wrong-headed;

But expecting a scanner to know about the exploit long before the 
exploit is known and fixed seems misguided as well.

  and the exploiter does not need to
 own the server (aka have root) in order to do mischief.   Access to
 your data is probably more valuable than whacking your server.
 
 The mantra LINUX doesn't suffer from malware is just bollocks.  Lots
 of malware is served from LINUX servers.

That may be true, but the exploit that allowed it to be put there may be 
unrelated.  For example, you may have virus-laden email being 
transported through a Linux server that doesn't have anything else to do 
with it.  Or you may have a samba share where windows clients can infect 
it.  Or, someone might get access through brute-force ssh password guessing.

 Scanning a server for
 signatures is just another way to proof (not prove) that a server has
 not been compromised and that data accessed by the server is secure.
 Which is what things like PCI/DSS is about - protecting the *data*. 

An occasional clamav scan can't hurt.

  What do you think it protects you against on a linux server? 
 
 against a linux server? ?

Doing frequent updates is what keeps you safe - and maybe turning off 
ssh password access.

-- 
   Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Adam Tauno Williams
  There is nothing special about LINUX here.  The whole don't run
  services as root business is just so much noise.  It isn't about
  protecting the *server* it is about protecting the *data* which is
  accessed [hopefully] by services which are *not* root.  It is about the
  data and the clients that connect to the server.   
 Yes, but the scan has to be specific for the kind of problem you want to 
 detect.

The presence of a malware pattern - it is pretty straightforward.

  I've seen CLAMAV find malware on web servers (maybe it isn't common...
  because no one is checking).  Someone's crappy PHP code [is there any
  other kind?] allows malware to get injected into, and served, from the
  server.
 That tends to be more because someone isn't doing updates than that they 
 aren't checking.

This doesn't make sense.  No amount of updating will protect you from a
flaw in the application code / method.  One can't presume that the
hosted application / service is perfect.  Applications are compromised
much more frequently than Operating Systems which is why the fact that
it is a LINUX server doesn't matter.  A scanner will potentially tell
you when an application has been compromised.

   Before a scan can help you, the scanner has to know 
 about the problem.  After someone knows about the problem there will 
 likely be an update to fix it at least as soon as a scanner that will 
 detect it after the fact.  Which makes more sense to install?

Someone is going to release an update for your local application and
configuration?  Emphasis on the "likely" in "likely be an update to fix
it."  And a scanner doesn't detect the security flaw, it detects that
the server has been breached enough to contain malicious patterns.  It
has nothing to do with updates;  relying on being up-to-date to prove
your system is secure is akin to covering it with stickers of unicorns
to protect it.

  No root access anywhere, or required.  It isn't about
  protecting the OS or the system, it is about protecting the data, the
  applications [from exploit], and the end-users [so the server isn't an
  attack vector].   Assuming none of the services on your server can be
  exploited is just wrong-headed;
 But expecting a scanner to know about the exploit long before the 
 exploit is known and fixed seems misguided as well.

This has nothing to do with knowing about exploits in the way you are
using the term exploit (as a method of exploiting a service).  It is a
way to know about exploits OF a server's service.  The scanner doesn't
need to know anything at all about how the malicious content got there -
it alerts you of its presence.

   and the exploiter does not need to
  own the server (aka have root) in order to do mischief.   Access to
  your data is probably more valuable than whacking your server.
  The mantra LINUX doesn't suffer from malware is just bollocks.  Lots
  of malware is served from LINUX servers.
 That may be true, but the exploit that allowed it to be put there may be 
 unrelated.  

So?

 For example, you may have virus-laden email being 
 transported through a Linux server that doesn't have anything else to do 
 with it.  Or you may have a samba share where windows clients can infect 
 it.  Or, someone might get access through brute-force ssh password guessing.

We are talking about completely different things.  I'm talking about
using a scanner to indicate that a server does not contain malware
patterns indicating it has been [potentially] exploited - which is an
*UNEXPECTED* event.  You can't perform highly specific tests for
unexpected events.  The entire principle of auditing is looking for the
unexpected.

  Scanning a server for
  signatures is just another way to proof (not prove) that a server has
  not been compromised and that data accessed by the server is secure.
  Which is what things like PCI/DSS is about - protecting the *data*. 
 An occasional clamav scan can't hurt.
   What do you think it protects you against on a linux server? 
 against a linux server? ?
 Doing frequent updates is what keeps you safe - and maybe turning off 
 ssh password access.

It isn't about being safe.  It is about having configuration and
policies that ***tests*** the integrity of your systems;  detecting
malware patterns is a critical component of that.



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Les Bell

Adam Tauno Williams awill...@whitemice.org wrote:


CLAMAV, or any package, isn't THE answer, it is part of an answer.  And
PCI/DSS requires a server be scanned on a regular basis.  Fighting
against that directive just makes no sense.  You should scan an entire
system on some interval regardless of OS.


It's worth noting that the type of scan required by PCI DSS is not a
filesystem scan by an antivirus product. It is a vulnerability scan
performed by an Approved Scanning Vendor.

Some other miscellaneous points triggered by posts in this thread that I've
read this morning:

According to the Verizon 2008 Data Breaches Report, in over 90% of cases
where a successful attack exploited a vulnerability, there was a patch
available for at least six months prior to the breach. So the first thing
we can say is that there is good reason to patch your system - it's
definitely an effective activity.

While the most popular attack methods of cybercriminals are hacking and
malcode (again, the Verizon report confirms this), malcode is much more
popular in the Windows world and hacking is the method of choice against
Linux boxes, imho (SSH brute-forcing worms notwithstanding). This means
that anti-virus products will be less effective in safeguarding the data on
a Linux box, and host intrusion detection systems are correspondingly more
effective.

Most attacks against servers are conducted against the application layer
code (PHP vulnerabilities, especially, but also SQL injection, etc.) Again,
anti-virus products are not effective here, particularly since the original
poster seems to be running custom code (internally-developed or
outsourced). The best controls here will be HIDS like AIDE and Tripwire, as
well as network IDS.

An attacker who exploits a server might upload some recognisable malware,
and an anti-virus scanner might pick it up, but I'm not sure whether (e.g.)
ClamAV has signatures for stuff like eggdrop IRC servers, phishing sites
and other stuff that sometimes turns up on compromised hosts. The bulk of the
signature database is undoubtedly Windows malware. However, a determined
attacker, who knows what the server hosts, is much more likely to either
use SQL injection or command injection techniques to extract credit card
info (use NIDS to detect this) or to install a rootkit to allow him to come
and go more easily (and HIDS will detect this).

Remember, there are two problems to be solved here:

a) Get the systems past the PCI-DSS Assessor

b) Do something useful to actually protect the systems

It would be great if both problems had the same solution, but that depends
on how clueful the Assessor is (and how artfully the original poster can
manage him). Right now, the original poster's employer is paying him to
solve a), and will probably only worry about b) much later, should the
excrement actually hit the fan. If installing ClamAV is what it takes to
solve a), just do it and then get to work on b).

Best,

--- Les Bell, RHCE, CISSP, M.Info.Tech (Systems Security)
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909


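Les Bell's post above recommends HIDS such as AIDE and Tripwire over a signature scanner for a server running custom application code, because a scanner reports only patterns it already knows while an integrity check reports any change to the files it watches, whatever caused it. The following is an added example, not code from the original post, from AIDE or from Tripwire, showing that idea in miniature: record mode, owner, size and SHA-256 of every entry under a directory, store that baseline, and later report anything added, removed or changed, naming the attribute that changed. The directory, file names and the simulated changes in `demo()` are constructed.

```python
# Added example (not from the original post, AIDE or Tripwire): a minimal
# file-integrity baseline. Paths, sample files and the simulated changes in
# demo() are constructed.
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Attributes of one filesystem entry that must not change silently."""
    st = os.lstat(path)  # lstat: describe a symlink itself, not its target
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Map each entry under root (path relative to root) to its record."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_record(path)
    return baseline


def compare_to_baseline(baseline, current):
    """Report entries added, removed or changed, naming the changed fields."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        fields = sorted(k for k in set(old) | set(new)
                        if old.get(k) != new.get(k))
        if fields:
            changed[rel] = fields
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline, path):
    """Write the baseline; keep this copy where the host cannot rewrite it."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True, indent=1)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed config tree, baseline, then four kinds of tampering."""
    base = tempfile.mkdtemp(prefix="integrity-demo-")
    root = os.path.join(base, "etc")
    os.makedirs(root)
    for name, body in (("a.conf", b"alpha"), ("b.conf", b"bravo"),
                       ("c.conf", b"charlie")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, name), 0o644)
    baseline_path = os.path.join(base, "baseline.json")
    save_baseline(build_baseline(root), baseline_path)
    # Simulated changes: same-size edit, permission change, deletion, new file.
    with open(os.path.join(root, "a.conf"), "wb") as fh:
        fh.write(b"alpHa")
    os.chmod(os.path.join(root, "b.conf"), 0o600)
    os.remove(os.path.join(root, "c.conf"))
    with open(os.path.join(root, "d.conf"), "wb") as fh:
        fh.write(b"delta")
    return compare_to_baseline(load_baseline(baseline_path), build_baseline(root))
```

The same-size edit of `a.conf` is the case a size-and-mtime check would miss and the digest catches. Two things this toy leaves out that the real tools address: the stored baseline must live where the monitored host cannot rewrite it (read-only media or another host), or whoever changed the files simply regenerates it; and a kernel-level rootkit can lie to `stat()` and `read()` alike, so a clean comparison is evidence, not proof, of integrity.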


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Les Mikesell
Adam Tauno Williams wrote:

 Yes, but the scan has to be specific for the kind of problem you want to 
 detect.
 
 The presence of a malware pattern - it is pretty straight forward.

Only for known instances of malware.
 
 This doesn't make sense.  No amount of updating will protect you from a
 flaw in the application code / method. 

Of course it will.

 One can't presume that the
 hosted application / service is perfect.

Which is why things are fixed and updated.

 Applications are compromised
 much more frequently than Operating Systems which is why the fact that
 it is a LINUX server doesn't matter.  A scanner will potentially tell
 you when an application has been compromised.

No, a scanner will only tell you when known patterns are present.

   Before a scan can help you, the scanner has to know 
 about the problem.  After someone knows about the problem there will 
 likely be an update to fix it at least as soon as a scanner that will 
 detect it after the fact.  Which makes more sense to install?
 
 Someone is going to release an update for your local application and
 configuration? 

Yes, you can create your own problems that no one else can fix, but you 
are also probably running php, ssh, bind and an assortment of standard 
services that have known vulnerabilities if not updated.

 Emphasis on the likely in likely be an update to fix
 it.  And a scanner doesn't detect the security flaw, it detects that
 the server has been breached enough to contain malicious patterns.

known patterns.

 It
 has nothing to do with updates;  relying on being up-to-date to prove
 your system is secure is akin to covering it with stickers of unicorns
 to protect it.

That's not quite the way it works.  When anyone else has noticed an 
exploit and figures out how it happened, or examines some code and finds 
how one could happen, it is reported and fixed.  And the next update 
will prevent it.  Not quite the same as stickers - but similar to the 
way the known patterns for scanners become known.

 Assuming none of the services on your server can be
 exploited is just wrong-headed;
 But expecting a scanner to know about the exploit long before the 
 exploit is known and fixed seems misguided as well.
 
 This has nothing to do with knowing about exploits in the way you are
 using the term exploit (as a method of exploiting a service).  It is a
 way to know about exploits OF a server's service.  The scanner doesn't
 need to know anything at all about how the malicious content got there -
 it alerts you of its presence.

But it does have to know the content itself, and there's not much reason 
to think you will know this content without knowing how to stop the 
related exploit.

 
 We are talking about completely different things.  I'm talking about
 using a scanner to indicate that a server does not contain malware
 patterns indicating it has been [potentially] exploited - which is an
 *UNEXPECTED* event.

No, scanners only scan for known and sort-of expected things.

  You can't perform highly specific tests for
 unexpected events.  The entire principle of auditing is looking for the
 unexpected.

But scanning doesn't do that.  There is some value in knowing that you 
do have those known patterns present, but you can't deduce that you 
don't have any unexpected problems if you don't find them.

 Doing frequent updates is what keeps you safe - and maybe turning off 
 ssh password access.
 
 It isn't about being safe.  It is about having configuration and
 policies that ***tests*** the integrity of your systems;  detecting
 malware patterns is a critical component of that.

As long as you realize that it is only a test for certain known patterns 
that don't have much to do with linux problems, fine.  Just don't assume 
that it proves anything about integrity when you don't find them.  Your 
real problem may be that someone has guessed your ssh password and 
installed a rootkit that hides itself from all normal scans (remember, 
running programs continue to run even if the filename is erased so scans 
don't find it).

-- 
   Les Mikesell
 lesmikes...@gmail.com








Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-22 Thread Sorin Srbu
I run this on a centos-server I have. The machine comes to crawl when I open
up the Symantec-GUI. I think the GUI is built on java, which might make the
machine slower than necessary. Probably the CLI-interface is more responsive.

-- 
/Sorin


-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
Of
Morten Torstensen
Sent: Thursday, January 22, 2009 7:18 PM
To: CentOS mailing list
Subject: Re: [CentOS] Antivirus for CentOS? (yuck!)

And just for completeness, Symantec has AV for Linux too... it is better
there than on the Windows platform, but that doesn't say much. The
advantage of Symantec is that it is a well-known brand, so in some cases
it can be an easy option to push through red-tape bureaucrats.




[CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Amos Shapira
Hi All,

Yes, I know, it's really really embarrassing to have to ask but I'm
being pushed to the wall with PCI DSS Compliance procedure
(http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
we don't need to install an anti-virus or find an anti-virus to run on
our CentOS 5 servers.

Whatever I do - it needs to be convincing enough to make the PCI
compliance guy tick the box.

So:

1. Has anyone here gone through such a procedure and got good arguments
against the need for anti-virus?
2. Alternatively - what linux anti-virus (oh, the shame of typing this
word combination :() do you use which doesn't affect our systems
performance too much.

The reviewed servers run both Internet-facing web applications and
internal systems, mostly using proprietary protocol for internal
communications. They are being administrated remotely via IPSec VPN
(and possibly in the future also OpenVPN).

Thanks,

--Amos


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Ian Forde
On Thu, 2009-01-22 at 12:19 +1100, Amos Shapira wrote:
 Hi All,
 
 Yes, I know, it's really really embarrassing to have to ask but I'm
 being pushed to the wall with PCI DSS Compliance procedure
 (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
 we don't need to install an anti-virus or find an anti-virus to run on
 our CentOS 5 servers.

Note - I am *NOT* a lawyer.  This advice is freely given, and may be
worth exactly what you paid for it... ;)

 Whatever I do - it needs to be convincing enough to make the PCI
 compliance guy tick the box.
 
 So:
 
 1. Has anyone here gone through such a procedure and got good arguments
 against the need for anti-virus?

Yep - on the wikipedia page you referenced, look in the Requirements
section, section 5.  It says: Use and regularly update anti-virus
software on all systems commonly affected by malware

Note that CentOS isn't commonly affected by malware.  So you should be
okay here.

 2. Alternatively - what linux anti-virus (oh, the shame of typing this
 word combination :() do you use which doesn't affect our systems
 performance too much.

None... clamav, amavis, etc... are used for protecting Windows boxes
behind the Linux boxes.  If you aren't running any Windows hosts on the
same network as the Linux hosts, that should take care of the sweet spot
of the AV argument.  (Though if you're connected to a site via VPN or
private link that has Windows boxes, that may be a different story.)

 The reviewed servers run both Internet-facing web applications and
 internal systems, mostly using proprietary protocol for internal
 communications. They are being administrated remotely via IPSec VPN
 (and possibly in the future also OpenVPN).

Yep - then you want to make sure that since you're using a VPN, nothing
(like say, an Apache worm) can jump over...

PCI Compliance can be a bear.  Just make sure that you have management
buy-in, and good external scanning vendor...

-I



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Amos Shapira
2009/1/22 Ian Forde i...@duckland.org:
 On Thu, 2009-01-22 at 12:19 +1100, Amos Shapira wrote:
 Hi All,

 Yes, I know, it's really really embarrassing to have to ask but I'm
 being pushed to the wall with PCI DSS Compliance procedure
 (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
 we don't need to install an anti-virus or find an anti-virus to run on
 our CentOS 5 servers.

 Note - I am *NOT* a lawyer.  This advice is freely given, and may be
 worth exactly what you paid for it... ;)

Thanks. We are paying some guy ~$US2000 a day to do this officially.
But any preparation we can make to shorten the time he spends with us
might save us a lot of money. And your advice below looks very
reasonable.


 Whatever I do - it needs to be convincing enough to make the PCI
 compliance guy tick the box.

 So:

 1. Has anyone here gone through such a procedure and got good arguments
 against the need for anti-virus?

 Yep - on the wikipedia page you referenced, look in the Requirements
 section, section 5.  It says: Use and regularly update anti-virus
 software on all systems commonly affected by malware

 Note that CentOS isn't commonly affected by malware.  So you should be
 okay here.

:) Thanks.


 2. Alternatively - what linux anti-virus (oh, the shame of typing this
 word combination :() do you use which doesn't affect our systems
 performance too much.

 None... clamav, amavis, etc... are used for protecting Windows boxes
 behind the Linux boxes.  If you aren't running any Windows hosts on the

e.g. in situations where the Linux box is the internet-facing SMTP
server, right?

 same network as the Linux hosts, that should take care of the sweet spot
 of the AV argument.  (Though if you're connected to a site via VPN or
 private link that has Windows boxes, that may be a different story.)

Rightso. You reminded me - we have a couple of Windows servers there
as well (running software we didn't get around to porting to Linux yet).
They only talk to internal systems and we'll install BitDefender on
them (that's what we have around here).

They talk to a couple of the Linux servers internally using our
proprietary protocol.

Is this the sort of situation that triggers requirement for AV on linux?


 The reviewed servers run both Internet-facing web applications and
 internal systems, mostly using proprietary protocol for internal
 communications. They are being administrated remotely via IPSec VPN
 (and possibly in the future also OpenVPN).

 Yep - then you want to make sure that since you're using a VPN, nothing
 (like say, an Apache worm) can jump over...

Yes. We defined the PCI Zone as the remote data centre and have a
border between it and the rest of the world, including our offices.


 PCI Compliance can be a bear.  Just make sure that you have management
 buy-in, and good external scanning vendor...

This requirement came from management, though the vendor we picked
gives an impression that he knows his stuff about security and will
help with real pen-testing rather than just tick boxes on papers.

Thanks very much for your help!

Cheers,

--Amos


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Joseph L. Casale
Whatever I do - it needs to be convincing enough to make the PCI
compliance guy tick the box.

Eset has a current linux client, though their product *AND* support
suck the biggest one.

https://www.icsalabs.com/icsa/product.php?tid=dfgdf$gdhkkjk-

for more

HTH,
jlc


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Adam Tauno Williams
 Yes, I know, it's really really embarrassing to have to ask but I'm
 being pushed to the wall with PCI DSS Compliance procedure
 (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
 we don't need to install an anti-virus or find an anti-virus to run on
 our CentOS 5 servers.
 Whatever I do - it needs to be convincing enough to make the PCI
 compliance guy tick the box.
 1. Has anyone here gone through such a procedure and got good arguments
 against the need for anti-virus?

There is no good argument against running malware detection on any
server.

 2. Alternatively - what linux anti-virus (oh, the shame of typing this
 word combination :() do you use which doesn't affect our systems
 performance too much.

CLAMAV works well.

 The reviewed servers run both Internet-facing web applications and
 internal systems, mostly using proprietary protocol for internal
 communications. They are being administrated remotely via IPSec VPN
 (and possibly in the future also OpenVPN).



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Les Bell

Ian Forde i...@duckland.org wrote:


Yep - on the wikipedia page you referenced, look in the Requirements
section, section 5.  It says: Use and regularly update anti-virus
software on all systems commonly affected by malware


I doubt Amos's QSA is using Wikipedia as his reference, unfortunately. The
PCI DSS Ver 1.2 standard (of Oct. 2008 - get it from
https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html)
 actually states:

5.1 Deploy anti-virus software on all
systems commonly affected by
malicious software (particularly personal
computers and servers).

but then goes on, under Testing Procedures to state:

5.1 For a sample of system components including all
operating system types commonly affected by malicious
software, verify that anti-virus software is deployed if
applicable anti-virus technology exists.

Unfortunately, both open-source and commercial anti-virus software that
will run on CentOS do exist, which gives the assessor some wiggle-room.
Even worse, the Summary of Changes from 1.1 to 1.2 says:

Requirement  Testing Procedure: Clarified
requirement applies to all operating systems types
commonly affected by malicious software, if applicable
anti-virus technology exists.
Besides use of the term anti-virus software, changed
the term virus to malicious software.
Deleted note stating Systems commonly affected by
viruses typically do not include UNIX-based operating
systems or mainframes.

That last sentence is a killer, unfortunately - it means they have been
tightening up on *ix systems. Looks like you could be in for a battle if
the QSA is an intransigent sort. You could argue that while anti-virus
programs do exist, their purpose is to detect infected files which could
harm connected Windows systems, and are therefore not applicable in your
specific case, particularly since you are using proprietary protocols and
not running Windows file-sharing software (e.g. Samba, FTP, etc.)

It really comes down to whether your Assessor is clueful, or a box-ticking
droid.

Best,

--- Les Bell
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909




Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Ned Slider
Amos Shapira wrote:
 2009/1/22 Ian Forde i...@duckland.org:
 
 same network as the Linux hosts, that should take care of the sweet spot
 of the AV argument.  (Though if you're connected to a site via VPN or
 private link that has Windows boxes, that may be a different story.)
 
 Rightso. You reminded me - we have a couple of Windows servers there
 as well (running software we didn't get around to porting to Linux yet).
 They only talk to internal systems and we'll install BitDefender on
 them (that's what we have around here).
 

IF AV is needed, then BitDefender used to do a free command line based 
package for Linux. I don't know if it's still available, but if that's 
what you're using then might be worth looking into for evaluation 
purposes. The free version might not be available for commercial use 
though, but if you're already purchasing licences from them...

The joke of this is that when I tested a bunch of Linux based AVs a few 
years back, most of them didn't actually detect any Linux virus samples 
in my corpus - they only detected Windows-based samples.



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread John R Pierce

ClamAV is probably your best bet.

That said, the question is, what do you scan?  It can be used several 
ways, typically scanning files on demand...  it's not an intrusion 
detection system like most MS Windows scanners, where it automatically 
scans every file being read or written (while slowing the system down 
300%).  If your system isn't handling 'files', it becomes harder to 
figure out what to do with it...  I suppose you could crontab a nightly 
scan of all files on the system with clamscan, or something.  Of course, 
you want to run freshclam once or twice a day to pick up new definitions.

I most typically use ClamAV in my email flow, where MailScanner runs 
every inbound (and outbound) email through it.  I've also run it 
periodically against file systems used as a file server.


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Christopher Chan

 2. Alternatively - what linux anti-virus (oh, the shame of typing this
 word combination :() do you use which doesn't affect our systems
 performance too much.
 

Sophos AV if you have to get something on.


Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread jkinz
On Thu, Jan 22, 2009 at 12:19:27PM +1100, Amos Shapira wrote:
 Hi All,
 
 Yes, I know, it's really really embarrassing to have to ask but I'm
 being pushed to the wall with PCI DSS Compliance procedure
 (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
 we don't need to install an anti-virus or find an anti-virus to run on
 our CentOS 5 servers.
 
 Whatever I do - it needs to be convincing enough to make the PCI
 compliance guy tick the box.
 
 So:
 
 1. Has anyone here gone through such a procedure and got good arguments
 against the need for anti-virus?

Amos - the best argument I have ever seen along those lines is
here :  (And it's a good one )

http://linuxmafia.com/~rick/faq/index.php?page=virus

All UNIX/Linux aficionados should be familiar with its content.

FAIR WARNING, It is long and complex. Because it is 
comprehensive and detailed. Those among you familiar with Rick
Moen will understand and appreciate why.

A portion pasted here: 

The most recent version of these essays can be found at
http://linuxmafia.com/~rick/faq/.
Rick's Rants

  Virus . . .
  o Should I get anti-virus software for my Linux box?
  o But didn't security expert Simson Garfinkel say that
all Linux systems need virus checkers?
  o Don't the rise of Linux worms show that Linux now has
a virus problem?
  o Isn't Microsoft Corporation's market dominance,
making Linux an insignificant target, the only reason it doesn't
have a virus problem?
  o But how can you say there's no virus problem, when
there have been several dozen Linux viruses?


  Should I get anti-virus software for my Linux box?

  The problem with answering this question is that those
asking it know only OSes where viruses, trojan-horse programs,
worms, nasty Javascripts, ActiveX controls with destructive
payloads, and ordinary misbehaved applications are a constant
threat to their computing. Therefore, they refuse to believe
Linux could be different, no matter what they hear.

  And yet it is.

  Here's the short version of the answer: No. If you simply
never run untrusted executables while logged in as the root user
(or equivalent), all the virus checkers in the world will be at
best superfluous; at worst, downright harmful. Hostile
executables (including viruses) are almost unfindable in the
Linux world — and no real threat to it — because they lack
root-user authority, and because Linux admins are seldom stupid
enough to run untrusted executables as root, and because Linux
users' sources for privileged executables enjoy paranoid-grade
scrutiny (such that any unauthorised changes would be detected
and remedied).

  Here's the long version: Still no. Any program on a Linux
box, viruses included, can only do what the user who ran it can
do. Real users aren't allowed to hurt the system (only the root
user can), so neither can programs they run.

  Because of the distinction between privileged (root-run)
processes and user-owned processes, a hostile executable that a
non-root user receives (or creates) and then executes (runs)
cannot infect or otherwise manipulate the system as a whole.
Just as you can delete only your own files (i.e., those you have
write permission to), executables you run cannot affect other
users' (or root's) files. Therefore, although you can create (or
retrieve), and then run, a virus, worm, trojan horse, etc., it
can't do much. Unless you do so as root. Which it's simple to
avoid doing.

==

This is just the beginning - it continues on to cover every
aspect of the issue in a mere 1100 lines 

All of it well worth reading.


Jeff Kinz.



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Ian Forde
On Wed, 2009-01-21 at 21:06 -0500, Adam Tauno Williams wrote:
  Yes, I know, it's really really embarrassing to have to ask but I'm
  being pushed to the wall with PCI DSS Compliance procedure
  (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
  we don't need to install an anti-virus or find an anti-virus to run on
  our CentOS 5 servers.
  Whatever I do - it needs to be convincing enough to make the PCI
  compliance guy tick the box.
  1. Has anyone here gone through such a procedure and got good arguments
  against the need for anti-virus?
 
 There is no good argument against running malware detection on any
 server.

That depends upon how you define malware detection.  Antivirus software
for Linux typically scans for Windows viruses and malware.  On the other
hand, if you're talking about detection in the sense of Tripwire, or a
cron job that runs a 'rpm -V' every night, I completely agree that this
is something that should be done.

 CLAMAV works well.

For detecting Windows malware, which isn't really the point...

-I



Re: [CentOS] Antivirus for CentOS? (yuck!)

2009-01-21 Thread Les Bell

Ian Forde i...@duckland.org wrote:


That depends upon how you define malware detection.  Antivirus software
for Linux typically scans for Windows viruses and malware.  On the other
hand, if you're talking about detection in the sense of Tripwire, or a
cron job that runs a 'rpm -V' every night, I completely agree that this
is something that should be done.


Bingo. The changes made in PCI DSS v 1.2 broaden the scope of section 5
from viruses to malicious software. This covers viruses, worms,
trojans, spyware, rootkits, etc. Use of AIDE or Open-Source Tripwire, with
a carefully set up policy, should meet the requirements. I would write an
explanation of non-applicability that states that CentOS is at low risk
of infection by viruses and only slightly higher risk of infection by
worms, and that implementation of a host filesystem integrity verification
system (or host intrusion detection system) provides an appropriate control
to alert administrators to unauthorised changes of any kind on the system.
Add appropriate verbiage about SELinux, etc. if appropriate. I'd say that
should get the job done.

Best,

--- Les Bell
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909

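A concrete form of the nightly 'rpm -V' cron job Ian Forde mentions, which is also the kind of host filesystem integrity control Les Bell describes; this is an added example, not code from either poster. It assumes a stock CentOS rpm plus a cron entry such as "0 3 * * * root /usr/local/sbin/rpm-verify.sh --run"; the script path and the severity labels are my own choices.

```shell
#!/bin/sh
# Nightly package-integrity check built around 'rpm -V' (added example).
# A line of 'rpm -Va' output looks like:   S.5....T.  c /etc/ssh/sshd_config
#   attribute flags: S size  M mode  5 digest  D device  L link target
#                    U user  G group  T mtime  P capabilities (newer rpm)
#   or the word "missing" when the file is gone from disk;
#   optional type column: c config  d doc  g ghost  l license  r readme.
# Most of that output is noise (mtime changes, edited config files), so the
# filter below keeps only what an administrator should actually look at.

classify_rpm_verify() {
    awk '
    /^[SM5DLUGTP.?]+ / || /^missing / {
        attrs = $1
        match($0, /\/.*$/)                 # the path starts at the first slash
        path  = substr($0, RSTART)         #   (so paths with spaces survive)
        type  = ""
        if (NF >= 3 && $2 !~ /^\//) type = $2
        if      (attrs == "missing")          sev = "MISSING"
        else if (attrs ~ /5/ && type != "c")  sev = "MODIFIED"       # non-config content changed
        else if (attrs ~ /[MUGLD]/)           sev = "METADATA"       # mode/owner/group/link/device changed
        else if (attrs ~ /5/)                 sev = "CONFIG-EDITED"  # expected on a managed host, still logged
        else                                  next                   # size/mtime-only changes: ignore
        printf "%s %s (%s)\n", sev, path, attrs
    }'
}

# Verify every installed package, write the filtered findings to a report and
# raise a syslog warning if there are any.  Returns 1 when something was found.
nightly_rpm_check() {
    report="${1:-/var/log/rpm-verify-$(date +%Y-%m-%d).log}"
    rpm -Va 2>/dev/null | classify_rpm_verify > "$report"
    if [ -s "$report" ]; then
        logger -t rpm-verify -p auth.warning \
            "$(wc -l < "$report") unexpected package change(s), see $report"
        return 1
    fi
    return 0
}

# cron invokes the script with --run; without it only the functions are defined.
if [ "${1:-}" = "--run" ]; then
    nightly_rpm_check "${2:-}"
fi
```

As Les Mikesell points out earlier in the thread, a rootkit that hides itself from normal file access will hide from rpm too, and the rpm database is writable by root, so this report is a baseline rather than proof of integrity; AIDE or Tripwire with the database kept off-host is the stronger form of the same control.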
