Re: [OpenIndiana-discuss] Anti-Virus strategy
Michelle,

The first thing I would do for performance is to limit your scans to user home directories unless you're really paranoid. Then you can use one of the intrusion detectors to make sure none of the system files were touched.

For me, validating that the system files haven't been tampered with is much more critical. I was hit hard with a root-kit on a SunOS machine back in the 80s and had no choice but to wipe everything clean and reinstall since there was no clear way to determine what was compromised. The only good thing was that my firewall prevented the root kit from getting the command/control connection to do whatever nefarious work was intended. I've never had a successful attack since, but I still remember the horror and pain that that caused. If they hadn't had a small bug in their installation that caused a peculiar error message that I happened to catch flying by during a boot, I would not have started the investigation that finally uncovered it.

I happen to use aide and run it nightly using the reference database stored on a read-only device for added security. The only downside is that after installing, updating, or removing a package you have to take the time to bless the changes reported by such a system. On the plus side, it saved me a few times when I accidentally overwrote things (one of those Oh-No! situations). I could easily generate a report of what was changed so I could pull back the original files from backup.

Gary

On 12/26/2012 11:13 AM, Michelle Knight wrote:
> Hi Folks,
>
> Up until now, I've been using Clam on a Linux client to remotely scan my ZFS volumes overnight every few days; primarily as I don't know anything about running anti-virus directly on the OI box.
>
> However, the number of (especially small) files has been increasing so I'm facing installing and configuring an anti-virus scan on the OI box itself.
>
> I've done some search engine reading, but it is all at a higher level and I haven't been able to learn enough to put together a solid strategy.
>
> I don't really suffer viruses, thanks to some hard lessons learned in the past. However I'm human and something could still catch me on a blind side some day, so another gatekeeper won't hurt.
>
> Has anyone got any advice and links to instructions please?
>
> Many thanks,
>
> Michelle.

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Anti-Virus strategy
On 2012-12-26 17:13, Michelle Knight wrote:
> Hi Folks,
>
> Up until now, I've been using Clam on a Linux client to remotely scan my ZFS volumes overnight every few days; primarily as I don't know anything about running anti-virus directly on the OI box.
> (...)
> I don't really suffer viruses, thanks to some hard lessons learned in the past. However I'm human and something could still catch me on a blind side some day, so another gatekeeper won't hurt.
>
> Has anyone got any advice and links to instructions please?

Well, one thing you could use is ClamAV itself. It cleanly compiles under Solaris; I believe OI or SFE even provide it as a package, maybe even with SMF integration. I've recently packaged my own build for my older Solaris machines (you might need ncurses for clamdtop, otherwise no surprises).

Then you could either use regular scanning via command-line/crontab and/or intrusion detection (as Gary detailed), perhaps mixing the two to only scan changed files. Though it might make sense to scan everything once in a while, just in case new fingerprints are added to the antivirus database that were not present when you originally saved the files with possible unknown viruses.

However, ClamAV's strengths shine when you use it as a daemon. Not only is its command-line client clamdscan much faster than the usual clamscan - because it doesn't have to load the databases every time - but you can also use clamd as a filter for other tasks. The bundled clamav-milter can help with your emails, and the extra ICAP integration (i.e. c-icap software) allows you to stick the filter into Squid for web traffic, into Samba for CIFS and into ZFS for any file IO (CIFS, NFS, FTP, local, ...).

* http://www.c0t0d0s0.org/uploads/vscanclamav.pdf
* http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html#id2652728
* http://squidclamav.darold.net and http://louwrentius.com/blog/2012/08/setting-up-a-squid-proxy-with-clamav-anti-virus-using-c-icap/
* http://c-icap.sourceforge.net/
* http://www.clamav.net/lang/en/

DISCLAIMER: I did not try anything other than email integration and command-line test usage, so can't help in detail further than this...

HTH,
//Jim Klimov
Re: [OpenIndiana-discuss] Anti-Virus strategy
Thank you both for your advice.

I neglected to tell you exactly what role OI is being used for, which could help you target your advice.

The OI machine is a simple text server installation; no frills. It has two admin users on board, namely root and the irregular user name that I use when installing. This is what I ssh to the box with when I need to do rare admin work (which is why I keep forgetting commands; this thing is like a tank!)

All other user names are used for file access only via the CIFS share and have no other privs on the system. Therefore, the usual home areas aren't written to or used on a regular basis.

There is one large ZFS dataset published with CIFS and most areas are read-only. Only some select areas are read-write by a very few data users only. The rest are read-only and have to be written to by opening an SFTP session.

The chances of someone getting at the system itself are remote; but if the worst happens, the system is so straightforward I can have it rebuilt in less than an hour.

You're talking about things that I don't completely understand. Obviously, as I used to be an assembler programmer, I know what you're saying (make, compile, etc.) but not how to achieve it in OI. I never really learned C, so I do need a bit of babying. Particularly when they go wrong; I never know which libraries have what in them. I just don't do it on a regular basis.

First question is that as the machine is used on this basis, is intrusion detection going to deliver me any serious benefit? I'm not using it for browsing, etc. and very limited services are running; basically the only thing extra to what comes out of the box is CIFS for the ZFS share.

Secondly, Clam as a daemon sounds a good step forward, but I'm not sure how to get its reports. Currently, the client produces a report of the scan and puts it to a separate web server, which is my home page. Whenever I open a browser I get an hourly report of the ZFS status and a link to the last anti-virus scan.

How do I get the daemon to plug in to this kind of reporting please?

Thanks again,

Michelle.
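As an added example that is not part of any message in this thread: a cron-driven script that scans a share through the daemon client clamdscan (the faster path Jim describes) and publishes a small HTML page of the result, the way Michelle's current client pushes a report to her web server. It assumes clamd is running with a local Unix socket (required for --fdpass), that the dataset is mounted at /tank/share and that /var/www/htdocs/avscan is a directory the cron user can write; all three are placeholders.

```shell
#!/bin/sh
# Nightly clamdscan run with a web-visible report. Added example; paths are assumptions.
set -u

# Count verdict lines of one kind ("FOUND" or "ERROR") in a clamdscan log.
# grep -c prints 0 and exits 1 when nothing matches, so swallow that status.
count_verdicts() {  # usage: count_verdicts LOGFILE KIND
    grep -c " $2\$" "$1" 2>/dev/null || true
}

# Render a clamdscan log as an HTML page in OUTDIR; prints the path written.
render_report() {  # usage: render_report LOGFILE OUTDIR
    log=$1; out=$2/index.html
    found=$(count_verdicts "$log" FOUND)
    errors=$(count_verdicts "$log" ERROR)
    if [ "$found" -eq 0 ] && [ "$errors" -eq 0 ]; then status=CLEAN; else status=ATTENTION; fi
    {
        printf '<html><body><h1>AV scan: %s</h1>\n' "$status"
        printf '<p>Generated %s. Infected: %s, errors: %s.</p>\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$found" "$errors"
        printf '<pre>\n'
        # Escape HTML metacharacters so a file name on the share cannot inject markup.
        grep -E ' (FOUND|ERROR)$' "$log" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
        printf '</pre></body></html>\n'
    } > "$out"
    echo "$out"
}

# Scan via the daemon (no signature database load per run) and publish the report.
# --infected logs only hits, --fdpass hands open descriptors to clamd over the socket,
# --multiscan lets clamd use several threads.
nightly_scan() {  # usage: nightly_scan /tank/share /var/www/htdocs/avscan
    log=/var/log/clamdscan-$(date +%Y%m%d).log
    clamdscan --infected --fdpass --multiscan --log="$log" "$1" >/dev/null 2>&1
    render_report "$log" "$2"
}

# Example crontab entry: 0 3 * * * /usr/local/bin/avscan.sh --run /tank/share /var/www/htdocs/avscan
if [ "${1:-}" = "--run" ]; then
    nightly_scan "$2" "$3"
fi
```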
Re: [OpenIndiana-discuss] Anti-Virus strategy
+1 on the ClamAV thing.

In past lives when I cared about viruses, I never had any problem getting a clean compile of ClamAV on Solaris or Solaris-based distros.

I would also second Jim's recommendation of the VSCAN and related items. It looks like the following is necessary to get the base VSCAN stuff added to OI.

# pkg install pkg:/service/storage/virus-scan

Also, but obsolete, is the original OpenSolaris VSCAN page.

http://www.opensolaris.org/os/project/vscan

which now redirects here:

http://hub.opensolaris.org/bin/view/Project+vscan/

Jerry

On 12/26/12 11:08 AM, Jim Klimov wrote:
> Well, one thing you could use is ClamAV itself. It cleanly compiles under Solaris; I believe OI or SFE even provide it as a package, maybe even with SMF integration. I've recently packaged my own build for my older Solaris machines (you might need ncurses for clamdtop, otherwise no surprises).
>
> Then you could either use regular scanning via command-line/crontab and/or intrusion detection (as Gary detailed), perhaps mixing the two to only scan changed files. Though it might make sense to scan everything once in a while, just in case new fingerprints are added to the antivirus database that were not present when you originally saved the files with possible unknown viruses.
>
> However, ClamAV's strengths shine when you use it as a daemon. Not only is its command-line client clamdscan much faster than the usual clamscan - because it doesn't have to load the databases every time - but you can also use clamd as a filter for other tasks. The bundled clamav-milter can help with your emails, and the extra ICAP integration (i.e. c-icap software) allows you to stick the filter into Squid for web traffic, into Samba for CIFS and into ZFS for any file IO (CIFS, NFS, FTP, local, ...).
>
> * http://www.c0t0d0s0.org/uploads/vscanclamav.pdf
> * http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html#id2652728
> * http://squidclamav.darold.net and http://louwrentius.com/blog/2012/08/setting-up-a-squid-proxy-with-clamav-anti-virus-using-c-icap/
> * http://c-icap.sourceforge.net/
> * http://www.clamav.net/lang/en/
>
> DISCLAIMER: I did not try anything other than email integration and command-line test usage, so can't help in detail further than this...
>
> HTH,
> //Jim Klimov
Re: [OpenIndiana-discuss] Anti-Virus strategy
> http://www.c0t0d0s0.org/uploads/vscanclamav.pdf

And a very quick look at the Solaris 11 docs leaves me with the impression that Vscan hasn't changed much since OpenSolaris. So it might take a bit more doc reading and fiddling than the above, but probably not too much. Haven't tried it myself, so there's probably not much point in asking me detailed questions.

On Dec 26, 2012, at 2:15 PM, Jerry Kemp wrote:
> +1 on the ClamAV thing.
>
> In past lives when I cared about viruses, I never had any problem getting a clean compile of ClamAV on Solaris or Solaris-based distros.
>
> I would also second Jim's recommendation of the VSCAN and related items. It looks like the following is necessary to get the base VSCAN stuff added to OI.
>
> # pkg install pkg:/service/storage/virus-scan
>
> Also, but obsolete, is the original OpenSolaris VSCAN page.
>
> http://www.opensolaris.org/os/project/vscan
>
> which now redirects here:
>
> http://hub.opensolaris.org/bin/view/Project+vscan/
>
> Jerry
>
> On 12/26/12 11:08 AM, Jim Klimov wrote:
>> Well, one thing you could use is ClamAV itself. It cleanly compiles under Solaris; I believe OI or SFE even provide it as a package, maybe even with SMF integration. I've recently packaged my own build for my older Solaris machines (you might need ncurses for clamdtop, otherwise no surprises).
>>
>> Then you could either use regular scanning via command-line/crontab and/or intrusion detection (as Gary detailed), perhaps mixing the two to only scan changed files. Though it might make sense to scan everything once in a while, just in case new fingerprints are added to the antivirus database that were not present when you originally saved the files with possible unknown viruses.
>>
>> However, ClamAV's strengths shine when you use it as a daemon. Not only is its command-line client clamdscan much faster than the usual clamscan - because it doesn't have to load the databases every time - but you can also use clamd as a filter for other tasks. The bundled clamav-milter can help with your emails, and the extra ICAP integration (i.e. c-icap software) allows you to stick the filter into Squid for web traffic, into Samba for CIFS and into ZFS for any file IO (CIFS, NFS, FTP, local, ...).
>>
>> * http://www.c0t0d0s0.org/uploads/vscanclamav.pdf
>> * http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html#id2652728
>> * http://squidclamav.darold.net and http://louwrentius.com/blog/2012/08/setting-up-a-squid-proxy-with-clamav-anti-virus-using-c-icap/
>> * http://c-icap.sourceforge.net/
>> * http://www.clamav.net/lang/en/
>>
>> DISCLAIMER: I did not try anything other than email integration and command-line test usage, so can't help in detail further than this...
>>
>> HTH,
>> //Jim Klimov

--
eMail: mailto:rlha...@smart.net
Home page: http://www.smart.net/~rlhamil/
Facebook, MySpace, AIM, Yahoo, etc: ask