[CentOS] Antivirus for CentOS? (yuck!)

Ian Forde ian at duckland.org
Thu Jan 22 01:45:00 UTC 2009


On Thu, 2009-01-22 at 12:19 +1100, Amos Shapira wrote:
> Hi All,
> 
> Yes, I know, it's really really embarrassing to have to ask but I'm
> being pushed to the wall with PCI DSS Compliance procedure
> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> we don't need to install an anti-virus or find an anti-virus to run on
> our CentOS 5 servers.

Note - I am *NOT* a lawyer.  This advice is freely given, and may be
worth exactly what you paid for it... ;)

> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.
> 
> So:
> 
> 1. Has anyone here gone though such a procedure and got good arguments
> against the need for anti-virus?

Yep - on the wikipedia page you referenced, look in the "Requirements"
section, section 5.  It says: "Use and regularly update anti-virus
software on all systems commonly affected by malware"

Note that CentOS isn't commonly affected by malware.  So you should be
okay here.

> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination :() do you use which doesn't affect our systems
> performance too much.

None... clamav, amavis, etc... are used for protecting Windows boxes
behind the Linux boxes.  If you aren't running any Windows hosts on the
same network as the Linux hosts, that should take care of the sweet spot
of the AV argument.  (Though if you're connected to a site via VPN or
private link that has Windows boxes, that may be a different story.)

> The reviewed servers run both Internet-facing web applications and
> internal systems, mostly using proprietary protocol for internal
> communications. They are being administrated remotely via IPSec VPN
> (and possibly in the future also OpenVPN).

Yep - then you want to make sure that since you're using a VPN, nothing
(like say, an Apache worm) can jump over...

PCI Compliance can be a bear.  Just make sure that you have management
buy-in, and good external scanning vendor...

	-I



More information about the CentOS mailing list