Hi all!
At work we've developed a package that we ship as an RPM. We also have a requirement to virus-scan everything we ship.
The company uses AVG antivirus on Windows. It can find and scan all the files in a zip file, but it scans only the RPM itself, not its contents.
Anybody out there know if RH (or CentOS) has any tools for scanning the contents of files such as RPMs that have other things embedded inside them?
Thanks in advance!
Fred
On Tue, Jun 11, 2019, at 6:52 PM, Fred Smith wrote:
> Hi all!
> At work we've developed a package that we ship as an RPM. We also have a requirement to virus-scan everything we ship.
> The company uses AVG antivirus on Windows. It can find and scan all the files in a zip file, but it scans only the RPM itself, not its contents.
> Anybody out there know if RH (or CentOS) has any tools for scanning the contents of files such as RPMs that have other things embedded inside them?
EPEL has clamav. Red Hat maintains that anti-virus is unnecessary, so does not ship a solution.
V/r, James Cassell
> Thanks in advance!
> Fred
> ---- Fred Smith -- fredex@fcshome.stoneham.ma.us -----------------------------
> Show me your ways, O LORD, teach me your paths; Guide me in your truth and teach me, for you are God my Savior, And my hope is in you all day long.
> -------------------------- Psalm 25:4-5 (NIV) --------------------------------
_______________________________________________
CentOS-devel mailing list
CentOS-devel@centos.org
https://lists.centos.org/mailman/listinfo/centos-devel
On Tue, Jun 11, 2019 at 07:00:03PM -0400, James Cassell wrote:
> On Tue, Jun 11, 2019, at 6:52 PM, Fred Smith wrote:
> > Hi all!
> > At work we've developed a package that we ship as an RPM. We also have a requirement to virus-scan everything we ship.
> > The company uses AVG antivirus on Windows. It can find and scan all the files in a zip file, but it scans only the RPM itself, not its contents.
> > Anybody out there know if RH (or CentOS) has any tools for scanning the contents of files such as RPMs that have other things embedded inside them?
> EPEL has clamav. Red Hat maintains that anti-virus is unnecessary, so does not ship a solution.
Yeah, I don't disagree. Unfortunately someone up high in the company has caved to customer pressure, and it's written into contracts. :( :( :(
Best thing we've been able to come up with is to do rpm-to-cpio, then virus-scan the rpm and the cpio file on Windows. Since I wasn't present when that was done, I don't know if the scanner actually noticed the files in the cpio archive.
Could move the entire tree of things that will become the rpm to Windows and run the scanner on that. But symbolic links will be a problem on Winders.
I would suggest, after the build is completed, have clamav scan the sources, as part of the build section of the RPM spec. Once the RPM is built, make sure to GPG sign it and also publish your public key so GPG signature checking can be enabled. In this way, you satisfy the AV scan requirement on the package contents before packaging, and you sign the package during build to help ensure it hasn't been tampered with post build.
Obviously, you need to go through all the rigmarole to ensure signature checking is enabled on the destination devices, and that your key is imported and trusted (and you will want to sign your repo if you use one as well, and enable repo signature checking), and also ensure that unsigned RPMs cannot be installed.
Gregory Young
-----Original Message-----
From: CentOS-devel centos-devel-bounces@centos.org On Behalf Of Fred Smith
Sent: June 11, 2019 9:45 PM
To: The CentOS developers mailing list. centos-devel@centos.org
Subject: Re: [CentOS-devel] virusscan a RPM file?

> On Tue, Jun 11, 2019 at 07:00:03PM -0400, James Cassell wrote:
> > On Tue, Jun 11, 2019, at 6:52 PM, Fred Smith wrote:
> > > Hi all!
> > > At work we've developed a package that we ship as an RPM. We also have a requirement to virus-scan everything we ship.
> > > The company uses AVG antivirus on Windows. It can find and scan all the files in a zip file, but it scans only the RPM itself, not its contents.
> > > Anybody out there know if RH (or CentOS) has any tools for scanning the contents of files such as RPMs that have other things embedded inside them?
> > EPEL has clamav. Red Hat maintains that anti-virus is unnecessary, so does not ship a solution.
> Yeah, I don't disagree. Unfortunately someone up high in the company has caved to customer pressure, and it's written into contracts. :( :( :(
> Best thing we've been able to come up with is to do rpm-to-cpio, then virus-scan the rpm and the cpio file on Windows. Since I wasn't present when that was done, I don't know if the scanner actually noticed the files in the cpio archive.
> Could move the entire tree of things that will become the rpm to Windows and run the scanner on that. But symbolic links will be a problem on Winders.
> --
> ---- Fred Smith -- fredex@fcshome.stoneham.ma.us -----------------------------
> "For the word of God is living and active. Sharper than any double-edged sword, it penetrates even to dividing soul and spirit, joints and marrow; it judges the thoughts and attitudes of the heart."
> ---------------------------- Hebrews 4:12 (NIV) ------------------------------
On 6/12/19 4:16 AM, Young, Gregory wrote:
> I would suggest, after the build is completed, have clamav scan the sources, as part of the build section of the RPM spec. Once the RPM is built, make sure to GPG sign it and also publish your public key so GPG signature checking can be enabled. In this way, you satisfy the AV scan requirement on the package contents before packaging, and you sign the package during build to help ensure it hasn't been tampered with post build.
That implies that virus scanners are able to detect malicious source code, which doesn't seem likely, since they mostly look for binary patterns (notwithstanding stuff like VBScript) and that the build machine was not itself infected and spews out malicious binaries for clean source code.
Doesn't sound like a good way to go to me.
> Obviously, you need to go through all the rigmarole to ensure signature checking is enabled on the destination devices, and that your key is imported and trusted (and you will want to sign your repo if you use one as well, and enable repo signature checking), and also ensure that unsigned RPMs cannot be installed.
Together with signing you could however transfer the RPM file to a trusted scanning box, check the signature, unpack the file (rpm2cpio ... | cpio --extract --make-directories) into a staging directory and use clamav's manual scanner on that staging directory. This can easily be done on a CentOS box with EPEL packages and a bit of automation scripts. That approach also assumes that you have a "trusted scanning box", but all this snake oil expects a trusted something at some point in the chain.
Mihai
Hi,
visit
and scan your RPM. You will get a list of virus scan software that supports RPMs.
We use
Sophos AV for Linux used via MailScanner https://www.mailscanner.info/.
https://community.sophos.com/products/endpoint-security-control/f/sophos-end...
thanks
--
Thomas Stephen Lee
On Wed, Jun 12, 2019 at 7:54 AM Mihai Moldovan ionic@ionic.de wrote:
> On 6/12/19 4:16 AM, Young, Gregory wrote:
> > I would suggest, after the build is completed, have clamav scan the sources, as part of the build section of the RPM spec. Once the RPM is built, make sure to GPG sign it and also publish your public key so GPG signature checking can be enabled. In this way, you satisfy the AV scan requirement on the package contents before packaging, and you sign the package during build to help ensure it hasn't been tampered with post build.
> That implies that virus scanners are able to detect malicious source code, which doesn't seem likely, since they mostly look for binary patterns (notwithstanding stuff like VBScript) and that the build machine was not itself infected and spews out malicious binaries for clean source code.
> Doesn't sound like a good way to go to me.
> > Obviously, you need to go through all the rigmarole to ensure signature checking is enabled on the destination devices, and that your key is imported and trusted (and you will want to sign your repo if you use one as well, and enable repo signature checking), and also ensure that unsigned RPMs cannot be installed.
> Together with signing you could however transfer the RPM file to a trusted scanning box, check the signature, unpack the file (rpm2cpio ... | cpio --extract --make-directories) into a staging directory and use clamav's manual scanner on that staging directory. This can easily be done on a CentOS box with EPEL packages and a bit of automation scripts. That approach also assumes that you have a "trusted scanning box", but all this snake oil expects a trusted something at some point in the chain.
> Mihai
On Wed, Jun 12, 2019 at 02:16:27AM +0000, Young, Gregory wrote:
> I would suggest, after the build is completed, have clamav scan the sources, as part of the build section of the RPM spec. Once the RPM is built, make sure to GPG sign it and also publish your public key so GPG signature checking can be enabled. In this way, you satisfy the AV scan requirement on the package contents before packaging, and you sign the package during build to help ensure it hasn't been tampered with post build.
You can use 'cpio' to extract the payload of an RPM; e.g.:
rpm2cpio commons-lang3-3.3.2-1.x86_64.rpm | cpio -idmv
That won't dump out scriptlets, triggers, etc. That's an additional set of steps:
rpm -q --scripts -p commons-lang3-3.3.2-1.x86_64.rpm
rpm -q --triggers -p commons-lang3-3.3.2-1.x86_64.rpm
rpm -q --queryformat "%{PRETRANS}" -p commons-lang3-3.3.2-1.x86_64.rpm
rpm -q --queryformat "%{POSTTRANS}" -p commons-lang3-3.3.2-1.x86_64.rpm
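The two suggestions above fit together into one script: Mihai's pipeline (check the signature on a trusted scanning box, unpack with rpm2cpio | cpio into a staging directory, run ClamAV's on-demand scanner over it) plus the scriptlet and trigger dumps the previous message points out cpio never extracts. The following is an added example written for this thread, not code from any of the posters or from the CentOS project. It assumes rpm, rpm2cpio, cpio and clamscan (ClamAV from EPEL) are on PATH, that the vendor's public key has already been imported with `rpm --import`, and that the `rpm -K` output strings it matches are the ones your rpm version prints.

```shell
#!/bin/sh
# scan_rpm.sh: verify an RPM's GPG signature, unpack its payload into a scratch
# directory, dump its scriptlets and triggers alongside, and run clamscan over
# the whole staging tree. Added example for this thread, not list code.
# Assumed tools: rpm, rpm2cpio, cpio, clamscan (ClamAV from EPEL).

# Return 1 if any of the named tools is missing from PATH.
require_tools() {
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing required tool: $tool" >&2
            missing=1
        fi
    done
    return $missing
}

# Map clamscan's documented exit status to a word: 0 clean, 1 infected, 2 error.
verdict_from_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# `rpm -K` exits non-zero when a digest or signature fails, but it also exits 0
# for a package that carries no signature at all, so we additionally require
# the output to mention an OK PGP signature. The strings matched here are an
# assumption about the rpm version ("... pgp ... OK" on 4.11, "digests
# signatures OK" on 4.14+); adjust for yours.
verify_signature() {
    out=$(rpm -K "$1") || return 1
    case "$out" in
        *"signatures OK"*|*" pgp "*) return 0 ;;
        *) echo "no trusted signature on $1: $out" >&2; return 1 ;;
    esac
}

# Unpack the payload under $2/payload and write scriptlets and triggers to
# files under $2/scripts so the scanner sees them as ordinary text inputs.
stage_rpm() {
    pkg=$1; stage=$2
    mkdir -p "$stage/payload" "$stage/scripts"
    # --no-absolute-filenames keeps a malformed payload from escaping $stage.
    rpm2cpio "$pkg" | (cd "$stage/payload" && cpio -idm --no-absolute-filenames --quiet)
    rpm -qp --scripts  "$pkg" > "$stage/scripts/scriptlets.txt"
    rpm -qp --triggers "$pkg" > "$stage/scripts/triggers.txt"
    rpm -qp --queryformat '%{PRETRANS}\n'  "$pkg" > "$stage/scripts/pretrans.txt"
    rpm -qp --queryformat '%{POSTTRANS}\n' "$pkg" > "$stage/scripts/posttrans.txt"
}

main() {
    pkg=$1
    [ -n "$pkg" ] || { echo "usage: $0 package.rpm" >&2; return 2; }
    require_tools rpm rpm2cpio cpio clamscan || return 2
    verify_signature "$pkg" || return 2

    stage=$(mktemp -d) || return 2
    trap 'rm -rf "$stage"' EXIT
    stage_rpm "$pkg" "$stage"

    # clamscan does not follow symlinks by default, so links inside the payload
    # neither break the scan nor point it at files outside the staging tree.
    if clamscan --recursive --infected "$stage"; then rc=0; else rc=$?; fi
    verdict=$(verdict_from_exit "$rc")
    echo "$pkg: $verdict"
    [ "$verdict" = clean ]
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh scan_rpm.sh package.rpm`; it exits 0 only when the signature is trusted and clamscan reports the staging tree clean, so it slots into a release gate. Mihai's caveat still applies: scanning scriptlets as text catches little beyond known signatures, and the scanning box itself is the thing you have to trust.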