Hi All,
Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers.
Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box.
So:
1. Has anyone here gone through such a procedure and got good arguments against the need for anti-virus?
2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much.
The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN).
Thanks,
--Amos
On Thu, 2009-01-22 at 12:19 +1100, Amos Shapira wrote:
Hi All,
Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers.
Note - I am *NOT* a lawyer. This advice is freely given, and may be worth exactly what you paid for it... ;)
Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box.
So:
- Has anyone here gone through such a procedure and got good arguments
against the need for anti-virus?
Yep - on the wikipedia page you referenced, look in the "Requirements" section, section 5. It says: "Use and regularly update anti-virus software on all systems commonly affected by malware"
Note that CentOS isn't commonly affected by malware. So you should be okay here.
- Alternatively - what linux anti-virus (oh, the shame of typing this
word combination :() do you use which doesn't affect our systems performance too much.
None... clamav, amavis, etc... are used for protecting Windows boxes behind the Linux boxes. If you aren't running any Windows hosts on the same network as the Linux hosts, that should take care of the sweet spot of the AV argument. (Though if you're connected to a site via VPN or private link that has Windows boxes, that may be a different story.)
The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN).
Yep - then you want to make sure that since you're using a VPN, nothing (like say, an Apache worm) can jump over...
PCI Compliance can be a bear. Just make sure that you have management buy-in, and good external scanning vendor...
-I
2009/1/22 Ian Forde ian@duckland.org:
On Thu, 2009-01-22 at 12:19 +1100, Amos Shapira wrote:
Hi All,
Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers.
Note - I am *NOT* a lawyer. This advice is freely given, and may be worth exactly what you paid for it... ;)
Thanks. We are paying some guy ~$US2000 a day to do this officially. But any preparation we can make to shorten the time he spends with us might save us a lot of money. And your advice below looks very reasonable.
Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box.
So:
- Has anyone here gone through such a procedure and got good arguments
against the need for anti-virus?
Yep - on the wikipedia page you referenced, look in the "Requirements" section, section 5. It says: "Use and regularly update anti-virus software on all systems commonly affected by malware"
Note that CentOS isn't commonly affected by malware. So you should be okay here.
:) Thanks.
- Alternatively - what linux anti-virus (oh, the shame of typing this
word combination :() do you use which doesn't affect our systems performance too much.
None... clamav, amavis, etc... are used for protecting Windows boxes behind the Linux boxes. If you aren't running any Windows hosts on the
e.g. in situations where the Linux box is the internet-facing SMTP server, right?
same network as the Linux hosts, that should take care of the sweet spot of the AV argument. (Though if you're connected to a site via VPN or private link that has Windows boxes, that may be a different story.)
Rightso. You reminded me - we have a couple of Windows servers there as well (running software we didn't get around to port to Linux yet). They only talk to internal systems and we'll install BitDefender on them (that's what we have around here).
They talk to a couple of the Linux servers internally using our proprietary protocol.
Is this the sort of situation that triggers requirement for AV on linux?
The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN).
Yep - then you want to make sure that since you're using a VPN, nothing (like say, an Apache worm) can jump over...
Yes. We defined the "PCI Zone" as the remote data centre and have a "border" between it and the rest of the world, including our offices.
PCI Compliance can be a bear. Just make sure that you have management buy-in, and good external scanning vendor...
This requirement came from management, though the vendor we picked gives an impression that he knows his stuff about security and will help with real pen-testing rather than just tick boxes on papers.
Thanks very much for your help!
Cheers,
--Amos
Amos Shapira wrote:
2009/1/22 Ian Forde ian@duckland.org:
same network as the Linux hosts, that should take care of the sweet spot of the AV argument. (Though if you're connected to a site via VPN or private link that has Windows boxes, that may be a different story.)
Rightso. You reminded me - we have a couple of Windows servers there as well (running software we didn't get around to port to Linux yet). They only talk to internal systems and we'll install BitDefender on them (that's what we have around here).
IF AV is needed, then BitDefender used to do a free command line based package for Linux. I don't know if it's still available, but if that's what you're using then might be worth looking into for evaluation purposes. The free version might not be available for commercial use though, but if you're already purchasing licences from them...
The joke of this is that when I tested a bunch of Linux based AVs a few years back, most of them didn't actually detect any Linux virus samples in my corpus - they only detected Windows-based samples.
None... clamav, amavis, etc... are used for protecting Windows boxes behind the Linux boxes. If you aren't running any Windows hosts on the
FYI, clamav also detects linux based viruses. There are linux based viruses. Rkhunter is also good to run on a linux server as well.
http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses
Of course if you keep your passwords secure and up to date on patches you 'should' not get any viruses on a linux box. Nothing is certain though. It's very little effort to install clamav and rkhunter.
Matt
On Thu, 22 Jan 2009 09:32:16 -0600, Matt wrote:
FYI, clamav also detects linux based viruses. There are linux based viruses. Rkhunter is also good to run on a linux server as well.
http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses
Of course if you keep your passwords secure and up to date on patches you 'should' not get any viruses on a linux box. Nothing is certain though. It's very little effort to install clamav and rkhunter.
Viruses have nothing to do with passwords. Viruses get passed around by infected binaries. You might be thinking of worms. Antiviruses don't protect against worms, IDSs do. Unfortunately PCI-DSS requires an AV *as well* as an IDS.
Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box.
Eset has a current linux client, though their product *AND* support suck the biggest one.
https://www.icsalabs.com/icsa/product.php?tid=dfgdf$gdhkkjk-kkkk
for more
HTH, jlc
Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box.
- Has anyone here gone through such a procedure and got good arguments
against the need for anti-virus?
There is no good argument against running malware detection on any server.
- Alternatively - what linux anti-virus (oh, the shame of typing this
word combination :() do you use which doesn't affect our systems performance too much.
CLAMAV works well.
The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN).
On Wed, 2009-01-21 at 21:06 -0500, Adam Tauno Williams wrote:
Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers. Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box.
- Has anyone here gone through such a procedure and got good arguments
against the need for anti-virus?
There is no good argument against running malware detection on any server.
That depends upon how you define malware detection. Antivirus software for Linux typically scans for Windows viruses and malware. On the other hand, if you're talking about detection in the sense of Tripwire, or a cron job that runs a 'rpm -V' every night, I completely agree that this is something that should be done.
CLAMAV works well.
For detecting Windows malware, which isn't really the point...
-I
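The nightly 'rpm -V' cron job mentioned above, worked through as a small script: it classifies each line of `rpm -Va` output and raises an alert only for non-config files whose digest, size, mode or ownership changed, or which are missing. This is an added example, not code from the thread or the rpm project; the sample verify lines in the comments are constructed.

```shell
#!/bin/sh
# Nightly package-integrity check in the spirit of the "cron job that runs
# 'rpm -V' every night" suggested above. Added example, not from the thread.
#
# rpm -Va prints one line per file that differs from what the package
# database recorded, e.g. (constructed samples):
#   S.5....T  c /etc/ssh/sshd_config
#   missing     /usr/sbin/sshd
# The first field is an attribute string (S=size, M=mode, 5=digest,
# D=device, L=symlink, U=user, G=group, T=mtime, P=capabilities; "." means
# unchanged) or the word "missing". An optional second field gives the file
# type: "c" marks a config file, which is expected to drift and is only
# counted, not alerted on.

# Classify one rpm -Va line: prints "alert", "config" or "ignore".
classify_line() {
    attrs=$(printf '%s\n' "$1" | awk '{print $1}')
    second=$(printf '%s\n' "$1" | awk '{print $2}')
    [ "$attrs" = "missing" ] && { echo alert; return; }
    [ "$second" = "c" ] && { echo config; return; }
    case "$attrs" in
        # a changed digest, size, mode, owner or group on a non-config
        # file is what a replaced binary or a planted setuid file looks like
        *5*|*S*|*M*|*U*|*G*) echo alert ;;
        # mtime-only changes (e.g. from a stray touch) are noise
        *) echo ignore ;;
    esac
}

# Summarise a whole rpm -Va report read from stdin: alert lines go to
# stderr (so cron mails them), and a one-line count goes to stdout.
summarize_report() {
    alerts=0; configs=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case $(classify_line "$line") in
            alert)  alerts=$((alerts + 1)); printf 'ALERT: %s\n' "$line" >&2 ;;
            config) configs=$((configs + 1)) ;;
        esac
    done
    printf 'alerts=%d config=%d\n' "$alerts" "$configs"
}

# Caveat: rpm -V trusts the package database on the same host, so a
# root-level compromise can rewrite both the files and the database. Treat
# this as a cheap detector for unprivileged tampering and keep an offline
# baseline (Tripwire/AIDE style) for anything stronger.

# Run for real only when invoked with --run, so the functions above can be
# sourced or exercised on saved output without rpm installed.
[ "${1:-}" = "--run" ] && rpm -Va 2>/dev/null | summarize_report
```

Install it as a root cron entry such as `0 4 * * * /usr/local/sbin/rpm-verify-check.sh --run`; cron mails any ALERT lines and the daily count line is the evidence that the check ran.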
Adam Tauno Williams wrote:
- Has anyone here gone through such a procedure and got good arguments
against the need for anti-virus?
There is no good argument against running malware detection on any server.
- Alternatively - what linux anti-virus (oh, the shame of typing this
word combination :() do you use which doesn't affect our systems performance too much.
CLAMAV works well.
What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server?
Curious,
Ralph
On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server?
1 - it protects you against passing on any windows viruses to windows users
2 - it satisfied those auditors who can't think beyond what they have been told, especially if you have log proof. Logwatch's daily report:
--------------------- clam-update Begin ------------------------
Last ClamAV update process started at Wed Jan 21 04:02:23 2009
Last Status: main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38, builder: ccordes)
---------------------- clam-update End -------------------------
--------------------- Clamav Begin ------------------------
**Unmatched Entries**
Database correctly reloaded (936952 signatures)
---------------------- Clamav End -------------------------
That should satisfy any auditor.
Anne
Anne Wilson wrote:
On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server?
1 - it protects you against passing on any windows viruses to windows users
Yes, but how is it run? Hourly via cron? On which files? What does it protect against? Mind you, I'm not talking about workstations, but about servers.
Ralph
on 1-22-2009 4:33 AM Ralph Angenendt spake the following:
Anne Wilson wrote:
On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server?
1 - it protects you against passing on any windows viruses to windows users
Yes, but how is it run? Hourly via cron? On which files? What does it protect against? Mind you, I'm not talking about workstations, but about servers.
Ralph
Cron a "clamscan -ir /" It will check the entire filesystem and report infected files. You probably don't want to automatically delete what you find, though.
You can also scan for things like ssn's in datafiles lying around.
On Fri, 23 Jan 2009 11:30:12 -0800, Scott Silva wrote:
Cron a "clamscan -ir /" It will check the entire filesystem and report infected files. You probably don't want to automatically delete what you find, though.
You can also scan for things like ssn's in datafiles lying around.
Congratulations, anyone who can write to /tmp is all set to pwn you on the next ClamAV vuln.
On Apr 23, 2009, at 3:00 PM, NM nico@altiva.fr wrote:
On Fri, 23 Jan 2009 11:30:12 -0800, Scott Silva wrote:
Cron a "clamscan -ir /" It will check the entire filesystem and report infected files. You probably don't want to automatically delete what you find, though.
You can also scan for things like ssn's in datafiles lying around.
Congratulations, anyone who can write to /tmp is all set to pwn you on the next ClamAV vuln.
How about running it as the untrusted user 'clamav'?
I know there is a lot of boilerplate regulation out there, I have my fair share to deal with myself. Often hidden in the BS there is a good intention it just requires a little give and take. Give in to a little BS here to get a little break on the BS there.
What the consultant should be working off of is an accurate risk assessment of the OS and the applications installed on it, not some dumb checklist.
-Ross
On Thu, 23 Apr 2009 18:10:38 -0400, Ross Walker wrote:
How about running it as the untrusted user 'clamav'?
How's that user going to check anything that's not o+r?
I know there is a lot of boilerplate regulation out there, I have my fair share to deal with myself. Often hidden in the BS there is a good intention it just requires a little give and take. Give in to a little BS here to get a little break on the BS there.
What the consultant should be working off of is an accurate risk assessment of the OS and the applications installed on it, not some dumb checklist.
Yeah, well, problem is, you don't get to choose who's going to assess you.
On 4/24/09 8:05 AM, "NM" nico@altiva.fr wrote:
On Thu, 23 Apr 2009 18:10:38 -0400, Ross Walker wrote:
How about running it as the untrusted user 'clamav'?
How's that user going to check anything that's not o+r?
How about selinux? You could make a context that allows clamav read rights to everything, and write to none. You could even develop your own PCI compliant selinux security framework that can be applied to all PCI hosts.
I know there is a lot of boilerplate regulation out there, I have my fair share to deal with myself. Often hidden in the BS there is a good intention it just requires a little give and take. Give in to a little BS here to get a little break on the BS there.
What the consultant should be working off of is an accurate risk assessment of the OS and the applications installed on it, not some dumb checklist.
Yeah, well, problem is, you don't get to choose who's going to assess you.
Well you can either go with the compliance flow, or you can let the compliance flow take you kicking and screaming. Either way you're regulated now and there isn't anything you can do about it. It's the world we live in today I'm afraid.
If you don't like the way the consultant is doing things, then after this cycle is complete, take control of the process. Do your own risk assessments on the hardware and software and develop your own PCI compliant controls that more accurately reflect the true threats and vulnerabilities of your environment instead of the "perceived" threats and vulnerabilities being used now.
Having your own regular in-house risk assessment performed can only help you in both developing and supporting your decisions for which controls are applied to which systems. And even if you need a token install of anti-virus everywhere to appease the regulator gods, it isn't the end of the world. If your risk analysis of the software determines it poses a great enough risk, you can impose controls on it like I mentioned above.
-Ross
On Thu, 2009-01-22 at 12:16 +0000, Anne Wilson wrote:
On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server?
1 - it protects you against passing on any windows viruses to windows users
2 - it satisfied those auditors who can't think beyond what they have been told, especially if you have log proof. Logwatch's daily report:
--------------------- clam-update Begin ------------------------
Last ClamAV update process started at Wed Jan 21 04:02:23 2009
Last Status: main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38, builder: ccordes)
---------------------- clam-update End -------------------------
--------------------- Clamav Begin ------------------------
**Unmatched Entries**
Database correctly reloaded (936952 signatures)
---------------------- Clamav End -------------------------
That should satisfy any auditor.
---- the above suggests that clamav signature files were updated and the database reloaded but nowhere does it suggest that any scanning of the file system occurred nor the output of such scanning which probably never occurred. What you have demonstrated is a gymnastic exercise which accomplishes little. clamd might be able to do something useful but it is not indicated above.
Craig
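A cron wrapper that makes the scan itself leave evidence, covering both the "cron a clamscan -ir /" suggestion earlier in the thread and the point just made that a signature-update log proves nothing about scanning. This is an added example, not code from the thread or the ClamAV project; it assumes ClamAV 0.9x-era clamscan output and exit codes, and the log path /var/log/clamscan-cron.log is an assumption.

```shell
#!/bin/sh
# Cron wrapper for a scheduled clamscan run. Added example, not from the
# thread. It turns clamscan's output into one dated line per run, so the
# log shows that a scan actually happened and what it found.
#
# Assumed clamscan conventions (ClamAV 0.9x, as shipped for CentOS 5):
#   "<path>: <Signature> FOUND"   one line per detection (with -i)
#   "Scanned files: N" and "Infected files: M" in the SCAN SUMMARY
#   exit status 0 = clean, 1 = infections found, anything else = error

# Read clamscan output on stdin and print a one-line summary for the log.
# $1 is clamscan's exit status.
summarize_clamscan() {
    status=$1
    scanned=0; infected=0; found=''
    while IFS= read -r line; do
        case "$line" in
            *' FOUND')           found="$found${found:+,}${line%%:*}" ;;
            'Scanned files: '*)  scanned=${line#"Scanned files: "} ;;
            'Infected files: '*) infected=${line#"Infected files: "} ;;
        esac
    done
    case "$status" in
        0) verdict=clean ;;
        1) verdict=infected ;;
        *) verdict=error ;;
    esac
    printf 'clamscan verdict=%s scanned=%s infected=%s%s\n' \
        "$verdict" "$scanned" "$infected" "${found:+ found=$found}"
}

# Scan a directory tree and append a dated summary line to $LOG.
# -r recurses, -i prints only infected files; pseudo-filesystems are
# skipped. Findings are reported, never auto-deleted: the scanner parses
# untrusted files, so keep it patched and review hits by hand.
run_scan() {
    LOG=${LOG:-/var/log/clamscan-cron.log}
    out=$(clamscan -ri --exclude-dir='^/(proc|sys|dev)' "$1" 2>&1); rc=$?
    {
        printf '%s ' "$(date '+%Y-%m-%d %H:%M:%S')"
        printf '%s\n' "$out" | summarize_clamscan "$rc"
    } >> "$LOG"
}

# Only scan when invoked with --run (e.g. from cron), so the summary
# function can also be exercised on saved clamscan output.
[ "${1:-}" = "--run" ] && run_scan "${2:-/}"
```

A cron line such as `30 3 * * * /usr/local/sbin/clamscan-cron.sh --run /` then produces a dated verdict line per night, which is the scan evidence an auditor can read alongside the freshclam update log.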
On Thursday 22 January 2009 12:46:46 Craig White wrote:
On Thu, 2009-01-22 at 12:16 +0000, Anne Wilson wrote:
On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
What do you do with clamav on a linux server? Especially: How is it run by you? What do you think it protects you against on a linux server?
1 - it protects you against passing on any windows viruses to windows users
2 - it satisfied those auditors who can't think beyond what they have been told, especially if you have log proof. Logwatch's daily report:
--------------------- clam-update Begin ------------------------
Last ClamAV update process started at Wed Jan 21 04:02:23 2009
Last Status: main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38, builder: ccordes)
---------------------- clam-update End -------------------------
--------------------- Clamav Begin ------------------------
**Unmatched Entries**
Database correctly reloaded (936952 signatures)
---------------------- Clamav End -------------------------
That should satisfy any auditor.
the above suggests that clamav signature files were updated and the database reloaded but nowhere does it suggest that any scanning of the file system occurred nor the output of such scanning which probably never occurred. What you have demonstrated is a gymnastic exercise which accomplishes little. clamd might be able to do something useful but it is not indicated above.
True. As I have no windows boxes on the LAN I only run it manually, and it wasn't done on the day that that reported. The one area that I am vulnerable to is email-borne viruses, and since I am not serving those to windows boxes it is only out of curiosity that I need clamav.
I'm sure there are plenty of people that can give Ralph detailed information about using it efficiently. I was merely demonstrating how easy it is to show that you keep the database up to date. You are quite right, of course, they will want to see evidence that it is scanning as well.
Anne
Anne Wilson wrote:
I'm sure there are plenty of people that can give Ralph detailed information about using it efficiently.
Sorry, I do not want to know how to "use clamav efficiently", I am just wondering what good clamav will do on a server, as there aren't really any hooks into file writing or reading. Sure, I can hook up clamav into my email stream or into my proxy on that machine for filtering out requests to people who use windows boxes behind those.
But I do not understand which sense clamav makes on a linux server, if there are no hooks into the kernel (I know about dazuko, but a) we don't ship it and b) last time I looked at it I couldn't get it to run properly without a *huge* speed penalty).
As far as I know there is no AntiVirus solution for Linux which works the same as all the solutions under Windows do. And if you do not have real time scanning on a server/workstation, an anti virus scanner doesn't do you any good, as the time frame for attacks is just too large. Either you get it on the first shot or you can just forget about it.
So again: If you want to be PCI-DSS compliant - what's the use of clamav?
Ralph
On Thu, Jan 22, 2009 at 8:15 AM, Ralph Angenendt <ra+centos@br-online.de> wrote:
Anne Wilson wrote:
I'm sure there are plenty of people that can give Ralph detailed information about using it efficiently.
Sorry, I do not want to know how to "use clamav efficiently", I am just wondering what good clamav will do on a server, as there aren't really any hooks into file writing or reading. Sure, I can hook up clamav into my email stream or into my proxy on that machine for filtering out requests to people who use windows boxes behind those.
But I do not understand which sense clamav makes on a linux server, if there are no hooks into the kernel (I know about dazuko, but a) we don't ship it and b) last time I looked at it I couldn't get it to run properly without a *huge* speed penalty).
As far as I know there is no AntiVirus solution for Linux which works the same as all the solutions under Windows do. And if you do not have real time scanning on a server/workstation, an anti virus scanner doesn't do you any good, as the time frame for attacks is just too large. Either you get it on the first shot or you can just forget about it.
So again: If you want to be PCI-DSS compliant - what's the use of clamav?
Ralph
Check out BitDefender http://www.bitdefender.com
-matt http://www.sysadminvalley.com http://www.beantownhost.com http://www.linkedin.com/in/mattboston
Matt Shields wrote:
On Thu, Jan 22, 2009 at 8:15 AM, Ralph Angenendt <ra+centos@br-online.de> wrote:
As far as I know there is no AntiVirus solution for Linux which works the same as all the solutions under Windows do. And if you do not have real time scanning on a server/workstation, an anti virus scanner doesn't do you any good, as the time frame for attacks is just too large. Either you get it on the first shot or you can just forget about it.
Check out BitDefender http://www.bitdefender.com
Bitdefender for Samba which only scans stuff on network shares and Bitdefender for Mail Servers which does the same as clamav and amavisd/exiscan/whatever can do. No security products which "protect" servers itself, just hooks into the windows world.
Supports the point I tried to make :)
Ralph
On Thu, 2009-01-22 at 14:15 +0100, Ralph Angenendt wrote:
Anne Wilson wrote:
I'm sure there are plenty of people that can give Ralph detailed information about using it efficiently.
Sorry, I do not want to know how to "use clamav efficiently", I am just wondering what good clamav will do on a server, as there aren't really any hooks into file writing or reading. Sure, I can hook up clamav into my email stream or into my proxy on that machine for filtering out requests to people who use windows boxes behind those.
But I do not understand which sense clamav makes on a linux server, if there are no hooks into the kernel (I know about dazuko, but a) we don't ship it and b) last time I looked at it I couldn't get it to run properly without a *huge* speed penalty).
As far as I know there is no AntiVirus solution for Linux which works the same as all the solutions under Windows do. And if you do not have real time scanning on a server/workstation, an anti virus scanner doesn't do you any good, as the time frame for attacks is just too large. Either you get it on the first shot or you can just forget about it.
So again: If you want to be PCI-DSS compliant - what's the use of clamav?
---- re: the last question, I simply don't know.
I do know that I have an 'unsupported' version of Symantec Anti-Virus for Linux which came with their 'End Point Protection' package which I gather is a 'real-time' package but I am not interested in finding out what that would do to performance of the system.
I also know that samba has a 'vfs' option for using clamd on your samba/Windows file server.
Craig
I use AVG, they have a nice and clean Real Time Scanning piece of software for Linux
see http://www.grisoft.com for general info
http://www.avg.com/download-7?prd=avl
to download for the different flavors of Linux....
I use it on my Linux boxes as well as all of my Windows Clients and Servers as well, bang for buck it's one of the best out and much better than that crappy Symantec brand AV....
john plemons
Adam Tauno Williams wrote:
- Has anyone here gone through such a procedure and got good arguments
against the need for anti-virus?
There is no good argument against running malware detection on any server.
- Alternatively - what linux anti-virus (oh, the shame of typing this
word combination :() do you use which doesn't affect our systems performance too much.
CLAMAV works well.
What do you do with clamav on a linux server?
You scan the server for malware.
There is nothing special about LINUX here. The whole "don't run services as root" business is just so much noise. It isn't about protecting the *server* it is about protecting the *data* which is accessed [hopefully] by services which are *not* root. It is about the data and the clients that connect to the server.
I've seen CLAMAV find malware on web servers (maybe it isn't common... because no one is checking). Someone's crappy PHP code [is there any other kind?] allows malware to get injected into, and served, from the server. No root access anywhere, or required. It isn't about protecting the OS or the system, it is about protecting the data, the applications [from exploit], and the end-users [so the server isn't an attack vector]. Assuming none of the services on your server can be exploited is just wrong headed; and the exploiter does not need to "own" the server (aka have root) in order to do mischief. Access to your data is probably more valuable than whacking your server.
The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots of malware is served from LINUX servers. Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*.
What do you think it protects you against on a linux server?
"against a linux server?" ?
On Thu, Jan 22, 2009 at 12:01 PM, Adam Tauno Williams awilliam@whitemice.org wrote:
Adam Tauno Williams wrote:
- Has anyone here gone through such a procedure and got good arguments
against the need for anti-virus?
There is no good argument against running malware detection on any server.
- Alternatively - what linux anti-virus (oh, the shame of typing this
word combination :() do you use which doesn't affect our systems performance too much.
CLAMAV works well.
What do you do with clamav on a linux server?
You scan the server for malware.
There is nothing special about LINUX here. The whole "don't run services as root" business is just so much noise. It isn't about protecting the *server* it is about protecting the *data* which is accessed [hopefully] by services which are *not* root. It is about the data and the clients that connect to the server.
I've seen CLAMAV find malware on web servers (maybe it isn't common... because no one is checking). Someone's crappy PHP code [is there any other kind?] allows malware to get injected into, and served, from the server. No root access anywhere, or required. It isn't about protecting the OS or the system, it is about protecting the data, the applications [from exploit], and the end-users [so the server isn't an attack vector]. Assuming none of the services on your server can be exploited is just wrong headed; and the exploiter does not need to "own" the server (aka have root) in order to do mischief. Access to your data is probably more valuable than whacking your server.
The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots of malware is served from LINUX servers. Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*.
I don't know about that last sentence.. I am not familiar enough with PCI/DSS to say it protects data or protects from lawsuits. Everything else I can agree with 100%. Linux/Mac/Solaris etc are all good vectors for serving malware because they are not routinely looked at for malware (because most Unix admins think it is something that affects them.) Most malware authors learned that while they may not be able to get 'root' all they really need is normal permissions for most things because they can still open up high ports to send/receive spam or that most systems have data at o+rw for ease of use.
Does this mean that every Linux machine should have a malware detector on it that runs and scans every file? No, it's a matter of risk management. If you are in a high risk environment, you should know why or why not it is not in place (having other strong security measures in place with constant vigilance can be good enough or for something else it might not be.).
What do you think it protects you against on a linux server?
"against a linux server?" ?
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Adam Tauno Williams wrote:
What do you do with clamav on a linux server?
You scan the server for malware.
When? Every day via crontab? That can be much too late. Every hour? That can be much too late. Every 10 minutes? That can be much too late - and your server is busy scanning the file system.
The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots of malware is served from LINUX servers. Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*.
I never said "LINUX doesn't suffer from malware". But clamav itself is not able to scan in real time. Looks like dazuko has gotten a bit better, I don't know about clamuko. But by "just installing clamav", you gain nothing protection wise.
What do you think it protects you against on a linux server?
"against a linux server?" ?
When?
Ralph
On Thu, 2009-01-22 at 21:24 +0100, Ralph Angenendt wrote:
Adam Tauno Williams wrote:
What do you do with clamav on a linux server?
You scan the server for malware.
When? Every day via crontab? That can be much too late. Every hour? That can be much too late. Every 10 minutes? That can be much too late - and your server is busy scanning the file system.
Versus never??? That's just silly; you're making perfect an obstacle of the good. If it finds something then you KNOW you have a problem and the time frame in which it occurred: you can then assess and respond and [potentially] notify. Versus what? No knowledge? The alternative is to host the malware indefinitely in blissful ignorance - or until someone else detects and reports your server.
CLAMAV, or any package, isn't THE answer, it is part of an answer. And PCI/DSS requires a server be scanned on a regular basis. Fighting against that directive just makes no sense. You should scan an entire system on some interval regardless of OS.
The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots of malware is served from LINUX servers. Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*.
I never said "LINUX doesn't suffer from malware". But clamav itself is not able to scan in real time. Looks like dazuko has gotten a bit better, I don't know about clamuko. But by "just installing clamav", you gain nothing protection wise.
Yes, you gain the ability to detect a compromised server.
On Thu, 22 Jan 2009 15:55:11 -0500, Adam Tauno Williams wrote:
Yes, you gain the ability to detect a compromised server.
Absolutely not, you don't gain that ability at all. Again we're talking *viruses* not all malware. An antivirus will never detect a good rootkit; modern rootkits employ sophisticated stealth techniques and hide themselves and their files from all other processes. They typically insert an invisible kernel module. An antivirus can't do squat about that ... because that's not a virus anyway.
On the other hand an antivirus is yet another piece of useless garbage running on your server, and one more opportunity for an attacker to pwn you.
Adam Tauno Williams wrote:
What do you do with clamav on a linux server?
You scan the server for malware.
There is nothing special about LINUX here. The whole "don't run services as root" business is just so much noise. It isn't about protecting the *server* it is about protecting the *data* which is accessed [hopefully] by services which are *not* root. It is about the data and the clients that connect to the server.
Yes, but the scan has to be specific for the kind of problem you want to detect.
I've seen CLAMAV find malware on web servers (maybe it isn't common... because no one is checking). Someone's crappy PHP code [is there any other kind?] allows malware to get injected into, and served, from the server.
That tends to be more because someone isn't doing updates than that they aren't checking. Before a scan can help you, the scanner has to know about the problem. After someone knows about the problem there will likely be an update to fix it at least as soon as a scanner that will detect it after the fact. Which makes more sense to install?
No root access anywhere, or required. It isn't about protecting the OS or the system, it is about protecting the data, the applications [from exploit], and the end-users [so the server isn't an attack vector]. Assuming none of the services on your server can be exploited is just wrong headed;
But expecting a scanner to know about the exploit long before the exploit is known and fixed seems misguided as well.
and the exploiter does not need to "own" the server (aka have root) in order to do mischief. Access to your data is probably more valuable than whacking your server.
The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots of malware is served from LINUX servers.
That may be true, but the exploit that allowed it to be put there may be unrelated. For example, you may have virus-laden email being transported through a Linux server that doesn't have anything else to do with it. Or you may have a samba share where windows clients can infect it. Or, someone might get access through brute-force ssh password guessing.
Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*.
An occasional clamav scan can't hurt.
What do you think it protects you against on a linux server?
"against a linux server?" ?
Doing frequent updates is what keeps you safe - and maybe turning off ssh password access.
There is nothing special about LINUX here. The whole "don't run services as root" business is just so much noise. It isn't about protecting the *server* it is about protecting the *data* which is accessed [hopefully] by services which are *not* root. It is about the data and the clients that connect to the server.
Yes, but the scan has to be specific for the kind of problem you want to detect.
The presence of a malware pattern - it is pretty straight forward.
I've seen CLAMAV find malware on web servers (maybe it isn't common... because no one is checking). Someone's crappy PHP code [is there any other kind?] allows malware to get injected into, and served, from the server.
That tends to be more because someone isn't doing updates than that they aren't checking.
This doesn't make sense. No amount of updating will protect you from a flaw in the application code / method. One can't presume that the hosted application / service is perfect. Applications are compromised much more frequently than Operating Systems which is why the fact that it is a LINUX server doesn't matter. A scanner will potentially tell you when an application has been compromised.
Before a scan can help you, the scanner has to know about the problem. After someone knows about the problem there will likely be an update to fix it at least as soon as a scanner that will detect it after the fact. Which makes more sense to install?
Someone is going to release an update for your local application and configuration? Emphasis on the "likely" in "likely be an update to fix it". And a scanner doesn't detect the security flaw, it detects that the server has been breached enough to contain malicious patterns. It has nothing to do with updates; relying on being up-to-date to prove your system is secure is akin to covering it with stickers of unicorns to protect it.
No root access anywhere, or required. It isn't about protecting the OS or the system, it is about protecting the data, the applications [from exploit], and the end-users [so the server isn't an attack vector]. Assuming none of the services on your server can be exploited is just wrong headed;
But expecting a scanner to know about the exploit long before the exploit is known and fixed seems misguided as well.
This has nothing to do with knowing about exploits in the way you are using the term "exploit" (as a method of exploiting a service). It is a way to know about exploits OF a server's service. The scanner doesn't need to know anything at all about how the malicious content got there - it alerts you of its presence.
and the exploiter does not need to "own" the server (aka have root) in order to do mischief. Access to your data is probably more valuable than whacking your server. The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots of malware is served from LINUX servers.
That may be true, but the exploit that allowed it to be put there may be unrelated.
So?
For example, you may have virus-laden email being transported through a Linux server that doesn't have anything else to do with it. Or you may have a samba share where windows clients can infect it. Or, someone might get access through brute-force ssh password guessing.
We are talking about completely different things. I'm talking about using a scanner to indicate that a server does not contain malware patterns indicating it has been [potentially] exploited - which is an *UNEXPECTED* event. You can't perform highly specific tests for unexpected events. The entire principle of auditing is looking for the unexpected.
Scanning a server for signatures is just another way to proof (not prove) that a server has not been compromised and that data accessed by the server is secure. Which is what things like PCI/DSS is about - protecting the *data*.
An occasional clamav scan can't hurt.
What do you think it protects you against on a linux server?
"against a linux server?" ? Doing frequent updates is what keeps you safe - and maybe turning off ssh password access.
It isn't about "being safe". It is about having configuration and policies that ***test*** the integrity of your systems; detecting malware patterns is a critical component of that.
Adam Tauno Williams wrote:
Yes, but the scan has to be specific for the kind of problem you want to detect.
The presence of a malware pattern - it is pretty straight forward.
Only for known instances of malware.
This doesn't make sense. No amount of updating will protect you from a flaw in the application code / method.
Of course it will.
One can't presume that the hosted application / service is perfect.
Which is why things are fixed and updated.
Applications are compromised much more frequently than Operating Systems which is why the fact that it is a LINUX server doesn't matter. A scanner will potentially tell you when an application has been compromised.
No, a scanner will only tell you when known patterns are present.
Before a scan can help you, the scanner has to know about the problem. After someone knows about the problem there will likely be an update to fix it at least as soon as a scanner that will detect it after the fact. Which makes more sense to install?
Someone is going to release an update for your local application and configuration?
Yes, you can create your own problems that no one else can fix, but you are also probably running php, ssh, bind and an assortment of standard services that have known vulnerabilities if not updated.
Emphasis on the "likely" in "likely be an update to fix it". And a scanner doesn't detect the security flaw, it detects that the server has been breached enough to contain malicious patterns.
"known" patterns.
It has nothing to do with updates; relying on being up-to-date to prove your system is secure is akin to covering it with stickers of unicorns to protect it.
That's not quite the way it works. When anyone else has noticed an exploit and figures out how it happened, or examines some code and finds how one could happen, it is reported and fixed. And the next update will prevent it. Not quite the same as stickers - but similar to the way the known patterns for scanners become known.
Assuming none of the services on your server can be exploited is just wrong headed;
But expecting a scanner to know about the exploit long before the exploit is known and fixed seems misguided as well.
This has nothing to do with knowing about exploits in the way you are using the term "exploit" (as a method of exploiting a service). It is a way to know about exploits OF a server's service. The scanner doesn't need to know anything at all about how the malicious content got there - it alerts you of its presence.
But it does have to know the content itself, and there's not much reason to think you will know this content without knowing how to stop the related exploit.
We are talking about completely different things. I'm talking about using a scanner to indicate that a server does not contain malware patterns indicating it has been [potentially] exploited - which is an *UNEXPECTED* event.
No, scanners only scan for known and sort-of expected things.
You can't perform highly specific tests for unexpected events. The entire principle of auditing is looking for the unexpected.
But scanning doesn't do that. There is some value in knowing that you do have those known patterns present, but you can't deduce that you don't have any unexpected problems if you don't find them.
Doing frequent updates is what keeps you safe - and maybe turning off ssh password access.
It isn't about "being safe". It is about having configuration and policies that ***test*** the integrity of your systems; detecting malware patterns is a critical component of that.
As long as you realize that it is only a test for certain known patterns that don't have much to do with linux problems, fine. Just don't assume that it proves anything about integrity when you don't find them. Your real problem may be that someone has guessed your ssh password and installed a rootkit that hides itself from all normal scans (remember, running programs continue to run even if the filename is erased so scans don't find it).
On Thu, 22 Jan 2009 15:00:43 -0600, Les Mikesell wrote:
An occasional clamav scan can't hurt.
You are absolutely, completely wrong.
Clamav has had vulnerabilities that could be used to cause it to execute arbitrary code in the scanned files. I don't doubt for one second that proprietary AVs have the same kind of problem, except that you can't look at the code to check for yourself.
While the risk is worth taking when you are implementing a mail server or a Samba server, our PCI-DSS consultant is pushing us to have Clamav (or a proprietary product) installed on every single one of our servers in the PCI scope, even though there is not a single Windows machine in the scope.
The likelihood of an actual _virus_ infection is 0 for us. I don't mean malware -- I mean virus. The problem is that while PCI-DSS 1.2 now mentions malware as a whole, it still requires "antivirus" software, while only giving a weak "if applicable" exception. We are told we can't use it since there is at least a handful of known Linux viruses (nevermind that they are never seen in the wild) which could simply *not* infect us, since they require, by definition, that we run an infected binary. Running chkrootkit or tripwire or even rpmverify *is* useful, but it doesn't cover the "antivirus" requirement, we are told.
So we're going to go ahead and weaken our security just to check a PCI-DSS checkbox. This is simply ridiculous.
PS: I want to emphasize that by "virus" I mean "virus," not "worm" or "rootkit" or "malware" or "exploit." There are sploits, worms and rootkits on Linux, some are/have been quite nasty; there has *never* been an actual virus threat.
On Thu, 22 Jan 2009 14:01:26 -0500, Adam Tauno Williams wrote:
You scan the server for malware.
You run a useless process widening your attack surface.
Hint: "Security is a trade-off" -- Schneier.
Don't trade actual security for cargo cult systems administration.
There is nothing special about LINUX here. The whole "don't run services as root" business is just so much noise. It isn't about protecting the *server* it is about protecting the *data* which is accessed [hopefully] by services which are *not* root. It is about the data and the clients that connect to the server.
There is something special about Linux, it's called RPM. We don't run arbitrary binaries. We don't let strange .exe put files wherever they please. Bonus: rpmverify, free of charge.
That doesn't mean that there aren't vulnerabilities or malware. It means that *viruses* are not a problem.
On Wed, 21 Jan 2009 21:06:38 -0500, Adam Tauno Williams wrote:
There is no good argument against running malware detection on any server.
Except when the malware it can detect is extremely unlikely to be an issue, because you are now running yet another process for no good reason that might have a vulnerability itself.
ClamAV is probably your best bet.
That said, the question is, what do you scan? It can be used several ways, typically scanning files on demand... it's not an intrusion detection system like most MS Windows scanners, where it automatically scans every file being read or written (while slowing the system down 300%). If your system isn't handling 'files', it becomes harder to figure out what to do with it... I suppose you could crontab a nightly scan of all files on the system with clamscan, or something. Of course, you want to run freshclam once or twice a day to pick up new definitions.
I most typically use ClamAV in my email flow, where MailScanner runs every inbound (and outbound) email through it. I've also run it periodically against file systems used as a file server.
On Thu, Jan 22, 2009 at 12:19:27PM +1100, Amos Shapira wrote:
Hi All,
Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers.
Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box.
So:
- Has anyone here gone through such a procedure and got good arguments against the need for anti-virus?
Amos - the best argument I have ever seen along those lines is here: (And it's a good one.)
http://linuxmafia.com/~rick/faq/index.php?page=virus
All UNIX/Linux aficionados should be familiar with its content.
FAIR WARNING, It is long and complex. Because it is comprehensive and detailed. Those among you familiar with Rick Moen will understand and appreciate why.
A portion pasted here:
The most recent version of these essays can be found at http://linuxmafia.com/~rick/faq/. Rick's Rants
Virus . . .
o Should I get anti-virus software for my Linux box?
o But didn't security expert Simson Garfinkel say that all Linux systems need virus checkers?
o Don't the rise of Linux worms show that Linux now has a virus problem?
o Isn't Microsoft Corporation's market dominance, making Linux an insignificant target, the only reason it doesn't have a virus problem?
o But how can you say there's no virus problem, when there have been several dozen Linux viruses?
Should I get anti-virus software for my Linux box?
The problem with answering this question is that those asking it know only OSes where viruses, trojan-horse programs, worms, nasty Javascripts, ActiveX controls with destructive payloads, and ordinary misbehaved applications are a constant threat to their computing. Therefore, they refuse to believe Linux could be different, no matter what they hear.
And yet it is.
Here's the short version of the answer: No. If you simply never run untrusted executables while logged in as the root user (or equivalent), all the "virus checkers" in the world will be at best superfluous; at worst, downright harmful. "Hostile" executables (including viruses) are almost unfindable in the Linux world — and no real threat to it — because they lack root-user authority, and because Linux admins are seldom stupid enough to run untrusted executables as root, and because Linux users' sources for privileged executables enjoy paranoid-grade scrutiny (such that any unauthorised changes would be detected and remedied).
Here's the long version: Still no. Any program on a Linux box, viruses included, can only do what the user who ran it can do. Real users aren't allowed to hurt the system (only the root user can), so neither can programs they run.
Because of the distinction between privileged (root-run) processes and user-owned processes, a "hostile" executable that a non-root user receives (or creates) and then executes (runs) cannot "infect" or otherwise manipulate the system as a whole. Just as you can delete only your own files (i.e., those you have "write" permission to), executables you run cannot affect other users' (or root's) files. Therefore, although you can create (or retrieve), and then run, a virus, worm, trojan horse, etc., it can't do much. Unless you do so as "root". Which it's simple to avoid doing.
==============================================================
This is just the beginning - it continues on to cover every aspect of the issue in a mere 1100 lines....
All of it well worth reading.
Jeff Kinz.
Am 22.01.2009 02:19, schrieb Amos Shapira:
- Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much.
http://www.f-prot.com/products/corporate_users/unix/ has some Linux AV products.
Rainer
Rainer Traut wrote:
Am 22.01.2009 02:19, schrieb Amos Shapira:
- Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much.
http://www.f-prot.com/products/corporate_users/unix/ has some Linux AV products.
And just for completeness, Symantec has AV for Linux too... it is better there than on the Windows platform, but that doesn't say much. The advantage of Symantec is that it is a well-known brand, so in some cases it can be an easy option to push through red-tape bureaucrats.
But again you said it, Symantec is trash....
With my history of machine crashes caused by their "I can do it better" attitude, run don't walk from Symantec....
John Plemons
I run this on a centos-server I have. The machine comes to a crawl when I open up the Symantec-GUI. I think the GUI is built on java, which might make the machine slower than necessary. Probably the CLI-interface is more responsive.
Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers.
Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box.
So:
- Has anyone here gone through such a procedure and got good arguments against the need for anti-virus?
We are going through the same thing. The initial rollout was planned for only PCI critical systems, but has been expanded to SOX and business-critical servers. Given the extreme rarity of Unix/Linux related viruses, we did question why we needed to run an AV solution at all. However, we do have shares that are accessible via Windows and Mac users, so these were targeted. Per our compliance officer, though a rigid interpretation of the PCI documentation might not require full scans of every server, or even scanning every server, we would go beyond the spec. Thus, at some point we're expecting that all servers will require some sort of AV product.
- Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much.
The AV solution we were told to use was Sophos AV. Our environment is primarily AIX with a few Linux systems. Though the Linux systems had (mostly) equivalent features to the Windows product, the AIX solution was essentially a command line driven scan similar to ClamAV.
Now, SophosAV on Linux requires some kernel hooks for the on-access scan. If Sophos-compiled binaries are not available for your kernel then you'd need to build them on the machine. I.e., you'd require GCC and the kernel-dev packages. Per our security requirements (not PCI specific), we do not have compilers and dev libraries on anything but development servers. Sophos also did not have an SLA as to when new binaries would be released after a new kernel.
Which leads to an interesting conundrum. The Sophos product cannot do on-demand scanning without a dev environment (and compiling elsewhere was not a documented process from Sophos). So we were left with the command line, cron driven scanner. Given that the files we would target were often temporary (e.g., uploaded documents, files to be pushed into a doc manager), it made little sense to scan daily. Instead, you'd need to script processes to watch directories and holding areas.
The rest of the problems were primarily with the AIX client.
Anyhoo, the AV products don't put too much load on the system, depending on your scan requirements. They can do so though. E.g., if you scan compressed files, do on demand, scan across shares, etc.
The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN).
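The holding-area scan this post describes, combined with the cron-driven clamscan approach suggested earlier in the thread, as an added example (not code from the thread, ClamAV or Sophos): newly uploaded files are checked when they arrive, released only if clean and quarantined rather than deleted when flagged. It relies on clamscan's documented exit codes (0 clean, 1 infected, 2 error); the directory paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sophos/ClamAV: a cron- or
# watcher-driven scan of an upload holding area using clamscan, so new files
# are checked when they arrive instead of waiting for a nightly scan of the
# whole filesystem. Directory paths are assumptions; adjust for your site.
# Run freshclam separately (e.g. from cron) so the signature database is current.

# Scan one file. Exit status follows clamscan's documented codes:
# 0 = no threat found, 1 = threat found, 2 = scanner error (missing file,
# corrupt database, ...). --no-summary drops the statistics footer and
# --infected prints only files that were flagged.
scan_one() {
    clamscan --no-summary --infected "$1" >/dev/null 2>&1
}

# Process every regular file in a holding directory:
#   clean    -> moved into the release directory
#   infected -> moved into the quarantine directory (never released)
#   error    -> left in place so it is retried and reviewed by a human
# Logs one timestamped line per file. Returns 0 when every file was clean,
# 1 when anything was flagged or failed to scan, so cron mail or the caller
# can tell the two outcomes apart.
process_holding_area() {
    holding=$1
    release_dir=$2
    quarantine=$3
    mkdir -p "$release_dir" "$quarantine"
    problems=0
    for f in "$holding"/*; do
        [ -f "$f" ] || continue
        # "cmd && rc=0 || rc=$?" keeps a non-zero status from aborting the
        # script when it runs under set -e.
        scan_one "$f" && rc=0 || rc=$?
        stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        case $rc in
            0)
                mv "$f" "$release_dir"/
                echo "$stamp CLEAN     $f -> $release_dir"
                ;;
            1)
                # Quarantine instead of deleting: the sample is evidence for
                # the incident write-up the assessor will ask about.
                mv "$f" "$quarantine"/
                chmod 0600 "$quarantine/$(basename "$f")"
                echo "$stamp INFECTED  $f -> $quarantine"
                problems=1
                ;;
            *)
                echo "$stamp SCANERROR $f (clamscan exit $rc), left in place"
                problems=1
                ;;
        esac
    done
    return $problems
}

# Usage: scan_holding_area.sh HOLDING_DIR RELEASE_DIR QUARANTINE_DIR
if [ "$#" -eq 3 ]; then
    process_holding_area "$1" "$2" "$3"
fi
```

Schedule it from cron at whatever interval the upload flow tolerates, or trigger it from a directory watcher; the non-zero exit status is what makes cron's mail useful.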
Amos Shapira wrote:
- Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much.
I highly recommend Sophos antivirus:
http://www.sophos.com/products/enterprise/endpoint/security-and-control/8.0/...
They seem to cost more than the competition but it's because they have a better product.
Glad I don't have to deal with credit card numbers anymore; the security around that stuff was a pain.
nate