[CentOS] Antivirus for CentOS? (yuck!)

Thu Jan 22 01:45:00 UTC 2009
Ian Forde <ian at duckland.org>

On Thu, 2009-01-22 at 12:19 +1100, Amos Shapira wrote:
> Hi All,
> 
> Yes, I know, it's really really embarrassing to have to ask but I'm
> being pushed to the wall with PCI DSS Compliance procedure
> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> we don't need to install an anti-virus or find an anti-virus to run on
> our CentOS 5 servers.

Note - I am *NOT* a lawyer.  This advice is freely given, and may be
worth exactly what you paid for it... ;)

> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.
> 
> So:
> 
> 1. Has anyone here gone through such a procedure and got good arguments
> against the need for anti-virus?

Yep - on the Wikipedia page you referenced, look in the "Requirements"
section, section 5.  It says: "Use and regularly update anti-virus
software on all systems commonly affected by malware"

Note that CentOS isn't commonly affected by malware.  So you should be
okay here.

> 2. Alternatively - what Linux anti-virus (oh, the shame of typing this
> word combination :() do you use which doesn't affect our systems'
> performance too much.

None... clamav, amavis, etc... are used for protecting Windows boxes
behind the Linux boxes.  If you aren't running any Windows hosts on the
same network as the Linux hosts, that should take care of the sweet spot
of the AV argument.  (Though if you're connected to a site via VPN or
private link that has Windows boxes, that may be a different story.)

> The reviewed servers run both Internet-facing web applications and
> internal systems, mostly using a proprietary protocol for internal
> communications. They are being administrated remotely via IPSec VPN
> (and possibly in the future also OpenVPN).

Yep - then you want to make sure that since you're using a VPN, nothing
(like say, an Apache worm) can jump over...

PCI Compliance can be a bear.  Just make sure that you have management
buy-in, and a good external scanning vendor...

	-I