2009/1/22 Ian Forde <ian at duckland.org>: > On Thu, 2009-01-22 at 12:19 +1100, Amos Shapira wrote: >> Hi All, >> >> Yes, I know, it's really really embarrassing to have to ask but I'm >> being pushed to the wall with PCI DSS Compliance procedure >> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why >> we don't need to install an anti-virus or find an anti-virus to run on >> our CentOS 5 servers. > > Note - I am *NOT* a lawyer. This advice is freely given, and may be > worth exactly what you paid for it... ;) Thanks. We are paying some guy ~$US2000 a day to do this officially. But any preperation we can make to shorten the time he spends with us might save us a lot of money. And your advise below looks very reasonable. > >> Whatever I do - it needs to be convincing enough to make the PCI >> compliance guy tick the box. >> >> So: >> >> 1. Has anyone here gone though such a procedure and got good arguments >> against the need for anti-virus? > > Yep - on the wikipedia page you referenced, look in the "Requirements" > section, section 5. It says: "Use and regularly update anti-virus > software on all systems commonly affected by malware" > > Note that CentOS isn't commonly affected by malware. So you should be > okay here. :) Thanks. > >> 2. Alternatively - what linux anti-virus (oh, the shame of typing this >> word combination :() do you use which doesn't affect our systems >> performance too much. > > None... clamav, amavis, etc... are used for protecting Windows boxes > behind the Linux boxes. If you aren't running any Windows hosts on the e.g. in situations where the Linux box is the internet-facing SMTP server, right? > same network as the Linux hosts, that should take care of the sweet spot > of the AV argument. (Though if you're connected to a site via VPN or > private link that has Windows boxes, that may be a different story.) Rightso. You reminded me - we have a couple of Windows servers there as well (running software we didn't get around to port to Linux yet). They only talk to internal systems and we'll install BitDefender on them (that's what we have around here). They talk to a couple of the Linux servers internally using our proprietary protocol. Is this the sort of situation that triggers requirement for AV on linux? > >> The reviewed servers run both Internet-facing web applications and >> internal systems, mostly using proprietary protocol for internal >> communications. They are being administrated remotely via IPSec VPN >> (and possibly in the future also OpenVPN). > > Yep - then you want to make sure that since you're using a VPN, nothing > (like say, an Apache worm) can jump over... Yes. We defined the "PCI Zone" as the remote data centre and have a "border" between it and the rest of the world, including our offices. > > PCI Compliance can be a bear. Just make sure that you have management > buy-in, and good external scanning vendor... This requirement came from management, though the vendor we picked gives an impression that he knows his stuff about security and will help with real pen-testing rather than just tick boxes on papers. Thanks very much for your help! Cheers, --Amos