[CentOS] Antivirus for CentOS? (yuck!)

Thu Jan 22 14:55:41 UTC 2009
Kwan Lowe <kwan.lowe at gmail.com>

> Yes, I know, it's really really embarrassing to have to ask but I'm
> being pushed to the wall with PCI DSS Compliance procedure
> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> we don't need to install an anti-virus or find an anti-virus to run on
> our CentOS 5 servers.
> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.
> So:
> 1. Has anyone here gone though such a procedure and got good arguments
> against the need for anti-virus?

We are going through the same thing. The initial rollout was planned
for only PCI critical systems, but has been expanded to SOX and
business-critical servers.  Given the extreme rarity of Unix/Linux
related viruses, we did question why we needed to run an AV solution
at all. However, we do have shares that are accessible via Windows and
Mac users, so these were targeted.  Per our compliance officer, though
a rigid interpretation of the PCI documentation might not require full
scans of every server, or even scanning every server, we would go
beyond the spec. Thus, at some point we're expecting that all servers
will require some sort of AV product.

> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination :() do you use which doesn't affect our systems
> performance too much.

The AV solution we were told to use was Sophos AV. Our environment is
primarily AIX with a few Linux systems. Though the Linux systems had
(mostly) equivalent features to the Windows product, the AIX solution
was essentially a command line driven scan similar to ClamAV.

Now, SophosAV on Linux requires some kernel hooks for the on-access
scan. If Sophos-compiled binaries are not available for your kernel
then you'd need to build them on the machine. I.e., you'd require GCC
and the kernel-dev packages. Per our security requirements (not PCI
specific), we do not have compilers and dev libraries on anything but
development servers. Sophos also did not have an SLA as to when new
binaries would be released after a new kernel.

Which leads to an interesting conundrum. The Sophos product cannot do
on-demand scanning without a dev environment (and compiling elsewhere
was not a documented process from Sophos). So we were left with the
command line, cron driven scanner.  Given that the files we would
target were often temporary (e.g., uploaded documents, files to be
pushed into a doc manager), it made little sense to scan daily.
Instead, you'd need to script processes to watch directories and
holding areas.

The rest of the problems were primarily with the AIX client.

Anyhoo, the AV products don't put too much load on the system,
depending on your scan requirements. They can do so though. E.g., if
you scan compressed files, do on demand, scan across shares, etc.

> The reviewed servers run both Internet-facing web applications and
> internal systems, mostly using proprietary protocol for internal
> communications. They are being administrated remotely via IPSec VPN
> (and possibly in the future also OpenVPN).
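A scripted directory watcher of the kind the reply above describes (a frequent cron entry scanning only what arrived in a holding area since the last run, with the on-access hook unavailable), written here as an added example rather than code from the list post or from Sophos; the scanner command, the holding-area paths and the quarantine layout are assumptions.

```shell
#!/bin/sh
# Scan files that landed in a holding area since the previous run and move any
# the scanner flags into a quarantine directory. Meant to run from cron every
# few minutes (or from an inotifywait loop) when no kernel on-access hook is
# available. All paths and the scanner command below are assumptions.
set -u

# Scanner must exit 0 for clean, 1 for infected (clamscan's convention);
# any other status is treated as a scanner failure and the file is left alone.
SCANNER="${SCANNER:-clamscan --no-summary --quiet}"

# scan_holding_area DIR QUARANTINE STAMPFILE
# Prints the number of files quarantined. STAMPFILE records the start time of
# the last run; on the first run (no stamp) every file in DIR is scanned.
scan_holding_area() {
    dir="$1"; quarantine="$2"; stamp="$3"; hits=0
    newstamp="$stamp.new"
    mkdir -p "$quarantine" || return 2
    # Take the new stamp before scanning so files landing mid-scan are
    # picked up next run rather than silently skipped.
    touch "$newstamp"
    if [ -e "$stamp" ]; then set -- -newer "$stamp"; else set --; fi
    list=$(mktemp) || return 2
    # One path per line: assumes holding-area names contain no newlines.
    find "$dir" -type f "$@" ! -path "$quarantine/*" > "$list"
    while IFS= read -r f; do
        if $SCANNER "$f" >/dev/null 2>&1; then rc=0; else rc=$?; fi
        case $rc in
            0) ;;                                   # clean, leave in place
            1) mv -- "$f" "$quarantine/$(basename "$f").$(date +%s)" \
                   && hits=$((hits + 1))
               logger -t holding-scan "quarantined $f" 2>/dev/null || true ;;
            *) echo "scanner error ($rc) on $f, left in place" >&2 ;;
        esac
    done < "$list"
    rm -f "$list"
    mv "$newstamp" "$stamp"
    echo "$hits"
}
```

Run it as `scan_holding_area /srv/uploads /srv/quarantine /var/lib/holding-scan/stamp` from cron; the stamp file keeps each run from rescanning documents already checked.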