Hi All,

Yes, I know, it's really really embarrassing to have to ask but I'm being pushed to the wall with PCI DSS Compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers.

Whatever I do - it needs to be convincing enough to make the PCI compliance guy tick the box.

So:

1. Has anyone here gone through such a procedure and got good arguments against the need for anti-virus?
2. Alternatively - what linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems performance too much.

The reviewed servers run both Internet-facing web applications and internal systems, mostly using proprietary protocol for internal communications. They are being administrated remotely via IPSec VPN (and possibly in the future also OpenVPN).

Thanks,

--Amos
On Thu, 2009-01-22 at 12:19 +1100, Amos Shapira wrote:
> Hi All,
>
> Yes, I know, it's really really embarrassing to have to ask but I'm
> being pushed to the wall with PCI DSS Compliance procedure
> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> we don't need to install an anti-virus or find an anti-virus to run on
> our CentOS 5 servers.

Note - I am *NOT* a lawyer. This advice is freely given, and may be worth exactly what you paid for it... ;)

> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.
>
> So:
>
> 1. Has anyone here gone though such a procedure and got good arguments
> against the need for anti-virus?

Yep - on the wikipedia page you referenced, look in the "Requirements" section, section 5. It says:

"Use and regularly update anti-virus software on all systems commonly affected by malware"

Note that CentOS isn't commonly affected by malware. So you should be okay here.

> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination :() do you use which doesn't affect our systems
> performance too much.

None... clamav, amavis, etc... are used for protecting Windows boxes behind the Linux boxes. If you aren't running any Windows hosts on the same network as the Linux hosts, that should take care of the sweet spot of the AV argument. (Though if you're connected to a site via VPN or private link that has Windows boxes, that may be a different story.)

> The reviewed servers run both Internet-facing web applications and
> internal systems, mostly using proprietary protocol for internal
> communications. They are being administrated remotely via IPSec VPN
> (and possibly in the future also OpenVPN).

Yep - then you want to make sure that since you're using a VPN, nothing (like say, an Apache worm) can jump over...

PCI Compliance can be a bear. Just make sure that you have management buy-in, and good external scanning vendor...

-I
> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.

Eset has a current linux client, though their product *AND* support suck the biggest one.

https://www.icsalabs.com/icsa/product.php?tid=dfgdf$gdhkkjk-kkkk for more

HTH, jlc
> Yes, I know, it's really really embarrassing to have to ask but I'm
> being pushed to the wall with PCI DSS Compliance procedure
> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> we don't need to install an anti-virus or find an anti-virus to run on
> our CentOS 5 servers.
> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.
> 1. Has anyone here gone though such a procedure and got good arguments
> against the need for anti-virus?

There is no good argument against running malware detection on any server.

> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination :() do you use which doesn't affect our systems
> performance too much.

CLAMAV works well.

> The reviewed servers run both Internet-facing web applications and
> internal systems, mostly using proprietary protocol for internal
> communications. They are being administrated remotely via IPSec VPN
> (and possibly in the future also OpenVPN).
Ian Forde <ian at duckland.org> wrote:
>> Yep - on the wikipedia page you referenced, look in the "Requirements" section, section 5. It says: "Use and regularly update anti-virus software on all systems commonly affected by malware" <<

I doubt Amos's QSA is using Wikipedia as his reference, unfortunately. The PCI DSS Ver 1.2 standard (of Oct. 2008 - get it from https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html) actually states:

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

but then goes on, under "Testing Procedures" to state:

5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.

Unfortunately, both open-source and commercial anti-virus software that will run on Centos do exist, which gives the assessor some wiggle-room. Even worse, the Summary of Changes from 1.1 to 1.2 says:

Requirement & Testing Procedure: Clarified requirement applies to all operating systems types commonly affected by malicious software, if applicable anti-virus technology exists. Besides use of the term "anti-virus software", changed the term "virus" to "malicious software". Deleted note stating "Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes."

That last sentence is a killer, unfortunately - it means they have been tightening up on *ix systems. Looks like you could be in for a battle if the QSA is an intransigent sort.

You could argue that while anti-virus programs do exist, their purpose is to detect infected files which could harm connected Windows systems, and are therefore not applicable in your specific case, particularly since you are using proprietary protocols and not running Windows file-sharing software (e.g. Samba, FTP, etc.)
It really comes down to whether your Assessor is clueful, or a box-ticking droid. Best, --- Les Bell [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909
ClamAV is probably your best bet. That said, the question is, what do you scan? It can be used several ways, typically scanning files on demand... it's not an intrusion detection system like most MS Windows scanners, where it automatically scans every file being read or written (while slowing the system down 300%). If your system isn't handling 'files', it becomes harder to figure out what to do with it... I suppose you could crontab a nightly scan of all files on the system with clamscan, or something. Of course, you want to run freshclam once or twice a day to pick up new definitions.

I most typically use ClamAV in my email flow, where MailScanner runs every inbound (and outbound) email through it. I've also run it periodically against file systems used as a file server.
> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination :() do you use which doesn't affect our systems
> performance too much.

Sophos AV if you have to get something on.
On Thu, Jan 22, 2009 at 12:19:27PM +1100, Amos Shapira wrote:
> Hi All,
>
> Yes, I know, it's really really embarrassing to have to ask but I'm
> being pushed to the wall with PCI DSS Compliance procedure
> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> we don't need to install an anti-virus or find an anti-virus to run on
> our CentOS 5 servers.
>
> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.
>
> So:
>
> 1. Has anyone here gone though such a procedure and got good arguments
> against the need for anti-virus?

Amos - the best argument I have ever seen along those lines is here (and it's a good one):

http://linuxmafia.com/~rick/faq/index.php?page=virus

All UNIX/Linux aficionados should be familiar with its content. FAIR WARNING, it is long and complex. Because it is comprehensive and detailed. Those among you familiar with Rick Moen will understand and appreciate why.

A portion pasted here:

The most recent version of these essays can be found at http://linuxmafia.com/~rick/faq/.

Rick's Rants

Virus . . .
  o Should I get anti-virus software for my Linux box?
  o But didn't security expert Simson Garfinkel say that all Linux systems need virus checkers?
  o Don't the rise of Linux worms show that Linux now has a virus problem?
  o Isn't Microsoft Corporation's market dominance, making Linux an insignificant target, the only reason it doesn't have a virus problem?
  o But how can you say there's no virus problem, when there have been several dozen Linux viruses?

Should I get anti-virus software for my Linux box?

The problem with answering this question is that those asking it know only OSes where viruses, trojan-horse programs, worms, nasty Javascripts, ActiveX controls with destructive payloads, and ordinary misbehaved applications are a constant threat to their computing. Therefore, they refuse to believe Linux could be different, no matter what they hear. And yet it is.
Here's the short version of the answer: No.

If you simply never run untrusted executables while logged in as the root user (or equivalent), all the "virus checkers" in the world will be at best superfluous; at worst, downright harmful. "Hostile" executables (including viruses) are almost unfindable in the Linux world - and no real threat to it - because they lack root-user authority, and because Linux admins are seldom stupid enough to run untrusted executables as root, and because Linux users' sources for privileged executables enjoy paranoid-grade scrutiny (such that any unauthorised changes would be detected and remedied).

Here's the long version: Still no.

Any program on a Linux box, viruses included, can only do what the user who ran it can do. Real users aren't allowed to hurt the system (only the root user can), so neither can programs they run. Because of the distinction between privileged (root-run) processes and user-owned processes, a "hostile" executable that a non-root user receives (or creates) and then executes (runs) cannot "infect" or otherwise manipulate the system as a whole. Just as you can delete only your own files (i.e., those you have "write" permission to), executables you run cannot affect other users' (or root's) files. Therefore, although you can create (or retrieve), and then run, a virus, worm, trojan horse, etc., it can't do much. Unless you do so as "root". Which it's simple to avoid doing.

=============================================================

This is just the beginning - it continues on to cover every aspect of the issue in a mere 1100 lines.... All of it well worth reading.

Jeff Kinz.
Ian Forde <ian at duckland.org> wrote:
>> That depends upon how you define malware detection. Antivirus software for Linux typically scans for Windows viruses and malware. On the other hand, if you're talking about detection in the sense of Tripwire, or a cron job that runs a 'rpm -V' every night, I completely agree that this is something that should be done. <<

Bingo. The changes made in PCI DSS v 1.2 broaden the scope of section 5 from "viruses" to "malicious software". This covers viruses, worms, trojans, spyware, rootkits, etc. Use of AIDE or Open-Source Tripwire, with a carefully set up policy, should meet the requirements.

I would write an "explanation of non-applicability" that states that CentOS is at low risk of infection by viruses and only slightly higher risk of infection by worms, and that implementation of a host filesystem integrity verification system (or host intrusion detection system) provides an appropriate control to alert administrators to unauthorised changes of any kind on the system. Add appropriate verbiage about SELinux, etc. if appropriate. I'd say that should get the job done.

Best,

--- Les Bell [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909
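A triage filter for the nightly 'rpm -V' cron job Ian mentions and the "alert administrators to unauthorised changes" control Les describes, written here as an added example (not code from the thread): it keeps the package-verification findings that need an alert and drops the mtime-only noise that makes such reports get ignored. The sample rpm -V lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Triage "rpm -V" output on CentOS: keep the findings an administrator must
# look at, drop the mtime-only noise. Added example, not from the thread.
#
# rpm -V prints one line per file that differs from the package database:
#   <flags>  <attr> <path>      e.g.  "S.5....T  c /etc/ssh/sshd_config"
#   missing     <path>
# Flags (CentOS 5 prints 8, newer rpm prints 9 with a trailing P):
#   S size  M mode  5 digest  D device  L symlink  U user  G group  T mtime
# <attr> is "c" for %config files, "d" for docs, or blank.
# Paths containing spaces are not handled (rare in packaged files).

rpm_verify_triage() {
    awk '
    # Output format: SEVERITY <tab> path <tab> flags
    $1 == "missing" { printf "ALERT\t%s\tmissing\n", $NF; next }
    {
        flags = $1
        attr  = (NF >= 3) ? $2 : ""
        path  = $NF
        # Mode, device, symlink or ownership changes on any file, and content
        # changes on non-config files, are what tampering or a rootkit leaves.
        if (flags ~ /[MDLUG]/ || (flags ~ /[S5]/ && attr != "c")) {
            printf "ALERT\t%s\t%s\n", path, flags
        } else if (flags ~ /[S5]/ && attr == "c") {
            # Edited config files are expected; list them so each change can
            # be confirmed against the change log instead of alerting.
            printf "REVIEW\t%s\t%s\n", path, flags
        }
        # Anything else (e.g. ".......T", mtime only) is noise: skipped.
    }'
}

# Constructed sample of rpm -V output (not captured from a real host).
sample_rpm_verify() {
    cat <<'EOF'
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/doc/openssh-4.3p2/README
S.5....T    /bin/ls
.M......    /usr/bin/passwd
missing     /sbin/chkconfig
....L...    /usr/lib/libfoo.so.1
.......T  c /etc/motd
EOF
}

# Nightly cron use (assumed invocation, mailed by cron when non-empty):
#   rpm -Va 2>/dev/null | rpm_verify_triage
# Running this file with --demo feeds the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    sample_rpm_verify | rpm_verify_triage
fi
```

rpm -V only checks packaged files against the local rpm database, which an attacker with root can edit; AIDE or Tripwire with a baseline kept off the host is the stronger version of the same control.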
On 22.01.2009 02:19, Amos Shapira wrote:
> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination :() do you use which doesn't affect our systems
> performance too much.

http://www.f-prot.com/products/corporate_users/unix/ has some Linux AV products.

Rainer
> Yes, I know, it's really really embarrassing to have to ask but I'm
> being pushed to the wall with PCI DSS Compliance procedure
> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> we don't need to install an anti-virus or find an anti-virus to run on
> our CentOS 5 servers.
>
> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.
>
> So:
>
> 1. Has anyone here gone though such a procedure and got good arguments
> against the need for anti-virus?

We are going through the same thing. The initial rollout was planned for only PCI critical systems, but has been expanded to SOX and business-critical servers. Given the extreme rarity of Unix/Linux related viruses, we did question why we needed to run an AV solution at all. However, we do have shares that are accessible via Windows and Mac users, so these were targeted. Per our compliance officer, though a rigid interpretation of the PCI documentation might not require full scans of every server, or even scanning every server, we would go beyond the spec. Thus, at some point we're expecting that all servers will require some sort of AV product.

> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination :() do you use which doesn't affect our systems
> performance too much.

The AV solution we were told to use was Sophos AV. Our environment is primarily AIX with a few Linux systems. Though the Linux systems had (mostly) equivalent features to the Windows product, the AIX solution was essentially a command line driven scan similar to ClamAV.

Now, SophosAV on Linux requires some kernel hooks for the on-access scan. If Sophos-compiled binaries are not available for your kernel then you'd need to build them on the machine. I.e., you'd require GCC and the kernel-dev packages. Per our security requirements (not PCI specific), we do not have compilers and dev libraries on anything but development servers.
Sophos also did not have an SLA as to when new binaries would be released after a new kernel. Which leads to an interesting conundrum. The Sophos product cannot do on-demand scanning without a dev environment (and compiling elsewhere was not a documented process from Sophos). So we were left with the command line, cron driven scanner. Given that the files we would target were often temporary (e.g., uploaded documents, files to be pushed into a doc manager), it made little sense to scan daily. Instead, you'd need to script processes to watch directories and holding areas.

The rest of the problems were primarily with the AIX client.

Anyhoo, the AV products don't put too much load on the system, depending on your scan requirements. They can do so though. E.g., if you scan compressed files, do on demand, scan across shares, etc..

> The reviewed servers run both Internet-facing web applications and
> internal systems, mostly using proprietary protocol for internal
> communications. They are being administrated remotely via IPSec VPN
> (and possibly in the future also OpenVPN).
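For the holding-area scanning described above, and the cron-driven clamscan suggested earlier in the thread, an added example (not code from the thread, ClamAV or Sophos): it scans each file in an upload holding directory with clamscan, using clamscan's documented exit codes (0 clean, 1 infected, 2 error), releases clean files to an accepted directory and moves detections to a quarantine directory. The directory layout and the CLAMSCAN override variable are assumptions of this example.

```shell
#!/bin/sh
# Scan a holding directory of uploaded files and sort them into accepted/
# or quarantine/ before the application gets to see them. Added example,
# not from the thread; run it from cron or from a directory-watch loop.
#
# clamscan exit codes: 0 = clean, 1 = infected, 2 = error.
# CLAMSCAN can be overridden (e.g. with a stub) so the logic can be
# exercised on a box without ClamAV installed.
CLAMSCAN="${CLAMSCAN:-clamscan}"

# scan_file <path>: prints CLEAN, INFECTED or ERROR; always returns 0.
scan_file() {
    rc=0
    "$CLAMSCAN" --no-summary --infected "$1" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo CLEAN ;;
        1) echo INFECTED ;;
        *) echo ERROR ;;
    esac
}

# scan_dropdir <holding> <accepted> <quarantine> <logfile>
# Returns 0 when every file was clean, 1 when anything was quarantined or
# could not be scanned (the caller should alert on 1).
scan_dropdir() {
    hold=$1; ok=$2; quar=$3; log=$4; status=0
    mkdir -p "$ok" "$quar"
    chmod 0700 "$quar"
    for f in "$hold"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        verdict=$(scan_file "$f")
        case $verdict in
            CLEAN)
                mv "$f" "$ok/$name" ;;
            INFECTED)
                # Keep the sample for the incident record but out of the
                # application's reach; the timestamp avoids name clashes.
                dest="$quar/$name.$(date +%s)"
                mv "$f" "$dest"
                chmod 0600 "$dest"
                status=1 ;;
            *)
                # Scanner error: leave the file in the holding area rather
                # than treating "could not scan" as "clean".
                status=1 ;;
        esac
        printf '%s %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$verdict" "$f" >>"$log"
    done
    return $status
}
```

Pair it with freshclam on a schedule so the signatures are current, and have cron mail or page on a non-zero exit rather than on the log alone.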
Amos Shapira wrote:
> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination :() do you use which doesn't affect our systems
> performance too much.

I highly recommend Sophos antivirus:
http://www.sophos.com/products/enterprise/endpoint/security-and-control/8.0/linux/

They seem to cost more than the competition but it's because they have a better product.

Glad I don't have to deal with credit card numbers anymore; the security around that stuff was a pain.

nate
Amos Shapira <amos.shapira at gmail.com> wrote:
> Hi All,
>
> Yes, I know, it's really really embarrassing to have to ask but I'm
> being pushed to the wall with PCI DSS Compliance procedure
> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> we don't need to install an anti-virus or find an anti-virus to run on
> our CentOS 5 servers.
>
> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.
>
> So:
>
> 1. Has anyone here gone though such a procedure and got good arguments
> against the need for anti-virus?
> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination :() do you use which doesn't affect our systems
> performance too much.
>
> The reviewed servers run both Internet-facing web applications and
> internal systems, mostly using proprietary protocol for internal
> communications. They are being administrated remotely via IPSec VPN
> (and possibly in the future also OpenVPN).
>
> Thanks,
>
> --Amos

After reading all of the other replies (including the ones that pointed out that the PCI DSS requirement had changed the terminology from "virus" to "malware"), why not claim you are meeting the requirement by doing something useful like running chkrootkit or rkhunter on a regular basis? That way you would be scanning the systems for the only malware known to actually pose a threat to a Linux box. It may be a low probability of infection (as others have pointed out) but should satisfy the auditor and hopefully will just be a low cost exercise in futility as long as reasonable security policies are followed.

Cheers,
Dave

-- 
Politics, n. Strife of interests masquerading as a contest of principles. -- Ambrose Bierce
Adam Tauno Williams <awilliam at whitemice.org> wrote:
>> CLAMAV, or any package, isn't THE answer, it is part of an answer. And PCI/DSS requires a server be scanned on a regular basis. Fighting against that directive just makes no sense. You should scan an entire system on some interval regardless of OS. <<

It's worth noting that the type of scan required by PCI DSS is not a filesystem scan by an antivirus product. It is a vulnerability scan performed by an Approved Scanning Vendor.

Some other miscellaneous points triggered by posts in this thread that I've read this morning:

According to the Verizon 2008 Data Breaches Report, in over 90% of cases where a successful attack exploited a vulnerability, there was a patch available for at least six months prior to the breach. So the first thing we can say is that there is good reason to patch your system - it's definitely an effective activity.

While the most popular attack methods of cybercriminals are hacking and malcode (again, the Verizon report confirms this), malcode is much more popular in the Windows world and hacking is the method of choice against Linux boxes, imho (SSH brute-forcing worms notwithstanding). This means that anti-virus products will be less effective in safeguarding the data on a Linux box, and host intrusion detection systems are correspondingly more effective.

Most attacks against servers are conducted against the application layer code (PHP vulnerabilities, especially, but also SQL injection, etc.) Again, anti-virus products are not effective here, particularly since the original poster seems to be running custom code (internally-developed or outsourced). The best controls here will be HIDS like AIDE and Tripwire, as well as network IDS.

An attacker who exploits a server might upload some recognisable malware, and an anti-virus scanner might pick it up, but I'm not sure whether (e.g.)
ClamAV has signatures for stuff like eggdrop IRC servers, phishing sites and other stuff that sometimes turns up on compromised hosts. The bulk of the signature database is undoubtedly Windows malware. However, a determined attacker, who knows what the server hosts, is much more likely to either use SQL injection or command injection techniques to extract credit card info (use NIDS to detect this) or to install a rootkit to allow him to come and go more easily (and HIDS will detect this).

Remember, there are two problems to be solved here:

a) Get the systems past the PCI-DSS Assessor
b) Do something useful to actually protect the systems

It would be great if both problems had the same solution, but that depends on how clueful the Assessor is (and how artfully the original poster can "manage" him). Right now, the original poster's employer is paying him to solve a), and will probably only worry about b) much later, should the excrement actually hit the fan. If installing ClamAV is what it takes to solve a), just do it and then get to work on b).

Best,

--- Les Bell, RHCE, CISSP, M.Info.Tech (Systems Security) [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909
Stephen John Smoogen <smooge at gmail.com> wrote:
> On Thu, Jan 22, 2009 at 12:42 PM, David G. Miller <dave at davenjudy.org> wrote:
>
>> Amos Shapira <amos.shapira at gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> Yes, I know, it's really really embarrassing to have to ask but I'm
>>> being pushed to the wall with PCI DSS Compliance procedure
>>> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
>>> we don't need to install an anti-virus or find an anti-virus to run on
>>> our CentOS 5 servers.
>>>
>>> Whatever I do - it needs to be convincing enough to make the PCI
>>> compliance guy tick the box.
>>
>> <SNIP>
>>
>> After reading all of the other replies (including the ones that pointed
>> out that the PCI DSS requirement had changed the terminology from
>> "virus" to "malware"), why not claim you are meeting the requirement by
>> doing something useful like running chkrootkit or rkhunter on a regular
>> basis? That way you would be scanning the systems for the only malware
>> known to actually pose a threat to a Linux box. It may be a low
>> probability of infection (as others have pointed out) but should satisfy
>> the auditor and hopefully will just be a low cost exercise in futility
>> as long as reasonable security policies are followed.
>
> Any tool will require the need to have a risk assessment against it.
> What is the likelihood of it finding malware? How much is updated and
> how does it compare to other tools. These will be questions that will
> need to be available for auditors to know you did your due-diligence
> on selecting a tool.

Answering those questions would provide the arguments for running a root kit scanner instead of anti-virus software. That is, the risk of malware affecting the systems in question is low with near zero likelihood that a true virus will cause a problem but with the possibility that a rootkit could compromise the systems.
Chkrootkit and rkhunter are arguably the best tools for finding a root kit. The programs are updated whenever a new threat is identified. Obviously, the OP would need more than my say so as backup for these assertions. Said backup would also make the case that scanning for non-existent threats (Linux viruses) would make no sense while scanning for a real threat makes the most sense.

Cheers,
Dave

-- 
Politics, n. Strife of interests masquerading as a contest of principles. -- Ambrose Bierce