
Written by: Justin James
5/22/2008 9:58 AM

For a change, I think that someone from Cisco is making sense:
http://news.zdnet.com/2424-1009_22-202297.html?tag=nl.e622

He's sadly right. The only way I'd work with a blacklist anti-virus system is if it did not use signatures, but worked very similarly to UAC on Vista or sudo on *Nix. In other words, certain behaviors would be blacklisted. And even that is risky, because the bad guys are always finding new ways to abuse even relatively innocent system commands. Malware is a war that we're losing, and losing badly. The only answers are systems that are either thin clients (or effectively thin clients) that the IT department can lock down on the server side, or clients so limited in their usage that they can't do much other than the basics.

J.Ja

5 comments so far...

AppArmor

Malware, per se, doesn't exist in Linux, and if you've taken additional steps to profile your processes with AppArmor, it's difficult if not impossible for privilege escalation to get a toehold.
I don't scan for viruses, but I do scan incoming email with ClamAV and SpamAssassin.
My server is running Apache mod-apparmor and clients are FF AppArmor profiled.
When in doubt, sandboxing with AppArmor or chroot is effective.

I have a multi-part series on security issues entitled: "Is It Safe?" over at Linux IT Consultant.

http://www.dtschmitz.com/dts/2008/05/is-it-safe.html

Be safe.

--dietrich

By dietrich on   5/22/2008 4:04 PM
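As an illustration of the per-process confinement the comment above recommends, here is a deliberately small AppArmor profile for a hypothetical client binary at /usr/bin/example-client (an added example, not dietrich's own configuration or a distribution-shipped profile; the binary name and paths are assumptions, and a real Firefox profile is considerably longer).

```apparmor
# Constructed illustration of a confining AppArmor profile; not a distribution-shipped profile.
# Install as /etc/apparmor.d/usr.bin.example-client, load with `apparmor_parser -r`,
# run it under `aa-complain` until the audit log is quiet, then switch to `aa-enforce`.
#include <tunables/global>

/usr/bin/example-client {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The program may map and read its own code and libraries, but never write to them.
  /usr/bin/example-client mr,
  /usr/lib/example-client/** mr,

  # Ordinary TCP/UDP sockets only; no raw or packet sockets.
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # Per-user state is confined to one directory; the rest of $HOME stays out of reach,
  # so a compromised client cannot read ~/.ssh or plant files elsewhere.
  owner @{HOME}/.example-client/** rwk,
  owner @{HOME}/Downloads/* rw,

  # Explicitly deny, and log, attempts to read credential files or to spawn shells.
  audit deny /etc/shadow r,
  audit deny /etc/gshadow r,
  audit deny /bin/** x,

  # No `capability` rules: even as a compromised process it gains no raw privileges.
}
```

Denied accesses show up in the kernel audit log with the profile name, which is the "toehold" signal a defender watches for while the profile is in complain mode.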

application whitelisting

john stewart (cisco cso) is talking about application whitelisting, which is more like tcsec secure attention keys, or trusted paths. some organizations have attempted to do this through AD GPOs, or Enterprise agents (e.g. Symantec, ePO, LANDesk, NetIQ, Lumension, BigFix, ConfigureSoft, et al)... but it's a lot of setup work. apparently, there are new security vendors pushing "application whitelisting", but i haven't heard of any specific products yet. there are others advocating thin client computing as another solution to this sort of problem.

any way you look at it, this is all very dangerous ground. i've yet to see/hear of one Windows-based agent (AV or other) that didn't have multiple serious issues going on with the design and code. in other words, every agent is a disaster waiting to happen, much like SCADA or anything else.

By wrnlzqxybrsami on   5/22/2008 4:40 PM

Re: Someone from Cisco makes sense

chroot jails are indeed quite effective; unfortunately they are a pain to establish properly. The reason why Linux doesn't have malware (i.e. viruses, spyware, adware, etc.) is simple: virtually no one uses it as a desktop OS. It certainly isn't the *Nix model that keeps it safe, as evidenced by the amount of malware that targets OS X, which is also *Nix. It's just that there is no point in getting malware onto a Web server. :)

I also agree with the statement about Windows agents and problems. They all essentially need to have rootkit (or deep level) access to the machine, and they all have holes, and when those holes get exploited, you can kiss the OS goodbye. It's not really Windows' fault per se; if I had a *Nix AV process running as root but it was filled with holes like those Windows AV apps are, someone could own even the most locked down server in an instant. That's why the smart organizations are scanning either at the gateway/firewall/etc., or some other type of isolated storage area before passing the data on to the requester. If something's going to blow up, better it happen outside of the firewall.

J.Ja

By jmjames on   5/22/2008 10:59 PM

Insanity is

doing the same thing over and over again and expecting different results.

Windows client Anti-Virus software is insane.

Linux is open source. Since projects are accessible by 'many eyes' and coders are vetted before they can touch any code, the likelihood of any malware propagation is low. The only means for cloaking mischievous code is through obfuscation. Bugs get fixed quickly rather than eventually (with exception to the recent Debian SSL/SSH key randomizer debacle--a mismanaged project--which didn't affect other upstream code).

Even Vista suffers from legacy issues found attributable directly to ActiveX. ActiveX--a well-intentioned 'dynamic link library' for adding rich functionality over the web--can put your PC at risk in an instant as it reaches into the bowels of the O/S without any regard for privileged access.

Visit "Linux IT Consultant" and follow along in the "Is It Safe" series at:
http://www.dtschmitz.com/dts/2008/05/is-it-safe.html

Be safe.

Thanks J.Ja

--dietrich

By dietrich on   5/23/2008 6:39 AM


Copyright 2008 by George Ou or Justin James   Terms Of Use  Privacy Statement