What is the current regulator perspective on antivirus for Linux/UNIX?

3 Votes
Locked

jyates75
As a compliance analyst, I'm trying to determine whether current regulators are requiring antivirus on Linux/UNIX platforms. PCI-DSS states it must be deployed on all systems commonly affected by malicious software... I don't believe Linux is to the point where it's commonly affected. What about other regulations? I've also read that antivirus would be a good idea on the non-Windows platforms in order to prevent transmission of Windows viruses.
Thanks for the help.
  • 4 Votes
    robo_dev

    If a UNIX or Linux server is a web server or is Internet-facing, then some sort of IDS and/or integrity verification would be a prudent measure. But if the server is adequately patched and hardened, and is behind a properly configured firewall, the last thing on earth it could get is a virus.

    But the PCI DSS 1.2 guidance does not exclude UNIX or even mainframes, so you do need to do what they say. The practical matter is that there simply is not a wide choice of AV for some platforms; for Solaris, there's only one (CLAM).

    From a risk standpoint, does it need actual Linux AV software? If it is used to surf the Internet, maybe. But simple measures, such as not logging in as root to do everything, are just as effective. Malware is really just unapproved software, and it needs an entry point.

    In most cases, the only reason people use AV on Linux/UNIX systems is so that they do not share or host infected Windows files, not to protect the server itself. So if my NFS server has a couple of gigabytes of user stuff on it, then you want to catch any bad stuff before it goes anywhere.

    But should ANY device used as part of the PCI process be used to surf the Internet? Heck No.
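The "integrity verification" that the answer above recommends for Internet-facing UNIX hosts is, at its simplest, a signed-off manifest of file hashes and permission bits that you re-check on a schedule. The following is an added example written for this page, not robo_dev's code and not any regulator's requirement; it assumes only a directory tree to baseline and uses a constructed fake web root (bin/, etc/, html/, logs/) plus constructed tampering to show what a check catches. Unlike a hash-only check, it also flags a permission change with identical content, because a config file that quietly went world-writable is exactly the kind of change a scanner should report.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record hash, permission bits and size for every regular file under root.

    Symlinks are skipped rather than followed, so a planted link cannot pull
    files from outside the tree into the manifest.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": sha256_file(full),
                "mode": oct(st.st_mode & 0o7777),  # rwx bits plus setuid/setgid/sticky
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def verify(root, baseline):
    """Compare the live tree against a baseline; return added/removed/changed paths.

    A mode change with an unchanged hash still counts as 'changed'.
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(root, rel, data, mode=0o644):
    """Helper for the constructed scenario: create a file with given content and mode."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed scenario: baseline a fake web root, then tamper with it.

    Returns (clean_report, tampered_report). The manifest is written to a
    separate directory, outside the tree being scanned.
    """
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/app", b"#!/bin/sh\necho app\n", 0o755)
        _write(root, "etc/app.conf", b"listen = 443\n")
        _write(root, "html/index.html", b"<h1>hello</h1>\n")
        _write(root, "logs/old.log", b"rotated\n")

        manifest = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), manifest)
        baseline = load_baseline(manifest)

        clean = verify(root, baseline)  # nothing touched yet

        # Constructed tampering: content change, permission-only change,
        # a dropped-in executable, and a deleted file.
        with open(os.path.join(root, "html/index.html"), "ab") as fh:
            fh.write(b"<!-- injected -->\n")
        os.chmod(os.path.join(root, "etc/app.conf"), 0o666)
        _write(root, "bin/.backdoor", b"#!/bin/sh\n/bin/sh -i\n", 0o755)
        os.remove(os.path.join(root, "logs/old.log"))

        tampered = verify(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("clean run:", clean_report)
    print("after tampering:", tampered_report)
```

The manifest is only as trustworthy as its storage: an attacker who gets root on the host can rewrite a baseline kept on that host, so in practice the manifest is copied off-box or signed, and packaged files are also cross-checked against the package manager's own database (rpm -V, dpkg --verify). Purpose-built tools such as AIDE or Tripwire do the same job with far more attributes tracked; the example shows the mechanism, not a replacement for them.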
