[sf-lug] Linux Anti-Virus tool - comments requested...

Rick Moen rick at linuxmafia.com
Mon Jul 30 02:14:22 PDT 2018


Afterthought on my answer to Robert Johnson:

In the early 2000s, I was working at VA Linux Systems, which was then
the leading manufacturer of hardware systems designed to run Linux,
and was running the Debian Linux distribution on my company-issued
workstation at my desk.  There were a couple of amusing encounters I had
with accounting/auditing staff.  

One was when some guy working for the auditing team finally reached my
cubicle and posed the same question to me he'd been asking everyone
else:  He asked about the _licences_ for all the software I was running.

Me:  'Um, I'm running Debian.  It's open source.'
Auditor:  'And what applications are you running on Debian?'
Me:  'You mean other than open source applications provided as 
     Debian open-source packages?'
Auditor:  'Yes.'
Me:  'Just Debian.'
Auditor:  'Really?'
Me:  'Seriously.  Do you want to check?  I can mail you a list of 
     everything on the system.  It's just one dpkg command away.'
Auditor:  'Um... no, that's okay.'  [makes note on clipboard]


The second time (the following year, I think), with a different junior
member of the audit team visiting, I'd already been given a heads-up
about the _new_ question being shopped around.


Auditor:  'We've been tasked with making sure every workstation runs 
          antivirus software.'
Me:  'So I heard.  The software mine runs for that purpose is called 
     AIDE.  Here, I've printed out a copy of the user guide for you.'
Auditor:  'This is antivirus software?  I've not heard of it.'
Me:  'I figured you wouldn't, which is why I printed out the user
     guide.  As you'll see, AIDE monitors all security-sensitive 
     system directories and files, and alerts on any unauthorised
     changes.  This prevents unnoticed compromise of the system by
     malware or anything else.'
Auditor:  'Um.... okay.'  [another tickmark on the clipboard]


This second young fellow _probably_ suspected I was (arguably) 
feeding him a line, but he wasn't prepared to argue with a software guy
about software.  Besides, by what criteria would AIDE, a piece of
host-based intrusion detection system (HIDS) software, _not_ qualify as antivirus
software?  It verifies whether or not a system meets security integrity
criteria it's been configured to check.  What more is required?

https://en.wikipedia.org/wiki/Advanced_Intrusion_Detection_Environment
Comparison page:
https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system_comparison

Unlike the auditor, I'd spent some time thinking about what security
measures are and are not useful and relevant in context of a Unix
system and my use-case.

Many MS-Windows users _also_ expect 'antivirus software' to do some sort
of automagical _repairs_ if it detects that system security has been
breached.  In the Unix world, accepted wisdom is that, if system-level
security is proven to have been breached, from that point forward 
the system's executables and configuration cannot be trusted at all, and
the system must be taken down and rebuilt.  And, actually, the same is
true on any OS, but the corporate Windows-using world is in denial about
that fact.
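As an added illustration (not code from this post, and not AIDE's own code), the following Python sketch reimplements the principle the post attributes to AIDE: record a baseline of hashes and stat attributes for a tree, store it, then re-scan later and report every path that was added, removed, or altered. The directory layout, file names and "rootkit" changes in demo() are constructed for the example; a real AIDE rule set records more attributes (inode, mtime/ctime, xattrs, several hashes) and is driven by /etc/aide.conf with `aide --init` / `aide --check`.

```python
"""Minimal AIDE-style file-integrity check (illustrative reimplementation only).

Not AIDE's code: it reads no aide.conf and uses a JSON baseline instead of
AIDE's database format. The directory tree it scans is constructed inside
demo() so the script runs anywhere without root.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Collect the attributes whose change should raise an alert."""
    st = path.lstat()                       # lstat: never follow symlinks
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        entry["size"] = st.st_size
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)  # a redirected symlink is a change too
    return entry


def build_baseline(root: Path) -> dict:
    """Walk root and fingerprint every entry under it (keys are root-relative)."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*"))}


def save_baseline(baseline: dict, db: Path) -> None:
    # In production the baseline lives off-host or on read-only media; a
    # compromised host could otherwise rewrite it to match the tampered files.
    db.write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(db: Path) -> dict:
    return json.loads(db.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added/removed paths and, per surviving path, each attribute that differs."""
    old, new = set(baseline), set(current)
    changed = {}
    for rel in sorted(old & new):
        diffs = {}
        for key in sorted(set(baseline[rel]) | set(current[rel])):
            before, after = baseline[rel].get(key), current[rel].get(key)
            if before != after:
                diffs[key] = (before, after)
        if diffs:
            changed[rel] = diffs
    return {"added": sorted(new - old), "removed": sorted(old - new), "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a fake bin directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        bindir.mkdir()
        for name in ("ls", "ps"):
            (bindir / name).write_bytes(b"#!/bin/sh\nexec /bin/%s \"$@\"\n" % name.encode())
            (bindir / name).chmod(0o755)
        db = Path(tmp) / "aide.db"          # hypothetical baseline location
        save_baseline(build_baseline(bindir), db)

        # Simulated rootkit; each change is chosen to slip past a naive check:
        (bindir / "ps").write_bytes(b"#!/bin/sh\nexec /bin/pz \"$@\"\n")  # same size, new hash
        (bindir / "ls").chmod(0o4755)                                     # same bytes, now setuid
        (bindir / ".sniffer").write_bytes(b"\x7fELF")                     # new hidden file

        return compare(load_baseline(db), build_baseline(bindir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from demo() flags the trojaned ps by hash even though its size is unchanged, the ls binary by its new setuid bit even though its bytes are unchanged, and the dropped .sniffer as an added path. That is the whole value of a HIDS of this kind: it tells you the system no longer matches its known-good state, and, as the post says, what follows is a rebuild, not a "repair".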
