[sf-lug] Linux Anti-Virus tool - comments requested...
Robert Johnson
emailbox6357 at gmail.com
Mon Jul 30 08:28:52 PDT 2018
Sorry, this is SF-LUG not SF-WIN... I get it...
On 7/30/18, Rick Moen <rick at linuxmafia.com> wrote:
> Afterthought on my answer to Robert Johnson:
>
> In the early 2000s, I was working at VA Linux Systems, which was then
> the leading manufacturer of hardware systems designed to run Linux,
> and was running the Debian Linux distribution on my company-issued
> workstation at my desk. There were a couple of amusing encounters I had
> with accounting/auditing staff.
>
> One was when some guy working for the auditing team finally reached my
> cubicle and posed the same question to me he'd been asking everyone
> else: He asked about the _licences_ for all the software I was running.
>
> Me: 'Um, I'm running Debian. It's open source.'
> Auditor: 'And what applications are you running on Debian?'
> Me: 'You mean other than open source applications provided as
> Debian open-source packages?'
> Auditor: 'Yes.'
> Me: 'Just Debian.'
> Auditor: 'Really?'
> Me: 'Seriously. Do you want to check? I can mail you a list of
> everything on the system. It's just one dpkg command away.'
> Auditor: 'Um... no, that's okay.' [makes note on clipboard]
>
>
> The second time (the following year, I think), with a different junior
> member of the audit team visiting, I'd already been given a heads-up
> about the _new_ question being shopped around.
>
>
> Auditor: 'We've been tasked with making sure every workstation runs
> antivirus software.'
> Me: 'So I heard. The software mine runs for that purpose is called
> AIDE. Here, I've printed out a copy of the user guide for you.'
> Auditor: 'This is antivirus software? I've not heard of it.'
> Me: 'I figured you wouldn't, which is why I printed out the user
> guide. As you'll see, AIDE monitors all security-sensitive
> system directories and files, and alerts on any unauthorised
> changes. This prevents unnoticed compromise of the system by
> malware or anything else.'
> Auditor: 'Um.... okay.' [another tickmark on the clipboard]
>
>
> This second young fellow _probably_ suspected I was (arguably)
> feeding him a line, but he wasn't prepared to argue with a software guy
> about software. Besides, by what criteria would AIDE, a piece of
> host-based intrusion detection system (HIDS) software, _not_ qualify as antivirus
> software? It verifies whether or not a system meets security integrity
> criteria it's been configured to check. What more is required?
>
> https://en.wikipedia.org/wiki/Advanced_Intrusion_Detection_Environment
> Comparison page:
> https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system_comparison
>
> Unlike the auditor, I'd spent some time thinking about what security
> measures are and are not useful and relevant in context of a Unix
> system and my use-case.
>
> Many MS-Windows users _also_ expect 'antivirus software' to do some sort
> of automagical _repairs_ if it detects that system security has been
> breached. In the Unix world, accepted wisdom is that, if system-level
> security is proven to have been breached, from that point forward
> the system's executables and configuration cannot be trusted at all, and
> the system must be taken down and rebuilt. And, actually, the same is
> true on any OS, but the corporate Windows-using world is in denial about
> that fact.
>
>
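The kind of integrity check Rick describes AIDE doing, as an added example that is not part of the original thread and not AIDE's own code: it records a hash plus permission, owner and size metadata for every file under a directory, then reports files that were added, removed or altered. The directory contents, file names and the tampering in `demo()` are all constructed for the illustration.

```python
"""Minimal AIDE-style integrity check: record a baseline, then report changes."""
import hashlib
import stat
import tempfile
from pathlib import Path

def _sha256(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root to its hash, permissions, owner and size.
    As with AIDE's database, store this where the monitored host cannot rewrite it;
    on a compromised system the baseline is no more trustworthy than the files."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        baseline[str(path.relative_to(root))] = {
            "sha256": _sha256(path), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
        }
    return baseline

def compare(baseline, current):
    """Return (added, removed, changed); changed maps a path to its differing fields."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return added, removed, changed

def demo():
    """Constructed scenario: baseline a fake config directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)
        (root / "sshd_config").write_text("PermitRootLogin yes\n")  # content edited
        (root / "passwd").chmod(0o777)                               # permissions loosened
        (root / "unexpected.conf").write_text("x\n")                 # file not in baseline
        return compare(baseline, build_baseline(root))
```

Run on a real tree, `build_baseline("/etc")` is the "init" step and `compare()` the periodic check; the report is only as good as the baseline's protection from the host being checked.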