[sf-lug] Linux Anti-Virus tool - comments requested...

Robert Johnson emailbox6357 at gmail.com
Mon Jul 30 08:28:52 PDT 2018


Sorry, this is SF-LUG not SF-WIN...  I get it...

On 7/30/18, Rick Moen <rick at linuxmafia.com> wrote:
> Afterthought on my answer to Robert Johnson:
>
> In the early 2000s, I was working at VA Linux Systems, which was then
> the leading manufacturer of hardware systems designed to run Linux,
> and was running the Debian Linux distribution on my company-issued
> workstation at my desk.  There were a couple of amusing encounters I had
> with accounting/auditing staff.
>
> One was when some guy working for the auditing team finally reached my
> cubicle and posed the same question to me he'd been asking everyone
> else:  He asked about the _licences_ for all the software I was running.
>
> Me:  'Um, I'm running Debian.  It's open source.'
> Auditor:  'And what applications are you running on Debian?'
> Me:  'You mean other than open source applications provided as
>      Debian open-source packages?'
> Auditor:  'Yes.'
> Me:  'Just Debian.'
> Auditor:  'Really?'
> Me:  'Seriously.  Do you want to check?  I can mail you a list of
>      everything on the system.  It's just one dpkg command away.'
> Auditor:  'Um... no, that's okay.'  [makes note on clipboard]
>
>
> The second time (the following year, I think), with a different junior
> member of the audit team visiting, I'd already been given a heads-up
> about the _new_ question being shopped around.
>
>
> Auditor:  'We've been tasked with making sure every workstation runs
>           antivirus software.'
> Me:  'So I heard.  The software mine runs for that purpose is called
>      AIDE.  Here, I've printed out a copy of the user guide for you.'
> Auditor:  'This is antivirus software?  I've not heard of it.'
> Me:  'I figured you wouldn't, which is why I printed out the user
>      guide.  As you'll see, AIDE monitors all security-sensitive
>      system directories and files, and alerts on any unauthorised
>      changes.  This prevents unnoticed compromise of the system by
>      malware or anything else.'
> Auditor:  'Um.... okay.'  [another tickmark on the clipboard]
>
>
> This second young fellow _probably_ suspected I was (arguably)
> feeding him a line, but he wasn't prepared to argue with a software guy
> about software.  Besides, by what criteria would AIDE, a piece of
> host-based intrusion detection system (HIDS) software, _not_ qualify as antivirus
> software?  It verifies whether or not a system meets security integrity
> criteria it's been configured to check.  What more is required?
>
> https://en.wikipedia.org/wiki/Advanced_Intrusion_Detection_Environment
> Comparison page:
> https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system_comparison
>
> Unlike the auditor, I'd spent some time thinking about what security
> measures are and are not useful and relevant in context of a Unix
> system and my use-case.
>
> Many MS-Windows users _also_ expect 'antivirus software' to do some sort
> of automagical _repairs_ if it detects that system security has been
> breached.  In the Unix world, accepted wisdom is that, if system-level
> security is proven to have been breached, from that point forward
> the system's executables and configuration cannot be trusted at all, and
> the system must be taken down and rebuilt.  And, actually, the same is
> true on any OS, but the corporate Windows-using world is in denial about
> that fact.
>
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> Information about SF-LUG is at http://www.sf-lug.org/
> Related Information
> http://www.shallowsky.com/blog/
> http://explainshell.com/
>
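The integrity-monitoring behaviour Rick describes for AIDE (record a baseline of security-sensitive files, then alert on any change) reduced to a small Python script. This is an added example written for this archive page, not AIDE's own code; the /etc-like tree, file names and tampering steps are constructed for the demo, and the JSON database file stands in for AIDE's binary database.

```python
"""Minimal AIDE-style file-integrity checker (added example, not AIDE's code).

Builds a baseline of content hashes and metadata for a directory tree, then
compares the live tree against that baseline and reports added, removed and
modified files. The demo tree below is constructed; an operator would point
this at /etc, /bin, /usr/bin and similar.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def snapshot_file(path: Path) -> dict:
    """Record the attributes integrity checkers watch: hash, mode, size, owner."""
    st = path.lstat()
    entry = {
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "uid": st.st_uid,
        "gid": st.st_gid,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)   # a retargeted symlink is a change too
    return entry


def build_baseline(root: Path) -> dict:
    """Walk root and snapshot every regular file and symlink, keyed by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = snapshot_file(p)
    return baseline


def save_baseline(baseline: dict, db_path: Path) -> None:
    db_path.write_text(json.dumps(baseline, sort_keys=True))


def load_baseline(db_path: Path) -> dict:
    return json.loads(db_path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return added/removed paths and, for modified ones, which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        keys = set(baseline[rel]) | set(current[rel])
        changed = [k for k in sorted(keys) if baseline[rel].get(k) != current[rel].get(k)]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def check(root: Path, db_path: Path) -> dict:
    """The 'aide --check' equivalent: live tree versus stored baseline."""
    return compare(load_baseline(db_path), build_baseline(root))


def demo() -> dict:
    """Constructed scenario: baseline a small /etc-like tree, tamper with it, check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "cron.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "hosts").chmod(0o644)          # pin the mode so umask cannot vary it
        (root / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        db = Path(tmp) / "aide.db.json"
        save_baseline(build_baseline(root), db)

        # Simulated unauthorised changes of four different kinds
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n")
        (root / "hosts").chmod(0o666)          # mode-only change, content untouched
        (root / "cron.d" / "unexpected-job").write_text("* * * * * root /usr/local/bin/other\n")
        (root / "cron.d" / "backup").unlink()
        return check(root, db)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from `demo()` lists `cron.d/unexpected-job` as added, `cron.d/backup` as removed, `passwd` as modified in `sha256` and `size`, and `hosts` as modified in `mode` only. The same caveat Rick raises about a breached system applies to the checker itself: the baseline database and the checker binary must live somewhere the host cannot silently rewrite (read-only media, a separate host, or at least a signed copy compared out of band), since a tool that reads its own baseline from a compromised filesystem can only confirm what the intruder left for it to find.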