On Thu, Jan 22, 2009 at 12:19:27PM +1100, Amos Shapira wrote:
> Hi All,
>
> Yes, I know, it's really really embarrassing to have to ask but I'm
> being pushed to the wall with PCI DSS Compliance procedure
> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> we don't need to install an anti-virus or find an anti-virus to run on
> our CentOS 5 servers.
>
> Whatever I do - it needs to be convincing enough to make the PCI
> compliance guy tick the box.
>
> So:
>
> 1. Has anyone here gone through such a procedure and got good arguments
> against the need for anti-virus?

Amos - the best argument I have ever seen along those lines is here:
(And it's a good one)

http://linuxmafia.com/~rick/faq/index.php?page=virus

All UNIX/Linux aficionados should be familiar with its content.

FAIR WARNING, It is long and complex. Because it is comprehensive and
detailed. Those among you familiar with Rick Moen will understand and
appreciate why.

A portion pasted here:

The most recent version of these essays can be found at
http://linuxmafia.com/~rick/faq/.

Rick's Rants

Virus . . .

  o Should I get anti-virus software for my Linux box?
  o But didn't security expert Simson Garfinkel say that all Linux
    systems need virus checkers?
  o Don't the rise of Linux worms show that Linux now has a virus
    problem?
  o Isn't Microsoft Corporation's market dominance, making Linux an
    insignificant target, the only reason it doesn't have a virus
    problem?
  o But how can you say there's no virus problem, when there have been
    several dozen Linux viruses?

Should I get anti-virus software for my Linux box?

The problem with answering this question is that those asking it know
only OSes where viruses, trojan-horse programs, worms, nasty
Javascripts, ActiveX controls with destructive payloads, and ordinary
misbehaved applications are a constant threat to their computing.
Therefore, they refuse to believe Linux could be different, no matter
what they hear. And yet it is.

Here's the short version of the answer: No. If you simply never run
untrusted executables while logged in as the root user (or
equivalent), all the "virus checkers" in the world will be at best
superfluous; at worst, downright harmful. "Hostile" executables
(including viruses) are almost unfindable in the Linux world — and no
real threat to it — because they lack root-user authority, and because
Linux admins are seldom stupid enough to run untrusted executables as
root, and because Linux users' sources for privileged executables
enjoy paranoid-grade scrutiny (such that any unauthorised changes
would be detected and remedied).

Here's the long version: Still no. Any program on a Linux box, viruses
included, can only do what the user who ran it can do. Real users
aren't allowed to hurt the system (only the root user can), so neither
can programs they run.

Because of the distinction between privileged (root-run) processes and
user-owned processes, a "hostile" executable that a non-root user
receives (or creates) and then executes (runs) cannot "infect" or
otherwise manipulate the system as a whole. Just as you can delete
only your own files (i.e., those you have "write" permission to),
executables you run cannot affect other users' (or root's) files.
Therefore, although you can create (or retrieve), and then run, a
virus, worm, trojan horse, etc., it can't do much. Unless you do so as
"root". Which it's simple to avoid doing.

==============================================================

This is just the beginning - it continues on to cover every aspect of
the issue in a mere 1100 lines.... All of it well worth reading.

Jeff Kinz.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxxxxxx://lists.centos.org/mailman/listinfo/centos
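
The quoted essay's argument depends on system executables being owned by root and not writable by anyone else. The following is an added example, not part of the original message or of Rick Moen's essay: a check of that premise that walks a directory tree and reports entries with an untrusted owner or with group/world write permission. The function names, parameters and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_tree(root, trusted_uid=0, trusted_gid=0):
    """Return sorted (path, reason) pairs for entries an untrusted user could alter."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Check each directory once (as dirpath) plus the files it contains.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are meaningless; audit the target's tree
            if st.st_uid != trusted_uid:
                findings.append((path, "owner uid %d" % st.st_uid))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            if st.st_mode & stat.S_IWGRP and st.st_gid != trusted_gid:
                findings.append((path, "group-writable by gid %d" % st.st_gid))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: one correctly protected file, one world-writable file."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    os.chmod(root, 0o755)
    for name, mode in (("ls", 0o755), ("backup.sh", 0o757)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    # Demo on the constructed tree, trusting the current user so it runs unprivileged.
    demo = build_sample_tree()
    for path, reason in audit_tree(demo, os.getuid(), os.getgid()):
        print("FINDING %s: %s" % (path, reason))
    # On a real server, call audit_tree("/usr/bin"), audit_tree("/usr/sbin"), etc.
    # with the defaults (uid 0, gid 0); an empty result supports the essay's premise.
```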