Stephen John Smoogen <smooge@xxxxxxxxx> wrote:
> On Thu, Jan 22, 2009 at 12:42 PM, David G. Miller <dave@xxxxxxxxxxxxx> wrote:
>
>> Amos Shapira <amos.shapira@xxxxxxxxx> wrote:
>>
>>> Hi All,
>>>
>>> Yes, I know, it's really really embarrassing to have to ask but I'm
>>> being pushed to the wall with PCI DSS Compliance procedure
>>> (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
>>> we don't need to install an anti-virus or find an anti-virus to run on
>>> our CentOS 5 servers.
>>>
>>> Whatever I do - it needs to be convincing enough to make the PCI
>>> compliance guy tick the box.
>>
>> <SNIP>
>>
>> After reading all of the other replies (including the ones that pointed
>> out that the PCI DSS requirement had changed the terminology from
>> "virus" to "malware"), why not claim you are meeting the requirement by
>> doing something useful like running chkrootkit or rkhunter on a regular
>> basis? That way you would be scanning the systems for the only malware
>> known to actually pose a threat to a Linux box. It may be a low
>> probability of infection (as others have pointed out) but should satisfy
>> the auditor and hopefully will just be a low cost exercise in futility
>> as long as reasonable security policies are followed.
>
> Any tool will require the need to have a risk assessment against it.
> What is the likelihood of it finding malware? How much is updated and
> how does it compare to other tools. These will be questions that will
> need to be available for auditors to know you did your due-diligence
> on selecting a tool.

Answering those questions would provide the arguments for running a root kit
scanner instead of anti-virus software. That is, the risk of malware affecting
the systems in question is low, with near zero likelihood that a true virus
will cause a problem, but with the possibility that a rootkit could compromise
the systems.

Chkrootkit and rkhunter are arguably the best tools for finding a root kit.
The programs are updated whenever a new threat is identified. Obviously, the
OP would need more than my say-so as backup for these assertions. Said backup
would also make the case that scanning for non-existent threats (Linux
viruses) would make no sense, while scanning for a real threat makes the most
sense.

Cheers,
Dave

-- 
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
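The "run chkrootkit or rkhunter on a regular basis" advice above, as an added example that is not part of the thread and not code from either project: a cron wrapper that refreshes rkhunter's data files, runs both tools non-interactively, keeps a dated report per tool and appends a one-line PASS/WARN verdict to a summary file, which is the kind of trail an auditor can be shown. It assumes rkhunter and chkrootkit are installed and on PATH, and the log directory and script path are hypothetical; the verdict is derived from the tools' own output conventions (rkhunter prefixes findings with "Warning:", chkrootkit -q prints only "INFECTED" / "Possible ..." lines).

```shell
#!/bin/sh
# Nightly rootkit-scan wrapper: added example, not from the CentOS thread.
# Assumptions (mine): rkhunter and chkrootkit are installed and on PATH,
# and reports are kept under $LOGDIR (hypothetical path) as audit evidence.

LOGDIR="${LOGDIR:-/var/log/rootkit-scans}"

# Count suspicious lines in a scan report; prints 0 for an unreadable file.
# rkhunter findings start with "Warning:"; chkrootkit -q reports "INFECTED"
# or "Possible ..." lines.
count_findings() {
    n=$(grep -c -E 'Warning:|INFECTED|Possible ' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# PASS if a report contains no findings, WARN otherwise, ERROR if the report
# is missing (a scan that never ran must not count as a clean scan).
verdict() {
    [ -r "$1" ] || { echo ERROR; return 0; }
    if [ "$(count_findings "$1")" -gt 0 ]; then echo WARN; else echo PASS; fi
}

# rkhunter, non-interactively. Refresh its data files first so the
# "how much is it updated?" question from the thread is answered in the log.
run_rkhunter() {   # $1 = report file
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter: not installed" >"$1"; return 2; }
    rkhunter --update --nocolors >>"$1" 2>&1 || true
    rkhunter --cronjob --report-warnings-only --nocolors >>"$1" 2>&1 || true
}

# chkrootkit has no signature database to update; -q prints only suspicious results.
run_chkrootkit() {   # $1 = report file
    command -v chkrootkit >/dev/null 2>&1 || { echo "chkrootkit: not installed" >"$1"; return 2; }
    chkrootkit -q >>"$1" 2>&1 || true
}

# One scan cycle: both tools, a dated report each, and a verdict line in
# summary.log. Exits non-zero unless both verdicts are PASS, so a calling
# job can alert on it.
scan_cycle() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$LOGDIR"
    rc=0
    for tool in rkhunter chkrootkit; do
        report="$LOGDIR/$tool-$stamp.log"
        "run_$tool" "$report" || true
        v=$(verdict "$report")
        echo "$stamp $tool $v ($(count_findings "$report") findings)" >>"$LOGDIR/summary.log"
        [ "$v" = PASS ] || rc=1
    done
    return $rc
}

# Scan only when invoked with --run, e.g. from root's crontab (hypothetical path):
#   0 3 * * * /usr/local/sbin/rootkit-scan.sh --run
if [ "${1:-}" = "--run" ]; then
    scan_cycle
fi
```

The PASS/WARN lines in summary.log are what you would hand to the assessor as evidence of regular scanning; the per-tool reports behind them are what you investigate when a verdict is WARN. Both tools produce false positives after package updates (rkhunter in particular flags changed file properties until you run `rkhunter --propupd` after a legitimate update), so a WARN is a prompt to read the report, not proof of compromise.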