[huskerlug] Re: Anti-Virus for GNU/Linux? My simple notes for n00bs

  • From: Steve <steve@xxxxxxxxxxxxx>
  • To: huskerlug@xxxxxxxxxxxxx
  • Date: Mon, 1 Sep 2003 10:48:01 -0500

> The Anti-virus programs that are made to run on
> GNU/Linux and *BSD servers, are to filter out, and
> protect, computers that operate Microsoft window
> products, possibly connected to our POSIX system
> server.  Anti-virus programs are NOT for POSIX
> compliant Operating Systems.

I know at least one AV product contains virus sigs for *nix
only viruses, and I'll bet several more do as well.  If you have
f-prot, look at the "-virno" output once.

>
> There are about 14 exploits for POSIX compliant OSes.

You'll have to elaborate on what you mean by "14 exploits".
There have been thousands of exploits for POSIX compliant OSes
over the years, so I'm not sure what you mean.  There are
definitely more than 14 mal-ware programs in existence for
POSIX compliant OSes.

> The automatic execution of a program, due to the macro
> program that is called up by the filename extension in
> Microsoft windows OSes, does not function in that
> manner in any POSIX variant OS.

Several applications that operate in "POSIX compliant" OSes have file 
associations, whether it's by mime type or file extension, that have 
the same effect as "automatic execution" under a windows OS.  These 
associations are usually within the application and have little to do with 
the "POSIX compliant" OS.  

As an example, Netscape was often set up by people with a file
association that would cause any file ending in ".sh" to be executed
by a local shell.  Can you imagine the security implications of this?
Thankfully, most people know better by now, and no longer do this.

Imagine a script that simply had:

rm -rf /

in it.  While a non-root user wouldn't wipe out the OS, any file that is 
contained in a directory that the user has write access to would be wiped
out (assuming no additional file attributes have been set on it -- chattr +i, 
etc).

>
> So, there is no automatic exploit in any POSIX
> compliant system.  

I think that needs to be elaborated on.  As your statement 
stands now, it isn't true.  POSIX is a standard, a spec, and while
most *nix OSes try to follow it, none are 100% compliant.
Read the LKML archives, you'll see what Linus' opinion is on 
POSIX (i.e. it shouldn't be followed where it doesn't make sense
to follow it).  I tend to agree with him too.

> do, they need root access!  That is why there will
> never be any virus, and few w0rm exploits, in
> GNU/Linux.

That is simply naive.  To say there will never be any viruses
in GNU/Linux is just plain wrong.  If you really believe this,
please cross post this to a few of the well known security 
mailing lists and see what kind of response you get.

All it takes is a remote exploit in any program to create a successful 
worm.  Any one who pays attention to security knows that there 
have been thousands of remote exploits in POSIX compliant OSes over
the years.  

> There are some potential threats from applications
> which are permitted some range of access to system
> processes, and open up a vulnerability.  The concept

That's the problem.  There are several applications that
require privileges beyond the standard user. And since 
most "standard" POSIX compliant OSes only have 2 levels
of security (root and non-root), these programs must run
with some root privs in order to operate.  So, almost any bug
in a program running with those privileges can be used to
"own" the system.

The traditional *nix security model isn't as great as many
think.  In its basic form, it's a simple binary model: you
either have all privs (root), or no privs (non-root).  That is
why there are so many other OS research projects out there
that are trying to create a better security model (plan 9 is 
one of the more well known research projects).  It's also why 
there are so many projects that are trying to retrofit Linux 
with a more secure security model: SE Linux, LIDS, Grsecurity, 
RSBAC, Medusa, the list goes on.

While *nix security isn't the best, it's generally a lot better
than the alternatives.

> caught very quickly.  If you monitor any of the major
> distribution websites for any of the Open Source
> software and OSes, you will see these patches.

Yes, but most of the worms in the past have exploited flaws where patches have 
already been available, and yet they were still able to spread quite 
successfully because too many systems weren't patched.

I recommend viewing a lot more than your vendor's web site for patches.
In many cases, you can pick up news of a new security bug long before a
vendor comes out with a fix.

In a perfect world with a perfect GNU/Linux OS, no virus or worm would exist 
because there would be no security bugs to exploit.  Unfortunately, that just 
isn't the case.

If these "simple notes" are supposed to be for newbies, please be
careful in what you post to the list.  The last thing we need is to misinform
our Linux newbies on the list and give them a false sense of security while
using Linux (or any *nix).  That will simply lead to a lot more *nix boxes
being owned.

For those newbies on the list, please remember that "Security is a process, 
not a product." -- Bruce Schneier

-- 
Steve Bremer
RHCE, CCNA
--
Real Men don't make backups. They upload it via ftp and let the world 
mirror it. -- Linus Torvalds
--
GnuPG Key fingerprint = 7F06 4D73 7963 BE96 5189  953A E285 CB2C BA03 2746
Available on key servers.
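The ".sh handed to a local shell" file-association problem Steve describes above can be checked for mechanically. The following is an added example, not code from Steve's message or from the huskerlug list: it audits entries in the classic mailcap format (RFC 1524, one `type; command` entry per line, `%s` replaced by the downloaded file's path) and flags handlers that run the file as a program instead of opening it as data. The sample mailcap text is constructed for illustration, and the list of interpreter names is an assumption you would extend for your own systems.

```python
"""Audit mailcap-style file associations for handlers that execute the
downloaded file rather than display it.

Added example; assumes the RFC 1524 mailcap layout:
    <mime type>; <shell command with %s for the file>; [flags...]
"""
import shlex

# Programs that treat their argument as code, not data (assumed list;
# extend it for whatever interpreters exist on the host being audited).
INTERPRETERS = {
    "sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh",
    "perl", "python", "python3", "ruby", "source", ".",
}

# Constructed sample of a user's ~/.mailcap (not a real capture).
SAMPLE_MAILCAP = """\
# viewer entries
text/plain; less '%s'; needsterminal
application/x-sh; sh %s
application/x-shellscript; /bin/bash '%s'; test=test -n "$DISPLAY"
application/pdf; xpdf '%s'
text/x-python; python3 %s
image/png; xv %s
application/x-executable; %s
"""


def parse_mailcap(text):
    """Return a list of (mime_type, command) pairs, skipping blank and
    comment lines and entries with no command field."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 2 or not fields[1]:
            continue
        entries.append((fields[0], fields[1]))
    return entries


def handler_executes_file(command):
    """True if the handler would run the '%s' file as a program: either the
    file itself is the command, or it is passed to a known interpreter."""
    try:
        argv = shlex.split(command)
    except ValueError:
        # Unbalanced quotes etc.: cannot reason about it, so flag it.
        return True
    if not argv:
        return False
    if "%s" in argv[0]:
        return True  # the attachment *is* the program
    prog = argv[0].rsplit("/", 1)[-1]  # strip any leading directory
    return prog in INTERPRETERS and any("%s" in arg for arg in argv[1:])


def audit_mailcap(text):
    """Return the (mime_type, command) entries that auto-execute content."""
    return [(mt, cmd) for mt, cmd in parse_mailcap(text)
            if handler_executes_file(cmd)]


if __name__ == "__main__":
    for mime_type, command in audit_mailcap(SAMPLE_MAILCAP):
        print(f"auto-executes content: {mime_type!r} -> {command!r}")
```

On a real system you would feed it the contents of `~/.mailcap` and `/etc/mailcap`; any entry it reports turns "download a file" into "run a file", which is the same effect as the Windows-style automatic execution the thread argues about, regardless of how POSIX compliant the OS underneath is.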

----
Husker Linux Users Group mailing list