It is a very interesting question. As Michael Watterson points out,
social engineering / dumb users is always your #1 problem.
I run aide myself - the output isn't terrific, particularly after SW
updates, since you can get plenty of noise. Tripwire does more or less the
same thing.
Our company uses F-Secure as the corporate standard. Slow as a wet week in
Windows, and the Linux version doesn't seem to be dramatically better, but
at least it is a commercially supported virus scanner. It claims some level
of "Host Intrusion Protection (HIP)" TM - good luck deciphering that
marketing babble.
I have not been able to figure out how reliable ClamAV is or how fresh
the database is.
Rootkit Hunder and chkrootkit are available to check for root kits. I've
run both in the past.
All of these go some way to giving you the sense of confidence your system
is okay, but there is no conclusive way of gaining proof.
All rootkit hunters are subject to the Blue Pill attack, unless you can
have some confidence in your hypervisor code.
I'm not aware if anything equivalent to Windows SteadyState or eEye Blink
is available for Linux...
The NSA guides to hardening Linux are quite useful for locking down a
system. And Virtual machines are a good idea, along with HW DEP and
selinux (urg!) and AppArmor.
Cheers,
Ivan
On Wed, 11 Jun 2008, Cian Davis wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>>> Hi All,
> I was asked by our IT department yesterday whether I could recommend
> some virus scanning software on Linux. I responded saying that you
> don't get viruses, per se, on Linux and that we use a combination of
> rootkit scanners, firewall rules and other monitoring to ensure no
> daemons etc. are running.
>> He was most concerned about rootkits. It got me thinking that rootkits
> and wide-spread attacks that install various daemons when then
> penetrate a system are, effectively, viruses. Does a one-stop-shop
> exist to detect all/a lot/some of these? An equivalent to a virus
> scanner on Windows? Or is intrusion detection on linux a matter of a
> few automated tools and a lot of sifting through logs and monitoring
> software outputs?
>> Regards,
> Cian
>>> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org>> iD8DBQFIT/Vw2yUma7R/3b8RArKRAJ499ml5AUi4YnhR6OoQSDtkNe1YYQCfaPk4
> oJKH3kdF8JsL13JiXoegV9s=
> =mrAG
> -----END PGP SIGNATURE-----
>> --
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug> Who we are : http://www.linux.ie/> Where we are : http://www.linux.ie/map/>>
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
