[XCSSA] Re: [SATLUG] Anti Virus For FC5

xcssa@xcssa.org xcssa@xcssa.org
Sat, 9 Sep 2006 02:35:52 +0000


On Saturday 09 September 2006 04:53, Bruce Dubbs wrote:
> Robert J Hewitt wrote:
> > Can anyone recommend a good antivirus software for FC5? I'm looking for
> > ease of use and ease of setup as well as maintenance. I use Norton on my
> > WINxp systems but I don't have a clue where Linux is concerned
>
> You don't need antivirus with Linux.  I've never used one and never had
> a virus.

I've never been infected either... But I've seen plenty of systems that have 
been.  No one is above reproach.. Just ask the BSD guys... ;)

On this topic.. Some important Linux Security Related News:
Right now there's a major local exploit in the kernel and how the new 2.6 
kernel handles core dumps.  If you're on any 2.6 system, this affects you! On 
Red Hat, you need to run an "up2date-nox -uf kernel" on whichever kernel 
you're running (plain kernel, or either kernel-smp or kernel-bigmem).  The 
version 2.4.9-42 I think is the latest U4 version (on EL4) that patches 
against the exploit.  On non-RH versions, versions before 2.6.17.4 are 
vulnerable (unless backpatching has addressed this; see your Distro/Vendor 
for details).  More info is available here:
	http://www.securityfocus.com/bid/18874
	
BTW.. A work around to updating your kernel (if you're not root'd already) 
that will alleviate the nature of this problem is to (as root) do the 
following:
	# echo "kernel.core_pattern=/root/core" >> /etc/sysctl.conf  && sysctl -p

No reboot required.  This will shift the location of the core dump file and 
keep it from being accessible from non-root users (e.g. apache won't be able 
to use it to attack this local vulnerability with your system configured like 
this).  However.. be sure to verify your specific system's location of 
"sysctl.conf" in the above work around... and verify the setting is live with 
the command:
	# sysctl -a 2>/dev/null |grep core_pattern
	kernel.core_pattern = /root/core

We've seen several non-patched systems exploited on the web in the past couple 
of weeks, but usually only those running non-secure PHP based web apps that 
leverage the said apps to gain local access via the apache user.  After 
this.. they run the local exploit (via cron) and deliver a payload (trojan or 
alternate UID 0 users).  After this the server can no longer be "trusted".  

Recommendation #1:
If you're keeping your system patched and not running any network exposed 
non-vendor apps, then you should be ok.. But a kernel upgrade or disabling 
the new CORE dump handling (with the above workaround) is still strongly 
recommended.  Especially if you allow shell or any type of login access to 
anyone at all.
Hope this helps.. 

And to the subject's point... yes.. some measure of kernel level antivirus 
might help as a last measure in some systems.. but in cases like this where 
there aren't any signatures or known worms in the wild yet..  the former 
recommendation is a better overall strategy than relying on AV as your safety 
net.

Tweeks
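As an added example (not part of Tweeks' post or of this thread), here is a small POSIX shell script that automates the two checks the post describes: whether a kernel version string is below the 2.6.17.4 mark the post gives, and whether kernel.core_pattern has been moved off the default relative "core" file. The version threshold is taken from the post as written; the script cannot see vendor backports, so a "below 2.6.17.4" result on a distro kernel (for instance an EL4 2.6.9-xx build) still has to be settled against the vendor advisory. The live check at the end reads uname -r and /proc/sys/kernel/core_pattern on the host it runs on and falls back to the default "core" where the sysctl is unreadable.

```shell
#!/bin/sh
# Added example, not from the original post: a quick pre-patch check for the
# 2.6 core-dump issue discussed in the thread. It (1) compares a kernel
# version string against the 2.6.17.4 threshold the post gives and (2) checks
# whether kernel.core_pattern has been moved off the default (a relative
# "core" written in the dumping process's working directory). It does NOT
# detect vendor backports; check your distro advisory for those.

# kernel_below_fix VERSION
# Returns 0 when VERSION is a 2.6 kernel numbered below 2.6.17.4 (the range
# the post calls vulnerable), 1 otherwise (including non-2.6 kernels, which
# are out of scope). Suffixes such as "-42.ELsmp" are ignored.
kernel_below_fix() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    # split into up to four numeric fields; missing fields count as 0
    set -- $(printf '%s' "$v" | tr '.' ' ')
    a=${1:-0}; b=${2:-0}; c=${3:-0}; d=${4:-0}
    if [ "$a" -ne 2 ] || [ "$b" -ne 6 ]; then return 1; fi
    if [ "$c" -lt 17 ]; then return 0; fi
    if [ "$c" -eq 17 ] && [ "$d" -lt 4 ]; then return 0; fi
    return 1
}

# core_pattern_relocated PATTERN
# Returns 0 when PATTERN is an absolute path (dumps land at a fixed location
# such as the post's /root/core instead of the dumping process's cwd),
# 1 for the default relative "core" or an empty value.
core_pattern_relocated() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# host_status VERSION PATTERN
# Prints one summary line. Returns 0 if the kernel is outside the range the
# post calls vulnerable OR the core_pattern workaround is applied; returns 1
# when both checks fail (kernel below 2.6.17.4 and core_pattern unchanged).
host_status() {
    ver=$1; pat=$2
    if kernel_below_fix "$ver"; then
        kstat="kernel $ver: below 2.6.17.4 (patch, or confirm a vendor backport)"
        kok=1
    else
        kstat="kernel $ver: not in the pre-2.6.17.4 range"
        kok=0
    fi
    if core_pattern_relocated "$pat"; then
        pstat="core_pattern '$pat': relocated (workaround applied)"
        pok=0
    else
        pstat="core_pattern '$pat': default location (workaround NOT applied)"
        pok=1
    fi
    echo "$kstat; $pstat"
    if [ "$kok" -eq 0 ] || [ "$pok" -eq 0 ]; then return 0; else return 1; fi
}

# Live run against this host. The sysctl read falls back to the default
# "core" where /proc/sys/kernel/core_pattern is unreadable (e.g. not Linux).
host_status "$(uname -r 2>/dev/null)" \
    "$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo core)" || true
```

Run it as any user; only the live line at the bottom touches the host, and it reads rather than writes. A "both checks fail" exit status of 1 is the case the post is warning about: an unpatched 2.6 kernel with core dumps still landing in the dumping process's own directory.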