Linux anti-virus software and other security issues
Hello, all.
We have selected Koha for our ILS and plan to run it in a virtual machine on a Windows server. The contract goes before our City Council tomorrow night. It is on the consent agenda, which means it will be voted on along with a slew of other measures. There is no debate, just up or down vote, unless a councilman has a concern.
A councilman has a concern.
He is the former head of our IT department, is a Windows guy, and dislikes and distrusts anything Linux. His specific concern is security. Namely, he is worried someone can hack into our system and steal patron information. He is also concerned about mal-ware in general and wants us to install antivirus software on it.
So I guess my questions are, how do I answer the patron information concern, and how do I answer the malware concern?
How do the rest of you handle Linux security concerns? What antivirus software do you use and from whence do you get it?
Please explain it to me in a way even a Windows guy with zero understanding of Linux will understand it.
Thanks in advance, Jim Maroon
On 27/06/2011 19:43, Buster wrote:
Hello, all.
We have selected Koha for our ILS and plan to run it in a virtual machine on a Windows server. The contract goes before our City Council tomorrow night. It is on the consent agenda, which means it will be voted on along with a slew of other measures. There is no debate, just up or down vote, unless a councilman has a concern.
A councilman has a concern.
He is the former head of our IT department, is a Windows guy, and dislikes and distrusts anything Linux. His specific concern is security. Namely, he is worried someone can hack into our system and steal patron information. He is also concerned about mal-ware in general and wants us to install antivirus software on it.
So I guess my questions are, how do I answer the patron information concern, and how do I answer the malware concern?
About the malware concern, I think that the concern can be overcome with some hardened configuration for mysql as well as http; using mod_security is a solution for that.... And there are many projects for system auditing... But this sounds to me rather like an echo of the FUD we usually hear about Linux systems. The risk under Linux resides in the same problems as with Windows: lack of mastery and sustained auditing. There are tools, like nagios, rsyslog, and even some IDS, for that. And if you need some more information, I think that some more efficient system administrator on this list or in any support company can provide some expertise on that topic.
How do the rest of you handle Linux security concerns? What antivirus software do you use and from whence do you get it?
You may use clamav as antivirus software, which is Free Software, or, if you prefer some proprietary software, avast http://www.avast.com/fr-ch/linux-unix-edition or Panda http://www.pandasecurity.com/, or eset, kaspersky, Sophos...
Please explain it to me in a way even a Windows guy with zero understanding of Linux will understand it.
Thanks in advance, Jim Maroon
Hope that helps. -- Henri-Damien LAURENT
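One way to check the MySQL side of the hardening mentioned in the reply above, as an added example that is not part of the original thread or of Koha: a small Python audit of a `[mysqld]` option file. The sample files are constructed, and it assumes Koha and MySQL run on the same host, so the database only needs to listen on loopback.

```python
import configparser

# Constructed sample option files (not from any real Koha server).
WEAK_CNF = """\
!includedir /etc/mysql/conf.d/
[mysqld]
user = root
bind_address = 0.0.0.0
local-infile = 1
"""
HARDENED_CNF = """\
[mysqld]
user = mysql
bind-address = 127.0.0.1
local-infile = 0
symbolic-links = 0
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
OFF = {"0", "off", "false"}


def load_mysqld(text):
    """Return the [mysqld] options, names normalised to dashed lowercase."""
    # MySQL '!include' directives are not INI syntax; drop them before parsing.
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(body)
    if not cp.has_section("mysqld"):
        return {}
    return {k.lower().replace("_", "-"): (v or "").strip().lower()
            for k, v in cp.items("mysqld")}


def audit_mysqld(text):
    """Return sorted option names that leave the database more exposed than needed."""
    opts = load_mysqld(text)
    findings = []
    # Assumption: Koha is on the same host, so no remote listener is needed.
    if "skip-networking" not in opts and opts.get("bind-address") not in LOOPBACK:
        findings.append("bind-address")
    # Unset counts as a finding: older MySQL releases enable both by default.
    if opts.get("local-infile") not in OFF:
        findings.append("local-infile")
    if opts.get("symbolic-links") not in OFF and "skip-symbolic-links" not in opts:
        findings.append("symbolic-links")
    # The server process should not be told to run as root.
    if opts.get("user") == "root":
        findings.append("user")
    return sorted(findings)
```

Calling `audit_mysqld()` on the text of the server's own option file returns the names of the settings to review; an empty list means none of these four checks fired.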
Buster <storypage@gmail.com> writes:
He is the former head of our IT department, is a Windows guy, and dislikes and distrusts anything Linux. His specific concern is security. Namely, he is worried someone can hack into our system and steal patron information. He is also concerned about mal-ware in general and wants us to install antivirus software on it.
This is a FAQ. Google ought to help. Actually, there is some antivirus software for Linux.
< ;-P > clamav amavis < / :-P >
On a serious note - these are virus filters for mail servers -- Linux does not require antivirus software. Period. If an IT guy says that it does, he does not deserve to be in IT.
So I guess my questions are, how do I answer the patron information concern, and how do I answer the malware concern? How do the rest of you handle Linux security concerns? What antivirus software do you use and from whence do you get it?
Yes - you may need to protect the software against SQL injection attacks. You need firewalls. You need security hardening. Hmmm... I had asked a question on this topic a couple of days back - "what do you guys do to harden your systems?"
Please explain it to me in a way even a Windows guy with zero understanding of Linux will understand it.
Some guys will never get it. Do drop the idea of convincing him. Such people have preconceived notions, and there is no way you can change that. What you can stress is:
(a) freedom - the ability to stay unfettered. If things go wrong with one service provider, you are not restricted in your choice of alternate service providers (if in-house staff is incompetent, you can always go for outside service providers; if provider XYZ Ltd is incompetent, you can choose between ABC Ltd., CDE., inc., or Mr/Ms. Joe|jane Skoder).
(b) control - by the library as the user here. You guys need to be in control of the data. HW gets obsolete every few years - and s/w needs to keep pace. Other platforms will not give you (i) a clean and hiccup-free transition path, (ii) the freedom to look at alternate solutions a few years down the line.
Also, no chain is stronger than its weakest link. And you are going to install Koha into a VM within Windows. I doubt that unless you drop that VM idea, things will be more secure and stable, IMHO.
-- Mahesh T. Pai || With freedom comes responsibility. Do not use unauthorised copies of copyrighted material.
Buster <storypage@gmail.com> writes:
So I guess my questions are, how do I answer the patron information concern, and how do I answer the malware concern? How do the rest of you handle Linux security concerns? What antivirus software do you use and from whence do you get it?
Just struck me - Koha has a deb package. But I run Koha on Debian, and installed Koha from sources. At a very superficial level, while both the deb package and my personal implementation use practically identical concepts for security, the way security is implemented is very different. So, no way anybody can look for HKEY_LOCAL_SERVER_/Security/Admin/login or whatever and modify it to gain root access.
Possibility of customising the security framework is practically infinite, and what you need to secure down a GNU/Linux install (and hence, a Koha installation on a Linux server) is a competent system administrator, who will make choices for your environment.
Installing a software package and assuming that it will take care of your security is like filling up your car with aviation fuel and assuming that it can go as fast as a turboprop airplane.
-- Mahesh T. Pai
Buster
He is the former head of our IT department, is a Windows guy, and dislikes and distrusts anything Linux. His specific concern is security. Namely, he is worried someone can hack into our system and steal patron information. He is also concerned about mal-ware in general and wants us to install antivirus software on it.
So I guess my questions are, how do I answer the patron information concern, and how do I answer the malware concern? How do the rest of you handle Linux security concerns? What antivirus software do you use and from whence do you get it?
Please explain it to me in a way even a Windows guy with zero understanding of Linux will understand it.
Sorry, he's going to need to get some understanding of Linux to understand why it's different. Here are some headlines to get you started:
* There are millions of pieces of malware for Windows, while there's some debate whether Linux malware has reached the thousands even now. http://www.securelist.com/en/analysis?pubid=204792070
* The security model is different and the Unix-style root account is really discouraged. root use is usually initiated by users, rather than the often-imitated Administrator password pop-ups initiated by programs on Windows (some recent desktop Linux versions have gained those pop-ups, which is a bug IMO). There's a longer discussion of privileges in http://www.pcworld.com/businesscenter/article/202452/why_linux_is_more_secur...
* We do have antivirus installed on most servers (ClamAV and others) but most of their job is fighting Windows malware which passes through our servers wasting our electricity, disk and bandwidth.
* Most tools we use came with the distributions but I've written at least one scanner myself (for a specific piece of PHP malware that won't affect a typical Koha server) and configured some others. There are good guides like the Securing Debian Manual if you want to be more secure than a typical workstation. http://www.debian.org/doc/manuals/securing-debian-howto/ch1.en.html
* We handle most of our security concerns by setting fairly tight policies and then following security alert services from distributors at least daily. You can automate updates, but there are pros and cons to that, as with any platform.
* How you handle patron information is probably subject to your local laws and the biggest risk will probably be staff terminals. That's a matter for local IT policy: GNU/Linux will support whatever you do, as standard, through things like SELinux, or otherwise. At least with Koha on MySQL and Linux, it's in your control, rather than asking you to trust a black box from another ILS provider.
Can you present it as a relative improvement over other options? Hope that helps, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for various work through http://www.software.coop/
Participants (4): Buster, LAURENT Henri-Damien, Mahesh T Pai, MJ Ray