Do I need an anti-virus in Linux?

Hi all,

This question is often asked by new Linux users, often with a gasp of panic. What do they do now, running Linux totally exposed? The article explaining why anti-virus software is not needed in Linux. Follow me.

http://www.dedoimedo.com/computers/linux-security.html


Regards,
Mrk

 

Very good points on Windows not needing AV, I fully concur with you Mrk, thanks for the write up.

 

Very nice read. Have emailed a couple of 'must have av' friends to read as well.
(I am so glad I switched to Linux out of boredom and later frustration with XP).
Thanks.

 

Nicely done! I also agree about it not being required in Windows, either.

 

Nice article.

Mrk what about writing a tutorial about MAC's- AppArmor, SELinux etc.

 

Very nice article once again. Should be a good place to refer folks to when they inevitably ask "Which AV should I use on Linux?" About the umask part though, where you said: "Imagine that .exe files you download in Windows cannot run until you give them the right permissions. That would make all sorts of automated drive-by attack vectors less successful."

Well, I thought to mention there's many ways one can do exactly that on Windows. There's the more popular solutions that rely on third party stuff - HIPS, execution prevention tools and what not - and then there's always built-in Windows features like SRP/AppLocker, and finally of course, Windows does actually support execute permissions and if you wish, you can set your ACLs so that users don't get execute permissions on newly created files even if they're the owner of said files - then they'd have to manually give themselves execute permission.

 

Will be written eventually, but not so much as a tutorial, more of a guide.

Wind, it's about defaults, not what advanced users can do, it's what non-techiies can enjoy without so much as lifting a finger.

Mrk

 

mrk nicely done

just add one more thing which firewall i need in linux

i mean most of users also think they need some firewall aswell in linux not knowing it already got netfilter/iptables ...etc

what in reality they are looking for is gui of iptables

one more think i like to say what most i like about linux is smoothness i mean if you make a system to paranoid mode even in linux its really funny

i mean let say windows you download file it go through web scanning then from hips firewall alert sandbox geswall.......different kinda blockers....etc at end you check them on virus total/jotti sites as well you spend $$$$ dollars still worried too much

in linux you happy and sleep if hacked ok i live with if it got virus i dont mind if you want to peep in my ugly photos then you trouble too much bro you get free on facebook

 

In Ubuntu its gufw which works quite well and its in the repos.

 

yes true LOL

http://en.wikipedia.org/wiki/GUI_for_ufw

just kidding bro linuxforall

and for fedora and opensuse its already given just peep please

http://en.wikipedia.org/wiki/Comparison_of_firewalls

http://en.wikipedia.org/wiki/List_of_Linux_router_or_firewall_distributions

and

https://www.wilderssecurity.com/showthread.php?t=260185&highlight=astaro

https://www.wilderssecurity.com/showthread.php?t=261437&highlight=astaro

sorry i dont want to take it off topic so i close form here

 

Dear Mrk,

What umask would you use if you want new files to be non exe in Linux?

I currently have Ubuntu. I guess it is set up at 22.

I was about to change it to 137, which I believe will do the trick. Is this the number old linux were set up before they stop enforcing the non exe in new windows-like linuxes (Ubuntu is one of them, of course)?

Do you think it will do the job? Where should I input it?

 

022 is the default and this translates into 644 for newly created files, so they are read/write for owner, read for group and others, no executable bit. So you don't need to change anything.

umask can be set globally under /etc/profile.

I would NOT recommend making any drastic changes, unless you're really sure what you want to achieve.

Mrk

 

Well, I tried actually with 122.
The problem is that I couldn't even login back to any account. Strange.

I had to open /etc/profile in recovery mode under root (sudo vi) et change back the value to 022.

I don't know why...

 

Because you dropped executable permissions for yourself
Mrk

 

Well Mrk,

Isn't it what I want? Except that I want it only on new created files! Not on the ones I already have on the disk.

 

Examine the login scripts sourced from /etc/profile and see which ones are those, including possibly temporary files. Then, you might find out what went wrong and why you got locked out. Not an easy task, I warn you.

I'll run an experiment soon and see if I can reproduce your case ...

But what you did was:

122 translates into 544, so no write for you ... If you need a temp file for X, then it won't be writeable, and this could very well be it.

As to no execution, you might as well mount a disk/partition with no exec. But the question is, why? What are you trying to achieve? You already got 022, for files this is 644 - so no executable bit for yourself either.

Mrk

 

This is the only question to ask.
Unfortunately I have only one answer: I don't know. I didn't take time to carefully read and understand the underlying concepts of mask, and I mix everything up like file, directories...

With no write permission, it makes sense I couldn't even log in.

I think the most urgent is to go back to study.
Talking about it, coming from windows + paid antivirus, to windows + proprietary free antivirus, then windows + proprietary HIPS, windows + proprietary sandbox, then windows alone, then Linux alone, I guess I did most of the way. I set up apparmor profiles to most of my internet facing applications (except totem - I might install VLC as well).

So I should start doing things with my computer soon, instead of doing things to my computer (as Sully said if I remember properly).

 

Why not encrypt the files or the folder or even encrypt entire partition during install which linux allows or encrypt the home folder. That was the security is there and one doesn't have to deal with file permission issues. Also apparmor will take care of all issues, however bear in mind, Java in firefox refuses to load with apparmor enabled for the browser so you might have to take that particular profile off.

 

I never encrypted anything as I never learned and do not feel the need to. But for sensitive files, I give read access to root only.

Talking about Java JRE and Firefox, it's working nicely under apparmor:
these three lines should be enough:
/usr/lib/jvm/java-6-openjdk/jre/bin/java ixr,
/etc/java-*-sun/** r,
/usr/lib/jvm/java-*-sun-1.*/jre/bin/java ixr,

I saw some more lines related to Java in profiles on the net:
/etc/java-6-openjdk/** ixr,
/etc/java-6-openjdk/* ixr,
/etc/lsb-release ixr,
/etc/.java/deployment/ mrw,
/etc/.java/deployment/* mrw,
/home/ron/.java/deployment/cache/* mr,
/home/ron/.java/deployment/cache/** mr,
/tmp/* mr,
/tmp/** mr,

You should therefore be able to use Java anf firefox together.

 

Firefox profiles are already there when you install apparmor profiles from the repos but enabling Java causes the issue. Encryption is the best way to privacy, especially if its sensitive data, all the laptops I use have encrypted installs.

https://bugs.launchpad.net/ubuntu/ source/firefox-3.5/ bug/447006

Here is the bug report for apparmor blocking Java in Firefox.

 

Java works just fine on my AppArmor protected browser. Of course, I wrote my own profile, as I like having control over everything.

These lines work for me:

Code:

/etc/java-6-openjdk/** r,
/usr/lib/jvm/java-6-openjdk/jre/bin/java rix,
/usr/share/java/* r,

 

Yeah, you're right.

Apparmor is a big mess. Program designers or the ones in charge of distros should always make the apparmor profile of any internet facing application or service available. At least it would be standard and secure.

 

http://bodhizazen.net/aa-profiles/

Some additional aa profiles by bodhi zazen, Ubuntu forum admin. He also runs the security thread for apparmor at http://ubuntuforums.org/showthread.php?t=1008906 where you can find lots of useful tips about implementing apparmor in your Ubuntu.

 

Mrkvonic, a few comments .

Reboots.

Might be worth noting that until rebooted, the changes that need a reboot, (Linux or Windows) will not be applied and therefore any security fixes not applied.

UAC is not designed to be a SU/SUDO replacement. MS have stated that UAC is not a replacement for LUA in terms of OS security, but is more of a User comfort blanket for apps that run as admin unneededly. I will try and dig the link.

There are certain distros that do not sign packages. I won't name names, but worth checking.

Open source - agreed, especially combined with using trusted sources for your software (repositories). Also do not forget the community spirit in Linux. If software is buggy and open to exploits, developers listen and respond. No corperate agenda to resist change.

Also worth noting that Linux is built on a secure legacy of Unix (design).
Even though MS moved over to the much more secure NT for the insecure 16bit dos/Win95 days, there was a lot of carry over to ensure compatiblity with legacy apps (e.g. defaulting to admin rights) and APIs (kernel mode drivers should of been culled years ago).

Cheers, Nick.

 

Hi Nick,

Reboots, yup ...

UAC, not sudo definitely ... but a combination of lua + uac is a bit like ...

Signed packages, you can force installs of rpms and debs with nosig on any. I can't tell which distros permit the installation of nonsigned packages at the moment, I'll browse around.

Open-source, developers respond true, but I think diversity is another factor.

I thought I did mention the legac carryover factor ...

Cheers,
Mrk