Do I need an anti-virus in Linux?

Discussion in 'all things UNIX' started by Mrkvonic, Mar 26, 2010.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,701
    Hi all,

    This question is often asked by new Linux users, often with a gasp of panic. What do they do now, running Linux totally exposed? The article explains why anti-virus software is not needed in Linux. Follow me.

    http://www.dedoimedo.com/computers/linux-security.html


    Regards,
    Mrk
     
  2. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Very good points on Windows not needing AV, I fully concur with you Mrk, thanks for the write up.
     
  3. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Very nice read. Have emailed a couple of 'must have av' friends to read as well.
    (I am so glad I switched to Linux out of boredom and later frustration with XP).
    Thanks.
     
  4. wat0114

    wat0114 Guest

    Nicely done! I also agree about it not being required in Windows, either.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Nice article.

    Mrk, what about writing a tutorial about MACs - AppArmor, SELinux etc.
     
  6. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Very nice article once again. :thumb: Should be a good place to refer folks to when they inevitably ask "Which AV should I use on Linux?" About the umask part though, where you said: "Imagine that .exe files you download in Windows cannot run until you give them the right permissions. That would make all sorts of automated drive-by attack vectors less successful."

    Well, I thought to mention there are many ways one can do exactly that on Windows. There are the more popular solutions that rely on third party stuff - HIPS, execution prevention tools and what not - and then there are always built-in Windows features like SRP/AppLocker, and finally of course, Windows does actually support execute permissions and if you wish, you can set your ACLs so that users don't get execute permissions on newly created files even if they're the owner of said files - then they'd have to manually give themselves execute permission.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,701
    Will be written eventually, but not so much as a tutorial, more of a guide.

    Wind, it's about defaults, not what advanced users can do, it's what non-techies can enjoy without so much as lifting a finger.

    Mrk
     
  8. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    mrk nicely done :thumb:

    just add one more thing which firewall i need in linux :p

    i mean most users also think they need some firewall as well in linux, not knowing it already got netfilter/iptables ...etc

    what in reality they are looking for is a gui for iptables

    one more thing i like to say: what i like most about linux is smoothness, i mean if you make a system too paranoid even in linux it's really funny

    i mean let say windows you download file it go through web scanning then from hips firewall alert sandbox geswall.......different kinda blockers....etc at end you check them on virus total/jotti sites as well you spend $$$$ dollars still worried too much

    in linux you happy and sleep if hacked ok i live with if it got virus i dont mind if you want to peep in my ugly photos then you trouble too much bro you get free on facebook :D
     
    Last edited: Mar 26, 2010
  9. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    In Ubuntu it's gufw which works quite well and it's in the repos.
     
  10. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  11. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Dear Mrk,

    What umask would you use if you want new files to be non exe in Linux?

    I currently have Ubuntu. I guess it is set up at 22.

    I was about to change it to 137, which I believe will do the trick. Is this the number old linux were set up with before they stopped enforcing the non exe in new windows-like linuxes (Ubuntu is one of them, of course)?

    Do you think it will do the job? Where should I input it?
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,701
    022 is the default and this translates into 644 for newly created files, so they are read/write for owner, read for group and others, no executable bit. So you don't need to change anything.

    umask can be set globally under /etc/profile.

    I would NOT recommend making any drastic changes, unless you're really sure what you want to achieve.

    Mrk
     
  13. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Well, I tried actually with 122.
    The problem is that I couldn't even login back to any account. Strange.

    I had to open /etc/profile in recovery mode under root (sudo vi) and change back the value to 022.

    I don't know why...
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,701
    Because you dropped executable permissions for yourself :)
    Mrk
     
  15. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Well Mrk,

    Isn't it what I want? Except that I want it only on new created files! Not on the ones I already have on the disk.
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,701
    Examine the login scripts sourced from /etc/profile and see which ones are those, including possibly temporary files. Then, you might find out what went wrong and why you got locked out. Not an easy task, I warn you.

    I'll run an experiment soon and see if I can reproduce your case ...

    But what you did was:

    122 translates into 544, so no write for you ... :) If you need a temp file for X, then it won't be writeable, and this could very well be it.

    As to no execution, you might as well mount a disk/partition with no exec. But the question is, why? What are you trying to achieve? You already got 022, for files this is 644 - so no executable bit for yourself either.

    Mrk
     
  17. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    This is the only question to ask.
    Unfortunately I have only one answer: I don't know. I didn't take time to carefully read and understand the underlying concepts of mask, and I mix everything up like file, directories...

    With no write permission, it makes sense I couldn't even log in.

    I think the most urgent is to go back to study.
    Talking about it, coming from windows + paid antivirus, to windows + proprietary free antivirus, then windows + proprietary HIPS, windows + proprietary sandbox, then windows alone, then Linux alone, I guess I did most of the way. I set up apparmor profiles to most of my internet facing applications (except totem - I might install VLC as well).

    So I should start doing things with my computer soon, instead of doing things to my computer (as Sully said if I remember properly).
     
  18. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Why not encrypt the files or the folder or even encrypt the entire partition during install, which linux allows, or encrypt the home folder. That way the security is there and one doesn't have to deal with file permission issues. Also apparmor will take care of all issues, however bear in mind, Java in firefox refuses to load with apparmor enabled for the browser so you might have to take that particular profile off.
     
  19. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    I never encrypted anything as I never learned and do not feel the need to. But for sensitive files, I give read access to root only.

    Talking about Java JRE and Firefox, it's working nicely under apparmor:
    these three lines should be enough:
    /usr/lib/jvm/java-6-openjdk/jre/bin/java ixr,
    /etc/java-*-sun/** r,
    /usr/lib/jvm/java-*-sun-1.*/jre/bin/java ixr,

    I saw some more lines related to Java in profiles on the net:
    /etc/java-6-openjdk/** ixr,
    /etc/java-6-openjdk/* ixr,
    /etc/lsb-release ixr,
    /etc/.java/deployment/ mrw,
    /etc/.java/deployment/* mrw,
    /home/ron/.java/deployment/cache/* mr,
    /home/ron/.java/deployment/cache/** mr,
    /tmp/* mr,
    /tmp/** mr,

    You should therefore be able to use Java and firefox together.
     
  20. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Firefox profiles are already there when you install apparmor profiles from the repos but enabling Java causes the issue. Encryption is the best way to privacy, especially if it's sensitive data, all the laptops I use have encrypted installs.

    https://bugs.launchpad.net/ubuntu/+source/firefox-3.5/+bug/447006

    Here is the bug report for apparmor blocking Java in Firefox.
     
    Last edited: Mar 27, 2010
  21. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Java works just fine on my AppArmor protected browser. Of course, I wrote my own profile, as I like having control over everything.

    These lines work for me:

    Code:
    /etc/java-6-openjdk/** r,
    /usr/lib/jvm/java-6-openjdk/jre/bin/java rix,
    /usr/share/java/* r,
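    The Java rules quoted in posts 19 and 21 spell their permissions differently ("ixr" versus "rix"); as an added example that is not from the thread, this script decodes AppArmor file-rule modes so the two can be compared, and flags the modes a reviewer would question before loading a profile (unconfined execution, or write and execute on the same path). The sample rules are the ones posted above plus one constructed bad rule.

```shell
#!/bin/sh
# Added example (not from the thread): decode the permission letters of
# AppArmor file rules and flag the ones worth a second look.

# Decode one mode string ("ixr", "mr", "Px", ...) into words, in the
# order the letters appear.  Only the modes used in file rules are covered.
decode_mode() {   # $1 = mode string; prints a comma-separated list
    rest=$1; out=""
    while [ -n "$rest" ]; do
        case $rest in
            ix*)    word="execute (inherit profile)";  rest=${rest#ix} ;;
            [Pp]x*) word="execute (own profile)";      rest=${rest#?x} ;;
            [Cc]x*) word="execute (child profile)";    rest=${rest#?x} ;;
            [Uu]x*) word="execute (unconfined)";       rest=${rest#?x} ;;
            r*)     word="read";      rest=${rest#r} ;;
            w*)     word="write";     rest=${rest#w} ;;
            a*)     word="append";    rest=${rest#a} ;;
            m*)     word="mmap exec"; rest=${rest#m} ;;
            k*)     word="lock";      rest=${rest#k} ;;
            l*)     word="link";      rest=${rest#l} ;;
            *)      word="unknown '$rest'"; rest="" ;;
        esac
        out="${out:+$out, }$word"
    done
    printf '%s\n' "$out"
}

# Two mode strings grant the same access if their decoded sets match.
normalize_mode() { decode_mode "$1" | tr ',' '\n' | sed 's/^ //' | sort | tr '\n' ';'; }
same_access()    { [ "$(normalize_mode "$1")" = "$(normalize_mode "$2")" ]; }

# Return nonzero, with a message, for a rule a reviewer should question.
review_rule() {   # $1 = one rule line, e.g. "/tmp/** mr,"  (paths without spaces)
    path=${1% *}; mode=${1##* }; mode=${mode%,}
    case $mode in
        *[Uu]x*)      echo "WARN $path: $mode runs programs outside AppArmor"; return 1 ;;
        *w*x*|*x*w*)  echo "WARN $path: $mode can write what it may execute"; return 1 ;;
    esac
    echo "ok   $path: $(decode_mode "$mode")"
}

# Constructed sample: the rules posted in the thread plus one bad one.
for rule in '/etc/java-6-openjdk/** r,' \
            '/usr/lib/jvm/java-6-openjdk/jre/bin/java rix,' \
            '/usr/share/java/* r,' \
            '/tmp/** ux,'; do
    review_rule "$rule" || true
done
same_access ixr rix && echo "ixr and rix grant identical access"
```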
     
  22. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Yeah, you're right.

    Apparmor is a big mess. Program designers or the ones in charge of distros should always make the apparmor profile of any internet facing application or service available. At least it would be standard and secure.
     
  23. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
  24. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Mrkvonic, a few comments :).

    Reboots.

    Might be worth noting that until rebooted, the changes that need a reboot (Linux or Windows) will not be applied and therefore any security fixes not applied.

    UAC is not designed to be a SU/SUDO replacement. MS have stated that UAC is not a replacement for LUA in terms of OS security, but is more of a user comfort blanket for apps that run as admin unnecessarily. I will try and dig up the link.

    There are certain distros that do not sign packages. I won't name names, but worth checking.

    Open source - agreed, especially combined with using trusted sources for your software (repositories). Also do not forget the community spirit in Linux. If software is buggy and open to exploits, developers listen and respond. No corporate agenda to resist change.

    Also worth noting that Linux is built on a secure legacy of Unix (design).
    Even though MS moved over to the much more secure NT from the insecure 16bit dos/Win95 days, there was a lot of carry over to ensure compatibility with legacy apps (e.g. defaulting to admin rights) and APIs (kernel mode drivers should have been culled years ago).

    Cheers, Nick.
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,701
    Hi Nick,

    Reboots, yup ...

    UAC, not sudo definitely ... but a combination of lua + uac is a bit like ...

    Signed packages, you can force installs of rpms and debs with nosig on any. I can't tell which distros permit the installation of nonsigned packages at the moment, I'll browse around.

    Open-source, developers respond true, but I think diversity is another factor.

    I thought I did mention the legacy carryover factor ...

    Cheers,
    Mrk
     