Monday May 14, 2007

Recently, the US DoD introduced an updated version of their "Security Technical Implementation Guide" Checklist (aka STIG) for Unix platforms.  They added a requirement for Anti-Virus software to be installed and rated it as a Category I (highest) requirement.  Within the DoD, you must follow this checklist in order to get "Authority to Connect" to the network.  It is EXTREMELY difficult to get a waiver to ignore a Category I finding.

To quote the most recent (March 2007) checklist:

GEN006640 – Virus Protection Software

Check for the existence of the Mcafee command line scan tool to be executed weekly in the cron file.  The Mcafee command line scanner is available for most Unix/Linux operating systems.  Additional tools specific for each operating system are also available and will have to be manually reviewed if they are installed.  In addition, the definitions file should not be older than 14 days.
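The check as written has two testable parts: a cron entry that runs the scanner at least weekly, and a definitions file under 14 days old. The script below is an added example, not the STIG's SRR script and not vendor code; it approximates the check with POSIX tools so that an administrator can pre-audit a box before the reviewer arrives. Everything it assumes is stated in the comments: the scanner binary is named uvscan (the STIG names the McAfee command line scanner; the real SRR script is not reproduced here), the crontab is read from a file you pass in, and definition age is judged by the mtime of one DAT file you name. The demo at the bottom runs on a constructed crontab and a constructed, deliberately stale DAT file.

```shell
#!/bin/sh
# Added example approximating the GEN006640 check with POSIX tools.
# Assumptions not taken from the STIG text: the scanner binary is called
# "uvscan" (McAfee VirusScan Command Line), the crontab is read from a
# file (on Solaris that would be /var/spool/cron/crontabs/root), and the
# definitions are judged by the mtime of one DAT file you name.

# has_weekly_scan CRONTAB_FILE
# Succeeds if an uncommented entry runs uvscan at least weekly: day-of-month
# and month fields must be "*"; day-of-week may be a specific day (weekly)
# or "*" (daily). A monthly job (specific day-of-month) is a finding.
has_weekly_scan() {
    awk '
        /^[ \t]*#/ { next }                              # skip comments
        /uvscan/ && $3 == "*" && $4 == "*" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# defs_current DAT_FILE
# Succeeds if the file exists and was modified fewer than 14*24 hours ago.
# find(1) -mtime -14 is POSIX; parsing ls/stat dates is not portable.
defs_current() {
    [ -f "$1" ] && [ -n "$(find "$1" -mtime -14 -print)" ]
}

# check_gen006640 CRONTAB_FILE DAT_FILE
# Prints a verdict per condition and returns 0 only when both hold.
check_gen006640() {
    status=0
    if has_weekly_scan "$1"; then
        echo "PASS: weekly uvscan cron entry found in $1"
    else
        echo "FINDING: no weekly uvscan entry in $1"; status=1
    fi
    if defs_current "$2"; then
        echo "PASS: definitions $2 are under 14 days old"
    else
        echo "FINDING: definitions $2 missing or older than 14 days"; status=1
    fi
    return $status
}

# Stand-alone demo on constructed input (not a real crontab or DAT file):
# the cron entry is compliant, the DAT file is dated May 2007 and so is stale.
tmp=$(mktemp -d)
printf '0 2 * * 0 /usr/local/uvscan/uvscan / >/var/log/uvscan.log 2>&1\n' > "$tmp/root.crontab"
touch -t 200705010000 "$tmp/avvscan.dat"
if check_gen006640 "$tmp/root.crontab" "$tmp/avvscan.dat"; then
    echo "GEN006640: compliant"
else
    echo "GEN006640: open finding"
fi
rm -rf "$tmp"
```

On a real Solaris host you would point the first argument at the root crontab and the second at the DAT file the scanner actually loads; note that the script, like the check it mirrors, confirms only that an entry and a file exist, not that the scan completes or that the engine is current.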

I have been researching the offerings of major (and minor) AV vendors.  Please feel free to make corrections or additions to this list via the "Comments" feature of blogs.sun.com

  • TrendMicro
    • No host-based anti-virus software for Solaris (either platform)
  • Symantec
    • No host-based anti-virus software for Solaris (either platform)
  • McAfee
    • Command Line anti-virus for Solaris 10 (Sparc) and plans for X64 platform
  • F-Prot
    • Has anti-virus for Solaris on Sparc and X64 platforms.  F-Prot is based in Iceland. I'm not sure if the DoD can use their software.
  • CA
    • Web site claims support for Sun Solaris 8 and greater.  Unclear on Sparc/X64 platforms.
  • Central Command
    • Reports supporting Sun Solaris 9 or SunOS 5.9 on Sparc only
  • Avast
    • Reports having anti-virus scanner for Solaris 8-10 on Sparc and X64 platforms.  Based in Prague, Czech Republic.
  • Clam AV
    • Open source project.  Now owned by SourceFire.
    • Has binary build for Solaris on Sparc and X64 platforms at blastwave.org
  • CyberSoft
    • VFind has support for Solaris 2.5.1, 2.6, 7, 8, 9 and 10 on Sparc and X64. Based in Conshohocken, PA.

I have also perused their virus databases in an attempt to prove with data what I know in my heart, i.e., there are really no damaging Solaris viruses.

  • McAfee
    • Two "malware" findings, each rated as low threat.  One requires that the telnet port be open, which most enterprises close.
  • Symantec
    • 11 Total findings, most of which are vulnerabilities rather than viruses.  These vulnerabilities can all be dealt with via existing Solaris patches.
  • Trend Micro
    • 13 findings, most of which were vulnerabilities and DoS warnings, some of which were over 7 years old.
  • F-Prot
    • Lists only 2 Unix viruses that affect Apache on BSD and Linux platforms dated from 2002.

A similar search of the McAfee "malware" database for Windows XP returned 5300 results.

Apparently this requirement is derived from the NISPOM as evidenced by this email from a customer:

The NISPOM, referenced in the DSS scenario below is the _National Industrial Security Program Operation Manual_ (DoD 5220.22M - Feb 28, 2006)
 
Chapter 8 of the NISPOM deals with Information System (IS) Security.
 
    8-103. The information Systems Security Manager (ISSM) shall:
 
    8-103.f.(5) Implement security features for the detection of malicious code, viruses, and intruders (hackers), as appropriate.
 
    8-305 Malicious Code. Policies and procedures to detect and deter incidents caused by malicious code, such as viruses or unauthorized modification to software shall be implemented.  All files must be checked for viruses before being introduced to an IS and checked for other malicious code as feasible. The use of personal or public domain software is strongly discouraged. Each installation of such software must be approved by the ISSM. 

In my mind, the key portion of this excerpt would be the phrase, "as appropriate."  While it is certainly "appropriate" to install anti-virus software on a MS Windows platform, I can't see where it would be appropriate for a Solaris platform.

I am doing all of this work in an attempt to get the DISA Field Security Office to eliminate the requirement or, at least, reduce its severity.  If you are also running into this issue, please email me or add a comment to my blog.  At this time, I understand that DISA is planning to lower the rating of this finding to Category II.  I don't know when this change might occur.

Solaris has a number of features that can help secure your system without anti-virus software, including:

  • Signed binaries
  • Basic Audit and Reporting Tool (BART), which records a manifest of file attributes and reports files added, removed or changed since the baseline
  • Non-executable user stack (the noexec_user_stack tunable in /etc/system)
  • Mandatory Access Control (when Trusted Extensions are enabled)
  • Solaris Containers

A white paper on Solaris security is available.  The Solaris Security Toolkit supports the hardening of Solaris 10.
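Of the features listed, BART is the one that most directly answers the "detect unauthorized modification to software" language in NISPOM 8-305: it builds a manifest of a file tree and compares later manifests against it. The script below is an added example, not bart(1M) and not Sun code; it reproduces the mechanism with only cksum, awk and sort so that it can be tried on any Unix. It records path, size and CRC only, where BART also records mode, owner, ACL and timestamps and reads rules files to select what to catalogue. The demo at the end builds a constructed directory tree, baselines it, tampers with it, and reports the differences.

```shell
#!/bin/sh
# Added example: a BART-style file integrity baseline built from POSIX tools.
# This is not bart(1M); it records only path, size and CRC-32 (cksum), where
# BART also captures mode, owner, ACL and timestamps. Manifest lines are
# tab-separated so paths containing spaces survive.

# manifest_create TREE OUT
# Write "path<TAB>size<TAB>crc" for every regular file under TREE, with
# paths relative to TREE, sorted so that two manifests diff cleanly.
manifest_create() {
    ( cd "$1" && find . -type f -print | sort |
      while IFS= read -r f; do
          # cksum prints: crc size path
          cksum "$f" | awk -v p="$f" '{ printf "%s\t%s\t%s\n", p, $2, $1 }'
      done ) > "$2"
}

# manifest_compare BASELINE CURRENT
# Print one sorted line per difference:
#   added<TAB>path      present now, absent from the baseline
#   modified<TAB>path   size or CRC changed
#   removed<TAB>path    present in the baseline, absent now
# Prints nothing when the trees match.
manifest_compare() {
    awk -F'\t' -v pass=1 '
        pass == 1 { old[$1] = $2 "\t" $3; next }             # load baseline
        !($1 in old) { print "added\t" $1 }
        ($1 in old) && old[$1] != $2 "\t" $3 { print "modified\t" $1 }
        { delete old[$1] }                                    # leftovers = removed
        END { for (p in old) print "removed\t" p }
    ' "$1" pass=2 "$2" | sort
}

# Stand-alone demo on a constructed tree (not real system files).
tmp=$(mktemp -d)
mkdir -p "$tmp/tree/etc"
printf 'PermitRootLogin no\n' > "$tmp/tree/etc/sshd_config"
printf 'root:x:0:0\n'        > "$tmp/tree/etc/passwd"
manifest_create "$tmp/tree" "$tmp/baseline"
printf 'PermitRootLogin yes\n' > "$tmp/tree/etc/sshd_config"   # tampered
printf '#!/bin/sh\n'           > "$tmp/tree/etc/rc.extra"      # dropped in
manifest_create "$tmp/tree" "$tmp/current"
manifest_compare "$tmp/baseline" "$tmp/current"
rm -rf "$tmp"
```

The baseline manifest is only as trustworthy as its storage: keep it off the host (or on read-only media) and take it immediately after installation and patching, otherwise a compromised system will happily compare itself against a compromised baseline. The same caveat applies to BART manifests.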

Why you should care.

Solaris is known for its security.  Placing a requirement for anti-virus software on Solaris is preventing some customers from deploying it because of the paperwork required to get a waiver.  In particular, requiring Solaris users to install software that specifically searches for malware that primarily attacks a competitive platform (Windows) would appear to put Sun at a competitive disadvantage.

Comments:

This is absolutely legitimate, particularly in many enterprise servers due to the fact that so many of them provide samba shares or ftp services to the PC community. This isn't about viruses that affect the Solaris system, but as a file server with PC clients. You need to keep those filesystems clean.

Posted by Jim WIlley on July 23, 2007 at 03:22 PM EDT #

Maybe I'm being a little Sun centric here and because I'm 100% Microsoft free, a little egotistical as well, however, shouldn't the MS Windows systems do the scanning and protecting from Windows viruses whether they are on local or network mounted disks. Why should it be Solaris' responsibility to scan and protect the MS Windows OS?

In fact, wouldn't the Windows systems be better at protecting themselves than the Solaris systems?

Posted by Jim Laurent on July 23, 2007 at 10:42 PM EDT #

the FOCI (foreign ownership and corporate investment / influence?) issue would be a major problem for F-Prot and Avast - which only leaves McAfee and CA....The open source project has very similar issues in that sections of code may be written by foreign entities... Unfortunately, in my experience - a lot of government regulation like this - especially in the security realm - is written / enforced in many cases without concern for the 'usability' of the end product / project... it's almost as if the system doesn't work due to burdensome security requirements then it is all the more secure, because it doesn't work! ;-) My question to you is... do you think the McAfee product will run on the T2000? Their site says Solaris 8/9/10 (SPARC)... are UltraSparc IIIi and T1 in the same family? Is the T1 64-bit?

Posted by Jon Roberts on July 25, 2007 at 05:31 PM EDT #

An anti-virus software that runs on Solaris 10 on Sparc will run on all Sparc platforms including the UltraSparc T1 chip (T1000/T2000).

A recompilation would be required for it to run on an X86/X64 platform.

Posted by Jim Laurent on July 27, 2007 at 08:27 AM EDT #

Can anyone comment on CA Anti-Virus r8.1 support for Solaris 10 containers, sparse root and whole root? Is CA's installation done properly with pkgadd such that it propagates correctly to containers (tested both on those that exist at the time of installation into the global zone and those that get created after)? True support for Solaris 10 from an ISV product includes container support through pkgadd. Robust unattended installation support is also desirable.

Posted by Frank Klum on July 29, 2007 at 07:05 PM EDT #

A COTS software virus program for Solaris that both the DoD and Department of Treasury use to meet the Anti-Virus software requirement is Cybersoft http://www.cybersoft.com/

Posted by Michael Stevens on July 31, 2007 at 02:13 PM EDT #

Jim,

Since the people you are dealing with have not read even one decent AV book on theory, such as Szor's or even a seminal work like Ludwig's, you may not get very far with logic.

A proper argument for Accreditation can be offered in centering the conversation around what the OS 'moves' through it, file-wise, that may contain malcode, and that using a bit pattern matcher AV engine would be a suitable tool for filtering out that possibly objectionable content. User directories, mounted shared filesystems, ftp directories where there is a high probability of something moving through that may contain malcode, etc. Those sorts of arguments. Having the scanner on the *nix OS and then no decent thought given as to why or what for is not in the 'spirit' of DCI/D 6-3 or DISA anything else. Do not be afraid of going 'toe-to-toe' with folks who would hold up the show over nonsense arguments. At the end of the day it's about accomplishing the *Mission*, not hiding in a hole behind a disconnected network.

Best, HAL

Posted by Hal on August 08, 2007 at 10:50 AM EDT #

P.S. Solaris 10 *is* the best OS around. - Of course, I am biased. I also like 'winning', be it in a rowboat or on a command line.

Best, HAL

Posted by Hal on August 08, 2007 at 10:53 AM EDT #

As of Friday last, ClamAV is acquired by Sourcefire. This might make it easier to gain Govt approval for use on systems that may be sensitive to "foreign" content. http://investor.sourcefire.com/phoenix.zhtml?c=204582&p=irol-newsArticle&ID=1041607.

Posted by Dave K on August 20, 2007 at 10:28 AM EDT #

As a former Sun Education Services instructor, the question of Solaris anti-virus came up a LOT from students, especially in the fundamentals, security, and early admin courses.

I never saw an SES directive about this, but I told my students an AV program on Solaris would not hurt as part of a defense-in-depth for file, web, mail, or any other type of server interoperating with Windows servers or end-user desktops.

AV on Solaris servers can shut down an outbreak or slow down a wildfire, and prevent reputational backlash from Solaris-ignorant management against Solaris. It does not sound bad at all when you report to management that your Solaris boxes removed or blocked some number of Windows malware, on behalf of the beleaguered Windows team(s).

Posted by Ex-SES on December 05, 2007 at 11:08 AM EST #

P.S. Yes, I agree that AV scanning is a massive waste of system resources and a major reason not to run Windows. Most people buy machines to simplify repetitive tasks or do interesting things, not just spin cycles, RAM, and I/Os on reactive scanning for exploits some OS is otherwise too anemic to defend itself against. Solaris Resource Manager and related tools let you fine down how much system resource you expend on Windows users' behalf for AV. And, don't forget to setup chargebacks to the Windows team(s) for those resource shares you are expending for them...

Posted by Ex-SES on December 05, 2007 at 11:18 AM EST #

How would AV on Solaris affect performance? Would it slow down the content reaching its destination because once it hits the system the engine would have to scan it first? Does AV for Solaris effectively quarantine, or delete bad content? If so how does that affect production goals, and what is the notification mechanism for content going to windows (ie SMB service)?

Posted by ironmask on April 04, 2008 at 02:59 PM EDT #

Each AV package works differently. My understanding of host-based AV scanners is that they are quite similar to those you run on your PC. That is, they wake up on a regular basis and search all the files on the computers against a database of "bad file definitions." Once they find a bad file, they delete or quarantine it.

Do NOT confuse this with "over the wire" AV scanners which plug into mail transfer agents or web servers to scan files on the fly before they land in your mail box or browser.

The DOD AV requirement is for a host based file system scanner.

Posted by Jim Laurent on April 04, 2008 at 04:12 PM EDT #

This requirement is now Cat II. See section 3.5.2.4 GEN006640 (page 3-225).
The SRR script is looking for only one software, "uvscan". You can get it through https://www.jtfgno.mil with your CAC and Internet Explorer browser.

Posted by Kyaw on May 01, 2008 at 10:46 AM EDT #

Jim,

In basic posting above, you provide data from various virus databases.

Has there been any significant change in the past year?

Posted by Cecil King on June 13, 2008 at 12:22 PM EDT #

From GEN006640: If a virus scanner is not being run weekly or the virus definitions are older than 14 days, then this is a finding.

If the virus or other malware has had a week to muck about, isn't the horse already out of the barn?

Additionally, the check is for files and a cron job, without checking the contents of the files or the contents of the program that the cron job initiates.

... FSA

Posted by Frustrated Sysadmin on July 16, 2008 at 02:29 PM EDT #

Don't be so surprised. Yes, maybe it creates a disadvantage, but let's face the real facts. You think that Solaris is invincible. Hmm. I've watched how an EAL4 Linux was hacked because the user (a developer) downloaded some kit considered safe and trustful (US-based download link and site). You will be shocked how many applications have backdoors. I really encountered a few attacks from Russian and Chinese hackers and now I'm paranoid regarding security, no matter the OS.
Regards

Posted by Ross on January 09, 2009 at 05:29 PM EST #

We have a standalone Sun system running with SunOS 5.6/Solaris 2.6 that is not connected to any Windows based systems. According to your above list, looks like CyberSoft's VFind is the only vendor to support Solaris 2.6. To your knowledge, is there any other vendors that may support Solaris 2.6?

Thanks,
Randy

Posted by Randy Hancock on March 11, 2009 at 01:43 PM EDT #

No, as you probably know Solaris 2.6 is long EOLed by Sun and no longer supported. No patches are being made available.

http://www.sun.com/service/eosl/eosl_solaris.html

Posted by Jim Laurent on March 11, 2009 at 03:42 PM EDT #

Thanks for the info. One more... we have several SunRay1's attached to our system. Does Solaris 10 support SunRay1's?

Thanks,
Randy

Posted by Randy Hancock on March 11, 2009 at 04:01 PM EDT #

Absolutely! As you might suspect Sun has many (over 30,000) Sun Rays deployed in our company. I can tell you from personal experience that several hundred desks at our Sun Federal HQ in McLean VA are blessed with Sun Ray 1 devices deployed nearly 10 years ago. This is one of the beautiful things about the Sun Ray. They don't have to be upgraded every 3-4 years. We all have a Solaris 10 desktop on these Sun Ray 1 units.

Posted by Jim Laurent on March 11, 2009 at 05:19 PM EDT #


Yes, they want you to install McAfee VirusScan for UNIX (uvscan) and run it via cronjob weekly. Not a problem, even if most of the UNIX community think it's a silly notion. As noted above, the STIG requires them to be updated every 14 days. That's a problem because they don't get released that quickly. As long as you're running uvscan weekly and updating the scan engine when it's released, you're fine. I've always created scripts to generate log files that clip and consolidate the scan results from the end of the file that each server generates, then email it to me; they serve a dual purpose: (1) I can check all my servers in 60 seconds from 1 file and (2) it will impress any auditors the DoD sends to your site.

Posted by Steve on June 30, 2009 at 03:55 PM EDT #
