LinuxQuestions.org
Linux - Security
Old 10-18-2016, 09:04 AM   #1
tross44
LQ Newbie
 
Registered: Oct 2016
Posts: 3

SELinux vs. Antivirus


I am trying to figure out if SELinux can replace the antivirus I have implemented on all of the business machines at work. Which is better for me to use in an enterprise network with sensitive data and why? (Antivirus or SELinux). What are SELinux's embedded features and technical features that make it different from an antivirus?

Last edited by tross44; 10-18-2016 at 09:15 AM.
 
Old 10-18-2016, 09:16 AM   #2
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

SeLinux is not an antivirus, it is quite different. It is a kernel module for access control security policies. It restricts access to files programs/services shouldn't be allowed to. This has nothing to do with identifying and/or cleaning viruses, worms, whatever.
 
Old 10-18-2016, 09:35 AM   #3
tross44
LQ Newbie
 
Registered: Oct 2016
Posts: 3

Original Poster
Thank you, Vincix. That helps me out a lot. So you would recommend I use both an antivirus and an SELinux module on an enterprise server?
 
Old 10-18-2016, 09:50 AM   #4
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Quote:
Originally Posted by tross44
Thank you, Vincix. That helps me out a lot. So you would recommend I use both an antivirus and an SELinux module on an enterprise server?
Yes, I'd recommend not turning off SeLinux and using an antivirus, too. It does also depend on the services you're running on that server. On the other hand, selinux is rather tricky and it does imply a learning curve so it's going to take a little bit of time to use and implement it properly. Otherwise you might end up with limited or restricted services and won't be able to see what is going on until you understand how selinux works.

I suppose it's also important to mention that if you're running "unofficial" software (not recognized by redhat, etc.), it might be harder to implement selinux smoothly. For instance, I'm not sure how selinux would work with zimbra, especially when you want to update it (it, i.e. zimbra).

Last edited by vincix; 10-18-2016 at 09:52 AM.
 
Old 10-18-2016, 10:05 AM   #5
tross44
LQ Newbie
 
Registered: Oct 2016
Posts: 3

Original Poster
You have been a blessing on this. Thank You so much!!!
 
Old 10-19-2016, 12:57 PM   #6
BlackRider
Member
 
Registered: Aug 2011
Posts: 295

SElinux is a pain. I like GRSecurity - it has autolearning and its documentation does not make my head hurt as much.

SElinux and similar solutions mostly try to extend the permission and security capabilities of the kernel. For example, GRSecurity patches the kernel so many code execution vulnerabilities turn into denial of services (which may be ok or not in your case). These things can become a heavy maintenance burden.

Antivirus software tries to detect malware and suspicious software. There was a thread here regarding how effective they were and if they are worth it. Please note that antivirus software could be an attack vector itself. They are far from foolproof.

As an anecdote, some IT departments will want each workstation to have an antivirus installed in order to tick the checkbox, even if that antivirus is never run...
 
Old 10-19-2016, 02:44 PM   #7
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,901

SELinux provides the best compartmentalization possible from the security features available in Linux.

Nothing else comes close.

Turning it off on a system with it installed is just disabling security.

Anti-virus products really don't work. They can only detect what has already been known - and useless for the unknown.

The anti-virus products running on Linux only detect Windows viruses anyway.
 
Old 10-19-2016, 06:31 PM   #8
BlackRider
Member
 
Registered: Aug 2011
Posts: 295

I think I have seen some non-Windows malware on clamav's database. It was just a very very small percentage of the whole database.
 
Old 10-19-2016, 08:04 PM   #9
JJJCR
Senior Member
 
Registered: Apr 2010
Posts: 1,850

Quote:
Originally Posted by jpollard
SELinux provides the best compartmentalization possible from the security features available in Linux.

Nothing else comes close.

Turning it off on a system with it installed is just disabling security.

Anti-virus products really don't work. They can only detect what has already been known - and useless for the unknown.

The anti-virus products running on Linux only detect Windows viruses anyway.
Good insight, Jpollard. It's true indeed that they cannot detect the unknown.
 
Old 10-20-2016, 01:21 PM   #10
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Quote:
Originally Posted by jpollard
SELinux provides the best compartmentalization possible from the security features available in Linux.

Nothing else comes close.

Turning it off on a system with it installed is just disabling security.

Anti-virus products really don't work. They can only detect what has already been known - and useless for the unknown.

The anti-virus products running on Linux only detect Windows viruses anyway.
The last sentence is obviously false, even though they're probably not very effective against viruses attacking the linux server itself - that I can understand. But don't talk about Windows as if it weren't used by the majority of users. It's not only.

Antivirus products do work and they're very important in general. But it does depend a lot on what you're running. If you use file-sharing, such as samba, a file security antivirus is very important. Let alone if you're running an email server.
 
Old 10-20-2016, 02:21 PM   #11
goumba
Senior Member
 
Registered: Dec 2009
Location: New Jersey, USA
Distribution: Current: Debian and OpenSUSE. Past: Arch, RedHat (pre-RHEL). FreeBSD & OpenBSD novice, Hackintosh
Posts: 1,193
Blog Entries: 7

Quote:
Originally Posted by vincix
The last sentence is obviously false, even though they're probably not very effective against viruses attacking the linux server itself - that I can understand. But don't talk about Windows as if it weren't used by the majority of users. It's not only.
I think you misunderstood his statement. I believe he means that the anti-virus programs detect viruses that target Windows only, and not other OSes.
 
Old 10-20-2016, 03:31 PM   #12
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,901

Quote:
Originally Posted by vincix
The last sentence is obviously false, even though they're probably not very effective against viruses attacking the linux server itself - that I can understand. But don't talk about Windows as if it weren't used by the majority of users. It's not only.
Pretty much only Windows has viruses. None of the viruses aimed at Linux (or MacOS for that matter) have worked very well.
Quote:

Antivirus products do work and they're very important in general. But it does depend a lot on what you're running. If you use file-sharing, such as samba, a file security antivirus is very important. Let alone if you're running an email server.
As you say - needed only to protect Windows. If Samba is used to share data with other Linux systems, then the anti-virus is still pretty useless.

And it is still true: They can only detect what has already been known - and useless for the unknown.

Last edited by jpollard; 10-20-2016 at 03:33 PM.
 
Old 10-21-2016, 01:39 AM   #13
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,517

back in 2005 se was a pain and a hassle

but today, 11 years and 2 TWO generations of software later

SElinux almost never causes issues and problems

for TESTING a server there is the permissive setting that allows you to READ the errors and FIX THEM ( if any )
then set to targeted and enforcing for production

se is default in rhel and the clones and fedora ( fedora a very BAD choice for a server)
and all the rpm's have the needed se tags

ClamAV is in the redhat and fedora repos and can be set up to scan mail on the server
rkhunter and chrootkit are also in the repos

and so is "snort"

if you are RELYING!!!! on an AV tool to keep a server safe

you ALREADY LOST THE WAR!!!!!

Last edited by John VV; 10-21-2016 at 02:15 PM. Reason: typo
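As an added example (not part of the thread or of any distribution's tooling), here is a POSIX shell helper for the "read the errors and fix them" step described above: it summarises the AVC denials that SELinux records while running in permissive mode, so each one can be reviewed before the box is switched to enforcing. The log lines below are constructed samples in the format /var/log/audit/audit.log uses; on a real server you would feed it `ausearch -m AVC` output instead.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise SELinux AVC denials
# collected while the server ran in permissive mode (setenforce 0).
# Constructed sample log lines in audit.log format; real input would come
# from `ausearch -m AVC -ts recent` or /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1476900000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1476900001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1476900002.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="about.html" dev="sda1" ino=100 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# Reads AVC lines on stdin and prints one line per distinct
# (source domain -> target type, object class, permission) with a count,
# most frequent first. A reviewer then sees "httpd_t -> user_home_t file
# { read }" and can decide: relabel the files, set a boolean, or write a
# local policy module with audit2allow. Each decision is a fix to make
# before SELINUX=enforcing, not a reason to turn SELinux off.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perm = ""; sctx = ""; tctx = ""; cls = ""
        # permission set appears as "{ read }" or "{ name_connect }"
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # third colon-separated field of a context is the type/domain
            if (kv[1] == "scontext") { split(kv[2], p, ":"); sctx = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); tctx = p[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        count[sctx " -> " tctx " " cls " { " perm " }"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Number of denials that were only allowed because of permissive mode.
# Once the workload has been exercised and this is zero, the policy is
# ready for setenforce 1 / SELINUX=enforcing in /etc/selinux/config.
count_permissive_denials() {
    grep -c 'avc: *denied.*permissive=1'
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf 'denials in permissive mode: %s\n' \
    "$(printf '%s\n' "$SAMPLE_AVC" | count_permissive_denials)"
```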
 
Old 10-21-2016, 09:54 AM   #14
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,181

Quote:
Originally Posted by John VV
if you are REELING!!!! on a AV tool to keep a server safe
you ALREADY LOST THE WAR!!!!!
Do you mean to say "relying"?

@goumba

I didn't misunderstand it. He made it sound as if it weren't particularly important that it detects windows viruses "anyway", as he put it.

@jpollard
If antiviruses can detect what is already known, that is already A LOT. It doesn't make them useless. I wouldn't see you fighting off KNOWN viruses 'bare-handedly' only because they're known. It's silly, really. Antiviruses are important, whether you like to acknowledge it or not. By that I don't mean to say they're sufficient, obviously.
 
Old 10-21-2016, 12:34 PM   #15
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,117
Blog Entries: 4

Actually, I find "anti-virus" to be utterly worthless. It does no good to have an automatic tool to tell you that somebody just shot your prize race-horse. You have to protect that horse, so that it is impossible for anyone to reach it. (And, to protect your own files, you need protected backups.)

"Anti-virus" software is also typically very powerful and very pervasive ... making it a very common vector for malware.

SELinux is a bit unmanageable, but other technologies like AppArmor are based on the same things and are a good bit easier to handle.

Always remember that "rogue software" (I do not use the term, "virus") is not biological. You can "catch" Ebola by being in the wrong elevator at the wrong time unless your body pro-actively fights it off, but a computer system is not that way. Probably the most important thing to do is to completely limit yourself. Do not put your "ordinary" user login in the wheel group. Segregate "system" software installs from any "user apps" that you use, put them in different places and allocate a "user app maintenance" user-id (which is also non-privileged). And, so on.
 