Is virus/malware protection software needed on a SUSE Linux Enterprise Server?
This document (000019608) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
Situation
When customers run a mail server on SUSE Linux Enterprise Server and feel that anti-virus/malware detection is needed, ClamAV is available for installation from the SLE update channel. ClamTK (a graphical interface for ClamAV) is available from SUSE Package Hub.
Additionally, there are commercially supported anti-virus offerings available for Linux.
Resolution
SUSE provides a high level of security in the operating system and in the packages it distributes. As security issues are discovered in the various applications, SUSE provides updated packages in a way that keeps the potential risk to a minimum:
https://www.suse.com/support/security/
For the Incident Response Process / Flaw Remediation Process see:
https://www.suse.com/support/security/flaw-remediation/
For information on SUSE's policy on product security and system hardening see:
https://www.suse.com/support/security/certifications/
SUSE Linux Enterprise includes technologies that can greatly reduce the chance of Linux-specific exploits. SELinux and AppArmor are both implementations of the kernel's mandatory access control mechanism. Using these technologies gives customers the flexibility to create custom access controls that limit what an exploit can reach on a system. While SELinux is supported, AppArmor is the preferred technology: it is easier to implement, default profiles are included with SUSE Linux, and it does not have the negative side effect of locking you out of the system when an update changes an inode that was labeled by an SELinux policy.
In addition to physical security measures, apply the policies outlined in the system hardening guide and the STIG rules, and, if certified cryptography is required, use the SUSE FIPS 140-2 certified components.
Building upon physical security, many of today's processors provide trusted execution frameworks; building applications that use these frameworks is another way to control which code is executed on a system.
Along with physical security and hardening, there are also security best practices that add further levels of protection to your system:
- Ensure the system is updated with all patches and that all security updates are installed. An active subscription provides access to these updates and helps ensure your system is up to date.
- Run a local firewall on the system, such as firewalld or iptables, to control network connections and block any unused ports.
- Log in as a non-root user and use sudo when elevated privileges are needed.
- Use the audit subsystem to enable detailed logging of security-relevant events and create an audit trail of security violations.
- Do not execute any untrusted code on the system, especially as a user with root privileges.
- Enable AppArmor (preferred) or SELinux. These mechanisms in the Linux kernel check for allowed operations after the standard Linux discretionary access controls have been checked.
- Use eBPF (extended Berkeley Packet Filter) to filter network packets, system calls, file descriptors, etc.
- Additionally, starting with SUSE Linux Enterprise 15, you can build your own tools to monitor filesystem activity using the fanotify kernel API.
- Use Seccomp to restrict the system calls a process may make.
- Use namespaces, chroot, containers, a hypervisor or another sandboxing technology to isolate processes and resources.
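The fanotify item above, as an added example that is not SUSE's code and not part of the original TID: a minimal monitor that marks a whole mount and logs which process opened, modified, or wrote and closed which file. It assumes a Linux kernel with fanotify (SUSE Linux Enterprise 15 or later, as stated above), the glibc sys/fanotify.h wrapper, and root privileges, since fanotify_init() requires CAP_SYS_ADMIN; the default watched path /home and the chosen event mask are assumptions made for illustration.

```c
/* Added example (not SUSE code): minimal fanotify filesystem monitor.
 * Assumes Linux with fanotify (SLE 15+) and must run as root, because
 * fanotify_init() needs CAP_SYS_ADMIN. Watched path and mask are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Events worth an audit trail: a file opened, modified, or written and closed. */
#define WATCHED (FAN_OPEN | FAN_MODIFY | FAN_CLOSE_WRITE)

static const struct { uint64_t bit; const char *name; } flag_names[] = {
    { FAN_OPEN,        "OPEN" },
    { FAN_MODIFY,      "MODIFY" },
    { FAN_CLOSE_WRITE, "CLOSE_WRITE" },
    { FAN_ACCESS,      "ACCESS" },
};

/* Render an event mask as e.g. "OPEN|CLOSE_WRITE" (static buffer, not thread-safe). */
const char *describe_mask(uint64_t mask)
{
    static char buf[128];
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        if (mask & flag_names[i].bit) {
            if (buf[0]) strncat(buf, "|", sizeof buf - strlen(buf) - 1);
            strncat(buf, flag_names[i].name, sizeof buf - strlen(buf) - 1);
        }
    }
    return buf[0] ? buf : "NONE";
}

/* Resolve the event's open file descriptor to a path via /proc/self/fd. */
static void fd_to_path(int fd, char *out, size_t len)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, out, len - 1);
    if (n < 0) { snprintf(out, len, "(unknown)"); return; }
    out[n] = '\0';
}

int main(int argc, char **argv)
{
    const char *mount = argc > 1 ? argv[1] : "/home";   /* assumed default */

    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY);
    if (fan == -1) { perror("fanotify_init (needs CAP_SYS_ADMIN)"); return 1; }

    /* A mount mark covers every file on the filesystem that contains 'mount'. */
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, WATCHED, AT_FDCWD, mount) == -1) {
        perror("fanotify_mark"); return 1;
    }
    printf("monitoring mount of %s for %s\n", mount, describe_mask(WATCHED));

    char buf[8192] __attribute__((aligned(8)));
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len == -1 && errno == EINTR) continue;
        if (len <= 0) { perror("read"); return 1; }

        struct fanotify_event_metadata *ev = (struct fanotify_event_metadata *)buf;
        while (FAN_EVENT_OK(ev, len)) {
            if (ev->vers != FANOTIFY_METADATA_VERSION) {
                fputs("fanotify metadata version mismatch\n", stderr); return 1;
            }
            if (ev->fd >= 0) {
                char path[PATH_MAX];
                fd_to_path(ev->fd, path, sizeof path);
                printf("pid=%d %s %s\n", (int)ev->pid, describe_mask(ev->mask), path);
                close(ev->fd);   /* each event carries an fd that must be closed */
            }
            ev = FAN_EVENT_NEXT(ev, len);
        }
    }
}
```

Run it as root with the mount to watch as the first argument; each output line names the acting pid, the events and the path. Because the mark is placed on the mount, the monitor sees activity on every file in that filesystem, which is the stream an integrity checker or an on-access malware scanner built on this API would feed into its scanning logic.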
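The Seccomp item above, as an added example that is not SUSE's code: a seccomp-BPF filter assembled with the kernel's classic BPF macros and installed with prctl(2). It assumes x86_64 or aarch64 Linux with seccomp filter support. The policy itself (deny socket(2) with EPERM, allow everything else) is a constructed illustration chosen so that its effect can be observed from a forked child; a production policy would normally be an allow-list of the calls the service actually needs.

```c
/* Added example (not SUSE code): restrict a process with a seccomp-BPF filter.
 * Assumes x86_64 or aarch64 Linux with seccomp filter support. The policy
 * (deny socket(2), allow the rest) is constructed for illustration only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example covers x86_64 and aarch64 only"
#endif

/* Policy: kill on a foreign architecture (otherwise a 32-bit ABI could
 * bypass the syscall-number check), fail socket(2) with EPERM, allow the rest. */
static struct sock_filter policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter on the calling process. PR_SET_NO_NEW_PRIVS is required
 * for unprivileged callers and also stops a later setuid exec from running
 * with a filter the caller chose. Returns 0 on success, -1 with errno set. */
int install_policy(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof policy / sizeof policy[0]),
        .filter = policy,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Exercise the policy in a child so the parent stays unrestricted.
 * Returns 0 if socket() was denied with EPERM, 1 if it succeeded,
 * 2 if the filter could not be installed, 3 if the child was killed. */
int run_seccomp_probe(void)
{
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (install_policy() == -1) _exit(2);
        int s = socket(AF_INET, SOCK_STREAM, 0);
        if (s == -1 && errno == EPERM) _exit(0);
        if (s != -1) close(s);
        _exit(1);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return 3;   /* e.g. SECCOMP_RET_KILL fired */
}

int main(void)
{
    int r = run_seccomp_probe();
    printf("probe result: %d (0 = socket() denied by the seccomp policy)\n", r);
    return r == 0 ? 0 : 1;
}
```

The filter is evaluated on every system call of the restricted process and is inherited by its children, so the usual pattern is to install it right after a service has finished its setup (opened its sockets and files) and before it starts handling untrusted input. SECCOMP_RET_ERRNO is used here rather than SECCOMP_RET_KILL so the denied call surfaces as an ordinary error that the program, and the audit subsystem, can log.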
Additional Information
Additional SUSE Linux Enterprise Server security and hardening details can be found in TID 000016819.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000019608
- Creation Date: 17-Apr-2020
- Modified Date: 15-Mar-2021
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com