Re: Security & Compliance - A/V

2020-11-27 Thread Diana Eichert
Gack, what a way to screw up my day off.  :-)

I never thought anyone would refer to DISA STIGs in this mailing list.

On Fri, Nov 27, 2020 at 8:12 AM Ed Ahlsen-Girard  wrote:
>
SNIP
> I can verify that there is no US Defense Information Systems Agency
> (DISA) Security Technical Implementation Guide (STIG) for OpenBSD. There
> is a generic Unix hardening guide.



Re: Security & Compliance - A/V

2020-11-27 Thread Ed Ahlsen-Girard
On Wed, 25 Nov 2020 23:33:34 +0100
Peter Nicolai Mathias Hansteen  wrote:

(snip)
> I am not aware of any publicly available set of documents that
> provide the direct checkoffs for OpenBSD with respect to specific
> compliance regimes, but I’m fairly certain that you will find useful
> answers by reading OpenBSD documentation with your lists of
> requirements in hand, checking off on your list (if any) as you go
> along. 

I can verify that there is no US Defense Information Systems Agency
(DISA) Security Technical Implementation Guide (STIG) for OpenBSD. There
is a generic Unix hardening guide. 

STIGs are developed to implement National Institute of Standards and
Technology standards for IT systems, usually with deep involvement by
the vendor/developer.

It is not always possible to implement all the applicable STIGs for a
given server, at least if you want it to work.

> 
> I would recommend browsing the official OpenBSD docs at
> https://www.openbsd.org/, with special attention to
> https://www.openbsd.org/events.html and searching
> https://man.openbsd.org/ using relevant keywords. FWIW, perhaps even
> my recent presentation («OpenBSD and you, the 6.8 update»), linked
> from https://undeadly.org/cgi?action=article;sid=20201109055713 could
> provide some useful pointers.
> 
> All the best,
> Peter
> 
> 
> —
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673
> seconds.
> 
> 
> 
> 



-- 

Edward Ahlsen-Girard
Ft Walton Beach, FL




Re: Security & Compliance - A/V

2020-11-27 Thread Ed Ahlsen-Girard
On Thu, 26 Nov 2020 11:35:45 -0500
Nick Holland  wrote:

> On 2020-11-25 17:10, Brogan Beard wrote:
>  [...]  
> 
> Something to consider: run the AV against your boxes -- elsewhere!
> 
> I have a similar situation at $DAYJOB.  Not OpenBSD, but an OS that
> similarly has little malware written for it (and an environment with
> lots of softer targets than the OS anyway).  For LOTS of reasons, we
> didn't want to put AV on the "important" systems, but we needed to
> hit that checkbox that says, "AV scans!"
> 
> Our compliance people work with me pretty well, and what we came up
> was to run the AV against our BACKUPS of those boxes.  We rsync
> the data from the systems to a central backup, and we run the AV on
> that box against the data.  Increased the backup by a few GB/box and
> grabbed the binaries, too, and ta-da, we got a pretty good AV scan
> taking place with /zero/ additional impact on the systems.
> 
> Yes, perhaps not as "real time" as a system which hooks into the OS
> and watches every disk read and write, but I don't think you even
> want that on a Unix-like OS (even if it was possible on many Unix-
> like OSs).
> 
> Nick.
> 

You can, but it's not really easy. I'm not the one who does it at $JOB,
so don't ask me how.


-- 

Edward Ahlsen-Girard
Ft Walton Beach, FL




Re: Security & Compliance - A/V

2020-11-26 Thread Jacqueline Jolicoeur
On Nov 26 11:35, Nick Holland wrote:
> I have a similar situation at $DAYJOB.  Not OpenBSD, but an OS that
> similarly has little malware written for it (and an environment with
> lots of softer targets than the OS anyway).  For LOTS of reasons, we
> didn't want to put AV on the "important" systems, but we needed to
> hit that checkbox that says, "AV scans!"
> 
> Our compliance people work with me pretty well, and what we came up
> was to run the AV against our BACKUPS of those boxes.  We rsync
> the data from the systems to a central backup, and we run the AV on
> that box against the data.  Increased the backup by a few GB/box and
> grabbed the binaries, too, and ta-da, we got a pretty good AV scan
> taking place with /zero/ additional impact on the systems.

This is a great idea.

For realtime, we can protect critical content with something like mtree(8) 
output verified with signify(1), running in security(8) daily.
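The mtree(8) plus signify(1) check described above, as an added Python example that is not part of this thread or of OpenBSD: it builds an mtree-style spec of a tree, refuses to compare against a spec whose authenticator does not verify (a keyed HMAC stands in for the signify signature so the block runs offline), and reports missing, extra and changed files the way a daily security(8) run would. The key and the file tree are constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Stand-in for the signify(1) key: on OpenBSD the spec is signed with signify -S
# and checked with signify -V; a keyed HMAC is used here only to run offline.
SEAL_KEY = b"constructed-example-key"

def build_spec(root):
    """mtree(8)-style spec: relative path -> (mode, size, sha256 digest)."""
    root, spec = Path(root), {}
    for p in sorted(x for x in root.rglob("*") if x.is_file()):
        st, digest = p.lstat(), hashlib.sha256(p.read_bytes()).hexdigest()
        spec[p.relative_to(root).as_posix()] = (st.st_mode & 0o7777, st.st_size, digest)
    return spec

def serialize(spec):
    return "".join(f"{p}\tmode={m:04o} size={s} sha256digest={d}\n"
                   for p, (m, s, d) in sorted(spec.items())).encode()

def parse(spec_bytes):
    spec = {}
    for line in spec_bytes.decode().splitlines():
        path, kv = line.split("\t", 1)
        kv = dict(f.split("=", 1) for f in kv.split())
        spec[path] = (int(kv["mode"], 8), int(kv["size"]), kv["sha256digest"])
    return spec

def seal(spec_bytes):
    return hmac.new(SEAL_KEY, spec_bytes, hashlib.sha256).hexdigest()

def verify(root, spec_bytes, sig):
    """Refuse an unauthenticated spec, then report drift like mtree -f spec -p root."""
    if not hmac.compare_digest(seal(spec_bytes), sig):
        raise ValueError("spec authentication failed; refusing to compare")
    want, have = parse(spec_bytes), build_spec(root)
    return {"missing": sorted(set(want) - set(have)),
            "extra": sorted(set(have) - set(want)),
            "changed": sorted(p for p in want if p in have and have[p] != want[p])}

def demo():
    with tempfile.TemporaryDirectory() as d:  # constructed tree, not a real host
        Path(d, "pf.conf").write_text("block all\n")
        spec_bytes = serialize(build_spec(d))
        sig = seal(spec_bytes)
        clean = verify(d, spec_bytes, sig)
        Path(d, "pf.conf").write_text("pass all\n")
        Path(d, "rc.local").write_text("echo added\n")
        return clean, verify(d, spec_bytes, sig)
```

On a real host the spec and its signature live outside the tree being checked, and the comparison output is what security(8) mails to root.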



Re: Security & Compliance - A/V

2020-11-26 Thread Nick Holland
On 2020-11-25 17:10, Brogan Beard wrote:
> In the enterprise context, there are often extensive security compliance
> rules, which include but are not limited to anti-virus software
> requirements. There are, of course, exceptions to these rules but generally
> policies drive the technology in use or allow it to be used. I am not aware
> of any anti-virus software that supports openbsd or any bsd for that matter
> (not saying it needs it ;) ).
> 
> How does OpenBSD handle the compliance aspects of security in regards to
> A/V? Is there an, "it's already under the hood," response based on modern
> security standards?
> 
> I would like to use OpenBSD in future projects, beyond just personal
> interest. And with that, I am sure these types of questions will arise.
> 
> Thanks in advance for thoughtful comments!

Something to consider: run the AV against your boxes -- elsewhere!

I have a similar situation at $DAYJOB.  Not OpenBSD, but an OS that
similarly has little malware written for it (and an environment with
lots of softer targets than the OS anyway).  For LOTS of reasons, we
didn't want to put AV on the "important" systems, but we needed to
hit that checkbox that says, "AV scans!"

Our compliance people work with me pretty well, and what we came up
was to run the AV against our BACKUPS of those boxes.  We rsync
the data from the systems to a central backup, and we run the AV on
that box against the data.  Increased the backup by a few GB/box and
grabbed the binaries, too, and ta-da, we got a pretty good AV scan
taking place with /zero/ additional impact on the systems.

Yes, perhaps not as "real time" as a system which hooks into the OS
and watches every disk read and write, but I don't think you even
want that on a Unix-like OS (even if it was possible on many Unix-
like OSs).

Nick.



Re: Security & Compliance - A/V

2020-11-25 Thread Brogan Beard
Thanks, John. I am going to look into ClamAV in detail as some homework for
myself. I appreciate the helpful pointers!

On Wed, Nov 25, 2020 at 5:46 PM John McGuigan  wrote:

> I've seen people install ClamAV on an OpenBSD box and have it do a
> filesystem scan on a cron job just to meet audit requirements...
>
> On Wed, Nov 25, 2020 at 3:23 PM Brogan Beard 
> wrote:
> >
> > In the enterprise context, there are often extensive security compliance
> > rules, which include but are not limited to anti-virus software
> > requirements. There are, of course, exceptions to these rules but
> generally
> > policies drive the technology in use or allow it to be used. I am not
> aware
> > of any anti-virus software that supports openbsd or any bsd for that
> matter
> > (not saying it needs it ;) ).
> >
> > How does OpenBSD handle the compliance aspects of security in regards to
> > A/V? Is there an, "it's already under the hood," response based on modern
> > security standards?
> >
> > I would like to use OpenBSD in future projects, beyond just personal
> > interest. And with that, I am sure these types of questions will arise.
> >
> > Thanks in advance for thoughtful comments!
>


Re: Security & Compliance - A/V

2020-11-25 Thread Brogan Beard
Peter,

Thank you. I was unaware of clamav support and will certainly look into
your linked documentation to better understand its use case and
qualifications. I did know about clamav in name alone but never set out to
learn how to implement it.

I will certainly read through documentation based on the need to check off
boxes for the compliance regimes - I like how you put that. I will also
watch your presentation - thanks so much!!

Unrelated - I have one of your books, The Book of PF, 3rd edition. Thank
you for your contributions to bettering computing. I will admit that I
never finished reading it. I picked it up when I needed some help managing
a pure OpenBSD firewall running PF. Now when I begin my OpenBSD related
personal projects, it is by my side. I am familiar with commercial firewall
software but I like the joy of being in the *pilot's seat.* I think you
understand that.

I appreciate you taking the time to respond to my questions.

Take care,

Brogan

On Wed, Nov 25, 2020 at 5:33 PM Peter Nicolai Mathias Hansteen <
pe...@bsdly.net> wrote:

>
>
> On 25 Nov 2020 at 23:10, Brogan Beard wrote:
>
> In the enterprise context, there are often extensive security compliance
> rules, which include but are not limited to anti-virus software
> requirements. There are, of course, exceptions to these rules but generally
> policies drive the technology in use or allow it to be used. I am not aware
> of any anti-virus software that supports openbsd or any bsd for that matter
> (not saying it needs it ;) ).
>
>
> You will find functional antivirus in packages, such as clamav (which I
> use in my spameater appliance), see eg
> https://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html (a
> longish piece, but for reasons)
>
>
> How does OpenBSD handle the compliance aspects of security in regards to
> A/V? Is there an, "it's already under the hood," response based on modern
> security standards?
>
>
> I am not aware of any publicly available set of documents that provide the
> direct checkoffs for OpenBSD with respect to specific compliance regimes,
> but I’m fairly certain that you will find useful answers by reading OpenBSD
> documentation with your lists of requirements in hand, checking off on your
> list (if any) as you go along.
>
> I would recommend browsing the official OpenBSD docs at
> https://www.openbsd.org/, with special attention to
> https://www.openbsd.org/events.html and searching https://man.openbsd.org/ 
> using
> relevant keywords. FWIW, perhaps even my recent presentation («OpenBSD and
> you, the 6.8 update»), linked from
> https://undeadly.org/cgi?action=article;sid=20201109055713 could provide
> some useful pointers.
>
> All the best,
> Peter
>
>
> —
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>
>
>
>


Re: Security & Compliance - A/V

2020-11-25 Thread John McGuigan
I've seen people install ClamAV on an OpenBSD box and have it do a
filesystem scan on a cron job just to meet audit requirements...

On Wed, Nov 25, 2020 at 3:23 PM Brogan Beard  wrote:
>
> In the enterprise context, there are often extensive security compliance
> rules, which include but are not limited to anti-virus software
> requirements. There are, of course, exceptions to these rules but generally
> policies drive the technology in use or allow it to be used. I am not aware
> of any anti-virus software that supports openbsd or any bsd for that matter
> (not saying it needs it ;) ).
>
> How does OpenBSD handle the compliance aspects of security in regards to
> A/V? Is there an, "it's already under the hood," response based on modern
> security standards?
>
> I would like to use OpenBSD in future projects, beyond just personal
> interest. And with that, I am sure these types of questions will arise.
>
> Thanks in advance for thoughtful comments!



Re: Security & Compliance - A/V

2020-11-25 Thread Peter Nicolai Mathias Hansteen



> On 25 Nov 2020 at 23:10, Brogan Beard wrote:
> 
> In the enterprise context, there are often extensive security compliance
> rules, which include but are not limited to anti-virus software
> requirements. There are, of course, exceptions to these rules but generally
> policies drive the technology in use or allow it to be used. I am not aware
> of any anti-virus software that supports openbsd or any bsd for that matter
> (not saying it needs it ;) ).

You will find functional antivirus in packages, such as clamav (which I use in
my spameater appliance), see eg
https://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html (a longish
piece, but for reasons)

> 
> How does OpenBSD handle the compliance aspects of security in regards to
> A/V? Is there an, "it's already under the hood," response based on modern
> security standards?

I am not aware of any publicly available set of documents that provide the 
direct checkoffs for OpenBSD with respect to specific compliance regimes, but 
I’m fairly certain that you will find useful answers by reading OpenBSD 
documentation with your lists of requirements in hand, checking off on your 
list (if any) as you go along. 

I would recommend browsing the official OpenBSD docs at
https://www.openbsd.org/, with special attention to
https://www.openbsd.org/events.html and searching https://man.openbsd.org/
using relevant keywords. FWIW, perhaps even my recent presentation («OpenBSD
and you, the 6.8 update»), linked from
https://undeadly.org/cgi?action=article;sid=20201109055713 could provide some
useful pointers.

All the best,
Peter


—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.






Security & Compliance - A/V

2020-11-25 Thread Brogan Beard
In the enterprise context, there are often extensive security compliance
rules, which include but are not limited to anti-virus software
requirements. There are, of course, exceptions to these rules but generally
policies drive the technology in use or allow it to be used. I am not aware
of any anti-virus software that supports openbsd or any bsd for that matter
(not saying it needs it ;) ).

How does OpenBSD handle the compliance aspects of security in regards to
A/V? Is there an, "it's already under the hood," response based on modern
security standards?

I would like to use OpenBSD in future projects, beyond just personal
interest. And with that, I am sure these types of questions will arise.

Thanks in advance for thoughtful comments!