Is virus/malware protection software needed on a SUSE Linux Enterprise Server?

This document (000019608) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12

Situation

While SUSE does provide open source anti-virus/malware protection software (ClamAV) for scanning email content on a mail or file server hosted on SUSE Linux Enterprise Server, SUSE does not provide client-based scanning software.
When customers run a mail server on SUSE Linux Enterprise Server and feel anti-virus/malware detection is needed, ClamAV is available to install via the SLE update channel. ClamTK (a graphical interface for ClamAV) is available to install via PackageHub.

Additionally, there are commercially supported anti-virus offerings available for Linux.

Resolution

However, customers may not primarily be interested in a specific anti-virus solution, but in a more general view of the security capabilities of the operating system.

SUSE provides a high level of security in the operating system and in the packages that we distribute. As security issues are discovered in various applications, SUSE provides updated packages in a way which keeps the potential risk to a minimum.

For information on SUSE's policy on delivering security fixes, see:
https://www.suse.com/support/security/

For the Incident Response Process / Flaw Remediation Process, see:
https://www.suse.com/support/security/flaw-remediation/

For information on SUSE's policy on product security and system hardening, see:
https://www.suse.com/support/security/certifications/

SUSE Linux Enterprise includes technologies which can greatly reduce the chance of a Linux-specific exploit succeeding. SELinux and AppArmor are both implementations of the kernel's mandatory access control (MAC) mechanism. Using these technologies gives customers the flexibility to create custom access controls that limit the access an exploit has on a system. While SELinux is supported, AppArmor is the preferred technology to use: it is easier to implement, default profiles are included with SUSE Linux Enterprise, and it does not have the negative side effect of locking you out of the system when an update changes an inode that was labeled by an SELinux policy.

In addition to physical security measures, apply the policies outlined in the system hardening guide and the STIG rules, and, if certified cryptography is required, use the SUSE FIPS 140-2 certified components.

Building upon physical security, many of today's processors provide trusted execution frameworks; building applications that use these frameworks is another way to control which code is executed on a system.

Along with physical security and hardening, there are also security best practices to follow that add additional layers of security to your system:

  • Ensure the system is updated with all patches and that all security updates are installed. An active subscription provides access to these updates and helps ensure your system is up to date.
  • Run a local firewall on the system, such as firewalld or iptables, to control network connections and block any unused ports.
  • Log in as a non-root user and use sudo when elevated privileges are needed.
  • Utilize the audit subsystem to enable detailed logging of security-relevant events and create an audit trail of security violations.
  • Do not execute any untrusted code on the system, especially as a user with root privileges.
  • Enable AppArmor (preferred) or SELinux. These kernel mechanisms check whether an operation is allowed after the standard Linux discretionary access controls have been checked.
  • Utilize eBPF (extended Berkeley Packet Filter) to filter network packets, system calls, file descriptors, etc.
  • Additionally, starting with SUSE Linux Enterprise 15, you can build your own tools to monitor filesystem activity using the fanotify kernel API.
  • Utilize Seccomp to restrict system calls.
  • Use namespaces, chroot, containers, a hypervisor or another sandboxing technology to isolate processes and resources.
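As an added illustration of the Seccomp item above (example code, not part of the original TID), the following C program installs a small seccomp-BPF deny-list filter that blocks mount(2) and ptrace(2), then shows the kernel terminating a confined child with SIGSYS on its first denied call. It assumes Linux on x86_64 or aarch64 and needs no root privileges.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __x86_64__
#define ARCH_NR AUDIT_ARCH_X86_64
#else
#define ARCH_NR AUDIT_ARCH_AARCH64   /* other CPUs: use their AUDIT_ARCH_* value */
#endif

/* Deny-list filter: the calling process may no longer use mount(2) or
 * ptrace(2); the kernel terminates it with SIGSYS on the first attempt. */
int install_seccomp_denylist(void) {
    struct sock_filter filter[] = {
        /* Kill on an unexpected ABI, then send either denied syscall number to KILL. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mount, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ptrace, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof(filter) / sizeof(filter[0]), filter };
    /* NO_NEW_PRIVS is what lets an unprivileged process load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run fn in a forked child under the filter. Returns the child's exit status,
 * or 128 + signal number if the kernel killed it (128 + SIGSYS = denied call). */
int run_confined(void (*fn)(void)) {
    int status;
    pid_t pid = fork();
    if (pid == 0) {                         /* child: confine itself, run, exit */
        if (install_seccomp_denylist() != 0) _exit(2);
        fn();
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? 128 + WTERMSIG(status) : WEXITSTATUS(status);
}
void harmless(void) { (void)getpid(); }                                /* allowed: status 0 */
void try_mount(void) { syscall(__NR_mount, NULL, NULL, NULL, 0UL, NULL); } /* denied: SIGSYS */
```

Production filters are normally allow-lists generated for one specific workload (for example via systemd's SystemCallFilter= or a container runtime profile); the deny-list here is kept minimal so the kill path is easy to observe.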

Additional Information

There are third-party commercial and open source anti-virus programs available that protect Windows clients on the network. These programs scan files for Windows virus signatures and can be used to scan files shared via a Samba server or, in the case of ClamAV, files on a mail server.

Additional SUSE Linux Enterprise Server security and hardening details can be found in TID 000016819.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000019608
  • Creation Date: 15-Mar-2021
  • Modified Date: 15-Mar-2021
    • SUSE Linux Enterprise Server
