Defensive computing with TrueOS Desktop


#1

F-PROT Antivirus for BSD Workstations

I might install it later.

Does anyone here currently use it on a FreeBSD-based system and if so, how do you find it?

ClamTk

Antivirus definitions appear to be outdated (January 1st 1900), and the application’s update routine does not offer a listing for definitions.

Any ideas?

Might it help to try a command-line update (clamav) before launching the app?

clamfs

I don’t plan to use it, but I imagine it being useful. As a destination for downloads, and so on.

Vuls

Vulnerability scanner for Linux/FreeBSD …

– via https://twitter.com/benjamin_ds/status/825707573395542016

Auditing packages

@dlocklear01 @mer and all: I don’t plan to experiment with Vuls (above) in the near future but you might find it of interest.

FreshPorts

Re: https://discourse.trueos.org/t/-/688/9:

  • I imagine that someone with knowledge of the database for FreshPorts will be receptive to the idea of … maybe an API for (limited) use of the database, by a project such as TrueOS, for occasional scanning of packages
  • the vast majority of the work is already done (by maintainers and so on); simple co-operation will be preferable to widespread duplication of effort.

Background reading

Antivirus for FreeBSD | The FreeBSD Forums (2015-09-04)

  • a mention of F-PROT in post 63
  • if you’re here to argue against use of anti-virus software, please refrain from repetition; first, read the 2015 topic to see whether the argument is already made.

Last but not least:


#2

I’ve not run any antivirus on my BSD or Linux workstations; I typically run a “deny all” policy on my firewalls and routinely check to see what gets denied (or change stuff if my wife complains).

In the past there have been some false positives from some av stuff when run on *nix machines because things aren’t always understood (that *nix ain’t windows).

Never looked at F-Prot so have no comment other than maybe I’ll take a peek.

Vulnerabilities:
Yep *nix will have them. They are usually in applications rather than the kernel; since there is more separation than in Windows, bad things can be mitigated. (google for Kevin Mitnick, sendmail bugs, DNS bugs, etc).
Running services like Apache, DNS, Sendmail in jails limits the damage. Proper separation of privilege in a program goes a long way to staying safe (openntpd is a good example of doing it right).
There are lots of built-in tools already you can use:
sockstat gives you open socket information (including connections), so if you have any listening sockets you don’t need, shut them off (if you’re not printing, shut off the cups stuff).
You can set flags on files and filesystems.

For any vulnerability you can pretty much blame developers and designers. :slight_smile:
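Added example, not from any post in this thread: the "check what is listening and switch off what you don't need" routine from the post above, as a small sh function that reads sockstat(1) output in the form FreeBSD prints for `sockstat -4 -6 -l` (USER, COMMAND, PID, FD, PROTO, LOCAL ADDRESS, FOREIGN ADDRESS) and reports every listener whose port is not on an explicit allowlist. The sample sockstat lines are constructed for the example; the `sysrc`/`service` remedy in the comments assumes the FreeBSD rc script names (`cupsd`, `avahi_daemon`).

```shell
#!/bin/sh
# Added example (not from the thread): report listening sockets that are
# not on an allowlist of ports, so the leftovers can be switched off.
# Expects sockstat(1) output as produced by `sockstat -4 -6 -l` on FreeBSD:
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS

# unexpected_listeners "PORT PORT ..." < sockstat-output
# Prints "COMMAND PID PROTO LOCAL_ADDRESS" for each listening socket whose
# local port is not in the allowlist. The header line is skipped.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "USER" { next }          # column header
        NF < 6       { next }          # not a socket line
        {
            addr = $6
            port = addr
            sub(/.*:/, "", port)       # keep text after the last colon: *:22 -> 22, ::1:631 -> 631
            if (!(port in ok)) print $2, $3, $5, addr
        }'
}

# Constructed sample (not captured from a real host) in sockstat format.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       820   4  tcp6   *:22                  *:*
root     sshd       820   5  tcp4   *:22                  *:*
root     cupsd      913   6  tcp4   127.0.0.1:631         *:*
root     cupsd      913   7  tcp6   ::1:631               *:*
avahi    avahi-daem 701   12 udp4   *:5353                *:*'

# demo_unexpected: run the check over the constructed sample with only
# sshd (port 22) allowed; returns the lines for cupsd and avahi.
demo_unexpected() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners "22"
}

# Real use: pipe the live sockstat output through the function, then
# disable the rc service behind each surprise, e.g. for cups on FreeBSD:
#   sysrc cupsd_enable=NO && service cupsd stop
# (names assumed; check /usr/local/etc/rc.d for the actual script).
case "$0" in
    *listeners.sh) sockstat -4 -6 -l | unexpected_listeners "${1:-22}" ;;
esac
```

Save it as listeners.sh and run `sh listeners.sh "22 631"` to allow sshd and a local cupsd; everything else that shows up is a candidate for `sysrc ..._enable=NO`. Note that the allowlist is by port only, so a rogue process bound to an allowed port would be missed; compare the COMMAND column too if that matters.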


#3

Regarding ClamTK, you have to manually run freshclam via sudo to update the virus definitions. Ideally this should be done daily, so you can just create a cron job to automate this.


#4

So Vuls looks like it grabs a list of existing vulnerabilities (CVEs) and then compares a system to that list. That’s what a lot of the scanners do; heck, that’s what humans do when they subscribe to FreeBSD security lists. They get an email, read the description and who’s at risk, then make a decision based on the system configuration.
Nothing wrong with automating it; the current package audit stuff in FreeBSD/TrueOS does much the same for installed packages (ports), so there’s a bit of overlap. If it adds in scanning of the base, even more worthwhile.

Tools like this are useful, but one has to be careful to take their time and learn the tool, learn what the output means (avoids knee-jerk reactions). Let’s say FreeBSD security announces a buffer overflow in the SMBFS kernel module: do you panic, or stop and think: I’ve disabled all SMB-related programs and ensured the modules are not loaded, so I can safely ignore the security alert. Running the tools you’ll likely get a “hit” because your kernel version matches the one in the published CVE, without regard to your specific information.

It’s all good; my opinion is good security starts with “default deny all” (OpenBSD) and add things as you find you need them. The opposite, “default permit all” (Windows) and “turn things off if you don’t need them”, results in everything staying turned on and leaving you at risk.


#5

I can’t figure out whether this is intended for use by SMB clients, or SMB servers:

Samba-VirusFilter

On-access anti-virus filter for Samba

http://www.freshports.org/security/samba-virusfilter/


#6

Hello!

First I would like to ask your pardon for my poor English (I was Larry Hagman on PC-BSD). A few years ago I tried ClamTK in PC-BSD with the above-mentioned problems. Later I changed it for ClamAV and that was better! I could set up ClamAV to run as a daemon, so:

add these two lines to /etc/rc.conf

clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"

The update procedure and the missing-update notification after 7 days worked perfectly, and ClamAV worked as a daemon from system boot!
Sorry, in TrueOS ClamAV can’t run as a daemon and can’t update automatically (only as a cron job); I must do these manually: freshclam and clamscan -r / . Maybe more solutions:

Scan a data stream: cat testfile | clamscan -
Load database from a file: clamscan -d /tmp/newclamdb -r /tmp
Scan all files (and subdirectories) in /home: clamscan -r /home
Scan the current working directory: clamscan
Scan a single file: clamscan filename
To check all files on the computer, displaying the name of each file: clamscan -r /
To check all files on the computer, but only display infected files and ring a bell when found: clamscan -r --bell -i /

scan and clean:

 sudo clamscan -r --remove /
 clamscan --remove DIRECTORY
 sudo clamscan --remove /
 sudo clamscan -r

http://www.freebsd.org/cgi/man.cgi?query=clamscan&manpath=ports&sektion=1

I’m using this combined with some intrusion detection. For example, one of my favourites is Lynis (from the same source as RkHunter). No need to install; it checks the whole system and after the check gives some useful advice in a log file.

http://www.tecmint.com/linux-security-auditing-and-scanning-with-lynis-tool/

Snort and Suricata may also be good, but the setup of these two is more difficult.
From the Suricata:
https://elatov.github.io/2015/01/suricata-on-freebsd-10/
http://planet.suricata-ids.org/


https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_User_Guide
http://rules.emergingthreats.net/open/suricata/
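Added example, not from any post in this thread: the cron-driven freshclam plus clamscan routine that posts #3 and #6 describe, written as one sh script. It refreshes definitions only when the local database is older than a threshold (the check that ClamTk's "January 1st 1900" date suggests was failing), scans a directory recursively, and maps clamscan's documented exit status (0 clean, 1 infected, 2 error) to a word the caller can act on. The database directory `/var/db/clamav`, the log path under `/var/log/clamav` and the script name `clamav-cron.sh` are assumptions, not taken from the thread; nothing is removed automatically.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-friendly ClamAV run for a
# FreeBSD/TrueOS desktop. Assumed defaults: DB_DIR is where the FreeBSD
# port keeps its signature database, LOG is a file root can write.

DB_DIR="${DB_DIR:-/var/db/clamav}"
SCAN_DIR="${SCAN_DIR:-$HOME/Downloads}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-1}"
LOG="${LOG:-/var/log/clamav/cron-scan.log}"

# defs_stale DIR DAYS
# Succeeds (exit 0) when no daily.cvd/daily.cld in DIR was modified within
# the last DAYS days, i.e. the definitions are missing or stale.
defs_stale() {
    dir=$1
    days=$2
    fresh=$(find "$dir" \( -name daily.cvd -o -name daily.cld \) \
                 -mtime "-$days" 2>/dev/null || true)
    [ -z "$fresh" ]
}

# clamscan_status CODE -> clean | infected | error | unknown
# clamscan(1) documents: 0 no virus found, 1 virus(es) found, 2 error(s).
clamscan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# run_scan: update definitions if stale, then scan SCAN_DIR. Only infected
# files are listed (-i) and the report goes to LOG; nothing is deleted, so a
# false positive (see post #2) costs nothing but a second look.
run_scan() {
    if defs_stale "$DB_DIR" "$MAX_AGE_DAYS"; then
        # freshclam must be able to write DB_DIR, hence root (or sudo) in cron
        freshclam --quiet --datadir="$DB_DIR" || echo "freshclam failed" >&2
    fi
    clamscan -r -i --log="$LOG" "$SCAN_DIR"
    rc=$?
    status=$(clamscan_status "$rc")
    echo "scan of $SCAN_DIR: $status (exit $rc)"
    [ "$status" = clean ]
}

# Only run the real scan when invoked by name, e.g. from cron; when the
# file is sourced for testing, just define the functions.
case "$0" in
    *clamav-cron.sh) run_scan ;;
esac
```

Install it from root's crontab (for example `@daily sh /usr/local/sbin/clamav-cron.sh`) and the script's exit status tells cron whether anything was flagged. The freshness check looks only at daily.cvd/daily.cld because that is the file freshclam rewrites on every successful update; main.cvd legitimately stays old for months.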


#7

I think the correct setup of hosts.allow and hosts.deny is important, for the feeling of security :slight_smile:


#8

I forgot to write about some useful browser security extensions for Firefox.
I like to use:

  • HTTPS Everywhere - redirects from unsafe HTTP to the secure HTTPS protocol where possible
  • Perspectives - against man-in-the-middle attacks; this has already helped me
  • NoScript - against harmful scripts and SQL injection attacks; at first you have to train it like a firewall, but later it will help the user; this has also helped me against SQL injection

Maybe for better anonymity:

  • User Agent Overrider
  • Disable WebRTC
  • Anonymox
  • AnonTab

If somebody knows more or has other ideas, please write them down. :slight_smile:

#9

On top of Agent Overrider and Anonymox, I also run NoScript.


#10