Antivirus Exclusion List for Icinga Master

aclark6996 · March 16, 2021, 7:11pm

Hello Icinga community,
In the news lately there has been some reports that hackers are attacking Linux server more now. I am looking to adding antivirus software to my Icinga servers. Does anyone have any antivirus best practices or recommendations? I did not find any antivirus details in the Icinga online documentations.

Will the antivirus software slow down the Icinga2 application? Should I exclude the icinga2 process from the scan? Any other recommendations will be awesome.

Thanks in advance for your time.
Alex

aclark6996 · March 15, 2021, 1:59pm

Still looking for recommendations on antivirus file exclusion / processes on the Icinga master servers. I have installed Trend Deep Security software on the Icinga master server and have noticed a slow down when validation the configuration. Any success and recommendation would be awesome.

@theFeu can you help with the question? Does development have any suggestion on antivirus exclusion on the Icinga master servers?

Thanks in advance for your help.
Alex

theFeu · March 15, 2021, 2:10pm

Hello there,

to be honest, I’ve never heard of anyone installing any anti virus software on a linux server. I can ask around though

lorenz · March 15, 2021, 2:38pm

Tough question. IMHO antivirus seems to mostly for compliance purposes (filling the checkboxes) and not necessarily as a real asset for security.
Not only will they only detect things they already know about, they often enhance the attack surface and place themeself in a position where they are the best target for an attacker (root permissions or even integration in the kernel).

Does this help you so far? Probably not, but I would advise to put work where it is more useful, e.g. hardening systems (using SSH keys instead of passwords, keeping software up to date, removing old programs if they are not used anymore, allowing user only to access machines where they need to be, using password managers, good firewall rules, etc.) and to try to get a better overview about what is happening in your network.

As for the concern about the antivirus hindering Icinga (and other software):
This is likely, since Icinga executes other programs (check plugins) VERY OFTEN, that an antivirus might singnificantly incress ressource consumption. It seems like you already notice that in the configuration validation stage.

Al2Klimov · March 15, 2021, 3:12pm

Tbh the Docker Compose eMail solution I use privately ships an AV. Never had the feeling to actually need it (Mac user ) and it eats lots of RAM (signatures).

aclark6996 · March 15, 2021, 5:22pm

Because of the recent Microsoft Exchange hack the corporate security team is reviewing everything. AV is a requirement on all servers now even Linux.

I was think of adding the icinga2 process and the ‘/etc/icinga2/’ directory to an AV exclusion list for my master servers myself but I hoping for some feedback from the Icinga development team.

Alex

lorenz · March 15, 2021, 8:24pm

Well, I am assuming discussions about the value of this ‘solution’ are not useful at this point.
As for a practical suggestion: Try it with AV and if gets too slow, exclude icinga or turn the AV off.

log1c · March 16, 2021, 9:39am

We have MS MDATP running on the servers, even the linux ones.

As I had nothing to do with the implementation the only thing I can say is:
I don’t see any negative effects of running the MDATP daemon, apart from an increase in memory usage.
Don’t know if there had any exclusions to be done for Icinga2 and its components.

For the exclusions I would start with the icinga2 service and child processes, /etc/icinga2, /var/lib/icinga2, /var/spool/icinga2, /var/log/icinga2. Maybe the AV software can do something with the SElinux policies and exclude the icinga2 stuff there.

But this is all just guess work from my side.

stevie-sy · March 16, 2021, 2:54pm

I agree with the opinion of the others: Harden the servers with good firewall rules, enable SELinux, AppArmor or something similar.

Maybe a vulnerability scanner could be userful instead of a AV under Linux. Also you could look for a scanner which monitor the behavior of the installed programs and running proccesses. But as @lorenz wrote, icinga is running a lot of scripts/programms.

BTW: I think your question is a littlbe bit misleading. Because the AV has nothing to do with icinga itself. It has more to do with the OS. Maybe the question should be like “AV for Linux”

aclark6996 · March 16, 2021, 6:58pm

The question what based on a AV exclusion list. Unfortunately the corporate security team is requiring all server to have AV software installed because of all the recent cybersecurity attacks.

Thanks @log1c for your suggestion. The list you provided is a good starting point. Maybe @theFeu
can provide a official list. Below is my list I will exclude.

Processes
/usr/lib64/icinga2/sbin/icinga2
/usr/bin/icingacli

Directory
/etc/icinga2
/var/lib/icinga2
/var/spool/icinga2
/var/log/icinga2

@stevie-sy, you are correct the title of the question is misleading. I will update it.

Thanks all for you feedback.
Alex

stevie-sy · March 18, 2021, 7:40am

Maybe you should put the directory with your check scripts also on the list