Anti-virus is always a step behind. It's a good revenue stream for
anti-virus software makers. For end users it's a race to the horizon.
Virus pattern recognition only works on patterns that have been
discovered, researched, and added to the pattern database. Recent
anti-virus pattern databases now detect more than 22 million patterns.
Is it any wonder that anti-virus software kills computer performance?
The impossible pattern race is bad. The system-crippling false alarms
are worse. In the recent past most major anti-virus tools have crippled
corporate and personal computers by mistakenly quarantining a Windows
system or application file.
I'm not a computer virus expert. But there has to be a better way to
protect us. I can think of some.
Whitelisting defines what files are allowed to execute on a system.
Any file not on the whitelist is denied execution. For most corporate
workstations this is ideal. A few hundred executable files are
whitelisted and the workstation becomes secure. More generic
workstations, like home computers, require longer lists. This is not
insurmountable. I'd rather subscribe to a ten thousand item whitelist
than a 22 million item blacklist. The lookups will be shorter and new
threats do not get an automatic free pass.
Mandatory access control. SELinux is the well-known form of MAC. MAC is
similar to whitelisting but goes further. Programs are not just denied
execution rights. Their rights to access the rest of the system are
explicitly defined. For example, a web browser may be allowed to touch
printing, browser cache, and other relevant files. Anything else is
denied by default. Viruses cannot run wild on the system because
they've not been defined to be allowed to do so. Setup and maintenance
of such a system is no small task. Neither is maintaining a growing
list of 22 million virus definitions.
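The following is an added example, not code from this post. It models in a few lines the two ideas just described: a deny-by-default allowlist of executables identified by content hash, and a MAC-style rule that confines each allowed program to the path prefixes its rule names. The executable "images", the allowlist and the path prefixes are all constructed for the example; nothing here is a real policy.

```python
"""Deny-by-default execution allowlist with per-program access rules.

Added example (not the author's code). Executables are identified by
SHA-256 rather than by name or path, so a modified build is a new,
unlisted file. An allowed program may only touch the prefixes its rule
names; everything else is refused by default.
"""
import hashlib
import posixpath

def sha256_hex(image: bytes) -> str:
    """Content hash that identifies an executable."""
    return hashlib.sha256(image).hexdigest()

# Constructed stand-ins for executable contents.
BROWSER_IMAGE = b"constructed browser binary, build 1"
UNLISTED_IMAGE = b"constructed unknown binary"

# Constructed allowlist: hash -> path prefixes the program may touch.
ALLOWLIST = {
    sha256_hex(BROWSER_IMAGE): (
        "/home/user/.cache/browser",   # browser cache
        "/var/spool/cups",             # printing
    ),
}

def may_execute(image: bytes) -> bool:
    """Execution is permitted only for hashes on the allowlist."""
    return sha256_hex(image) in ALLOWLIST

def may_access(image: bytes, path: str) -> bool:
    """Access is permitted only for listed programs, and only under the
    prefixes their rule names. The path is normalised first so that a
    '..' component cannot step outside an allowed prefix."""
    prefixes = ALLOWLIST.get(sha256_hex(image))
    if prefixes is None:
        return False
    clean = posixpath.normpath(path)
    return any(clean == p or clean.startswith(p.rstrip("/") + "/")
               for p in prefixes)

if __name__ == "__main__":
    tampered = BROWSER_IMAGE + b"\x00"   # one byte differs: unlisted build
    print(may_execute(BROWSER_IMAGE), may_execute(UNLISTED_IMAGE),
          may_execute(tampered))
    print(may_access(BROWSER_IMAGE, "/home/user/.cache/browser/index"))
    print(may_access(BROWSER_IMAGE,
                     "/home/user/.cache/browser/../../.ssh/id_rsa"))
```

The hash lookup is the whitelist from the post; the prefix check is the MAC part. Note the normalisation step: a rule written as a path prefix is only as strong as the path canonicalisation in front of it, which is one reason real MAC systems such as SELinux label the objects themselves rather than matching path strings.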
I'm not a computer virus expert. But the arms race between new viruses
and new definitions can never be won. It's time for a new approach.
Consider that the next time your computer is churning another
anti-virus disk scan.
Our free CFEngine library empowers users to build and deploy new
policy faster, simplify existing policy, and reduce staff training.
We do this by offering simple reusable bundles and full data separation
using CSV parameter files.
Just as CFEngine uses a handful of promises to affect so much change on
a host, our small collection of bundles can accomplish most high level
tasks in CFEngine.
Typical CFEngine bundles in use today are too specialized. A bundle for
cron tables, a bundle for resolv.conf, and another for NTP. This is too
specialized and too costly. There is a better way. Simpler bundles can
offer greater flexibility and easier reuse at a lower cost. A single
service bundle can promise cron tables, NTP, and more. A single editing
template bundle can promise resolv.conf, the hosts file, shell
profiles, and more. Our library does this and more.
Consider this data file for the bundle efl_chkconfig_enable_service.
If the context class is true then the given service is enabled for boot
time start using the chkconfig command.
# context(0) ;; service name(1) ;; Promisee(3)
any ;; cfengine3 ;; Sysadmin team
web_server ;; apache2 ;; Web team
dev.dns ;; bind ;; Dev team
You can call the bundle like this (the parameter is the path of the data
file, the same path listed in the efl_main data file further down):
"enable with chkconfig"
  usebundle => efl_chkconfig_enable_service(
    "/var/cfengine/inputs/user_data/bundle_params/efl_chkconfig_enable_service.txt");
To enable a new service, change only the data file. The promisee is
very important. It will help you to find all related data. Labelling a
promisee "SSH services for DMZ" will help find all SSH entries, in all
data files using a single search.
Our library offers a further step in data separation. The method above
can be placed in a data file. The bundle efl_main takes a data file
that describes method calls and parameters. For example:
# context(0) ;; promiser(1) ;; bundle(2) ;; ifelapsed(3) ;; parameter(4) ;; promisee(5)
any ;; host classes ;; efl_class_hostname ;; 1 ;; /var/cfengine/inputs/user_data/classes/efl_class_hostname-ipv6_only.txt ;; Neil Watson
any ;; chkconfig enable ;; efl_chkconfig_enable_service ;; 1 ;; /var/cfengine/inputs/user_data/bundle_params/efl_chkconfig_enable_service.txt ;; Neil Watson
When the given context is true a bundle is invoked with the given
parameter and using ifelapsed.
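To make the data handling concrete, here is an added example that is not part of the Evolve free library: a small Python reader for the two ';;'-separated files shown above (copied inline as constructed test data), with the context field evaluated against a set of defined classes, the promisee search the post recommends, and the efl_main rows turned into method-call records. The class expression evaluator is an assumption for this example: it handles `any`, `|`, `.`/`&` and `!` but not parentheses.

```python
"""Parse EFL-style ';;' parameter files and decide which rows apply.

Added example, not code from the library. '#' lines are comments, fields
are separated by ';;', the first field is a CFEngine class expression
and the last field is the promisee used for cross-file searches.
"""
import re

# Constructed copies of the two data files shown in the post.
SERVICE_DATA = """\
# context(0) ;; service name(1) ;; Promisee(3)
any ;; cfengine3 ;; Sysadmin team
web_server ;; apache2 ;; Web team
dev.dns ;; bind ;; Dev team
"""

MAIN_DATA = """\
# context(0) ;; promiser(1) ;; bundle(2) ;; ifelapsed(3) ;; parameter(4) ;; promisee(5)
any ;; host classes ;; efl_class_hostname ;; 1 ;; /var/cfengine/inputs/user_data/classes/efl_class_hostname-ipv6_only.txt ;; Neil Watson
any ;; chkconfig enable ;; efl_chkconfig_enable_service ;; 1 ;; /var/cfengine/inputs/user_data/bundle_params/efl_chkconfig_enable_service.txt ;; Neil Watson
"""

_SEP = re.compile(r"\s*;;\s*")

def parse_rows(text):
    """Return a list of field lists, skipping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rows.append(_SEP.split(line))
    return rows

def class_expr_true(expr, defined):
    """Evaluate a simple CFEngine-style class expression (assumption:
    no parentheses) against the set of classes defined on the host."""
    if expr == "any":
        return True
    for alternative in expr.split("|"):
        conjuncts = [c for c in re.split(r"[.&]", alternative) if c]
        if all((c[1:] not in defined) if c.startswith("!") else (c in defined)
               for c in conjuncts):
            return True
    return False

def services_to_enable(text, defined):
    """Service names from an efl_chkconfig_enable_service data file whose
    context is true on this host."""
    return [name for ctx, name, _promisee in parse_rows(text)
            if class_expr_true(ctx, defined)]

def find_by_promisee(files, needle):
    """Search several data files for rows whose promisee mentions needle;
    returns (file name, promiser/second field) pairs."""
    hits = []
    for fname, text in files.items():
        for row in parse_rows(text):
            if needle.lower() in row[-1].lower():
                hits.append((fname, row[1]))
    return hits

def method_calls(text, defined):
    """Applicable rows of an efl_main data file as method-call records."""
    calls = []
    for ctx, promiser, bundle, ifelapsed, param, promisee in parse_rows(text):
        if class_expr_true(ctx, defined):
            calls.append({"promiser": promiser, "bundle": bundle,
                          "ifelapsed": int(ifelapsed), "parameter": param,
                          "promisee": promisee})
    return calls

if __name__ == "__main__":
    print(services_to_enable(SERVICE_DATA, {"web_server"}))
    print(find_by_promisee({"services": SERVICE_DATA, "main": MAIN_DATA}, "team"))
    for call in method_calls(MAIN_DATA, set()):
        print(call["bundle"], "<-", call["parameter"])
```

Inside CFEngine the same reading is done by the agent's string-array readers with a comment pattern and a split pattern, and the context field is a class expression the agent evaluates itself; the evaluator above only mirrors that for illustration.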
At this release the free library offers these bundles and more:
Enable and disable services using chkconfig.
Install and remove packages.
Promise live sysctl kernel settings.
Define global variables.
Promise that services are configured and running.
Promise file permissions.
In the future we'll be offering special purpose bundles that use these
simple bundles, ready to use parameter files, and more.
The Evolve free library is open source and available at my GitHub