We are moving some of our apps/systems to the cloud.
However, some vendors for the cloud projects came back to
say that the OS is a stripped down Linux which is hardened
& that it's not applicable to install/run AV.
In view of high-profile attacks and audit requirements, I
am loath to raise an exemption/deviation even if the cloud VM
is not accessible to the public (i.e. firewalled to our corporate
network only). I noticed that AWS & another vendor that uses VMs
with Windows guests offer AV.
Is there a quick/easy way for me to verify that the 'stripped-
down Linux OS' the vendor uses in the cloud truly could
not support AV? I guess running 'uname -a' is not
enough. Or is there a script for me to verify?
Or can I verify by checking what past patches
they have been applying? If it's all RedHat/RHEL patches,
then it's simply a hardened RHEL, which should
support many AV products.
What are the usual audit requirements for AV for a custom
Linux VM in the cloud? Don't really need an AV under what
If it's truly a stripped-down Linux say based on CentOS or
FreeBSD, can I assess the patch requirements based on
CentOS & FreeBSD? I recall when running a VA scan
against a PABX that's based on RHEL, all vulnerabilities
for RHEL are applicable & the PABX vendor produces
the patches though they are behind RedHat by a few
months in coming out with the patches.
This reminds me of IoT, many of which are appliances
that customize their OS from Linuxes (e.g. CentOS,
RHEL, Ubuntu) & FreeBSD.
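
One way to run the check asked about above, given shell access to the VM. This is an added example, not part of the original post and not a vendor tool; the function names are hypothetical, and the fanotify check assumes the AV agent does on-access scanning through that kernel interface.

```shell
#!/bin/sh
# Added example: fingerprint the base distribution behind a vendor's "hardened" Linux image.

# Print the value of one key from an os-release style file ($1=file, $2=key).
os_release_field() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "\"'"
}

# Classify the image by ID and ID_LIKE, which derivatives set to name their parent distro.
base_family() {
    for id in $(os_release_field "$1" ID) $(os_release_field "$1" ID_LIKE); do
        case "$id" in
            rhel|centos|fedora|rocky|almalinux|ol|amzn) echo rhel-like; return 0 ;;
            debian|ubuntu) echo debian-like; return 0 ;;
            sles|suse|opensuse*) echo suse-like; return 0 ;;
            alpine) echo alpine; return 0 ;;
        esac
    done
    echo unknown
}

# Report whether a kernel config file ($1) enables fanotify, the interface that
# on-access scanners such as ClamAV's clamonacc depend on.
fanotify_state() {
    if [ ! -r "$1" ]; then echo unknown
    elif grep -q '^CONFIG_FANOTIFY=y' "$1"; then echo enabled
    else echo disabled
    fi
}

report() {
    rel="${1:-/etc/os-release}"
    echo "kernel:       $(uname -sr)"
    if [ -r "$rel" ]; then
        echo "os-release:   $(os_release_field "$rel" ID) $(os_release_field "$rel" VERSION_ID)"
        echo "base family:  $(base_family "$rel")"
    else
        echo "os-release:   not present"
    fi
    echo "fanotify:     $(fanotify_state "/boot/config-$(uname -r)")"
    # Package vendor tally: mostly "Red Hat, Inc." suggests a repackaged RHEL.
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{VENDOR}\n' | sort | uniq -c | sort -rn | head -n 5
    elif command -v dpkg-query >/dev/null 2>&1; then
        echo "dpkg packages: $(dpkg-query -W | wc -l)"
    fi
}

report
```

An "unknown" family with no package manager points to a genuinely custom build; a known family with vendor-signed packages means the upstream distribution's advisories are the baseline to compare the vendor's patch level against.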