how to verify cloud VM can't support AV & relevance of AV/patching on cloud VM

sunhux
We are moving some of our apps/systems to the cloud.
However, some vendors for the cloud projects came back to
say that the OS is a stripped-down Linux which is hardened
& that it's not applicable to install/run AV.

In view of high-profile attacks and audit requirements, I am
loath to raise an exemption/deviation even if the cloud VM
is not accessible to the public (i.e. firewalled to our corporate
network only).  I noticed that AWS & another vendor that uses VMs
on Windows guests offer AV.

Q1:
Is there a quick/easy way for me to verify that the 'stripped-down
Linux OS' the vendor uses in the cloud truly could
not support AV?  I guess running 'uname -a' is not
enough.  Or is there a script for me to verify?
Or can I verify by checking what past patches
they have been applying?  If it's all Red Hat/RHEL patches
then it's simply a hardened RHEL which should
support many AVs.

Q2:
What are the usual audit requirements for AV for a custom
Linux VM in the cloud?  Under what criteria is an AV not
really needed?

Q3:
If it's truly a stripped-down Linux, say based on CentOS or
FreeBSD, can I assess the patch requirements based on
CentOS & FreeBSD?  I recall when running a VA scan
against a PABX that's based on RHEL, all vulnerabilities
for RHEL are applicable & the PABX vendor produces
the patches, though they are behind Red Hat by a few
months in coming out with the patches.

This reminds me of IoT, many of which are appliances
that customize their OS from Linux distributions (eg: CentOS,
RHEL, Ubuntu) & FreeBSD.
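An added inventory script (my example, not from the thread or from any vendor named in it) that gathers the evidence Q1 asks for instead of taking the "can't run AV" claim on trust: the distro family behind the image, whether a package manager is present, and whether the kernel was built with fanotify, the API on-access scanners such as ClamAV's clamonacc rely on. It assumes the guest exposes /etc/os-release and /boot/config-<kernel version> (a compiled-in /proc/config.gz is the usual alternative); it only reads files and installs nothing.

```shell
#!/bin/sh
# Added example, not from the thread: read-only checks that collect the
# evidence behind a vendor's "this OS can't run AV" claim. Nothing is changed.
# Assumed paths: /etc/os-release and /boot/config-$(uname -r).

# Distro family from an os-release file given as $1. An "appliance" whose
# ID/ID_LIKE says rhel, centos, debian, ... is a mainstream distro underneath.
distro_family() {
    f="$1"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    id=$(sed -n 's/^ID=//p' "$f" | tr -d '"')
    like=$(sed -n 's/^ID_LIKE=//p' "$f" | tr -d '"')
    case " $id $like " in
        *" rhel "*|*" centos "*|*" fedora "*) echo "rhel" ;;
        *" debian "*|*" ubuntu "*)           echo "debian" ;;
        *" alpine "*)                         echo "alpine" ;;
        *)                                    echo "unknown" ;;
    esac
}

# Is fanotify (the kernel API used by on-access scanners such as ClamAV's
# clamonacc) enabled in the kernel config file given as $1? yes/no/unknown.
fanotify_in_config() {
    f="$1"
    [ -r "$f" ] || { echo "unknown"; return 0; }
    if grep -q '^CONFIG_FANOTIFY=y' "$f"; then echo "yes"; else echo "no"; fi
}

# Which package manager is on the box. A "stripped-down" image that still
# ships rpm or dpkg is a strong sign it can take a vendor AV package.
package_manager() {
    for pm in rpm dpkg apk; do
        command -v "$pm" >/dev/null 2>&1 && { echo "$pm"; return 0; }
    done
    echo "none"
}

# Print the evidence for the host this runs on; attach the output to the
# exemption/deviation request instead of the vendor's bare assertion.
report() {
    cfg="/boot/config-$(uname -r)"
    printf 'kernel:    %s\n' "$(uname -r)"
    printf 'family:    %s\n' "$(distro_family /etc/os-release)"
    printf 'pkg mgr:   %s\n' "$(package_manager)"
    printf 'fanotify:  %s\n' "$(fanotify_in_config "$cfg")"
}

report
```

A result of "unknown" for fanotify usually means the vendor did not ship the kernel config, which is itself a finding to raise with them.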
Commented:
Stay away from something you can't verify.  The truly paranoid can use their own O/S.  Myself, I'd only go with the bigger cloud providers.

Author

Commented:
Btw, this vendor is sending SMS from the application hosted in the cloud,
so how can 'data in transit' be encrypted?  We can use TLSv1.2 for https
(data in transit) but how about SMS?

Author

Commented:
What if it's an appliance OS in the VM?

The thing is how to verify what the vendor says:
whether it's truly that 'stripped-down' (or an appliance)
or it's only a hardened OS that could still
support AV.

Author

Commented:
Just a last question, ie rephrasing:
what files must be present for an AV to work on Linux?

Author

Commented:
http://www.commzgate.com/page/cloud-features
The above is the service I'm exploring/considering; it seems
like their on-prem versions are appliances.

Author

Commented:
https://community.spiceworks.com/topic/374999-antivirus-on-the-vm-host-or-client-or-both

Or even for an appliance VM (i.e. a VM running stripped-down Linux), is agentless AV the way
to go, i.e. we don't install an AV agent in the guest OS but at the hypervisor layer?  Is this how
AWS is doing it?

Author

Commented:
Have to assess on a case-by-case basis.

AWS offers agentless AV
Commented:
Decided that if the service is hosted in the cloud and we can afford for the
data to be lost (i.e. we simply re-key it if it's lost) & the data is not sensitive,
we don't need AV;  yes, AWS offers agentless AV which doesn't need
anything to be installed in the VM (useful for a stripped-down OS).
