SOC 2 Pro Tip: Protecting Linux from Viruses and Malware

A popular belief for many years was that Linux systems did not require anti-virus or anti-malware. Although Linux is perceived to be more secure than other desktop operating systems, there is still malware that can affect Linux computers, and the amount of Linux malware has been growing steadily over the past few years. Some recent examples of attacks that targeted Linux devices include RansomEXX, GTPDOOR, AcidPour and NerbianRAT.

Linux threats have been appearing in various forms, each posing unique risks to organizations. From malware and ransomware targeting Linux servers to sophisticated backdoors infiltrating critical infrastructure, the diversity and complexity of Linux threats demand a comprehensive approach to cybersecurity.

Linux servers are being targeted for the following reasons:

  • Open Source – The open source nature of Linux allows for greater visibility into its codebase, enabling malware authors to identify vulnerabilities and develop exploits more easily.
  • The perception of Linux = Security – Linux servers are often perceived as more secure than other operating systems. This false sense of safety can make Linux servers particularly vulnerable to exploitation if security best practices are not implemented and maintained.
  • Widespread adoption – Linux has gained significant traction in various sectors, including web hosting, cloud computing, and enterprise environments. Its scalability, flexibility, and cost-effectiveness have made it a preferred choice for many organizations. With more Linux servers deployed across diverse industries, there’s a larger attack surface for threat actors to target.
  • Large-scale impact – Linux emerges as a prime target for cyberattacks due to its potential for large-scale repercussions. The aftermath of such attacks not only disrupts organizations’ operations but also increases threat actors’ profits.
  • High-value targets – Linux servers often host critical applications, databases, and services essential for business operations. Breaching these servers can yield valuable data or cause widespread disruption, making them lucrative targets for threat actors seeking financial gain or geopolitical motives.

In the context of a SOC 2 audit, some form of antivirus or anti-malware is generally considered necessary to address Trust Services Criteria CC6.8: "The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives."

There are several points of focus (POF) under CC6.8, and one of the most important is:

Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software on servers and endpoint devices is configured, implemented, and maintained to provide for the interception or detection and remediation of malware.

There are several other POFs under CC6.8, and an organization that has controls to address all of these may make a case to their SOC 2 auditor for not having AV and/or anti-malware software installed on Linux machines. This will depend heavily on the nature of the entity's business, the purpose of the Linux devices and the type of data stored or processed on them. In other words, it depends on the organization's risk profile. If organizations decide not to install AV protection on Linux systems, they should address their rationale in their risk assessment. The risk assessment should be approved by management, and the approval should be periodically refreshed.

The other POFs under CC6.8 are:

  • Restricts Installation and Modification of Application and Software — The ability to install and modify applications and software is restricted to authorized individuals. Utility software capable of bypassing normal operating or security procedures is limited to use by authorized individuals and is monitored regularly.
  • Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software.
  • Uses a Defined Change Control Process — A management-defined change control process is used for the implementation of software.
  • Scans Information Assets From Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been transferred or returned to the entity's custody for malware and other unauthorized software. Detected malware or other software is removed prior to connection to the entity's network.

Conclusion:

In the context of a SOC 2 audit, Linux machines should generally have some form of antivirus or anti-malware to address Trust Services Criteria CC6.8. However, there may be circumstances where a combination of other controls and/or security tools effectively reduces the risk associated with viruses and malware. For example, most companies that do not install any AV software on Linux systems have a file integrity monitoring (FIM), extended detection and response (XDR) or intrusion detection (IDS) tool such as OSSEC or Wazuh installed on the hosts themselves. In these cases, an organization may be able to effectively address CC6.8 without installing AV and anti-malware on Linux devices.
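To make the compensating-control idea concrete, here is an added example (not part of the original post, and not OSSEC or Wazuh code) of the "Detects Unauthorized Changes to Software and Configuration Parameters" point of focus that such tools implement: a small POSIX shell file-integrity check that records a SHA-256 baseline of a directory and later reports modified, removed and added files. Directory and baseline paths are whatever the caller passes in; the sample paths in the comments are placeholders.

```shell
#!/bin/sh
# Minimal file-integrity baseline and compare for a configuration directory
# (e.g. fim_baseline /etc /var/lib/fim/etc.sha256 -- placeholder paths).
# Assumes GNU coreutils/findutils (sha256sum, xargs -r) as found on Linux.
# A real deployment would store the baseline off-host and run the check on a
# schedule, so that an attacker with root cannot silently rewrite it.

# fim_baseline DIR OUT: hash every regular file under DIR, sorted for comm(1)
fim_baseline() {
    find "$1" -type f -print0 | xargs -0 -r sha256sum | LC_ALL=C sort > "$2"
}

# fim_check DIR BASELINE: print MODIFIED/REMOVED/ADDED lines; return 0 only
# when the directory still matches the baseline, 1 when anything differs.
fim_check() {
    dir=$1; base=$2
    cur=$(mktemp); diffs=$(mktemp)
    fim_baseline "$dir" "$cur"
    # Entries only in the baseline: the file is gone or its hash changed.
    LC_ALL=C comm -23 "$base" "$cur" | while read -r hash path; do
        if [ -f "$path" ]; then echo "MODIFIED $path"; else echo "REMOVED $path"; fi
    done > "$diffs"
    # Entries only in the current scan whose path was never baselined: new file.
    # sha256sum lines are "<64 hex chars><2 spaces><path>", so the path starts
    # at column 67; compare whole paths to avoid prefix matches.
    LC_ALL=C comm -13 "$base" "$cur" | while read -r hash path; do
        cut -c67- "$base" | grep -qxF "$path" || echo "ADDED $path"
    done >> "$diffs"
    cat "$diffs"
    if [ -s "$diffs" ]; then rc=1; else rc=0; fi
    rm -f "$cur" "$diffs"
    return $rc
}
```

A non-zero exit from `fim_check` is the signal to alert on; what counts as an authorized change is decided by the change control process, not by the script.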

Thanks for reading!