EKS - antivirus and best practices



For compliance and ISO reasons there could be a need to implement antivirus (think real-time scanning, file scanning, file integrity monitoring, etc.).

What are the best practices around this and EKS? I tried to find anything around antivirus on AWS pages and documentation without any luck. When looking for the same for Google Cloud and GKE I find information, guides and references.

The kind of questions, or should I say answers, I am looking for are, for example: protection of worker nodes, protection of running containers, pros & cons of different approaches, and so on.

Does anyone here have any experience with this?

Thanks in advance for any feedback.


asked 4 years ago, 3328 views
1 Answer

Hi kjellkod,

I am searching for articles and documentation on recommendations and best practices on installing anti-virus in AWS EKS optimized worker nodes as well.

I particularly like this note, which can be found in the article:
Note: Container-Optimized OS is already hardened and is engineered to prevent execution of non-containerized applications. Compliance auditors frequently accept these measures as a sufficiently secure compensating control instead of AV and possibly even FIM if properly documented.

Especially when you have security folks who do not understand how Linux, Kubernetes and containers work and insist on installing anti-virus on every worker node and pod just for compliance's sake and scanning everything. Do they even know that most anti-virus software scans files looking for Windows virus signatures? Hence if we have a Samba server serving files to Windows clients, then it makes sense to install anti-virus on Linux to prevent the spreading of viruses. My security folks even scan /proc, /sys, /dev, etc.! You will realize that the anti-virus will take up all the CPU and memory and make the server crawl. For anti-virus software that uses kernel hooks, you may start to see a lot of error messages in your /var/log/messages. If you update the kernel and the anti-virus kernel module is not up to date yet, you may not even be able to boot up properly if you enable it.
I am not saying we do not need anti-virus on Linux; the essence is that you must know what you are protecting and tune it properly. If not, it just wastes precious CPU and memory.

Amazon EKS optimized Linux is based on Red Hat. Look at the Red Hat article "Is virus protection software needed for Red Hat Enterprise Linux?"

Back to anti-virus on EKS worker nodes. I hope AWS will also publish something saying that the AMI provided is already optimized and hardened, and that the image is also scanned and free of viruses.

We never expose worker nodes to the public. Only the pods run applications that expose the services. So is there a need to scan the worker node? Any changes to the file system will be gone when we spin up the next worker node. That is the same for containers. So if you want to scan, scan the file shares if your services use some persistent storage to store files.
Just sharing my thoughts.

Best Regards.

answered 4 years ago
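As an added example, not part of the original question or answer: the answer's practical point is that the node and container file systems are ephemeral, so the thing worth checking is the persistent storage your services write to, and that a scanner must be told to stay out of pseudo-filesystems such as /proc, /sys and /dev. The script below is a minimal file integrity monitoring (FIM) baseline-and-compare for a mounted volume, written for this page rather than taken from any AWS or EKS tooling. It hashes regular files only (no symlinks, devices or sockets), prunes excluded prefixes before descending into them, and reports added, removed and modified paths. The volume layout, the `cache` exclusion and the tampering steps in `demo()` are constructed for illustration; in a real deployment the baseline would be written somewhere the scanned workload cannot modify.

```python
"""Minimal FIM for a persistent volume: build a baseline, then diff against it."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Pseudo-filesystems never hold persistent data; walking them only burns CPU.
DEFAULT_EXCLUDES = ("/proc", "/sys", "/dev", "/run")


def _sha256(path, chunk=1 << 20):
    """Stream the file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _excluded(path, excludes):
    path = os.path.realpath(path)
    return any(path == e or path.startswith(e.rstrip("/") + "/") for e in excludes)


def build_baseline(root, excludes=DEFAULT_EXCLUDES):
    """Map relative path -> {sha256, mode, size} for every regular file under root.

    Symlinks are not followed and non-regular files are skipped, so a crafted
    symlink inside the volume cannot redirect the scan at, say, /etc on the node.
    """
    root = os.path.realpath(root)
    excludes = tuple(os.path.realpath(e) for e in excludes)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Prune excluded subtrees in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if not _excluded(os.path.join(dirpath, d), excludes)]
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = Path(full).relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": _sha256(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
            }
    return baseline


def compare(old, new):
    """Diff two baselines; a changed hash, size or permission bits counts as modified."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    # Keep this outside the scanned volume; a writer of the volume must not be
    # able to rewrite the baseline it is checked against.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario (hypothetical paths): a volume with data plus a cache
    directory, baselined and then tampered with."""
    with tempfile.TemporaryDirectory() as vol, tempfile.TemporaryDirectory() as store:
        data = Path(vol, "data")
        (data / "uploads").mkdir(parents=True)
        (data / "config.yaml").write_text("replicas: 2\n")
        (data / "uploads" / "a.bin").write_bytes(b"\x00" * 4096)
        cache = Path(vol, "cache")
        cache.mkdir()
        (cache / "scratch.tmp").write_text("old")

        excludes = DEFAULT_EXCLUDES + (str(cache),)  # churny cache is not worth alerting on
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(vol, excludes), baseline_file)

        # Tamper: edit config, drop an executable, delete an upload, churn the cache.
        (data / "config.yaml").write_text("replicas: 2\nimage: attacker/x\n")
        dropper = data / "uploads" / "evil.sh"
        dropper.write_text("#!/bin/sh\nid\n")
        dropper.chmod(0o755)
        (data / "uploads" / "a.bin").unlink()
        (cache / "scratch.tmp").write_text("new")  # excluded: must not be reported

        return compare(load_baseline(baseline_file), build_baseline(vol, excludes))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a Kubernetes CronJob with the volume mounted read-only, the baseline fetched from outside the volume, and the result shipped to wherever your alerts go; the cache-style exclusion is where the "tune it properly" advice from the answer lands in practice, since an untuned scan of scratch directories is the noise that gets FIM switched off.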
