Hi kjellkod,
I am searching for articles and documentation on recommendations and best practices on installing anti-virus in AWS EKS optimized worker nodes as well.
I particularly like this note, which can be found in the article
https://cloud.google.com/solutions/installing-antivirus-and-file-integrity-monitoring-on-container-optimized-os
"Note: Container-Optimized OS is already hardened and is engineered to prevent execution of non-containerized applications. Compliance auditors frequently accept these measures as a sufficiently secure compensating control instead of AV and possibly even FIM if properly documented."
Especially when you have security folks who do not understand how Linux, Kubernetes and containers work and insist on installing anti-virus on every worker node and pod just for compliance's sake and scanning everything. Do they even know that most anti-virus products scan files looking for Windows virus signatures? Hence if we have a Samba server serving files to Windows clients, then it makes sense to install anti-virus on Linux to prevent the spreading of viruses. My security folks even scan /proc, /sys, /dev etc.! You will realize that the anti-virus will take up all the CPU and memory and make the server crawl. For anti-virus software that uses kernel hooks, you may start to see a lot of error messages in your /var/log/messages. If you update the kernel and the anti-virus kernel module is not up to date yet, you may not even be able to boot up properly if you enable it.
Not saying we do not need anti-virus on Linux; the essence is that you must know what you are protecting and tune it properly. If not, it is just wasting precious CPU and memory.
Amazon EKS optimized Linux is based on Red Hat. Look at the Red Hat article "Is virus protection software needed for Red Hat Enterprise Linux?"
https://access.redhat.com/solutions/9203
Back to anti-virus on EKS worker nodes. I hope AWS will also publish something saying that the AMI image provided is already optimized and hardened, and that the image is also scanned and free of viruses.
We never expose worker nodes to the public. Only the pods run applications which expose the services. So is there a need to scan the worker node? Any changes to the file system will be gone when we spin up the next worker node. That is the same for containers. So if you want to scan, scan the file shares if your services use some persistent storage to store files.
Just sharing my thoughts.
Best Regards.
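As an added illustration of the scoping argument above (not code from the reply or from AWS), the script below reads a mount table in /proc/mounts format and keeps only the mounts that back persistent data, dropping /proc, /sys, /dev, tmpfs, container overlay layers and the ephemeral root. The mount table is a constructed sample; the EFS hostname and PVC paths in it are placeholders.

```shell
#!/bin/sh
# Added example: choose scan targets for an on-demand file scan on an
# ephemeral worker node. Pseudo-filesystems and the node's own root/overlay
# layers are skipped; only mounts that hold persistent data remain.
# Input lines follow /proc/mounts: "device mountpoint fstype options ...".

# Constructed sample mount table (placeholder names, not real data).
SAMPLE_MOUNTS='proc /proc proc rw,nosuid 0 0
sysfs /sys sysfs rw,nosuid 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
/dev/nvme0n1p1 / xfs rw,noatime 0 0
overlay /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/12/fs overlay rw 0 0
tmpfs /run tmpfs rw,nosuid 0 0
fs-EXAMPLE.efs.REGION.amazonaws.com:/ /var/lib/kubelet/pods/POD-UID/volumes/kubernetes.io~nfs/data nfs4 rw 0 0
/dev/nvme1n1 /var/lib/kubelet/pods/POD-UID/volumes/kubernetes.io~csi/pvc-EXAMPLE/mount ext4 rw 0 0'

# scan_targets: read mount lines on stdin, print one mountpoint per line
# that is worth handing to a file scanner.
scan_targets() {
  while read -r dev mnt fstype _rest; do
    [ -z "$mnt" ] && continue
    case "$fstype" in
      # Kernel pseudo-filesystems: nothing on disk, scanning them only
      # burns CPU and can trip kernel-hook based scanners.
      proc|sysfs|devtmpfs|devpts|tmpfs|cgroup*|mqueue|debugfs|tracefs|securityfs|bpf|pstore|hugetlbfs|rpc_pipefs|nsfs|autofs|binfmt_misc|configfs|fusectl|efivarfs)
        continue ;;
      # Container image layers are ephemeral and rebuilt from the registry.
      overlay|squashfs)
        continue ;;
    esac
    # The node root is replaced wholesale when the next node is spun up.
    [ "$mnt" = "/" ] && continue
    printf '%s\n' "$mnt"
  done
}

# Stand-alone run: list what would be scanned on the sample node.
printf '%s\n' "$SAMPLE_MOUNTS" | scan_targets
```

On a live node, replace the sample with `scan_targets < /proc/mounts` and feed the output to whatever file scanner your compliance program requires.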