
There are multiple malware/rootkit scanning packages for Ubuntu such as ClamAV, rkhunter etc. I know how to use them manually, but for multiple servers in a production environment I could not find a solution which scans the servers daily and sends a report by email only if issues are found.

What is the solution you use for this case and how do you implement it?

Niro
  • Best practice is often just another opinion. My opinion is that you do what makes sense in your environment and fits your use-cases. For me that often is to go along with what was implemented already by and for the Windows servers, adjusted to what makes sense on Linux, rather than trying to reinvent the wheel and having to explain pure open source and/or home grown solutions to auditors and a compliance department... – Rob Apr 04 '22 at 14:13
  • Requests for product, service, or learning material recommendations are off-topic because they attract low quality, opinionated and spam answers, and the answers become obsolete quickly. Instead, describe the business problem you are working on, the research you have done, and the steps taken so far to solve it. – djdomi Apr 04 '22 at 16:43
  • You could consider whether AWS Inspector combined with AWS GuardDuty would be sufficient to fulfill your needs. A compromised server can trigger them by behavior. – Tim Apr 04 '22 at 23:06
  • Thanks @Tim, looks like AWS Inspector is what I need. Much appreciated. – Niro Apr 05 '22 at 18:09
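
One way to implement what the question asks for (a daily rkhunter and ClamAV run that only mails a report when something was found), as an added example that is not from the question or any answer: a POSIX sh wrapper meant to be run from root's cron. It assumes rkhunter, clamscan and a `mail` command (e.g. from mailutils) are installed; the recipient address and scan paths are placeholders to adjust.

```shell
#!/bin/sh
# Daily scan wrapper: runs rkhunter and ClamAV, keeps their output in a
# temp file, and mails it only when a scanner reported findings or failed.
# Placeholders (assumed values, adjust per environment):
REPORT_TO="${REPORT_TO:-secops@example.com}"
SCAN_PATHS="${SCAN_PATHS:-/home /tmp /var/www}"

# Decide from the two exit codes whether a report must be sent.
#   rkhunter --rwo: 0 = clean, 1 = warnings
#   clamscan:       0 = clean, 1 = infected files, 2+ = scanner error
# Prints a short verdict and returns 0 when mail is needed, 1 when clean.
# A scanner error is reported too, so a broken scan never stays silent.
scan_verdict() {
    rk_rc=$1; clam_rc=$2
    verdict=""
    [ "$rk_rc" -ne 0 ] && verdict="${verdict}rkhunter warnings;"
    [ "$clam_rc" -eq 1 ] && verdict="${verdict}clamav infections;"
    [ "$clam_rc" -ge 2 ] && verdict="${verdict}clamav error;"
    [ -n "$verdict" ] || return 1
    printf '%s\n' "$verdict"
}

# Run both scanners, capture exit codes without aborting on failure,
# and mail the combined log only when scan_verdict says so.
run_daily_scan() {
    host=$(hostname)
    log=$(mktemp)
    # --cronjob: non-interactive check; --report-warnings-only (--rwo).
    rk_rc=0
    rkhunter --cronjob --report-warnings-only >"$log" 2>&1 || rk_rc=$?
    # -r recurse into directories, -i list infected files only.
    # SCAN_PATHS is intentionally unquoted so it splits into paths.
    clam_rc=0
    clamscan -r -i $SCAN_PATHS >>"$log" 2>&1 || clam_rc=$?
    if verdict=$(scan_verdict "$rk_rc" "$clam_rc"); then
        mail -s "[$host] daily malware scan: $verdict" "$REPORT_TO" <"$log"
    fi
    rm -f "$log"
}

# Scanners only run when invoked as `daily-scan.sh run`, e.g. from
# root's crontab: 0 3 * * * /usr/local/sbin/daily-scan.sh run
if [ "${1:-}" = run ]; then
    run_daily_scan
fi
```

A clean day produces no mail at all; a day with rkhunter warnings, ClamAV detections or a scanner failure produces one message per host whose subject names what was found.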

1 Answer


AWS Inspector combined with AWS GuardDuty should give you "good enough" protection that you don't need to use AV. They're behavioral rather than signature-based, so they'll likely alert you when an instance starts behaving in a way that indicates malware.

Tim