The system must update the DoD-approved virus scan program every seven days or more frequently.


Overview

Finding ID: V-78007
Version: UBTU-16-030910
Rule ID: SV-92703r1_rule
IA Controls:
Severity: Medium
Description
Virus scanning software can be used to protect a system from penetration by computer viruses and to limit their spread through intermediate systems. The virus scanning software should be configured to check for software and virus definition updates at intervals of no more than seven days. If a manual process is required to update the virus scan software or definitions, it must be documented with the Information System Security Officer (ISSO).
STIG Date
Canonical Ubuntu 16.04 Security Technical Implementation Guide 2020-05-29

Details

Check Text ( C-77599r1_chk )
Verify the system is using a DoD-approved virus scan program and the virus definition file is less than seven days old.

Check for the presence of "McAfee VirusScan Enterprise for Linux" with the following command:

# systemctl status nails

nails - service for McAfee VirusScan Enterprise for Linux

> Loaded: loaded /opt/NAI/package/McAfeeVSEForLinux/McAfeeVSEForLinux-2.0.2.; enabled)

> Active: active (running) since Mon 2015-09-27 04:11:22 UTC;21 min ago

If the "nails" service is not active, check for the presence of "clamav" on the system with the following command:

# systemctl status clamav-daemon.socket

clamav-daemon.socket - Socket for Clam AntiVirus userspace daemon

Loaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)

Active: active (running) since Mon 2015-01-12 09:32:59 UTC; 7min ago

If "McAfee VirusScan Enterprise for Linux" is active on the system, check the dates of the virus definition files with the following command:

# ls -al /opt/NAI/LinuxShield/engine/dat/*.dat

-rwxr-xr-x 1 root root 243217 Mar 5 2017 avvclean.dat
-rwxr-xr-x 1 root root 16995 Mar 5 2017 avvnames.dat
-rwxr-xr-x 1 root root 4713245 Mar 5 2017 avvscan.dat

If the virus definition files have dates older than seven days from the current date, this is a finding.

If "clamav" is active on the system, check the dates of the virus database with the following commands:

# grep -i databasedirectory /etc/clamav.conf

DatabaseDirectory /var/lib/clamav

# ls -al /var/lib/clamav/*.cvd

-rwxr-xr-x 1 root root 149156 Mar 5 2011 daily.cvd

If the database file has a date older than seven days from the current date, this is a finding.
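
The check above as a script, added here as an example and not part of the STIG text. The names stale_defs, av_definitions_check and MAX_AGE_DAYS are hypothetical. It assumes GNU stat, and for ClamAV it inspects only daily.cvd (as in the sample output) plus daily.cld, the name freshclam uses after an incremental update.

```shell
#!/bin/sh
# Added example (not STIG text): flag virus definition files older than seven days.
MAX_AGE_DAYS=7

# stale_defs FILE...
# Prints every argument that is a regular file older than MAX_AGE_DAYS.
# Returns 0 when at least one file exists and none is stale, 1 otherwise
# (treating a missing definition set as a finding is an assumption).
stale_defs() {
    now=$(date +%s)
    limit=$((MAX_AGE_DAYS * 86400))
    seen=0
    stale=0
    for f in "$@"; do
        [ -f "$f" ] || continue          # unmatched globs arrive as literals
        seen=1
        mtime=$(stat -c %Y "$f")         # GNU stat, as shipped on Ubuntu
        if [ $((now - mtime)) -gt "$limit" ]; then
            echo "STALE: $f"
            stale=1
        fi
    done
    [ "$seen" -eq 1 ] && [ "$stale" -eq 0 ]
}

# av_definitions_check [MCAFEE_DAT_DIR] [CLAMAV_DB_DIR]
# Follows the order of the check text: McAfee ("nails") first, then ClamAV.
av_definitions_check() {
    mcafee_dir=${1:-/opt/NAI/LinuxShield/engine/dat}
    clam_dir=${2:-/var/lib/clamav}
    if systemctl is-active --quiet nails 2>/dev/null; then
        stale_defs "$mcafee_dir"/*.dat
    elif systemctl is-active --quiet clamav-daemon.socket 2>/dev/null; then
        stale_defs "$clam_dir"/daily.cvd "$clam_dir"/daily.cld
    else
        echo "FINDING: neither nails nor clamav-daemon.socket is active"
        return 1
    fi
}
```

Calling av_definitions_check from a daily cron job or systemd timer and alerting on a non-zero exit status surfaces a stalled update before the seven-day limit becomes an audit finding.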
Fix Text (F-84717r1_fix)
Update the approved DoD virus scan software and virus definition files.