Running antivirus in Linux with a Stream worker?

Edward Bailey

Hello all, some customer is asking to have an antivirus (!!?!?!?) on the Linux server running a Cribl Stream worker. I found some recommendations for Edge in the documentation, but nothing for Stream. Is it supported, for Stream, having such a configuration? thanks a lot

David Maislin

https://docs.cribl.io/stream/deploy-single-instance#av|https://docs.cribl.io/stream/deploy-single-instance#av

Edward Bailey

Thanks David. So this is applicable also for a distributed deployment.

David Maislin

Yes

David Maislin

<#C01BM8PU30V|docs> <@U03CJ90F91A&gt; perhaps we should also add this info to our distributed deployment pages too.

Edward Bailey

thanks again. Do you have some performance numbers, how much degraded is the cribl system using this configuration?

xpac xpac

That is likely depending a LOT on the actual AV used and it's config

Edward Bailey

Yes, it makes sense

mferris

From working endpoint security before, I can tell you that they need antivirus on all the things all the time or auditors get upset

mferris

Lack of AV on a linux server can be mitigated by a subset of selinux, file integrity tests, root kit detectors, good monitoring, and especially auditable config. Flies with our auditors.

mferris

The ability to destroy and rebuild a node in minutes doesn't hurt either.

Edward Bailey

yes, selinux can be a good idea, but no one on the customer side is able to manage that.

mferris

Oh, that does complicate matters. /condolences