Having your datacenter audited at the office can be a painful experience. One of the toughest is known by the initialism “PCI”, which stands for Payment Card Industry. The PCI audits are in-depth, and require several layers of security, logging, and documentation. Unfortunately, many of the requirements of such audits are derived from a Windows centric environment, and make little sense in a pure Linux system. At the top of this list is the requirement for anti-virus to be installed on all servers, but how necessary is this precaution in real life?
A couple of my coworkers and I like to play a bit of a game, we pick out a system and see how long we can keep it up without requiring a reboot. (Current winner right now is sitting at 1761 days, not sure if we will be able to beat that.) There are reasons why that machine has not been updated, and we take appropriate precautions to restrict access to the box. There was even a time, years ago now, when we ran our web servers with a default install of SUSE (SuSE? SuSe?) Linux with a public IP address on the Internet, and left them there, unpatched, for years. I’m not saying this was a good idea, it certainly was not, and it is not something I would do today, but requirements were different then. We did frequent checks of the server health and monitored the logs, and never saw a problem. Talking with other Linux sysadmins and open source enthusiasts, I don’t think I’m alone with this experience.