My system is CentOS5-5.
I want to monitor the sub-directories under a specified root with clamfs, and remove any suspected file as soon as it is detected.
So far, I have installed clamav, and then clamfs. My problem is that clamfs does not react when I put a file which has a virus signature under my root directory; I suspect there is no communication between clamfs and clamd.
Below I give you some details about how I configured clamav and clamfs :
/etc/clamd.conf :
LogFile /var/log/clamav/clamd.log
...
LogVerbose yes
...
LocalSocket /var/run/clamav/clamd.sock
...
User clamav
...
AllowSupplementaryGroups yes
...
I start clamd with the following command, as root (thanks to the file above, the clamd process then belongs to the user clamav):
service clamd start
In /etc/clamfs/clamfs.xml, I set :
- the same socket as in the file clamd.conf
- the root of the directories to scan in root parameter
- the directory which will be a copy of the root one in the mountpoint parameter
- the log file for clamfs
<clamd socket="/var/run/clamav/clamd.sock" />
...
<filesystem root="MyPathToScan"
mountpoint="CopyOfMyPathToScan"
public="yes" nonempty="yes" ... />
<log method="file" filename="PathToLogFile" verbose="yes" />
The root I want to scan with clamfs and all its subdirectories and files belong to a user01 (who belongs to the group user01). So I also added the user clamav to the group "user01".
I launch clamfs like this, as root:
clamfs /etc/clamfs/clamfs.xml
I add that my virus database is up to date.
The problems I note are the following :
- In the log file of clamfs, nothing appears when I put a file with a virus signature in my root directory, but when I run "clamscan" it is detected.
- If I run "clamdscan" in this root directory, I get the following error (I add that SELinux is "Disabled", so this is not the problem) :
lstat() failed: Permission denied.
ERROR
- If I run clamd with root user instead of clamav, I don't have the above "Permission denied", but clamfs still does not work.
Thanks for your help !
Sylvain
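One way to locate the cause of the "lstat() failed: Permission denied" error in the question, as an added example that is not part of the original post: it walks from / down to the scan root and reports the first path component the clamd account cannot pass. It assumes plain Unix mode bits (no ACLs) and that clamd keeps the account's supplementary groups, which "AllowSupplementaryGroups yes" in the clamd.conf above is meant to provide; the function names are hypothetical.

```python
import grp
import os
import pwd
import stat
import sys


def ids_for(user):
    """Hypothetical helper: (uid, gids) for an account, supplementary groups included."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def allowed(st, uid, gids, want):
    """Classic Unix mode check (ACLs ignored): owner, else group, else other."""
    if uid == 0:
        return True  # root bypasses mode bits, as seen when clamd runs as root
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want


def first_blocked(path, uid, gids):
    """Return the first path component the account cannot pass, else None."""
    target = os.path.realpath(path)
    chain = [target]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    for p in reversed(chain):  # walk from / down to the target
        st = os.stat(p)
        if p != target:
            want = 1  # x: lstat() on a child needs search on every parent
        elif stat.S_ISDIR(st.st_mode):
            want = 5  # r-x: list and descend into the scan root
        else:
            want = 4  # r--: read the file to scan it
        if not allowed(st, uid, gids, want):
            return p
    return None


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    path = sys.argv[2] if len(sys.argv) > 2 else "."
    print(user, "blocked at:", first_blocked(path, *ids_for(user)))  # None = reachable
```

Run it with the clamd account and the scan root as arguments (for the question's setup, clamav and MyPathToScan). A group added to the account only takes effect for a clamd process started afterwards.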
Best Answer
I've noticed the trouble might come from apparmor. I was trying to set up clamfs for my home dir and it just kept complaining. Then I created an apparmor config file for it and it worked :)
In simplicity I copied clamav armor and modified to clamfs - guesswork:
I also copied the /etc/init.d/skeleton to /etc/init.d/clamfs-home and edited to my intuition's best liking, made it executable and called update-rc.d clamfs-home defaults. Then executed with /etc/init.d/clamfs-home start and yay! Let's see if it comes back after reboot. What I'm wondering about is how to run clamfs with a non-root user...