Centos – Using the antivirus clamav with clamfs in order to scan a file system

anti-virus, centos

My system is CentOS 5.5.

I want to monitor the sub-directories under a specified root with clamfs, and remove any suspected file as soon as it is detected.

So far, I have installed clamav, and then clamfs. My problem is that clamfs does not react when I put a file with a virus signature under my root directory; I suspect there is no communication between clamfs and clamd.

Below I give you some details about how I configured clamav and clamfs:

/etc/clamd.conf:

LogFile /var/log/clamav/clamd.log
...
LogVerbose yes
...
LocalSocket /var/run/clamav/clamd.sock
...
User clamav
...
AllowSupplementaryGroups yes
...

I start clamd with the following command, as root (thanks to the file above, the clamd process then runs as the user clamav):

service clamd start

In /etc/clamfs/clamfs.xml, I set:

  • the same socket as in the file clamd.conf
  • the root of the directories to scan in root parameter
  • the directory which will be a copy of the root one in the mountpoint parameter
  • the log file for clamfs

<clamd socket="/var/run/clamav/clamd.sock" />

...

<filesystem root="MyPathToScan"
            mountpoint="CopyOfMyPathToScan"
            public="yes" nonempty="yes" />

...

<log method="file" filename="PathToLogFile" verbose="yes" />

The root I want to scan with clamfs, and all its subdirectories and files, belong to user01 (who is in the group user01). So I also put the user clamav in the group "user01".

I launch clamfs like this, as root:

clamfs /etc/clamfs/clamfs.xml

I should add that my virus database is up to date.

The problems I note are the following:

  • In the log file of clamfs, nothing appears when I put a file with a virus signature in my root directory, but when I run "clamscan" the file is detected.
  • If I run "clamdscan" in this root directory, I get the following error (I should add that SELinux is "Disabled", so this is not the problem):

lstat() failed: Permission denied.
ERROR

  • If I run clamd as the root user instead of clamav, I don't get the above "Permission denied", but clamfs still does not work.

Thanks for your help!

Sylvain
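
The post suspects a broken link between clamfs and clamd but does not show how to confirm it. The script below is an added diagnostic, not part of Sylvain's question, that checks the chain in the order a practitioner would: that clamd.conf's LocalSocket and the socket attribute in clamfs.xml agree, that the socket actually exists, that the account clamd drops to (the User directive) can lstat() the whole tree behind the clamfs root (the same call clamdscan reports as failing above), and finally that an EICAR test file dropped into the root is refused when read through the mountpoint. The script name clamfs-check.sh and the paths /home/user01/data and /mnt/scanned in the usage comment are placeholders, not values from the post.

```bash
#!/bin/bash
# Added diagnostic for the clamd <-> clamfs chain (not from the original post).
# The example paths in the usage comment at the bottom are assumptions.

# LocalSocket from clamd.conf. Lines starting with '#' never match because
# their first field is not the bare keyword; the last occurrence wins.
clamd_socket_from_conf() {
    awk '$1 == "LocalSocket" { s = $2 } END { print s }' "$1"
}

# User directive from clamd.conf, i.e. the account clamd drops to after start-up.
clamd_user_from_conf() {
    awk '$1 == "User" { u = $2 } END { print u }' "$1"
}

# socket="..." attribute of the <clamd .../> element in clamfs.xml.
clamfs_socket_from_xml() {
    sed -n 's/.*<clamd[^>]*socket="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 when both files point clamfs and clamd at the same socket, 1 otherwise.
sockets_match() {
    local a b
    a=$(clamd_socket_from_conf "$1")
    b=$(clamfs_socket_from_xml "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Standard 68-byte EICAR test string, assembled from two halves so that this
# script is not itself quarantined by a scanner that reads it.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE' '!$H+H*'
}

# Can user $1 descend into and stat everything under $2? This is the lstat()
# that fails in the question when clamd runs as clamav over user01's files.
# find exits non-zero if any entry could not be read. Needs root (uses sudo).
user_can_read_tree() {
    sudo -u "$1" find "$2" -print >/dev/null 2>/dev/null
}

# End-to-end check: write the EICAR file into the real root and read it back
# through the mountpoint. With a working chain clamfs refuses the open and the
# detection appears in clamd.log and in the clamfs log file.
eicar_roundtrip() {
    local root=$1 mnt=$2 name=clamfs-eicar-test.txt rc=0
    eicar_string > "$root/$name"
    if cat "$mnt/$name" >/dev/null 2>&1; then
        echo "FAIL: $mnt/$name was readable, clamfs did not block it"
        rc=1
    else
        echo "OK: $mnt/$name refused through clamfs"
    fi
    rm -f "$root/$name"
    return $rc
}

# Usage on the real host, as root (placeholder paths, adjust to your setup):
#   ./clamfs-check.sh /etc/clamd.conf /etc/clamfs/clamfs.xml /home/user01/data /mnt/scanned
if [ "$#" -eq 4 ]; then
    conf=$1 xml=$2 root=$3 mnt=$4
    sock=$(clamd_socket_from_conf "$conf")
    user=$(clamd_user_from_conf "$conf")
    if sockets_match "$conf" "$xml"; then
        echo "OK: clamd.conf and clamfs.xml both use $sock"
    else
        echo "FAIL: clamd.conf LocalSocket='$sock' but clamfs.xml socket='$(clamfs_socket_from_xml "$xml")'"
    fi
    if [ -S "$sock" ]; then
        echo "OK: $sock exists (clamd is listening)"
    else
        echo "FAIL: $sock is not a socket; is clamd running?"
    fi
    if user_can_read_tree "$user" "$root"; then
        echo "OK: user $user can lstat() everything under $root"
    else
        echo "FAIL: user $user cannot traverse $root (check group membership and directory r/x bits)"
    fi
    eicar_roundtrip "$root" "$mnt"
fi
```

The group membership step in the question only helps if every directory on the way down to the files grants the group at least r-x; the third check exercises exactly that as the clamd user, which is why it must run as root via sudo. The EICAR round-trip is the only check that proves clamfs is really asking clamd, so run it last, after the earlier checks all pass.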

Best Answer

I've noticed the trouble might come from AppArmor. I was trying to set up clamfs for my home dir and it just kept complaining. Then I created an AppArmor config file for it and it worked :)

$ cat /etc/apparmor.d/usr.bin.clamfs 

For simplicity I copied the clamav AppArmor profile and modified it for clamfs - guesswork:

#include <tunables/global>

/usr/bin/clamfs {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # LP: #433764:
  # lets the scanner read files whose owner/mode bits would otherwise deny it
  capability dac_override,

  @{PROC}/filesystems r,
  owner @{PROC}/[0-9]*/status r,

  /etc/clamfs/* r,
  # read by fusermount when clamfs mounts the filesystem
  /etc/fuse.conf r,

  /usr/bin/clamfs mr,

  /tmp/ rw,
  /tmp/** krw,

  # clamd socket (Debian/Ubuntu default name; must match LocalSocket in clamd.conf
  # and the socket attribute in clamfs.xml)
  /var/run/clamav/clamd.ctl rw,

  # Allow home dir to be scanned
  /media/disk/* rw,
  /media/disk/** rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.clamfs>
}

I also copied /etc/init.d/skeleton to /etc/init.d/clamfs-home and edited it to my intuition's best liking, made it executable and ran update-rc.d clamfs-home defaults. Then I executed /etc/init.d/clamfs-home start and yay! Let's see if it comes back after reboot. What I'm wondering about is how to run clamfs as a non-root user...