I am using inotify-tools in order to achive my task. inotify-tools has two commands inotifywait or inotifywatch. I am using inotifywait. I want to be able to extract unique paths that inotifywait will output and then take those unique file path run them through clamscan and quarantine the

files if necessary. Here's what I have come up with so far.

Following command will output to stdout file paths (could be duplicates as well):

Code:

inotifywait -rm -e modify -e create --format '%w%f' /var/ftp

I want to use uniq -u to extract unique paths from the above output

I want to run these files through clamscan for antivirus checking.

================================
One thing I can do is redirect the inotifywait output to a file and then go through the file and get the uniq -u paths and throw them through clamscan. But

when I run following command

The output keeps appending to the txt file rather then being overwritten.

I would prefer a method where I am getting an output from inotifywait "pipe" it through uniq -u and then redirect the output to a while statement where

inside it I am "clamscanning" each file and quarantining if necessary. Something likee the following:

Code:

inotifywait -rm -e modify -e create /var/ftp | uniq -u | while read each filepath; do clamscan --quite 

--move=/etc/clamav/tmp/quarantine /path-to-ftp-dir OR file & done

Can anyone please suggest the best way to do that?

or
?

Hmm I think we are on the right track. Basically what I am trying to do is when user uploads a file onto the server ( I am trying to watch it using inotifywait) then I want to be able to scan that file (real-time) and if the file has a virus (detected by clamscan) it will be put into quarantine. I executed the above command but when I upload a "virus" file to the server it doesn't get quarantined?

Then shouldn't you be using Dazuko instead?


Saying something doesn't work doesn't include information that helps us help you. Posting verbose or debug level logs, what virus (EICAR or Something Completely Different?) and what method you used exactly might.

-------------------

1st Answer) You are right I was using clamfs, and I am able to do the mount of /var/ftp directory and anything that is put into /var/ftp or it's subdirectories I am able to get it scanned and if the file contains virus it prevents any type of access. But the problem is that I have to mount /var/ftp to some other folder ex: "scannedfolder" and everything that is "scanned" in /var/ftp is put into the "scannedfolder", which kind of doesn't make sense that means a user will have access to /var/ftp to upload files and then when it comes to download they'll need access to "scannedfolder". Unless there's any other way that you can point me to.

So I didn't even bother checking other "on-access" such as Dazuko. Is Dauzuko available for RHEL?

2nd Answer) When I upload EICAR (zip or text or com anything) it is not "caught" and put away in the quarantine. When I use either of the above commands. I personally think that when the inotifywait is being piped into uniq -u this doesn't work. The output of that command does not pipe through to uniq -u because same thing was going on before when I tried doing it. If you redirect the output to a file or stdout it works. And when you redirect the output of inotifywait, using ">", to a file it is redirected fine BUT it doesn't overwrite it...it appends it as if we were outputting using ">>".

That's at least something...


If it doesn't make sense then why are you doing it?


I doubt RHEL provides a ready-made LKM or a dkms-dazuko. Did you check out dazuko.org and any 3rd party repo you use?


Using something like 'inotifywait --monitor --recursive --format '%w%f' --event create /path/to > /tmp/clampipe &' works OK which you can see with 'cat < /tmp/clampipe' when you create files. The trouble with clamscan is it doesn't like files being provided this way, just scans the $CWD and exits. I think you'll need a client that serves filenames to clamd in the same way email gets scanned.

==============

Okay soo this is what I am doing. I am trying to output inotifywait to a file (updatefile.txt) and then i denotify this file (updatefile.txt) and run a shell script everytime updatefile.txt changes. I'll just post the code. I am trying to get the name of each file and creating a clamscan process for each file and let it scan and if it's a virus it'll quarantine it and if not...well it'll leave it alone. Again I don't know if this is the best way to go about doing it or not.

=======

As far as the Mounting /var/ftp directory to "scannedfolder" this is one of requirement of clamfs...soo basically clamfs wants me to mount the "/var/ftp" directory to somewhere (This is fine so far). Clamfs keeps a watch on "/var/ftp" and all it's subdirectories (This is fine as well). So if I was to put a virus file "Eicar.com" in "/var/ftp/somefolder/Eicar.com" this will be scanned by clamfs (real-time) and sees it's a virus then what it does...it'll block ANY access to "/var/scannedfolder/Eicar.com" but I'll still be able to access "/var/ftp/somefolder/Eicar.com". Now this doesn't make sense this means a user will have to upload a file under "/var/ftp" and then i'll have to give users access to the same file in "/var/scannedfolder" (Since these are the "cleaned" up files). I hope you know what i mean.

Basically what I want is users to be able to upload files in "/var/ftp/somefolder" and get access to them in "/var/ftp/somefolder". If the file that was uploaded to "somefolder" is a virus it should not appear there at all after the upload (Since it should be quarantined...or at the very least have NO read access)