LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
01-21-2010, 12:38 PM   #1   Lincoder (LQ Newbie)
How to utilize inotify command properly?


I am using inotify-tools in order to achieve my task. inotify-tools has two commands, inotifywait and inotifywatch. I am using inotifywait. I want to be able to extract unique paths that inotifywait will output and then take those unique file paths, run them through clamscan and quarantine the files if necessary. Here's what I have come up with so far.

Following command will output to stdout file paths (could be duplicates as well):

Code:
inotifywait -rm -e modify -e create --format '%w%f' /var/ftp


I want to use uniq -u to extract unique paths from the above output

I want to run these files through clamscan for antivirus checking.

================================
One thing I can do is redirect the inotifywait output to a file and then go through the file and get the uniq -u paths and throw them through clamscan. But when I run the following command

Code:
inotifywait -rm -e modify -e create --format '%w%f' /var/ftp > /etc/clamav/tmp/updatedfiles.txt
the output keeps appending to the txt file rather than being overwritten.

I would prefer a method where I am getting an output from inotifywait, "pipe" it through uniq -u and then redirect the output to a while statement where inside it I am "clamscanning" each file and quarantining if necessary. Something like the following:

Code:
inotifywait -rm -e modify -e create --format '%w%f' /var/ftp | uniq -u | while read -r filepath; do
    clamscan --quiet --move=/etc/clamav/tmp/quarantine "${filepath}" &
done


Can anyone please suggest the best way to do that?

Last edited by Lincoder; 01-21-2010 at 12:41 PM.
 
01-21-2010, 04:42 PM   #2   unSpawn (Moderator)
Code:
while read -r line; do clamscan --quiet --move=/etc/clamav/tmp/quarantine "${line}" &
done < <(inotifywait -rm -e modify -e create --format '%w%f' /var/ftp | uniq -u)
or
Code:
mkfifo /tmp/clampipe; inotifywait -rm -e modify -e create --format '%w%f' /var/ftp | uniq -u > /tmp/clampipe &
clamscan --quiet --move=/etc/clamav/tmp/quarantine < /tmp/clampipe
?
 
01-21-2010, 05:14 PM   #3   Lincoder (LQ Newbie, Original Poster)
Quote: Originally Posted by unSpawn
Code:
while read -r line; do clamscan --quiet --move=/etc/clamav/tmp/quarantine "${line}" &
done < <(inotifywait -rm -e modify -e create --format '%w%f' /var/ftp | uniq -u)
or
Code:
mkfifo /tmp/clampipe; inotifywait -rm -e modify -e create --format '%w%f' /var/ftp | uniq -u > /tmp/clampipe &
clamscan --quiet --move=/etc/clamav/tmp/quarantine < /tmp/clampipe
?
Hmm, I think we are on the right track. Basically what I am trying to do is when a user uploads a file onto the server (I am trying to watch it using inotifywait) then I want to be able to scan that file (real-time) and if the file has a virus (detected by clamscan) it will be put into quarantine. I executed the above command but when I upload a "virus" file to the server it doesn't get quarantined?
 
01-22-2010, 11:12 AM   #4   unSpawn (Moderator)
Quote: Originally Posted by Lincoder
I want to be able to scan that file (real-time)
Then shouldn't you be using Dazuko instead?


Quote: Originally Posted by Lincoder
when I upload a "virus" file to the server it doesn't get quarantined?
Saying something doesn't work doesn't include information that helps us help you. Posting verbose or debug level logs, what virus (EICAR or Something Completely Different?) and what method you used exactly might.
 
01-22-2010, 04:05 PM   #5   Lincoder (LQ Newbie, Original Poster)
Quote: Originally Posted by unSpawn
Then shouldn't you be using Dazuko instead?

Saying something doesn't work doesn't include information that helps us help you. Posting verbose or debug level logs, what virus (EICAR or Something Completely Different?) and what method you used exactly might.
-------------------

1st Answer) You are right, I was using clamfs, and I am able to do the mount of the /var/ftp directory and anything that is put into /var/ftp or its subdirectories I am able to get scanned, and if the file contains a virus it prevents any type of access. But the problem is that I have to mount /var/ftp to some other folder, ex: "scannedfolder", and everything that is "scanned" in /var/ftp is put into the "scannedfolder", which kind of doesn't make sense: that means a user will have access to /var/ftp to upload files and then when it comes to download they'll need access to "scannedfolder". Unless there's any other way that you can point me to.

So I didn't even bother checking other "on-access" scanners such as Dazuko. Is Dazuko available for RHEL?

2nd Answer) When I upload EICAR (zip or text or com, anything) it is not "caught" and put away in the quarantine when I use either of the above commands. I personally think that when the inotifywait is being piped into uniq -u this doesn't work. The output of that command does not pipe through to uniq -u, because the same thing was going on before when I tried doing it. If you redirect the output to a file or stdout it works. And when you redirect the output of inotifywait, using ">", to a file it is redirected fine BUT it doesn't overwrite it... it appends as if we were outputting using ">>".
 
01-23-2010, 03:04 AM   #6   unSpawn (Moderator)
Quote: Originally Posted by Lincoder
I am able to do the mount of /var/ftp directory and anything that is put into /var/ftp or it's subdirectories I am able to get it scanned and if the file contains virus it prevents any type of access.
That's at least something...


Quote: Originally Posted by Lincoder
(..) the problem is that I have to mount /var/ftp to some other folder ex: "scannedfolder" and everything that is "scanned" in /var/ftp is put into the "scannedfolder", which kind of doesn't make sense (..)
If it doesn't make sense then why are you doing it?


Quote: Originally Posted by Lincoder
Is Dazuko available for RHEL?
I doubt RHEL provides a ready-made LKM or a dkms-dazuko. Did you check out dazuko.org and any 3rd party repo you use?


Quote: Originally Posted by Lincoder
(..) the inotifywait is being piped into uniq -u this doesn't work. The output of that command does not pipe through to uniq -u
Using something like 'inotifywait --monitor --recursive --format '%w%f' --event create /path/to > /tmp/clampipe &' works OK which you can see with 'cat < /tmp/clampipe' when you create files. The trouble with clamscan is it doesn't like files being provided this way, just scans the $CWD and exits. I think you'll need a client that serves filenames to clamd in the same way email gets scanned.
 
01-23-2010, 04:12 PM   #7   Lincoder (LQ Newbie, Original Poster)
Quote: Originally Posted by unSpawn
That's at least something...

If it doesn't make sense then why are you doing it?

I doubt RHEL provides a ready-made LKM or a dkms-dazuko. Did you check out dazuko.org and any 3rd party repo you use?

Using something like 'inotifywait --monitor --recursive --format '%w%f' --event create /path/to > /tmp/clampipe &' works OK which you can see with 'cat < /tmp/clampipe' when you create files. The trouble with clamscan is it doesn't like files being provided this way, just scans the $CWD and exits. I think you'll need a client that serves filenames to clamd in the same way email gets scanned.
==============

Okay, so this is what I am doing. I am trying to output inotifywait to a file (updatefile.txt) and then I inotify this file (updatefile.txt) and run a shell script every time updatefile.txt changes. I'll just post the code. I am trying to get the name of each file and create a clamscan process for each file and let it scan, and if it's a virus it'll quarantine it and if not... well, it'll leave it alone. Again, I don't know if this is the best way to go about doing it or not.

Code:
#!/bin/sh

# Working files used by this script
updatedfiles="/etc/clamav/tmp/notifywaitfiles/updatedfiles.txt"
tmptxtfile="/etc/clamav/tmp/tmp.txt"
singlefile="/etc/clamav/tmp/singlefile.txt"
fulllistfile="/etc/clamav/tmp/fullfilelist.txt"
clamscannedfiles="/etc/clamav/tmp/scannedfiles.txt"

# Snapshot the list inotifywait has written so far, then truncate it
cp -f "$updatedfiles" "$tmptxtfile"
: > "$updatedfiles"
# One line per path, blank lines dropped. Plain uniq rather than uniq -u:
# -u prints only lines that occur exactly once, so a path listed twice
# (e.g. create followed by modify) would be dropped and never scanned.
sort "$tmptxtfile" | uniq | grep -v '^$' > "$singlefile"

# Build full list of files scanned
cat "$singlefile" >> "$fulllistfile"

#inotifywait -rm -e modify -e create --format '%w%f' /var/ftp | while read -r file; do
prevFile=""
while read -r file; do
	echo "${file}"
	# Quotes and spaces around != are required: [ $prevFile!=${file} ] is a
	# single non-empty string and therefore always true
	if [ "$prevFile" != "${file}" ]; then
		if [ -f "${file}" ]; then
			#clamscan --quiet --move=/etc/clamav/tmp/quarantine "${file}" &
			echo "Clamscanning ${file}" >> "$clamscannedfiles"
		fi
	fi
	prevFile="${file}"
done < "$singlefile"
=======

As far as the mounting of the /var/ftp directory to "scannedfolder", this is one of the requirements of clamfs... so basically clamfs wants me to mount the "/var/ftp" directory somewhere (this is fine so far). Clamfs keeps a watch on "/var/ftp" and all its subdirectories (this is fine as well). So if I was to put a virus file "Eicar.com" in "/var/ftp/somefolder/Eicar.com" this will be scanned by clamfs (real-time) and it sees it's a virus, then what it does... it'll block ANY access to "/var/scannedfolder/Eicar.com" but I'll still be able to access "/var/ftp/somefolder/Eicar.com". Now this doesn't make sense; this means a user will have to upload a file under "/var/ftp" and then I'll have to give users access to the same file in "/var/scannedfolder" (since these are the "cleaned" up files). I hope you know what I mean.

Basically what I want is users to be able to upload files in "/var/ftp/somefolder" and get access to them in "/var/ftp/somefolder". If the file that was uploaded to "somefolder" is a virus it should not appear there at all after the upload (Since it should be quarantined...or at the very least have NO read access)
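A working version of the pipeline asked about in #1 and scripted in #7, as an added example that is not code from the thread or from inotify-tools/ClamAV. It assumes the thread's paths (/var/ftp and /etc/clamav/tmp/quarantine), an installed inotifywait and clamscan, and replaces uniq -u with an awk filter for the reasons given in its comments.

```shell
#!/bin/sh
# Added example, not code from the thread or from inotify-tools/ClamAV.
# Assumed paths (the thread's own); override via the environment if needed.
WATCH_DIR="${WATCH_DIR:-/var/ftp}"
QUARANTINE="${QUARANTINE:-/etc/clamav/tmp/quarantine}"

# Emit each path the first time it is seen, in arrival order.
# Why not `uniq -u`: -u prints only lines that occur exactly once, so a path
# listed twice (CREATE then MODIFY) is dropped and never scanned. Why fflush():
# stdio block-buffers output written to a pipe, so without it (and with uniq)
# nothing reaches the reader until a few KiB of paths have accumulated, which
# looks like "the pipe does not work" while redirecting to a file seems fine.
dedupe_paths() {
    awk 'NF && !seen[$0]++ { print; fflush() }'
}

# Scan one regular file and move it to quarantine on detection.
# Exit status is clamscan's: 0 clean, 1 infected (moved), 2 error.
scan_one() {
    f="$1"
    [ -f "$f" ] || return 0       # directories, vanished files: nothing to do
    clamscan --quiet --no-summary --move="$QUARANTINE" "$f"
}

# close_write / moved_to fire once the uploader has finished writing; create
# and modify fire while the file is still partial, so a scan could pass an
# incomplete upload and the finished file would never be re-examined.
watch_and_scan() {
    inotifywait -m -r -q -e close_write -e moved_to --format '%w%f' "$WATCH_DIR" \
      | dedupe_paths \
      | while IFS= read -r path; do
            if ! scan_one "$path"; then
                echo "quarantined or scan error: $path" >&2
            fi
        done
}

# Only start watching when invoked with --run, so the functions above can be
# sourced and exercised on their own.
if [ "${1:-}" = "--run" ]; then
    mkdir -p "$QUARANTINE"
    watch_and_scan
fi
```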