LinuxQuestions.org

Linux - Security > run clamav on mount of flashdrive (https://www.linuxquestions.org/questions/linux-security-4/run-clamav-on-mount-of-flashdrive-797286/)

schuurs 03-23-2010 08:18 AM

run clamav on mount of flashdrive
 
Hello,

I am working on a production system on which it is not advisable to enable on-access scanning with the use of Dazuko. However, I want to do an automatic scan with clamscan when the flashdrive is mounted. As far as I know, Kudzu is arranging the automount of the flashdrives.

Does somebody have an idea how this can be done best?

The distro I am using is RHEL5u3.

smoker 03-23-2010 08:26 AM

Look into udev rules: http://reactivated.net/writing_udev_rules.html

schuurs 03-24-2010 09:24 AM

Dear Smoker,

I read the document to which your link was pointing and I will try this.

Thank you

schuurs 03-25-2010 07:58 AM

I am trying the following rule.

Code:

KERNEL=="sd*1", DRIVER=="usb-storage", RUN+="/usr/local/bin/clamscan /media* > /tmp/clamav.log"
When plugging in the flashdrive, it will get the kernel name sdd1, but I cannot tell if clamscan is executed.

I tried udevtest and it shows:
Code:

main: looking at device '/block/sdd/sdd1' from subsystem 'block'
run_program: '/bin/bash -c '/sbin/lsmod | /bin/grep ^dm_multipath''
run_program: '/bin/bash' (stdout) 'dm_multipath          55257  0 '
run_program: '/bin/bash' returned with status 0
udev_rules_get_name: add symlink 'disk/by-id/usb-Kingston_DataTraveler_2.0_0019E06B58BBA941D2CF029F-part1'
udev_rules_get_name: add symlink 'disk/by-path/pci-0000:00:1d.7-usb-0:7:1.0-scsi-0:0:0:0-part1'
udev_node_mknod: mknod(/dev/.tmp-8-49, 060600, 8, 49) failed: Permission denied
run_program: '/lib/udev/vol_id --export /dev/.tmp-8-49'
run_program: '/lib/udev/vol_id' (stderr) '/dev/.tmp-8-49: error open volume'
run_program: '/lib/udev/vol_id' returned with status 2
udev_rules_get_name: no node name set, will use kernel name 'sdd1'
unlink_secure: chown(/dev/.tmp-8-49, 0, 0) failed: No such file or directory
unlink_secure: chmod(/dev/.tmp-8-49, 0000) failed: No such file or directory
udev_device_event: device '/block/sdd/sdd1' already in database, validate currently present symlinks
udev_node_add: creating device node '/dev/sdd1', major = '8', minor = '49', mode = '0640', uid = '0', gid = '6'
udev_node_add: creating symlink '/dev/disk/by-id/usb-Kingston_DataTraveler_2.0_0019E06B58BBA941D2CF029F-part1' to '../../sdd1'
udev_node_add: creating symlink '/dev/disk/by-path/pci-0000:00:1d.7-usb-0:7:1.0-scsi-0:0:0:0-part1' to '../../sdd1'
udev_node_remove_symlinks: removing symlink '/dev/disk/by-uuid/E0FD-1813'
delete_path: rmdir(/dev/disk/by-uuid) failed: Permission denied
udev_node_remove_symlinks: removing symlink '/dev/disk/by-label/KINGSTON'
delete_path: rmdir(/dev/disk/by-label) failed: Permission denied
main: run: '/usr/local/bin/clamscan /media/* > /tmp/clamav.log 2>&1;/usr/bin/nedit /tmp/clamav.log '
main: run: '/sbin/multipath -v0 8:49'
main: run: 'socket:/org/kernel/udev/monitor'
main: run: '/lib/udev/udev_run_devd'
main: run: 'socket:/org/freedesktop/hal/udev_event'
main: run: '/sbin/pam_console_apply /dev/sdd1 /dev/disk/by-uuid/E0FD-1813 /dev/disk/by-label/KINGSTON'


smoker 03-25-2010 08:50 AM

You are not matching properly.

I would have used something like
Code:

SUBSYSTEM=="usb", ATTRS{name}=="usb-Kingston_DataTraveler_2.0_0019E06B58BBA941D2CF029F-part1", RUN+="/home/myusername/myscript.sh"
I don't believe that line will work as it is; you need to find the correct match.

You can't put complicated run rules in, so it's best to do it in a separate script which contains the real commands.
Bear in mind that this will delay the accessing of the drive until clam has finished scanning.

There are various tools to use to get a good match pattern; the site I gave you suggests using udevinfo, but there are others like udevadm.

I would also consider putting in a simple naming rule which gets applied before the RUN rule, so that your script will know exactly which drive to scan.
For example:
Code:

SUBSYSTEM=="usb", ATTRS{name}=="usb-Kingston_DataTraveler_2.0_0019E06B58BBA941D2CF029F-part1", NAME="my_flash_drive"
This gives access to the flash drive at /dev/my_flash_drive.

Again, that will not work as it is, you have to find out what the appropriate name is using the udevadm tool.

schuurs 03-29-2010 07:33 AM

I finished the udev rule and the script to scan a flash-drive for viruses when mounted.
They are working now.

"/etc/udev/rules.d/99-scan-UsbStorage.rules"

Code:

# Name the first partition of a USB storage device /dev/flash_drive and start the scan.
# Keys must be separated by commas. udev runs RUN programs without a shell, so a bare
# trailing '&' would just be passed to the script as an argument; wrapping the call in
# /bin/sh -c makes the scan really run in the background so udev is not held up by it.
KERNEL=="sd*1", SUBSYSTEM=="block", DRIVER=="usb-storage", NAME="flash_drive", RUN+="/bin/sh -c '/etc/udev/scripts/clamscan.sh &'"
"clamscan.sh"
Code:

#!/bin/ksh
# Scan a newly plugged flash drive with ClamAV and report the result with zenity.
# Started by the udev rule in /etc/udev/rules.d/99-scan-UsbStorage.rules,
# which names the partition /dev/flash_drive.
# Note: a fixed file name in world-writable /tmp, written by root, can be hijacked
# with a symlink; a root-owned directory such as /var/log is the safer place for it.
file="/tmp/clamscan.log"
export DISPLAY=":0.0"

zenity --info --width=180 --title="Clam Anti Virus" --text="Executing virus scan on flashdrive" &

if [ -f "$file" ]; then
        rm -f "$file"
fi

date > "$file"

# The filesystem label is also the name of the mount point under /media.
# Match the exact ID_FS_LABEL= line so that ID_FS_LABEL_SAFE is not picked up as well.
flashdisk_dir=`udevinfo -q all -p $(udevinfo -q path -n /dev/flash_drive) | grep "^E: ID_FS_LABEL=" | awk -F "=" '{print $2}'`

if [ -z "$flashdisk_dir" ]; then
        echo "No filesystem label found for /dev/flash_drive, nothing to scan" >> "$file"
        exit 1
fi

# udev fires before the desktop has mounted the drive; wait up to 30 s for the mount point.
i=0
while ! grep -q " /media/$flashdisk_dir " /proc/mounts && [ $i -lt 30 ]; do
        sleep 1
        i=$((i + 1))
done

# -r scans the whole mount point recursively, hidden files included.
/usr/local/bin/clamscan -r --bell "/media/$flashdisk_dir" >> "$file" 2>&1

if [ -f "$file" ]; then
        file_content=`date; tail --lines 10 "$file"; echo "\nSee $file for more information"`

        #zenity --text-info --title="Clam Anti Virus" --filename="$file" &
        zenity --info --width=180 --title="Clam Anti Virus" --text="$file_content" &
fi

exit 0
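The script above shows only the last ten lines of the log and never looks at clamscan's exit status (0 clean, 1 infected, 2 error), so an infected drive is easy to miss. As an added example, not part of the thread or the poster's script, here is a POSIX sh fragment that turns the exit status and log into a verdict, a list of detections and a syslog priority; the sample log is constructed in clamscan's report format and the function names are my own.

```shell
#!/bin/sh
# Added example: interpret a clamscan run for the udev-triggered scan script.

# clamscan_verdict EXITCODE LOGFILE -> "CLEAN", "INFECTED <n>" or "ERROR <code>"
clamscan_verdict() {
    case "$1" in
        0) echo "CLEAN" ;;
        1) n=$(sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' "$2")
           echo "INFECTED ${n:-unknown}" ;;
        *) echo "ERROR $1" ;;
    esac
}

# clamscan_findings LOGFILE -> one "path: signature" line per detection
# (clamscan reports each hit as "<path>: <signature> FOUND")
clamscan_findings() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\1: \2/p' "$1"
}

# clamscan_priority EXITCODE -> syslog priority to use with logger(1)
clamscan_priority() {
    case "$1" in 0) echo notice ;; 1) echo alert ;; *) echo err ;; esac
}

# clamscan_message EXITCODE LOGFILE -> text for the zenity dialog
clamscan_message() {
    printf 'Flash drive scan result: %s\n' "$(clamscan_verdict "$1" "$2")"
    [ "$1" -eq 1 ] && clamscan_findings "$2"
    printf 'See %s for the full report\n' "$2"
}

# Constructed sample log in clamscan's format (not output from the poster's system).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
/media/KINGSTON/report.doc: OK
/media/KINGSTON/setup.exe: Eicar-Test-Signature FOUND
/media/KINGSTON/notes.txt: OK

----------- SCAN SUMMARY -----------
Scanned files: 3
Infected files: 1
EOF

# In clamscan.sh this would follow the scan, e.g.:
#   clamscan -r ... >> "$file" 2>&1; rc=$?
#   logger -p "user.$(clamscan_priority $rc)" -t clamscan-usb "$(clamscan_verdict $rc "$file")"
#   zenity --info --title="Clam Anti Virus" --text="$(clamscan_message $rc "$file")" &
clamscan_message 1 "$SAMPLE_LOG"
```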
