LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-23-2010, 08:18 AM   #1
schuurs
Member
 
run clamav on mount of flashdrive


Hello,

I am working on a production system on which it is not advisable to enable on-access scanning using Dazuko. However, I want to do an automatic scan with clamscan when the flashdrive is mounted. As far as I know, Kudzu is arranging the automount of the flashdrives.

Does somebody have an idea how this can be done best?

The distro I am using is RHEL5u3.
 
Old 03-23-2010, 08:26 AM   #2
smoker
Senior Member
 
Look into udev rules: http://reactivated.net/writing_udev_rules.html
 
Old 03-24-2010, 09:24 AM   #3
schuurs
Member
 
Original Poster
Dear Smoker,

I read the document to which your link was pointing and I will try this.

Thank you
 
Old 03-25-2010, 07:58 AM   #4
schuurs
Member
 
Original Poster
I am trying the following rule.

Code:
KERNEL=="sd*1", DRIVER=="usb-storage", RUN+="/usr/local/bin/clamscan /media* > /tmp/clamav.log"
When plugging in the flashdrive, it will get the kernel name sdd1, but I cannot tell if clamscan is executed.

I tried udevtest and it shows:
Code:
main: looking at device '/block/sdd/sdd1' from subsystem 'block'
run_program: '/bin/bash -c '/sbin/lsmod | /bin/grep ^dm_multipath''
run_program: '/bin/bash' (stdout) 'dm_multipath           55257  0 '
run_program: '/bin/bash' returned with status 0
udev_rules_get_name: add symlink 'disk/by-id/usb-Kingston_DataTraveler_2.0_0019E06B58BBA941D2CF029F-part1'
udev_rules_get_name: add symlink 'disk/by-path/pci-0000:00:1d.7-usb-0:7:1.0-scsi-0:0:0:0-part1'
udev_node_mknod: mknod(/dev/.tmp-8-49, 060600, 8, 49) failed: Permission denied
run_program: '/lib/udev/vol_id --export /dev/.tmp-8-49'
run_program: '/lib/udev/vol_id' (stderr) '/dev/.tmp-8-49: error open volume'
run_program: '/lib/udev/vol_id' returned with status 2
udev_rules_get_name: no node name set, will use kernel name 'sdd1'
unlink_secure: chown(/dev/.tmp-8-49, 0, 0) failed: No such file or directory
unlink_secure: chmod(/dev/.tmp-8-49, 0000) failed: No such file or directory
udev_device_event: device '/block/sdd/sdd1' already in database, validate currently present symlinks
udev_node_add: creating device node '/dev/sdd1', major = '8', minor = '49', mode = '0640', uid = '0', gid = '6'
udev_node_add: creating symlink '/dev/disk/by-id/usb-Kingston_DataTraveler_2.0_0019E06B58BBA941D2CF029F-part1' to '../../sdd1'
udev_node_add: creating symlink '/dev/disk/by-path/pci-0000:00:1d.7-usb-0:7:1.0-scsi-0:0:0:0-part1' to '../../sdd1'
udev_node_remove_symlinks: removing symlink '/dev/disk/by-uuid/E0FD-1813'
delete_path: rmdir(/dev/disk/by-uuid) failed: Permission denied
udev_node_remove_symlinks: removing symlink '/dev/disk/by-label/KINGSTON'
delete_path: rmdir(/dev/disk/by-label) failed: Permission denied
main: run: '/usr/local/bin/clamscan /media/* > /tmp/clamav.log 2>&1;/usr/bin/nedit /tmp/clamav.log '
main: run: '/sbin/multipath -v0 8:49'
main: run: 'socket:/org/kernel/udev/monitor'
main: run: '/lib/udev/udev_run_devd'
main: run: 'socket:/org/freedesktop/hal/udev_event'
main: run: '/sbin/pam_console_apply /dev/sdd1 /dev/disk/by-uuid/E0FD-1813 /dev/disk/by-label/KINGSTON'

Last edited by schuurs; 03-29-2010 at 07:35 AM.
 
Old 03-25-2010, 08:50 AM   #5
smoker
Senior Member
 
You are not matching properly.

I would have used something like
Code:
SUBSYSTEM=="usb", ATTRS{name}=="usb-Kingston_DataTraveler_2.0_0019E06B58BBA941D2CF029F-part1", RUN+="/home/myusername/myscript.sh"
I don't believe that line will work as it is, you need to find the correct match.

You can't put complicated run rules in, so it's best to do it in a separate script which contains the real commands.
Bear in mind that this will delay the accessing of the drive until clam has finished scanning.

There are various tools to use to get a good match pattern; the site I gave you suggests using udevinfo, but there are others like udevadm.

I would also consider putting a simple naming rule in which gets applied before the RUN rule so that your script will know exactly which drive to scan.
for example :
Code:
SUBSYSTEM=="usb", ATTRS{name}=="usb-Kingston_DataTraveler_2.0_0019E06B58BBA941D2CF029F-part1", NAME="my_flash_drive"
This gives access to the flash drive at /dev/my_flash_drive.

Again, that will not work as it is, you have to find out what the appropriate name is using the udevadm tool.

Last edited by smoker; 03-25-2010 at 09:03 AM.
 
Old 03-29-2010, 07:33 AM   #6
schuurs
Member
 
Original Poster

I finished the udev rule and the script to scan a flash-drive for viruses when mounted.
They are working now.

"/etc/udev/rules.d/99-scan-UsbStorage.rules"

Code:
# udev does not run RUN programs through a shell: a trailing "&" is passed to the
# script as its first argument instead of putting it in the background, so the
# script itself has to return quickly or detach.
# (udev 095 on RHEL5 walks the parent chain for DRIVER==; later udev spells that
# DRIVERS== and no longer lets NAME= rename a block device node; use SYMLINK+= there.)
KERNEL=="sd*1", SUBSYSTEM=="block", DRIVER=="usb-storage", NAME="flash_drive", RUN+="/etc/udev/scripts/clamscan.sh"
"clamscan.sh"
Code:
#!/bin/ksh
# Log under a root-owned directory instead of /tmp: this script runs as root,
# and any local user could pre-create /tmp/clamscan.log (or a symlink there).
file="/var/log/clamscan.log"
export DISPLAY=":0.0"   # root must be allowed to talk to :0 (xhost or XAUTHORITY)

zenity --info --width=180 --title="Clam Anti Virus" --text="Executing virus scan on flashdrive" &

rm -f "$file"
date > "$file"

# Filesystem label of /dev/flash_drive (the node the udev rule names). Match the
# exact key: a plain grep for ID_FS_LABEL also returns the ID_FS_LABEL_SAFE line.
flashdisk_dir=$(udevinfo -q all -p "$(udevinfo -q path -n /dev/flash_drive)" | sed -n 's/^E: ID_FS_LABEL=//p')

# The label is written by whoever prepared the drive, so it is untrusted input:
# refuse anything empty or anything that could point outside /media.
case "$flashdisk_dir" in
    ""|.|..|*/*|*[!A-Za-z0-9_. -]*)
        echo "Refusing to scan: bad or missing volume label '$flashdisk_dir'" >> "$file"
        exit 1 ;;
esac

# This RUN entry fires when the device node appears, which can be before HAL
# has mounted the drive; do not let clamscan fall through to scanning /media.
if [ ! -d "/media/$flashdisk_dir" ]; then
    echo "/media/$flashdisk_dir is not mounted, nothing scanned" >> "$file"
    exit 1
fi

/usr/local/bin/clamscan -r --bell "/media/$flashdisk_dir" >> "$file" 2>&1

file_content=$(date; tail --lines 10 "$file"; printf '\nSee %s for more information\n' "$file")

#zenity --text-info --title="Clam Anti Virus" --filename="$file" &
zenity --info --width=180 --title="Clam Anti Virus" --text="$file_content" &

exit 0

Last edited by schuurs; 03-29-2010 at 07:34 AM.
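Posts #5 and #6 between them describe the mechanism: a udev rule matches the partition, RUN+= hands off to a script, the script works out where the stick is and runs clamscan, and udev waits while it does. The handler below is an added example rather than the poster's script or anything shipped with udev or ClamAV; it shows the two things a practitioner would want on top of that: it detaches the scan so the RUN entry returns at once, and it takes the mount point from /proc/mounts instead of building /media/<label> from a label the drive itself supplies. The rule file name, the script path, the function names and the log path are assumptions; DEVNAME is the device node udev exports to RUN programs; the mounts table in the test is constructed. Detaching works for RHEL5's udev 095 but not under systemd-udevd, which kills whatever an event leaves running once the event completes; there the rule should start a unit (ENV{SYSTEMD_WANTS}) rather than a long-running RUN program.

```sh
#!/bin/sh
# Added example: a udev RUN handler that scans a freshly mounted USB stick.
# Hypothetical rule (/etc/udev/rules.d/99-scan-usb.rules, assumed, not from the thread):
#   KERNEL=="sd*[0-9]", SUBSYSTEM=="block", DRIVER=="usb-storage", RUN+="/etc/udev/scripts/scan-usb.sh"
# (udev 095 on RHEL5 walks the parent chain for DRIVER==; newer udev spells that DRIVERS==.)
# udev exports DEVNAME (e.g. /dev/sdd1) to RUN programs; nothing below trusts the
# filesystem label to build a path.

CLAMSCAN="${CLAMSCAN:-/usr/local/bin/clamscan}"
LOG="${LOG:-/var/log/clamscan-usb.log}"   # root-owned directory, not /tmp
MOUNTS="${MOUNTS:-/proc/mounts}"          # mounts table; overridable for testing
MEDIA_ROOT="${MEDIA_ROOT:-/media}"        # where the automounter puts removable media

# Print where DEV is mounted according to the mounts table; return 1 if it is
# not mounted. /proc/mounts escapes spaces as \040, which printf %b decodes.
mountpoint_for_dev() {
    dev="$1"; table="${2:-$MOUNTS}"
    mp=$(awk -v d="$dev" '$1 == d { print $2; exit }' "$table")
    [ -n "$mp" ] || return 1
    printf '%b\n' "$mp"
}

# The RUN entry fires when the device node appears, before HAL has mounted it:
# poll the mounts table for up to TIMEOUT seconds for the mount to show up.
wait_for_mount() {
    dev="$1"; timeout="${2:-60}"; table="${3:-$MOUNTS}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if mp=$(mountpoint_for_dev "$dev" "$table"); then
            printf '%s\n' "$mp"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Only scan a directory the automounter created directly under MEDIA_ROOT, and
# never anything with a ".." component (a /proc/mounts path is canonical anyway).
scan_target_ok() {
    case "$1" in
        */../*|*/..) return 1 ;;
        "$MEDIA_ROOT"/?*) [ -d "$1" ] ;;
        *) return 1 ;;
    esac
}

# Run clamscan over MP, appending to LOG; return clamscan's exit status
# (0 clean, 1 infected files found, 2 error).
scan_mountpoint() {
    mp="$1"
    {
        date
        echo "scanning $mp"
        "$CLAMSCAN" -r --infected "$mp"
        rc=$?
        echo "clamscan exit status: $rc"
    } >> "$LOG" 2>&1
    return "$rc"
}

main() {
    [ -n "${DEVNAME:-}" ] || { echo "DEVNAME not set; run from udev" >&2; return 2; }
    # udev waits for RUN programs, so do the slow part in a detached child and
    # return at once. (systemd-udevd kills such children when the event ends;
    # there, start a unit via ENV{SYSTEMD_WANTS} instead of a RUN program.)
    (
        mp=$(wait_for_mount "$DEVNAME" 60) || exit 1
        scan_target_ok "$mp" || exit 1
        scan_mountpoint "$mp"
    ) </dev/null >/dev/null 2>&1 &
    return 0
}

# Only act when udev invoked us; sourcing the file just defines the functions.
case "${DEVNAME:-}" in "") ;; *) main ;; esac
```

Run from the rule as root with no arguments; MOUNTS, MEDIA_ROOT, CLAMSCAN and LOG can be overridden in the environment, which is also how the functions are exercised against a fake mounts table. A label such as `..` or `x/../../etc` never becomes part of a path here, and anything HAL did not mount directly under /media, or that is not mounted within 60 seconds, is skipped with nothing written outside the log.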
 
  

