Difference between revisions of "Anti virus"
(Created page with ' == Description == ASL has a kernel space anti-virus module. As of version 2.2.6 this module is not activated by default. The basic behaviour when activated is to mark up malwar…') |
m |
||
Line 1: | Line 1: | ||
− | |||
== Description == | == Description == | ||
− | ASL has a kernel space anti-virus module. As of version 2.2.6 this module is not activated by default. The basic behaviour when activated is | + | ASL has a kernel space anti-virus/anti-malware module. As of version 2.2.6 this module is not activated by default. The basic behaviour when activated is prevent the malware from being read, and send an alert via logs. |
Line 19: | Line 18: | ||
CLAMAV_ENABLED="yes" | CLAMAV_ENABLED="yes" | ||
CLAMAV_ENABLE_DAZUKO="yes" | CLAMAV_ENABLE_DAZUKO="yes" | ||
+ | CLAMAV_TCPADDRESS="127.0.0.1" | ||
+ | CLAMAV_SCANONACCESS="yes" | ||
+ | CLAMAV_SCANONOPEN="yes" | ||
+ | CLAMAV_SCANONCLOSE="yes" | ||
+ | CLAMAV_SCANONEXEC="yes" | ||
+ | CLAMAV_CLAMUKO_MAXFILESIZE="10m" | ||
+ | |||
Step 4) Set directories to monitor in /etc/asl/dazuko-include. (Note this file may not exist, this is normal). One line per entry | Step 4) Set directories to monitor in /etc/asl/dazuko-include. (Note this file may not exist, this is normal). One line per entry | ||
Line 24: | Line 30: | ||
/path/to/directory | /path/to/directory | ||
/path/to/directory2 | /path/to/directory2 | ||
+ | |||
+ | We do not recommend you set your entire filesystem to be monitored. This is not necessary on most Linux systems, and in general is pointless for a privileged user like root. We recommend you only configure the system to scan directories non-priviliged users can write, upload and modify code in. For example, these directories are a good starting point for most systems: | ||
+ | |||
+ | /var/www/ | ||
+ | /home | ||
+ | /var/tmp | ||
+ | /tmp | ||
Step 5) Optional, set directories to exclude in /etc/asl/dazuko-exclude. (Note this file may not exist, this is normal). One line per entry | Step 5) Optional, set directories to exclude in /etc/asl/dazuko-exclude. (Note this file may not exist, this is normal). One line per entry | ||
Line 29: | Line 42: | ||
/path/to/directory/exclude1 | /path/to/directory/exclude1 | ||
/path/to/directory/exclude2 | /path/to/directory/exclude2 | ||
+ | |||
+ | If you are running a control panel, such as Plesk, that puts apache configuration files in /var/www, you have included /var/www in dazukos include paths (a good idea for web servers), and those configuration files and directories can only be modified by root (which is the case with Plesk), then you should exclude those directories. They contains dozens of files each, and failure to exclude them will cause long startup times for Apache as clamd will be forced to scan every configuration file. This is unnecessary and will take several minutes to complete. The directories you should exclude are: | ||
+ | |||
+ | /var/www/vhosts/www.example.com/statistics/ | ||
+ | /var/www/vhosts/www.example.com/conf/ | ||
+ | /var/www/vhosts/www.example.com/pd/ | ||
+ | |||
+ | |||
+ | A future version of [[ASL]] will configure this automatically. | ||
Step 6) Update the security policy with: | Step 6) Update the security policy with: |
Revision as of 10:01, 4 October 2010
Description
ASL has a kernel space anti-virus/anti-malware module. As of version 2.2.6 this module is not activated by default. The basic behaviour when activated is prevent the malware from being read, and send an alert via logs.
Installation
Step 1) ASL kernel 2.6.29 and above required
Step 2) Install kernel modules
yum install kmod-dazuko
Step 3) Enable setting in /etc/asl/config
CLAMAV_ENABLED="yes" CLAMAV_ENABLE_DAZUKO="yes" CLAMAV_TCPADDRESS="127.0.0.1" CLAMAV_SCANONACCESS="yes" CLAMAV_SCANONOPEN="yes" CLAMAV_SCANONCLOSE="yes" CLAMAV_SCANONEXEC="yes" CLAMAV_CLAMUKO_MAXFILESIZE="10m"
Step 4) Set directories to monitor in /etc/asl/dazuko-include. (Note this file may not exist, this is normal). One line per entry
/path/to/directory /path/to/directory2
We do not recommend you set your entire filesystem to be monitored. This is not necessary on most Linux systems, and in general is pointless for a privileged user like root. We recommend you only configure the system to scan directories non-priviliged users can write, upload and modify code in. For example, these directories are a good starting point for most systems:
/var/www/ /home /var/tmp /tmp
Step 5) Optional, set directories to exclude in /etc/asl/dazuko-exclude. (Note this file may not exist, this is normal). One line per entry
/path/to/directory/exclude1 /path/to/directory/exclude2
If you are running a control panel, such as Plesk, that puts apache configuration files in /var/www, you have included /var/www in dazukos include paths (a good idea for web servers), and those configuration files and directories can only be modified by root (which is the case with Plesk), then you should exclude those directories. They contains dozens of files each, and failure to exclude them will cause long startup times for Apache as clamd will be forced to scan every configuration file. This is unnecessary and will take several minutes to complete. The directories you should exclude are:
/var/www/vhosts/www.example.com/statistics/ /var/www/vhosts/www.example.com/conf/ /var/www/vhosts/www.example.com/pd/
A future version of ASL will configure this automatically.
Step 6) Update the security policy with:
asl -s -f
Step 7) Reboot
reboot