Difference between revisions of "Anti virus"

From Atomicorp Wiki

Revision as of 22:28, 10 March 2012

Description

ASL has a kernel space anti-virus/anti-malware module. As of version 2.2.6 this module is not activated by default. The basic behaviour when activated is to prevent the malware from being read and to send an alert via the logs.


Installation

Step 1) An ASL kernel, version 2.6.29 or above, is required.


Step 2) Install kernel modules

 yum install kmod-dazuko

Configuration

Step 1) Enable the appropriate settings in the ASL GUI for your needs. Each of the options below is documented in the ASL GUI; please see the GUI for details on what these do.

These are the recommended settings:

 CLAMAV_ENABLED="yes"
 CLAMAV_ENABLE_DAZUKO="yes"
 CLAMAV_TCPADDRESS="127.0.0.1"
 CLAMAV_SCANONACCESS="yes"
 CLAMAV_SCANONOPEN="yes"
 CLAMAV_SCANONCLOSE="yes"
 CLAMAV_SCANONEXEC="yes"
 CLAMAV_CLAMUKO_MAXFILESIZE="10m"


Step 2) Set directories to monitor in /etc/asl/dazuko-include. (Note this file may not exist, this is normal). One line per entry

 /path/to/directory
 /path/to/directory2

We do not recommend you set your entire filesystem to be monitored. This is not necessary on most Linux systems, will waste CPU resources, and in general is pointless for a privileged user like root. We recommend that you configure the system to scan directories that non-privileged users can write, upload and modify code in. For example, these directories are a good starting point for most systems:

 /var/www/
 /home
 /var/tmp
 /tmp

DO NOT INCLUDE SIGNATURE DIRECTORIES such as:

 /var/clamav
 /var/lib/clamav
 /etc/httpd/modsecurity.d/

You should also not include system directories, such as /proc, /sys and /dev.

Step 3) Set directories to exclude in /etc/asl/dazuko-exclude. (Note this file may not exist, this is normal). One line per entry

 /path/to/directory/exclude1
 /path/to/directory/exclude2

If you are running a control panel, such as Plesk, that puts apache configuration files in /var/www, and you have included /var/www in dazuko's include paths (a good idea for web servers), and those configuration files and directories can only be modified by root (which is the case with Plesk), then you should exclude those directories. They contain dozens of files each, and a failure to exclude them will cause long startup times for Apache, as the antimalware system will be forced to scan every configuration file. This is unnecessary and will take several minutes to complete. The directories you should exclude, at minimum, are:

 /var/www/vhosts/www.example.com/statistics/
 /var/www/vhosts/www.example.com/conf/
 /var/www/vhosts/www.example.com/pd/

Replace www.example.com with your domain names. You cannot use wildcards. If you are using a system that puts your virtual hosts in /var/www/vhosts you can use this command to get a list of directories to ignore:

 find /var/www/vhosts/ -type d  | egrep "/(statistics|conf|pd)$"

A future version of ASL will configure this automatically.

Step 4) Update the security policy with:

 asl -s -f

Step 5) Reboot

 reboot
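The following is an added example, not part of the Atomicorp wiki or of ASL itself: a small POSIX sh helper that checks a dazuko-include list against the rules in Steps 2 and 3 (no whole-filesystem entry, no signature directories, no /proc, /sys or /dev) and produces the Plesk-style exclude entries using the same find pattern as above. File paths are passed as arguments; the demo uses constructed sample data in a temporary directory and writes nothing to /etc/asl.

```shell
#!/bin/sh
# Added example (not from the Atomicorp wiki): validate a dazuko-include list
# and generate dazuko-exclude entries for Plesk-style vhosts.

# Prints each include entry that this page says must NOT be monitored:
# the whole filesystem, ClamAV/ModSecurity signature dirs, /proc, /sys, /dev.
# Returns 1 if any such entry is present, 0 otherwise.
check_dazuko_include() {
    include_file=$1
    bad=0
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        # strip trailing slashes so "/var/clamav/" and "/var/clamav" compare equal
        norm=$(printf '%s' "$entry" | sed 's#/*$##')
        [ -z "$norm" ] && norm=/
        case "$norm" in
            /|/var/clamav|/var/lib/clamav|/etc/httpd/modsecurity.d|/proc|/sys|/dev)
                echo "refuse: $entry"
                bad=1 ;;
        esac
    done < "$include_file"
    return $bad
}

# Lists the per-domain statistics/, conf/ and pd/ directories under a vhosts
# root, one per line, ready to append to dazuko-exclude (no wildcards needed).
# Same pattern as the wiki's find | egrep, with the root made configurable.
list_vhost_excludes() {
    vhosts_root=$1
    find "$vhosts_root" -type d | grep -E '/(statistics|conf|pd)$' | sort
}

# Demo on constructed data (stands in for /etc/asl and /var/www/vhosts).
demo() {
    tmp=$(mktemp -d)
    printf '/var/www/\n/home\n/var/lib/clamav\n/proc\n' > "$tmp/dazuko-include"
    mkdir -p "$tmp/vhosts/www.example.com/statistics" \
             "$tmp/vhosts/www.example.com/conf" \
             "$tmp/vhosts/www.example.com/pd" \
             "$tmp/vhosts/www.example.com/httpdocs"
    check_dazuko_include "$tmp/dazuko-include" || echo "include list needs fixing"
    list_vhost_excludes "$tmp/vhosts"
    rm -rf "$tmp"
}
```

Run `demo` to see the two refused entries (/var/lib/clamav and /proc) followed by the three exclude paths; httpdocs is left monitored because non-privileged users can upload into it.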