Anti virus

From Atomicorp Wiki
Revision as of 15:25, 3 January 2013 by Mshinn (Talk | contribs)

Jump to: navigation, search

Contents

Description

ASL has a kernel space anti-virus/anti-malware module. This module is not activated by default. The basic behaviour when activated is to prevent the malware from being read, executed or written to the hard disk, and to send an alert via logs, email and the ASL gui.

Installation

Step 1) ASL kernel 2.6.29 and above required


Step 2) Install kernel modules

 yum install kmod-dazuko

Step 3) if your kernel is locked (this is the default), you will need to reboot your system.

Configuration

Enable

Enable the appropriate settings in the ASL GUI for your needs. Please see the ASL AntiMalware Configuration documentation.

These are the recommended settings:

Option Recommended Setting
CLAMAV_ENABLED yes
CLAMAV_ENABLE_DAZUKO yes
CLAMAV_TCPADDRESS 127.0.0.1
CLAMAV_SCANONOPEN yes
CLAMAV_SCANONCLOSE yes
CLAMAV_SCANONEXEC yes
CLAMAV_CLAMUKO_MAXFILESIZE 10m

Set directories to protect/monitor

Set directories to monitor in /etc/asl/dazuko-include. (Note this file may not exist, this is normal). One line per entry

 /path/to/directory
 /path/to/directory2

Do not set your entire filesystem to be monitored. This is not necessary on Linux systems, will waste a tremendous amount of CPU resources, and in general is pointless for a privileged user like root (root could just turn off the system). We recommend that you configure the system to scan directories that only non-privileged users can write, upload and modify code in. For example, these directories are a good starting point for most systems:

 /var/www/
 /home
 /var/tmp
 /tmp

Note: This is a starting point, see the section on excluding directories below. Many control panel products will setup subdirectories in /home and /var/www that should never be monitored, as they are both not writable by the domain users, and contain files and logs that change often and will waste CPU resources when scanned.

DO NOT INCLUDE DIRECTORIES such as these:

Signature directories:

 /var/clamav
 /var/lib/clamav
 /etc/httpd/modsecurity.d/

Log directories:

 /home/user/apache/log
 /var/log

Build directories:

 /home/cpeasyapache
 /home/.cpan
 /home/.cpanm
 /home/.cpanan

Your should also never include system directories, such as /proc, /selinux, /sys and /dev.

Set directories to exclude

Set directories to exclude in /etc/asl/dazuko-exclude. (Note this file may not exist, this is normal). One line per entry

 /path/to/directory/exclude1
 /path/to/directory/exclude2

Plesk notes

If you are running a control panel, such as Plesk, that puts apache configuration files in /var/www and if you have included /var/www in dazukos include paths (a good idea for web servers), and those configuration files and directories can only be modified by root (which is the case with Plesk), then you should exclude those directories. They contains dozens of files each, and a failure to exclude them will cause long startup times for Apache as the antimalware system will be forced to scan every configuration file (which is not necessary). This is unnecessary and will take several minutes to complete. The directories you should exclude, at minimum, are:

 /var/www/vhosts/www.example.com/statistics/
 /var/www/vhosts/www.example.com/conf/
 /var/www/vhosts/www.example.com/pd/

Replace www.example.com with your domain names. You can not use wildcards. If you are using a system that puts your virtual hosts in /var/www/vhosts you can use this command to get a list of directories to ignore:

 find /var/www/vhosts/ -type d  | egrep "/(statistics|conf|pd)$"

A future version of ASL will configure this automatically.

CPanel Notes

If you are running a control panel, such as CPanel, that puts its build direcory and apache logs files in /home and if you have included /home in dazukos include paths (a good idea for CPanel web servers), and those build and logs files and directories can only be modified by root (which is the default case with Cpanel), then you should exclude those directories. They contains thousands of files and a failure to exclude them will cause long startup times for Apache as the antimalware system will be forced to scan every configuration file (which is not necessary). This is unnecessary and will take several minutes to complete. The directories you should exclude, at minimum, are:

 /home/cpeasyapache
 /home/.cpan
 /home/.cpanm
 /home/.cpcpan
 /home/cptmp
 /home/installd

If /home is mounted as its own filesystem, you will also want to exclude this directory:

 /home/lost+found

You can not use wildcards.

A future version of ASL will configure this automatically.

Other control panels

For other controls, such as Interworx, etc. you will want to exclude any configuration, log, and build (if any) directories as per the examples above (your directories will vary). In particular you will want to exclude any locally generated Apache logs. For example, with Interworx you will also want to exclude directories such as:

 /home/example/var/example.com/logs

Update policy

Update the security policy with:

 asl -s -f

Reboot

If you are not already using the ASL kernel, you will need to reboot the system into the ASL kernel.

 reboot

If you are using the ASL kernel, and you have not changed the CLAMAV* defaults, you should not need to reboot.

Personal tools