Solved File and Directory Watcher

Grzegorz

Hi,
I've installed security/clamav, and I want to scan all files on a create or change event.

I heard that kqueue(2) can do it, but it includes all subdirectories and can't return the file path of the file that fired the event.

I was testing sysutils/watchman and other solutions, but with no results.
In desperation I made a bash script that tails the vsftpd log and fires ClamAV, except when the user is chrooted.

Is there any solution that gives the functionality I described above?

P.S. Sorry for my English
Best regards
 
Grzegorz

Thanks for the reply!
I have tested auditd(8) and it's good enough, but when I try to spy on the /usr/home directory and the events are triggered by vsFTPd with the chroot option, the path in the logs is empty. Maybe someone has fixed that?

---

Ok, I don't know why, but after a few service restarts it's running correctly.
I've written a simple bash script that filters paths and it's working :)

Big thanks to you!
 

junovitch@

Can you share your configuration changes from the default and the simple script you used? That would be incredibly useful to someone trying to solve the same problem in the future. If you add that, I would appreciate it if you mark this as solved as well ("Thread tools" at the top, "Edit Thread", click the Solved prefix).

Thanks!
 
Grzegorz

Hi junovitch@!

Ok, so I have installed auditd(8) and configured it like this:

Code:
[root@~]# cat /etc/security/audit_control
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#9 $
# $FreeBSD: releng/10.2/contrib/openbsm/etc/audit_control 243750 2012-12-01 11:58:08Z rwatson $
#
dir:/var/audit
dist:off
flags:fw,fc
minfree:5
naflags:fc,fw
policy:cnt,argv
filesz:50M
expire-after:50M

The only important settings are flags and naflags. We need to specify the event classes that are reported (fw - file write, fc - file create).

We can configure auditd not to report some services, some users, etc., but I do the filtering in a simple bash script.
So it is:
Code:
#!/usr/local/bin/bash
# Watch the audit pipe for file write/create events and scan the
# new or changed files under the watched directories with clamdscan.
email="<YOUR EMAIL ADDRESS>"
log=/root/VirusScan.log
subject="Virus detected"
content="Virus detected on path"

praudit /dev/auditpipe | while read -r line; do
  # only "path,<file>" tokens carry the file name
  if echo "$line" | grep -q "^path,"; then
      file=${line:5}    # strip the leading "path,"
      if [[ $file == *"/usr/home/"* ]] || [[ $file == *"/usr/www/"* ]]; then
        if [ -f "$file" ]; then
            echo "$file" >> "$log"
            sudo clamdscan --no-summary --remove "$file" | while read -r result; do
              if [[ $result == *": Removed."* ]]; then
                  echo "$content: $file" | mail -s "$subject" "$email"
              fi
            done
        fi
      fi
  fi
done

I saw one big problem: when I upload many files, after some time auditd doesn't give the path name.
We need to restart auditd.

Maybe someone has a solution :)
Best regards!
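The posted script treats every "path," line it sees as a file to scan, whether or not the open succeeded, and silently skips records that arrive without a path (the failure mode described above). The following is an added example, not code from this thread or from the OpenBSM or ClamAV projects: it groups praudit(1) token lines into records, reports a path only when the record's return token says success, handles records with several path tokens, and prints a warning on stderr for a successful record that carries no path at all, so the "auditd stopped giving paths" condition becomes visible instead of going unnoticed. It assumes praudit's default comma-separated text output (header, path, return and trailer tokens); the sample audit lines are constructed for illustration, and the clamdscan --fdpass flag is used on the assumption that clamd runs as an unprivileged user that cannot read the uploaded files itself.

```shell
#!/bin/sh
# Added example, not from the thread: a praudit(1) record filter for
# on-write virus scanning. Assumed praudit text format: one record is a
# run of lines "header,...", zero or more "path,<p>", "return,<status>,<v>",
# "trailer,...". Only successful events are reported, every path token of a
# record is checked, and path-less records are flagged on stderr.

# audit_paths PREFIX... : read praudit lines on stdin, print matching paths.
audit_paths() {
    hdr=''; paths=''; status=''
    while IFS=, read -r tok rest; do
        case "$tok" in
            header)
                hdr=$rest; paths=''; status='' ;;
            path)
                # A record may carry several path tokens (rename, link, ...).
                if [ -n "$rest" ]; then
                    paths="${paths}${rest}
"
                fi ;;
            return)
                status=${rest%%,*} ;;      # "success" or "failure : <reason>"
            trailer)
                [ "$status" = success ] || continue
                if [ -z "$paths" ]; then
                    printf 'audit_paths: record without path token: %s\n' "$hdr" >&2
                    continue
                fi
                printf '%s' "$paths" | while IFS= read -r p; do
                    for prefix in "$@"; do
                        case "$p" in
                            "$prefix"*) printf '%s\n' "$p"; break ;;
                        esac
                    done
                done ;;
        esac
    done
}

# scan_paths: scan each path read from stdin that still exists as a regular
# file. --fdpass hands clamd an open descriptor, so clamd can read files its
# own user could not (assumption: clamd runs unprivileged, local socket).
scan_paths() {
    while IFS= read -r f; do
        [ -f "$f" ] && clamdscan --no-summary --fdpass "$f"
    done
}

# Constructed sample, not real audit output: a matching write, a write outside
# the watched trees, a failed open, a record with no path token at all, and a
# rename carrying two path tokens.
SAMPLE_AUDIT='header,145,11,open(2) - write,creat,0,Mon Oct 12 10:00:00 2015, + 100 msec
path,/usr/home/alice/upload.bin
attribute,100644,alice,alice,90,1234,0
subject,alice,alice,alice,alice,alice,1201,1201,0,192.0.2.10
return,success,4
trailer,145
header,130,11,open(2) - write,0,Mon Oct 12 10:00:01 2015, + 200 msec
path,/etc/passwd
subject,root,root,wheel,root,wheel,1202,1202,0,192.0.2.10
return,success,5
trailer,130
header,130,11,open(2) - write,creat,0,Mon Oct 12 10:00:02 2015, + 300 msec
path,/usr/home/bob/secret
subject,bob,bob,bob,bob,bob,1203,1203,0,192.0.2.11
return,failure : Permission denied,-1
trailer,130
header,110,11,open(2) - write,creat,0,Mon Oct 12 10:00:03 2015, + 400 msec
subject,carol,carol,carol,carol,carol,1204,1204,0,192.0.2.12
return,success,6
trailer,110
header,160,11,rename(2),0,Mon Oct 12 10:00:04 2015, + 500 msec
path,/usr/www/site/index.html.tmp
path,/usr/www/site/index.html
subject,www,www,www,www,www,1205,1205,0,192.0.2.13
return,success,0
trailer,160'

# demo: run the filter over the constructed sample; prints the three paths
# under /usr/home/ and /usr/www/ from successful records, warns once on stderr.
demo() {
    printf '%s\n' "$SAMPLE_AUDIT" | audit_paths /usr/home/ /usr/www/
}

# Live use:
#   praudit /dev/auditpipe | audit_paths /usr/home/ /usr/www/ | scan_paths
```

The scan step still runs after the write has completed, so a file can be replaced between the audit event and the clamdscan call; the `[ -f ]` check only guards against the file having disappeared, not against a swap, and the warning on stderr is the signal to restart auditd when paths stop arriving.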
 