Author Topic: Zentyal 6.1: clamAV does not work due to missing /var/run/clamav/clamd.ctl  (Read 245 times)

erotavlas

  • Zen Apprentice
  • *
  • Posts: 24
  • Karma: +1/-0
    • View Profile
Hi,
I have a problem with Zentyal community edition 6.1. I have clamAV, which can be reached by the other processes via a unix domain socket (/var/run/clamav/clamd.ctl). ClamAV works well for a while, then the file clamd.ctl disappears from that path and I need to create it manually or restart the system. After boot, the file is automatically created.
I already tried sudo apt-get install clamav-daemon.

This is my file /etc/clamav/clamd.conf
Code: [Select]
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User root
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
StreamMaxLength 10M
LogFileMaxSize 0
LogSyslog false
LogFacility LOG_LOCAL6

This is a script run from crontab:

Code: [Select]
#!/bin/bash
# Nightly signature refresh and scan, run from crontab.
set -u

# update (freshclam is the supported way to do this; kept here for reference)
#freshclam

FILETODOWNLOAD="main.cvd daily.cvd bytecode.cvd"
DBDIR="/var/lib/clamav"

for F in ${FILETODOWNLOAD}; do
  # Download into a temporary file first, so a failed download does not
  # leave clamd without a database (the old version was removed before
  # wget had even started).
  TMP=$(mktemp "${DBDIR}/${F}.XXXXXX")
  if wget -q "http://database.clamav.net/${F}" -O "${TMP}"; then
    sudo chown clamav:clamav "${TMP}"
    sudo chmod 644 "${TMP}"
    mv -f "${TMP}" "${DBDIR}/${F}"
  else
    echo "Download of ${F} failed, keeping the existing copy" >&2
    sudo rm -f "${TMP}"
  fi
done

# scan
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
#EMAIL_MSG="Please see the log file attached."
#EMAIL_FROM="clamav-daily@domain"
#EMAIL_TO="webmaster@domain"
DIRTOSCAN="/var/www /home/master/"

for D in ${DIRTOSCAN}; do
  DIRSIZE=$(du -sh "$D" 2>/dev/null | cut -f1)

  echo "Starting a daily scan of $D directory."
  echo "Amount of data to be scanned is $DIRSIZE."

  # -r recurse into subdirectories, -i print only infected files
  clamscan -ri "$D" >> "$LOGFILE"

  # get the number from the "Infected files: N" summary line
  MALWARE=$(tail "$LOGFILE" | grep Infected | cut -d" " -f3)
  echo "Infected files found in $D: ${MALWARE:-0}"
done

Any idea?
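A quick way to tell the three states apart (socket file missing, file present but nobody listening, clamd alive) is to speak clamd's own protocol over the socket. The script below is an added example and not part of the post or of ClamAV itself; it takes the LocalSocket path from the clamd.conf above and sends clamd's PING command (a z-prefixed command terminated by NUL, answered with PONG and a NUL). The demo() function starts a constructed stand-in for clamd on a temporary socket so the check can be exercised offline; against a real server call ping_clamd() with the real path.

```python
"""Probe clamd's Unix socket: missing file, stale socket, or live daemon (added example)."""
import errno
import os
import socket
import tempfile
import threading

DEFAULT_SOCKET = "/var/run/clamav/clamd.ctl"   # LocalSocket from the clamd.conf above


def ping_clamd(sock_path=DEFAULT_SOCKET, timeout=5.0):
    """Return 'missing', 'stale', 'alive' or 'unexpected:<reply>'.

    clamd's protocol: a 'z'-prefixed command terminated by NUL gets a reply
    terminated by NUL, so PING is sent as b'zPING\\0' and answered b'PONG\\0'.
    """
    if not os.path.exists(sock_path):
        return "missing"        # the file itself is gone: the symptom in this thread
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(sock_path)
    except OSError as e:
        s.close()
        if e.errno == errno.ECONNREFUSED:
            return "stale"      # file present but no listener (the FixStaleSocket case)
        raise
    try:
        s.sendall(b"zPING\0")
        reply = b""
        while not reply.endswith(b"\0") and len(reply) < 64:
            chunk = s.recv(64)
            if not chunk:
                break
            reply += chunk
    finally:
        s.close()
    return "alive" if reply == b"PONG\0" else "unexpected:" + reply.decode("ascii", "replace")


def _fake_clamd(sock_path, ready):
    """Constructed stand-in for clamd: serve one connection, answer PING, then
    exit WITHOUT unlinking the socket file, which leaves a stale socket behind."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with conn:
        cmd = conn.recv(64)
        conn.sendall(b"PONG\0" if cmd == b"zPING\0" else b"UNKNOWN COMMAND\0")
    srv.close()


def demo():
    """Exercise all three outcomes on a temporary socket path; return them."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "clamd.ctl")
    results = {"before": ping_clamd(path)}             # no file yet
    ready = threading.Event()
    server = threading.Thread(target=_fake_clamd, args=(path, ready), daemon=True)
    server.start()
    ready.wait(5)
    results["running"] = ping_clamd(path)              # daemon answers
    server.join(5)
    results["after"] = ping_clamd(path)                # file left behind, nobody listening
    os.unlink(path)
    os.rmdir(workdir)
    return results


if __name__ == "__main__":
    print("demo:", demo())
    print(DEFAULT_SOCKET + ":", ping_clamd())
```

Run as root or as a user that can connect to the socket (the page's records show mode 0666 on clamd.ctl). A "stale" result means clamd died without cleaning up; "missing" means something removed the file or clamd shut down cleanly and has not come back, which is what the rest of this thread tracks down.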

doncamilo

  • Zen Samurai
  • ****
  • Posts: 350
  • Karma: +83/-1
    • View Profile
Re: Zentyal 6.1: clamAV does not work due to missing /var/run/clamav/clamd.ctl
« Reply #1 on: February 20, 2020, 02:31:08 pm »
 :)

I would use auditd to know who is killing the socket.

https://linux.die.net/man/8/auditctl

Cheers!
"That place... is strong with the
dark side of the Force.  A domain
of evil it is.  In you must go."

Yoda.

erotavlas
Quote from: doncamilo
 :)

I would use auditd to know who is killing the socket.

https://linux.die.net/man/8/auditctl

Cheers!

Thank you for your reply, I did not know about this useful software. So far I am still not able to track which process is deleting the file. I installed auditd and configured it as described at https://www.techrepublic.com/article/how-to-monitor-events-on-your-linux-data-center-servers-with-auditd/.
This is my /etc/audit/rules.d/audit.rules:
Code: [Select]
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 0

## Set failure mode to syslog
-f 1

-w /var/run/clamav/clamd.ctl -p wa -k clamAV
The monitor works well as long as I do not reboot the server.
Code: [Select]
sudo auditctl -l
-w /var/run/clamav/clamd.ctl -p wa -k clamAV
After reboot, I have to manually restart the service in order to see the rules.
Code: [Select]
sudo auditctl -l
No rules
sudo systemctl restart auditd
sudo auditctl -l
-w /var/run/clamav/clamd.ctl -p wa -k clamAV
The service is enabled and it starts:
Code: [Select]
sudo systemctl list-units | grep auditd
auditd.service    loaded active running   Security Auditing Service
sudo systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-03-04 18:58:59 CET; 2min 9s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
 Main PID: 753 (auditd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/auditd.service
           └─753 /sbin/auditd

Any idea?
« Last Edit: March 05, 2020, 08:11:34 am by erotavlas »

doncamilo
 :)

I would configure my rule this way:

Code: [Select]
-w /var/run/clamav/clamd.ctl -p rwxa -k clamd.ctl

If I delete my clamd.ctl file manually:

Code: [Select]
root@pusa:~# ausearch -k clamd.ctl
...
----
time->Mon Mar  9 11:32:27 2020
type=PROCTITLE msg=audit(1583749947.984:18510): proctitle=726D00636C616D642E63746C
type=PATH msg=audit(1583749947.984:18510): item=1 name="clamd.ctl" inode=1286 dev=00:16 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1583749947.984:18510): item=0 name="/run/clamav" inode=1287 dev=00:16 mode=040755 ouid=120 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1583749947.984:18510): cwd="/run/clamav"
type=SYSCALL msg=audit(1583749947.984:18510): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=557c38004490 a2=0 a3=557c38003010 items=2 ppid=5632 pid=3808 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4 comm="rm" exe="/bin/rm" key="clamd.ctl"

Cheers!


erotavlas
Hi,
I finally caught the modification:
Code: [Select]
sudo auditctl -l
-w /var/run/clamav/clamd.ctl -p wa -k clamAV

This is the log file.
Code: [Select]
sudo ausearch -k clamAV
----
time->Sat Mar 21 01:00:32 2020
type=PROCTITLE msg=audit(1584748832.856:154963): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1584748832.856:154963): item=1 name="/var/run/clamav/clamd.ctl" inode=1485 dev=00:18 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1584748832.856:154963): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1584748832.856:154963): cwd="/"
type=SYSCALL msg=audit(1584748832.856:154963): arch=c000003e syscall=87 success=yes exit=0 a0=55bd566e47c0 a1=55bd55923726 a2=b a3=ffffffe6 items=2 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAV"
type=CONFIG_CHANGE msg=audit(1584748832.856:154963): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.ctl" key="clamAV" list=4 res=1

Any suggestion?
« Last Edit: March 22, 2020, 12:27:36 pm by erotavlas »

erotavlas
Today it happened again: the files /var/run/clamav/clamd.ctl and /var/run/clamav/clamd.pid were deleted.
Code: [Select]
sudo auditctl -l
-w /var/run/clamav/clamd.ctl -p rwxa -k clamAV
-w /var/run/clamav/clamd.pid -p rwxa -k clamAVpid
sudo ausearch -k clamAV
----
time->Wed Apr  1 01:00:32 2020
type=PROCTITLE msg=audit(1585695632.463:314468): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1585695632.463:314468): item=1 name="/var/run/clamav/clamd.pid" inode=1472 dev=00:18 mode=0100664 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1585695632.463:314468): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1585695632.463:314468): cwd="/"
type=SYSCALL msg=audit(1585695632.463:314468): arch=c000003e syscall=87 success=yes exit=0 a0=55a5d3b82c50 a1=55a5d20b9694 a2=1 a3=ffffffe0 items=2 ppid=1 pid=1819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAVpid"
type=CONFIG_CHANGE msg=audit(1585695632.463:314468): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.pid" key="clamAVpid" list=4 res=1
----
time->Wed Apr  1 01:00:32 2020
type=PROCTITLE msg=audit(1585695632.463:314469): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1585695632.463:314469): item=1 name="/var/run/clamav/clamd.ctl" inode=926 dev=00:18 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1585695632.463:314469): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1585695632.463:314469): cwd="/"
type=SYSCALL msg=audit(1585695632.463:314469): arch=c000003e syscall=87 success=yes exit=0 a0=55a5d3b817c0 a1=55a5d20b9726 a2=b a3=ffffffe6 items=2 ppid=1 pid=1819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAV"
type=CONFIG_CHANGE msg=audit(1585695632.463:314469): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.ctl" key="clamAV" list=4 res=1

sudo ausearch -k clamAVpid
----
time->Wed Apr  1 01:00:32 2020
type=PROCTITLE msg=audit(1585695632.463:314468): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1585695632.463:314468): item=1 name="/var/run/clamav/clamd.pid" inode=1472 dev=00:18 mode=0100664 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1585695632.463:314468): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1585695632.463:314468): cwd="/"
type=SYSCALL msg=audit(1585695632.463:314468): arch=c000003e syscall=87 success=yes exit=0 a0=55a5d3b82c50 a1=55a5d20b9694 a2=1 a3=ffffffe0 items=2 ppid=1 pid=1819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAVpid"
type=CONFIG_CHANGE msg=audit(1585695632.463:314468): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.pid" key="clamAVpid" list=4 res=1


The script reported in my first message is executed at the same time:
00 01 * * * /srv/clamscan.sh

I do not understand why it works well for many days and then suddenly maybe deletes the files...



doncamilo
 :)

Hi erotavlas,

if you parse the "proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565" parameter from hex to ASCII you'll find:

Code: [Select]
echo 2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565 | xxd -r -p
/usr/sbin/clamd--foreground=true

Could be something related to the on access scanning? https://www.clamav.net/documents/on-access-scanning

Cheers!

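The audit records quoted in this thread (doncamilo's manual rm test and erotavlas's clamd records at 01:00:32) can be read mechanically instead of by eye. The script below is an added example and is not part of any post or of the audit tools: it groups ausearch lines by their serial number, decodes the hex proctitle back into argv (the same thing the xxd one-liner above does, but keeping the NUL-separated arguments apart), maps the x86_64 syscall number to a name (87 is unlink, 263 is unlinkat), resolves relative PATH names against the CWD record, and flags an auid of 4294967295, which is (uid_t)-1 and means the process has no login session, typically a daemon started at boot. The syscall table is deliberately limited to removal and rename calls; the sample input is abridged from the records in this thread (cap_* fields dropped).

```python
"""Summarise ausearch output for a watched file (added example, not from the thread)."""
import os
import re

# x86_64 syscall numbers as reported with arch=c000003e. Only the calls that
# remove or rename a path are listed; anything else is shown by number.
SYSCALLS_X86_64 = {82: "rename", 87: "unlink", 263: "unlinkat",
                   264: "renameat", 316: "renameat2"}
AUID_UNSET = 4294967295  # (uid_t)-1: no login session, e.g. a daemon started at boot

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def parse_record(line):
    """Split one 'type=... msg=audit(ts:serial): k=v ...' line into a dict."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    rec["_serial"] = int(m.group(1)) if m else None
    return rec


def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv contains NUL bytes; recover argv."""
    if value.startswith('"'):                       # plain quoted form
        return value.strip('"').split()
    raw = bytes.fromhex(value)
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def summarise(ausearch_text):
    """Group records by serial; return one dict per event in serial order."""
    events = {}
    for line in ausearch_text.splitlines():
        if not line.startswith("type="):
            continue                                # skip 'time->' and '----' lines
        rec = parse_record(line)
        if rec["_serial"] is None:
            continue
        ev = events.setdefault(rec["_serial"], {"deleted": [], "cwd": "/"})
        t = rec["type"]
        if t == "SYSCALL":
            num = int(rec["syscall"])
            name = SYSCALLS_X86_64.get(num) if rec.get("arch") == "c000003e" else None
            auid = int(rec["auid"])
            ev.update(syscall=name or "syscall_%d" % num, exe=rec.get("exe"),
                      comm=rec.get("comm"), pid=int(rec["pid"]), ppid=int(rec["ppid"]),
                      auid=None if auid == AUID_UNSET else auid, tty=rec.get("tty"),
                      success=rec.get("success") == "yes")
        elif t == "PROCTITLE":
            raw = re.search(r'proctitle=("[^"]*"|\S+)', line).group(1)
            ev["argv"] = decode_proctitle(raw)
        elif t == "CWD":
            ev["cwd"] = rec["cwd"]
        elif t == "PATH" and rec.get("nametype") == "DELETE":
            ev["deleted"].append(rec["name"])
    out = []
    for serial in sorted(events):
        ev = events[serial]
        # PATH names may be relative to the CWD record of the same event.
        ev["deleted"] = [p if os.path.isabs(p) else os.path.join(ev["cwd"], p)
                         for p in ev["deleted"]]
        ev["serial"] = serial
        out.append(ev)
    return out


def describe(ev):
    """One human-readable line per event."""
    who = ("login uid %d" % ev["auid"] if ev["auid"] is not None
           else "no login session (auid unset)")
    return "%d: %s %s by %s pid=%d ppid=%d tty=%s, %s, argv=%s" % (
        ev["serial"], ev["syscall"], ", ".join(ev["deleted"]) or "(no path)",
        ev["exe"], ev["pid"], ev["ppid"], ev["tty"], who, ev.get("argv"))


# Sample input, abridged (cap_* fields dropped) from the records in this thread.
SAMPLE = """\
----
time->Mon Mar  9 11:32:27 2020
type=PROCTITLE msg=audit(1583749947.984:18510): proctitle=726D00636C616D642E63746C
type=PATH msg=audit(1583749947.984:18510): item=1 name="clamd.ctl" inode=1286 dev=00:16 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1583749947.984:18510): item=0 name="/run/clamav" inode=1287 dev=00:16 mode=040755 ouid=120 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1583749947.984:18510): cwd="/run/clamav"
type=SYSCALL msg=audit(1583749947.984:18510): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=557c38004490 a2=0 a3=557c38003010 items=2 ppid=5632 pid=3808 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4 comm="rm" exe="/bin/rm" key="clamd.ctl"
----
time->Sat Mar 21 01:00:32 2020
type=PROCTITLE msg=audit(1584748832.856:154963): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1584748832.856:154963): item=1 name="/var/run/clamav/clamd.ctl" inode=1485 dev=00:18 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1584748832.856:154963): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1584748832.856:154963): cwd="/"
type=SYSCALL msg=audit(1584748832.856:154963): arch=c000003e syscall=87 success=yes exit=0 a0=55bd566e47c0 a1=55bd55923726 a2=b a3=ffffffe6 items=2 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAV"
"""

if __name__ == "__main__":
    for event in summarise(SAMPLE):
        print(describe(event))
```

Feed it `sudo ausearch -k clamAV -i` output minus the `-i` (the script expects the raw, non-interpreted form shown in the thread). In the rm test the summary shows unlinkat by /bin/rm under login uid 1000 on pts2; in the clamd records it shows unlink by /usr/sbin/clamd itself, ppid 1, no tty and no login session. clamd removes its LocalSocket and pid file when it shuts down cleanly, so a record like that points at a stop or restart of the daemon at that moment rather than at an outside process removing the file.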

erotavlas
I read the link that you reported. I added the following lines to the file /etc/clamav/clamd.conf as described in the link.
Code: [Select]
OnAccessIncludePath /home/
OnAccessExcludeUname root ## versions >= 0.102
OnAccessPrevention yes
OnAccessDisableDDD yes

I have ClamAV 0.102.2/25769/Wed Apr  1 14:53:49 2020, curl 7.58.0 and kernel 5.3.0-45-generic.
When I installed Zentyal 6.0 in July 2019 the problem was not present. Then it started to appear after the upgrade to Zentyal 6.1. I cannot figure out whether it is related to some change in clamAV (I think so, maybe the 0.102+ version), Zentyal or other components.