Topic: Zentyal 6.1: clamAV does not work due to missing /var/run/clamav/clamd.ctl

erotavlas

Hi,
I have a problem with Zentyal community edition 6.1. I have clamAV, which the other processes reach via a Unix domain socket (/var/run/clamav/clamd.ctl). ClamAV works well for a while, then the file clamd.ctl disappears from that path and I need to create it manually or restart the system. After boot, the file is created automatically.
I have already tried sudo apt-get install clamav-daemon.

This is my file /etc/clamav/clamd.conf
Code: [Select]
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User root
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
StreamMaxLength 10M
LogFileMaxSize 0
LogSyslog false
LogFacility LOG_LOCAL6

This is a script run from crontab:

Code: [Select]
#!/bin/bash
# Daily ClamAV database refresh and scan, run from cron.
set -u

# update
#freshclam

FILETODOWNLOAD="main.cvd daily.cvd bytecode.cvd"

for F in ${FILETODOWNLOAD}; do
  # Fetch into a temporary file and only then replace the old database:
  # the previous version removed /var/lib/clamav/$F before wget ran, so a
  # failed download left clamd with no database at all.
  TMP="/var/lib/clamav/.$F.part"
  if wget -q "http://database.clamav.net/$F" -O "$TMP"; then
    sudo chown clamav:clamav "$TMP"
    sudo chmod 644 "$TMP"
    sudo mv -f "$TMP" "/var/lib/clamav/$F"
  else
    echo "Download of $F failed; keeping the existing database" >&2
    sudo rm -f "$TMP"
  fi
done

# scan
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log"
#EMAIL_MSG="Please see the log file attached.";
#EMAIL_FROM="clamav-daily@domain";
#EMAIL_TO="webmaster@domain";
DIRTOSCAN="/var/www /home/master/"

for D in ${DIRTOSCAN}; do
  DIRSIZE=$(du -sh "$D" 2>/dev/null | cut -f1)

  echo "Starting a daily scan of $D directory."
  echo "Amount of data to be scanned is $DIRSIZE."

  clamscan -ri "$D" >> "$LOGFILE"

  # third word of the "Infected files: N" summary line clamscan appends
  MALWARE=$(tail "$LOGFILE" | grep Infected | cut -d" " -f3)
  echo "Infected files in $D: $MALWARE"
done

Any idea?

doncamilo

Re: Zentyal 6.1: clamAV does not work due to missing /var/run/clamav/clamd.ctl
« Reply #1 on: February 20, 2020, 02:31:08 pm »
 :)

I would use auditd to know who is killing the socket.

https://linux.die.net/man/8/auditctl

Cheers!
"May you enjoy as much health as the goodness you harbor in your heart"

Don Camilo.

"That place... is strong with the
dark side of the Force.  A domain
of evil it is.  In you must go."

Yoda.

erotavlas

Quote from: doncamilo
> :)
>
> I would use auditd to know who is killing the socket.
>
> https://linux.die.net/man/8/auditctl
>
> Cheers!

Thank you for your reply, I did not know about this useful software. Up to now I'm still not able to track which process is deleting the file. I installed auditd and configured it as described at https://www.techrepublic.com/article/how-to-monitor-events-on-your-linux-data-center-servers-with-auditd/.
This is my /etc/audit/rules.d/audit.rules:
Code: [Select]
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 0

## Set failure mode to syslog
-f 1

-w /var/run/clamav/clamd.ctl -p wa -k clamAV
The monitor works well as long as I do not reboot the server.
Code: [Select]
sudo auditctl -l
-w /var/run/clamav/clamd.ctl -p wa -k clamAV
After reboot, I have to manually restart the service in order to see the rules.
Code: [Select]
sudo auditctl -l
No rules
sudo systemctl restart auditd
sudo auditctl -l
-w /var/run/clamav/clamd.ctl -p wa -k clamAV
The service is enabled and it starts:
Code: [Select]
sudo systemctl list-units | grep auditd
auditd.service    loaded active running   Security Auditing Service
sudo systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-03-04 18:58:59 CET; 2min 9s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
 Main PID: 753 (auditd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/auditd.service
           └─753 /sbin/auditd

Any idea?
« Last Edit: March 05, 2020, 08:11:34 am by erotavlas »

doncamilo

 :)

I would configure my rule this way:

Code: [Select]
-w /var/run/clamav/clamd.ctl -p rwxa -k clamd.ctl

If I manually delete my clamd.ctl file:

Code: [Select]
root@pusa:~# ausearch -k clamd.ctl
...
----
time->Mon Mar  9 11:32:27 2020
type=PROCTITLE msg=audit(1583749947.984:18510): proctitle=726D00636C616D642E63746C
type=PATH msg=audit(1583749947.984:18510): item=1 name="clamd.ctl" inode=1286 dev=00:16 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1583749947.984:18510): item=0 name="/run/clamav" inode=1287 dev=00:16 mode=040755 ouid=120 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1583749947.984:18510): cwd="/run/clamav"
type=SYSCALL msg=audit(1583749947.984:18510): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=557c38004490 a2=0 a3=557c38003010 items=2 ppid=5632 pid=3808 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4 comm="rm" exe="/bin/rm" key="clamd.ctl"

Cheers!

erotavlas

Hi,
I finally caught the modification:
Code: [Select]
sudo auditctl -l
-w /var/run/clamav/clamd.ctl -p wa -k clamAV

This is the log file.
Code: [Select]
sudo ausearch -k clamAV
----
time->Sat Mar 21 01:00:32 2020
type=PROCTITLE msg=audit(1584748832.856:154963): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1584748832.856:154963): item=1 name="/var/run/clamav/clamd.ctl" inode=1485 dev=00:18 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1584748832.856:154963): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1584748832.856:154963): cwd="/"
type=SYSCALL msg=audit(1584748832.856:154963): arch=c000003e syscall=87 success=yes exit=0 a0=55bd566e47c0 a1=55bd55923726 a2=b a3=ffffffe6 items=2 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAV"
type=CONFIG_CHANGE msg=audit(1584748832.856:154963): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.ctl" key="clamAV" list=4 res=1

Any suggestion?
« Last Edit: March 22, 2020, 12:27:36 pm by erotavlas »

erotavlas

Today it happened again: the files /var/run/clamav/clamd.ctl and /var/run/clamav/clamd.pid were deleted.
Code: [Select]
sudo auditctl -l
-w /var/run/clamav/clamd.ctl -p rwxa -k clamAV
-w /var/run/clamav/clamd.pid -p rwxa -k clamAVpid
sudo ausearch -k clamAV
----
time->Wed Apr  1 01:00:32 2020
type=PROCTITLE msg=audit(1585695632.463:314468): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1585695632.463:314468): item=1 name="/var/run/clamav/clamd.pid" inode=1472 dev=00:18 mode=0100664 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1585695632.463:314468): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1585695632.463:314468): cwd="/"
type=SYSCALL msg=audit(1585695632.463:314468): arch=c000003e syscall=87 success=yes exit=0 a0=55a5d3b82c50 a1=55a5d20b9694 a2=1 a3=ffffffe0 items=2 ppid=1 pid=1819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAVpid"
type=CONFIG_CHANGE msg=audit(1585695632.463:314468): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.pid" key="clamAVpid" list=4 res=1
----
time->Wed Apr  1 01:00:32 2020
type=PROCTITLE msg=audit(1585695632.463:314469): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1585695632.463:314469): item=1 name="/var/run/clamav/clamd.ctl" inode=926 dev=00:18 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1585695632.463:314469): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1585695632.463:314469): cwd="/"
type=SYSCALL msg=audit(1585695632.463:314469): arch=c000003e syscall=87 success=yes exit=0 a0=55a5d3b817c0 a1=55a5d20b9726 a2=b a3=ffffffe6 items=2 ppid=1 pid=1819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAV"
type=CONFIG_CHANGE msg=audit(1585695632.463:314469): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.ctl" key="clamAV" list=4 res=1

sudo ausearch -k clamAVpid
----
time->Wed Apr  1 01:00:32 2020
type=PROCTITLE msg=audit(1585695632.463:314468): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1585695632.463:314468): item=1 name="/var/run/clamav/clamd.pid" inode=1472 dev=00:18 mode=0100664 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1585695632.463:314468): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1585695632.463:314468): cwd="/"
type=SYSCALL msg=audit(1585695632.463:314468): arch=c000003e syscall=87 success=yes exit=0 a0=55a5d3b82c50 a1=55a5d20b9694 a2=1 a3=ffffffe0 items=2 ppid=1 pid=1819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAVpid"
type=CONFIG_CHANGE msg=audit(1585695632.463:314468): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.pid" key="clamAVpid" list=4 res=1


The script reported in my first message is executed at the same time:
00 01 * * * /srv/clamscan.sh

I do not understand why it works well for many days and then suddenly seems to delete the files...



doncamilo

 :)

Hi erotavlas,

if you parse the "proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565" parameter from hex to ASCII you'll find:

Code: [Select]
echo 2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565 | xxd -r -p
/usr/sbin/clamd--foreground=true

Could be something related to the on access scanning? https://www.clamav.net/documents/on-access-scanning

Cheers!
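The ausearch dumps pasted in this thread (the manual rm with syscall=263 and the clamd event with syscall=87) and the xxd decode of the PROCTITLE field above can be handled by one small parser. This is an added example for the thread, not code from the posters, from ClamAV or from the audit project: it groups the records ausearch prints per event serial, decodes the PROCTITLE hex (argv with NUL separators), resolves a relative PATH name against the CWD record, maps the syscall number to its name and flags whether the caller had a login session (auid=4294967295 is the unset value). It assumes x86_64 records (arch=c000003e), where 87 is unlink(2) and 263 is unlinkat(2); on other architectures the numbers differ (ausyscall translates them). The sample input is copied from the two records posted above.

```python
"""Answer "who unlinked the clamd socket?" from ausearch output.

Added example for this thread, not code from the posters or from ClamAV.
Assumption: x86_64 records (arch=c000003e); syscall numbers are per-arch.
"""
import os
import re
from typing import Dict, List

# x86_64 syscall numbers that remove a directory entry.
X86_64_UNLINK_SYSCALLS = {87: "unlink", 263: "unlinkat"}
AUID_UNSET = 4294967295  # (uid_t)-1: no login session, typical for a daemon

# Two events copied from the posts above: a manual `rm` and clamd itself.
SAMPLE_AUSEARCH = """\
----
time->Mon Mar  9 11:32:27 2020
type=PROCTITLE msg=audit(1583749947.984:18510): proctitle=726D00636C616D642E63746C
type=PATH msg=audit(1583749947.984:18510): item=1 name="clamd.ctl" inode=1286 dev=00:16 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1583749947.984:18510): item=0 name="/run/clamav" inode=1287 dev=00:16 mode=040755 ouid=120 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1583749947.984:18510): cwd="/run/clamav"
type=SYSCALL msg=audit(1583749947.984:18510): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=557c38004490 a2=0 a3=557c38003010 items=2 ppid=5632 pid=3808 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4 comm="rm" exe="/bin/rm" key="clamd.ctl"
----
time->Sat Mar 21 01:00:32 2020
type=PROCTITLE msg=audit(1584748832.856:154963): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1584748832.856:154963): item=1 name="/var/run/clamav/clamd.ctl" inode=1485 dev=00:18 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1584748832.856:154963): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1584748832.856:154963): cwd="/"
type=SYSCALL msg=audit(1584748832.856:154963): arch=c000003e syscall=87 success=yes exit=0 a0=55bd566e47c0 a1=55bd55923726 a2=b a3=ffffffe6 items=2 ppid=1 pid=1807 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAV"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")


def decode_proctitle(hexstr: str) -> str:
    """PROCTITLE is argv hex-encoded with a NUL byte between arguments."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").replace("\x00", " ")


def parse_fields(rest: str) -> Dict[str, str]:
    """`k=v k2="quoted v"` -> dict without the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}


def parse_events(text: str) -> List[Dict[str, object]]:
    """Merge the PROCTITLE/PATH/CWD/SYSCALL records that share one serial."""
    events: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # "----" separators and "time->" lines
        rtype, ts, serial, rest = m.groups()
        ev = events.setdefault(serial, {"serial": serial, "time": float(ts), "deleted": []})
        fields = parse_fields(rest)
        if rtype == "PROCTITLE":
            ev["proctitle"] = decode_proctitle(fields["proctitle"])
        elif rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH" and fields.get("nametype") == "DELETE":
            ev["deleted"].append(fields["name"])
        elif rtype == "CWD":
            ev["cwd"] = fields["cwd"]
    return [events[s] for s in sorted(events, key=int)]


def deletions(text: str) -> List[Dict[str, object]]:
    """One summary per successful syscall that unlinked a watched path."""
    out = []
    for ev in parse_events(text):
        if not ev["deleted"] or ev.get("success") != "yes":
            continue
        nr = int(ev["syscall"])
        x86_64 = ev.get("arch") == "c000003e"
        # unlinkat() with AT_FDCWD (a0=ffffff9c) logs a cwd-relative name
        paths = [p if p.startswith("/") else os.path.join(ev.get("cwd", ""), p)
                 for p in ev["deleted"]]
        out.append({
            "serial": ev["serial"],
            "paths": paths,
            "syscall": X86_64_UNLINK_SYSCALLS.get(nr, f"syscall {nr}") if x86_64 else f"syscall {nr}",
            "comm": ev["comm"],
            "exe": ev["exe"],
            "pid": int(ev["pid"]),
            "ppid": int(ev["ppid"]),
            "cmdline": ev.get("proctitle", ""),
            # auid unset (together with tty=(none) and ppid=1) means no login session
            "interactive": int(ev["auid"]) != AUID_UNSET,
        })
    return out


if __name__ == "__main__":
    for d in deletions(SAMPLE_AUSEARCH):
        who = "logged-in user" if d["interactive"] else "daemon, no login session"
        print(f"{d['syscall']:8} {' '.join(d['paths'])}  by {d['exe']} "
              f"pid={d['pid']} ppid={d['ppid']} ({who}) argv={d['cmdline']!r}")
```

Run against the two events it reports the manual case as unlinkat of /run/clamav/clamd.ctl by /bin/rm from a logged-in session (auid=1000, tty=pts2), and the 01:00:32 case as unlink of /var/run/clamav/clamd.ctl by /usr/sbin/clamd itself, started by PID 1 with no login session. clamd removes its LocalSocket and PidFile when it exits, so a record like the second one says the daemon shut down, and the next question is what stopped it at that moment, which is what the rest of the thread chases. Feed it `sudo ausearch -k clamAV -i`-free output (the raw, non-interpreted form shown above); `-i` would already replace the hex and numbers with names.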

erotavlas

I read the link you posted. I added the following lines to the file /etc/clamav/clamd.conf as described in the link.
Code: [Select]
OnAccessIncludePath /home/
OnAccessExcludeUname root ## versions >= 0.102
OnAccessPrevention yes
OnAccessDisableDDD yes

I have ClamAV 0.102.2/25769/Wed Apr  1 14:53:49 2020, curl 7.58.0 and kernel 5.3.0-45-generic.
When I installed Zentyal 6.0 in July 2019 the problem was not present. It started to appear after the upgrade to Zentyal 6.1. I cannot figure out whether it is related to some change in clamAV (I think so, maybe the 0.102+ version), Zentyal or other components.

doncamilo

 :)

Could you give me some feedback about your clamav system stability running the newly chosen configuration?

Some information about the workload of the on-access scan could be useful too. How many users does your system have?

Cheers!

erotavlas

It happened again:
Code: [Select]
sudo ausearch -k clamAV
----
time->Tue Apr 14 01:00:34 2020
type=PROCTITLE msg=audit(1586818834.021:294025): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1586818834.021:294025): item=1 name="/var/run/clamav/clamd.pid" inode=1484 dev=00:18 mode=0100664 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1586818834.021:294025): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1586818834.021:294025): cwd="/"
type=SYSCALL msg=audit(1586818834.021:294025): arch=c000003e syscall=87 success=yes exit=0 a0=55c79c599c50 a1=55c79c03d694 a2=1 a3=ffffffe0 items=2 ppid=1 pid=1781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAVpid"
type=CONFIG_CHANGE msg=audit(1586818834.021:294025): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.pid" key="clamAVpid" list=4 res=1
----
time->Tue Apr 14 01:00:34 2020
type=PROCTITLE msg=audit(1586818834.021:294026): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1586818834.021:294026): item=1 name="/var/run/clamav/clamd.ctl" inode=1483 dev=00:18 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1586818834.021:294026): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1586818834.021:294026): cwd="/"
type=SYSCALL msg=audit(1586818834.021:294026): arch=c000003e syscall=87 success=yes exit=0 a0=55c79c5987c0 a1=55c79c03d726 a2=b a3=ffffffe6 items=2 ppid=1 pid=1781 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAV"
type=CONFIG_CHANGE msg=audit(1586818834.021:294026): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.ctl" key="clamAV" list=4 res=1

ClamAV 0.102.2/25782/Tue Apr 14 13:57:42 2020 and kernel 5.3.0-46-generic.

Could it be something related to the update of clamav that requires a restart?
The system has just the root user and is mainly used as a web server. During the night the system load is high/maximum, but with low priority (BOINC research project).

erotavlas


Code: [Select]
sudo ausearch -k clamAV
----
time->Mon Apr 20 17:26:39 2020
type=PROCTITLE msg=audit(1587396399.873:182580): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1587396399.873:182580): item=1 name="/var/run/clamav/clamd.pid" inode=1475 dev=00:18 mode=0100664 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1587396399.873:182580): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1587396399.873:182580): cwd="/"
type=SYSCALL msg=audit(1587396399.873:182580): arch=c000003e syscall=87 success=yes exit=0 a0=561f25327c50 a1=561f232ef694 a2=1 a3=ffffffe0 items=2 ppid=1 pid=1850 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAVpid"
type=CONFIG_CHANGE msg=audit(1587396399.873:182580): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.pid" key="clamAVpid" list=4 res=1
----
time->Mon Apr 20 17:26:39 2020
type=PROCTITLE msg=audit(1587396399.873:182581): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1587396399.873:182581): item=1 name="/var/run/clamav/clamd.ctl" inode=1472 dev=00:18 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1587396399.873:182581): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1587396399.873:182581): cwd="/"
type=SYSCALL msg=audit(1587396399.873:182581): arch=c000003e syscall=87 success=yes exit=0 a0=561f253267c0 a1=561f232ef726 a2=b a3=ffffffe6 items=2 ppid=1 pid=1850 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAV"
type=CONFIG_CHANGE msg=audit(1587396399.873:182581): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.ctl" key="clamAV" list=4 res=1
----
time->Mon Apr 20 17:27:43 2020
type=CONFIG_CHANGE msg=audit(1587396463.582:6): auid=4294967295 ses=4294967295 op=add_rule key="clamAV" list=4 res=0
----
time->Mon Apr 20 17:37:25 2020
type=CONFIG_CHANGE msg=audit(1587397045.714:8): auid=4294967295 ses=4294967295 op=add_rule key="clamAV" list=4 res=0
----
time->Mon Apr 20 17:39:02 2020
type=CONFIG_CHANGE msg=audit(1587397142.258:869): auid=4294967295 ses=4294967295 op=add_rule key="clamAV" list=4 res=1
----
time->Mon Apr 20 17:39:02 2020
type=PROCTITLE msg=audit(1587397142.258:870): proctitle=2F7362696E2F617564697463746C002D52002F6574632F61756469742F61756469742E72756C6573
type=PATH msg=audit(1587397142.258:870): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1587397142.258:870): cwd="/"
type=SOCKADDR msg=audit(1587397142.258:870): saddr=100000000000000000000000
type=SYSCALL msg=audit(1587397142.258:870): arch=c000003e syscall=44 success=yes exit=1092 a0=3 a1=7ffd773aa090 a2=444 a3=0 items=1 ppid=2840 pid=2850 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditctl" exe="/sbin/auditctl" key=(null)
type=CONFIG_CHANGE msg=audit(1587397142.258:870): auid=4294967295 ses=4294967295 op=add_rule key="clamAVpid" list=4 res=1
----
time->Wed Apr 22 01:00:33 2020
type=PROCTITLE msg=audit(1587510033.120:47459): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1587510033.120:47459): item=1 name="/var/run/clamav/clamd.pid" inode=1483 dev=00:18 mode=0100664 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1587510033.120:47459): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1587510033.120:47459): cwd="/"
type=SYSCALL msg=audit(1587510033.120:47459): arch=c000003e syscall=87 success=yes exit=0 a0=55fa4ca54c50 a1=55fa4aff9694 a2=1 a3=ffffffe0 items=2 ppid=1 pid=1759 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAVpid"
type=CONFIG_CHANGE msg=audit(1587510033.120:47459): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.pid" key="clamAVpid" list=4 res=1
----
time->Wed Apr 22 01:00:33 2020
type=PROCTITLE msg=audit(1587510033.120:47460): proctitle=2F7573722F7362696E2F636C616D64002D2D666F726567726F756E643D74727565
type=PATH msg=audit(1587510033.120:47460): item=1 name="/var/run/clamav/clamd.ctl" inode=1475 dev=00:18 mode=0140666 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1587510033.120:47460): item=0 name="/var/run/clamav/" inode=1469 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1587510033.120:47460): cwd="/"
type=SYSCALL msg=audit(1587510033.120:47460): arch=c000003e syscall=87 success=yes exit=0 a0=55fa4ca537c0 a1=55fa4aff9726 a2=b a3=ffffffe6 items=2 ppid=1 pid=1759 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" key="clamAV"
type=CONFIG_CHANGE msg=audit(1587510033.120:47460): auid=4294967295 ses=4294967295op=updated_rules path="/var/run/clamav/clamd.ctl" key="clamAV" list=4 res=1
clamd --version
ClamAV 0.102.2/25789/Tue Apr 21 13:55:14 2020

So this seems to confirm the suspicion that it is related to the update of clamav. Each time clamAV is updated, the files are deleted. Why?
Regarding the new log:
Code: [Select]
echo 2F7362696E2F617564697463746C002D52002F6574632F61756469742F61756469742E72756C6573 | xxd -r -p
/sbin/auditctl-R/etc/audit/audit.rules
Nothing to do.

doncamilo

 :)

I think that the update process has to stop the clamd daemon. The issue is why the socket file is removed.

Check your clamav-daemon service when the system throws this error:

Code: [Select]
sudo systemctl status clamav-daemon
I have found that in a Zentyal 6.1 test system there are two ClamAV sockets, the first one in /run/clamav and the other one in the old /var/run/clamav (they seem to be independent files; neither is a symbolic link).

According to my '/etc/clamav/clamd.conf' file we are using "LocalSocket /var/run/clamav/clamd.ctl"

It could be useful to check the behavior when changing the LocalSocket directive to point to /run/clamav/clamd.ctl

In any case, use strace to trace freshclam and paste the output here (or a link to pastebin)

Cheers!

erotavlas

Hi,
I upgraded Zentyal to the latest version, 6.2.2. Now I have ClamAV 0.102.3/25850, with apache 2.4.43 and PHP 7.2.24-0ubuntu0.18.04.6 with Zend OPcache v7.2.24-0ubuntu0.18.04.6.
The problem was still present. So I tried to change the PHP server configuration from fast-cgi (configuration file /etc/php/7.2/fpm/php.ini) to the apache handler (configuration file /etc/php/7.2/apache2/php.ini). I do not know why, but the clamAV problem seems solved.
However, now there is another problem related to clamAV which was not present with fast-cgi. Whenever a file is uploaded to the web server, clamAV fails:
/tmp/phpys4WKw: lstat() failed: No such file or directory. ERROR
The ClamAV user has write access to the web server folders and is a member of the www-data group.