[Resolved] 5.1RC1 and @inspectFile

Status
Not open for further replies.

bobykus

Well-Known Member
#21
More @inspectFile questions. Of course I can turn on the audit log, but it did not tell me much. Like

Code:
Message: Access denied with code 403, [Rule: 'FILES_TMPNAMES' '@inspectFile /usr/local/sbin/file-inspect.pl'] [id "99"] [msg "Malware found"] [severity "CRITICAL"] [MatchedString ""]

What I need is to get the clamd message in the clamav log. If I run the /usr/local/sbin/file-inspect.pl even on an OK file I get
Code:
Thu Dec  3 15:41:03 2015 -> fd[10]: OK
On @inspectFile /usr/local/sbin/file-inspect.pl I am getting nothing in
Code:
/var/log/clamav/clamd.log
Any clue why? I need to know the reason for a positive hit logged somewhere, not just "Malware found". How can I achieve it?
I have now
Code:
SecRule FILES_TMPNAMES "@inspectFile /usr/local/sbin/file-inspect.pl" "log,auditlog,severity:2,phase:2,t:none,id:99,msg:'Malware found'"
 

mistwang

LiteSpeed Staff
#22
What will you get if you run the same rule under Apache mod_security? The audit log only follows the rule actions. It looks alright to me.

Maybe it is missing some environment variable or parameter when file-inspect.pl is run through the engine. Or there is a permission problem: file-inspect.pl runs as the "nobody" user instead of root.

Is your file-inspect.pl using clamdscan?
 

bobykus

Well-Known Member
#23
Yes,
Code:
/usr/local/sbin/file-inspect.pl
is just a Trustwave perl script where
Code:
$cmd = "$CLAMSCAN --fdpass --multiscan --stdout --no-summary  --verbose  $FILE";
And the files are blocked OK.

BTW, why nobody? Why not the web server user?
 
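A wrapper in the spirit of the Trustwave script quoted above, written here as an added example (it is not the script from the thread or from LiteSpeed): it runs clamdscan with --fdpass, maps the result onto the @inspectFile reply line ("1 ..." passes, "0 reason" fails the match), and appends the clamd verdict plus the effective uid to its own log, which is what the audit log's bare "Malware found" does not give you. The clamdscan path, the log path /var/log/clamav/inspectfile.log and the assumption that the user the engine runs the script as may append to that file are mine.

```perl
#!/usr/bin/perl
# Example @inspectFile wrapper (added example, not the thread's script).
# Assumes clamdscan is in $PATH and that the web server / site user may
# append to $REASON_LOG; adjust both for your installation.
use strict;
use warnings;
use POSIX qw(strftime);

my $CLAMDSCAN  = 'clamdscan';                         # assumed: found via $PATH
my $REASON_LOG = '/var/log/clamav/inspectfile.log';   # hypothetical log path

# Append one line per scan. Recording $< (effective uid) answers the
# "which user does the script actually run as?" question from this thread.
sub log_reason {
    my ($file, $rc, $raw, $verdict) = @_;
    open(my $log, '>>', $REASON_LOG) or return;   # never block the scan on logging
    printf $log "%s uid=%d file=%s rc=%d clamd='%s' verdict='%s'\n",
        strftime('%Y-%m-%d %H:%M:%S', localtime), $<, $file, $rc, $raw, $verdict;
    close $log;
}

# Returns the single reply line ModSecurity's @inspectFile expects:
# a leading "1" means clean, anything else (here "0 <reason>") is a match,
# and the text after the digit becomes the engine's error message.
sub inspect {
    my ($file) = @_;
    return '0 no readable file supplied' unless defined $file && -f $file;

    # --fdpass hands clamd an open descriptor, so clamd itself need not be
    # able to read the temp file owned by the site user. Output looks like
    # "fd[10]: OK" or "fd[10]: Eicar-Test-Signature FOUND".
    my $quoted = quotemeta($file);
    my $out = `$CLAMDSCAN --fdpass --stdout --no-summary $quoted 2>&1`;
    my $rc  = $? >> 8;                  # clamdscan: 0 clean, 1 infected, 2 error
    my ($first) = split /\n/, ($out // '');
    $first //= '';

    my $verdict;
    if    ($rc == 0 && $first =~ /: OK$/)         { $verdict = '1 clamdscan: OK'; }
    elsif ($rc == 1 && $first =~ /: (.+) FOUND$/) { $verdict = "0 clamdscan: $1"; }
    else {
        # Fail closed: an unreadable clamd.conf or unwritable socket shows up
        # here as rc=2, and the reason lands in the log instead of vanishing.
        $verdict = "0 clamdscan error (rc=$rc): $first";
    }
    log_reason($file, $rc, $first, $verdict);
    return $verdict;
}

print inspect($ARGV[0]), "\n";
```

With this in place a rejected upload leaves a line such as `... rc=1 clamd='fd[10]: Eicar-Test-Signature FOUND' ...` in the wrapper's log while the rule's own msg still appears in the audit log.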

bobykus

Well-Known Member
#24
OK, what I found is /usr/local/sbin/file-inspect.pl running as the user which owns the site, neither nobody nor http. This is the source of my problems - /etc/clamd.conf must be readable by all, otherwise clamdscan cannot find the socket location for passing data to clamd. And the socket has to be writable for all! This does not look good on shared hosting. The requests should be filtered on the web server level with the web server's privileges IMO.
 

mistwang

LiteSpeed Staff
#25
Please try

/usr/local/lsws/admin/misc/lsup.sh -d -f -v 5.1RC3

the file-inspect.pl should run as the user that the lshttpd worker process is running as.
 