[Resolved] 5.1RC1 and @inspectFile

[bobykus]

More @inspectFile questions. Of course I can turn on audit log, but it did not tell me much. Like

Message: Access denied with code 403, [Rule: 'FILES_TMPNAMES' '@inspectFile /usr/local/sbin/file-inspect.pl'] [id "99"] [msg "Malware found"] [severity "CRITICAL"] [MatchedString ""]

What I need is to get clamd message in clamav log. If I run the /usr/local/sbin/file-inspect.pl even on OK file I get

Thu Dec  3 15:41:03 2015 -> fd[10]: OK

On @inspectFile /usr/local/sbin/file-inspect.pl I am getting nothing in

/var/log/clamav/clamd.log

Any clue why? I need to know a reason of positive hit logged somewhere, not just Malware found. How can I achieve it?
I have now

SecRule FILES_TMPNAMES "@inspectFile /usr/local/sbin/file-inspect.pl" "log,auditlog,severity:2,phase:2,t:none,id:99,msg:'Malware found'"

 

[mistwang]

What will you get if you run the same rule under Apache mod_security? Audit log only follow the rule actions. It looks alright to me.

Maybe it missing some environment variable or parameter when run file-inspect.pl through the engine. Or, there is permission problem. file-inspect.pl run as "nobody" user instead of root.

Is your file-inspect.pl using clamdscan?

 

[bobykus]

Yes,

/usr/local/sbin/file-inspect.pl

is just a Trustwave perl script where

$cmd = "$CLAMSCAN --fdpass --multiscan --stdout --no-summary  --verbose  $FILE";

And the files are blocked OK.

BTW, why nobody? Why not web sever user?

 

[bobykus]

OK, what I found is /usr/local/sbin/file-inspect.pl running as the user which own the site, neither nobody or http. This is a source of my problems - /etc/clamd.conf must be readable by all otherwise clamdscan can not find a socket location for passing data to clamd. And socket have to be writable for all! This does not looks well on shared hosting. The requests should be filtered on web servers level with web servers privileges IMO.

 

[mistwang]

Please try

/usr/local/lsws/admin/misc/lsup.sh -d -f -v 5.1RC3

the file-inspect.pl should run as the user that lshttpd worker process running as.

 

[bobykus]

No, it is not - now is getting strange ownership root:5469482. Mind no GID 5469482 in the system

 

[mistwang]

Updated, please try again.

 

[bobykus]

Yes, it is!