@monsieurDuke
Created July 5, 2024 06:42

ClamAV Setup: CentOS

Intro

  • Default Version : v0.103.11 LTS (CentOS 7.9.2009, CentOS 8.1905)
  • Latest Version : v1.3.1 (clamav-1.3.1.linux.x86_64.rpm)
  • Port : 3310 / tcp
  • Req. RAM : 3 - 4 GB
  • Req. CPU : 1 CPU @ 2.0Ghz
  • Req. Disk Space : 5 GB
  • Signature Update Interval : 30 mins

Keterangan simbol saat mengedit text file melalui nano: ~ changes, - comment / deletion, + addition

  • Pastikan sistem memiliki konfigurasi File Access Notification (FANOTIFY) dengan status aktif. ClamAV menggunakan konfigurasi tersebut untuk dapat melakukan real-time scanning & blocking terhadap file yang diakses. Apabila kedua opsi berisi `is not set`, cek bagian troubleshoot
  • CentOS 8 memiliki beberapa library yang missing untuk instalasi ClamAV, yaitu libjson-c.so.4 dan libclamav.so.9. Instalasi manual dilakukan dengan mengunduh package-nya secara individu

Setup ClamAV

Install & Config **

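## Point yum at the CentOS vault: the mirrorlist for these EOL releases no longer resolves.
sudo sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
sudo sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
## for missing dependencies only (CentOS 8: json-c / clamav-lib are pulled from AlmaLinux and EPEL)
yum search json-c && yum search clamav-lib
curl -O https://repo.almalinux.org/almalinux/8/BaseOS/x86_64/os/Packages/json-c-0.13.1-3.el8.x86_64.rpm
curl -O https://dl.fedoraproject.org/pub/epel/8/Everything/x86_64/Packages/c/clamav-lib-0.103.11-1.el8.x86_64.rpm
## NOTE(review): yum does not GPG-check a local .rpm unless localpkg_gpgcheck is enabled;
## verify these two downloads against the distro key (rpm --checksig) before installing.
sudo yum install ./json-c-0.13.1-3.el8.x86_64.rpm
sudo yum install ./clamav-lib-0.103.11-1.el8.x86_64.rpm
sudo yum update -y && sudo yum install -y epel-release nano net-tools bash-completion wget gcc gcc-c++ kernel-devel make
sudo yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
## Quarantine directory: the --move targets of clamonacc/clamdscan/clamscan below land here.
sudo mkdir -p /var/isolate
sudo mkdir -p /var/log/clamav
getsebool -a | grep antivirus
sudo setsebool -P antivirus_can_scan_system 1
sudo setsebool -P antivirus_use_jit 1
## Service account only (freshclam drops to DatabaseOwner clamav): no interactive shell,
## so use nologin instead of /bin/bash.
sudo groupadd clamav
sudo useradd -g clamav -s /sbin/nologin -c "Clam Antivirus" clamav
sudo chown clamav:clamav -R /var/lib/clamav/
## Log directory owned by clamav instead of world-writable (was chmod 766, which let any
## local user append to or truncate the AV logs). clamd/clamonacc run as root and bypass
## the mode; freshclam writes freshclam.log as the clamav owner.
sudo chown clamav:clamav /var/log/clamav
sudo chmod 750 /var/log/clamav
sudo chmod 640 /etc/freshclam.conf
sudo nano /etc/freshclam.conf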
--
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog true
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases no
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamd.d/scan.conf
Checks 48
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
## scan.conf (below): clamd runs as root (User root) and binds TCPSocket 3310 on
## TCPAddr 127.0.0.1 only, so the port is not exposed to the network. OnAccessPrevention
## with OnAccessIncludePath /home is what lets the clamonacc started later block access
## to detected files under /home. NOTE(review): OnAccessExcludeUname is clamav, but the
## cron-launched clamonacc runs as root -- confirm the exclusion matches the scanner's user.
sudo nano /etc/clamd.d/scan.conf
--
#LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
#LocalSocketGroup clamav
#LocalSocketMode 666
User root
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog true
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M
TCPSocket 3310
TCPAddr 127.0.0.1
OnAccessIncludePath /home
OnAccessExcludePath /var/log
OnAccessExcludePath /var/isolate
OnAccessPrevention yes
OnAccessExcludeUname clamav
OnAccessExtraScanning yes
## The packaged unit is a template (clamd@.service, instance = config name). Renaming it
## to clamd.service and pointing ExecStart at scan.conf gives one plain service.
## NOTE(review): a package update may reinstall clamd@.service; confirm the rename survives.
sudo mv /usr/lib/systemd/system/clamd\@.service /usr/lib/systemd/system/clamd.service
sudo nano /usr/lib/systemd/system/clamd.service
  ~ Description = clamd scanner daemon
  ~ ExecStart = /usr/sbin/clamd -c /etc/clamd.d/scan.conf

## freshclam as a daemon (-d) held in the foreground for systemd, reading /etc/freshclam.conf.
sudo nano /usr/lib/systemd/system/clamav-freshclam.service
  ~ ExecStart=/usr/bin/freshclam -d --config-file=/etc/freshclam.conf --foreground=true
sudo systemctl daemon-reload
sudo systemctl enable clamd.service clamav-freshclam.service
sudo systemctl restart clamd.service clamav-freshclam.service
sudo systemctl status clamd.service clamav-freshclam.service

Upgrade Version **

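cd ~
## Download as the invoking user; root is only needed for the install step.
wget https://github.com/Cisco-Talos/clamav/releases/download/clamav-1.3.1/clamav-1.3.1.linux.x86_64.rpm
## NOTE(review): check the RPM against the signature/checksum published with the release
## before installing -- yum does not GPG-check a local .rpm unless localpkg_gpgcheck is on.
sudo yum install ./clamav-1.3.1.linux.x86_64.rpm
## The 1.3.1 package appears to install under /usr/local (see the ExecStart paths below);
## confirm the binaries found on PATH are the new ones.
command -v clamd freshclam clamdscan clamscan clamonacc
## Units shipped with 1.3.1 (clamav-daemon / clamav-freshclam) must point at the /usr/local
## binaries. NOTE(review): the clamd.service enabled above still exists; confirm it is
## disabled so two clamd instances do not compete for port 3310.
sudo nano /lib/systemd/system/clamav-daemon.service
  ~ ExecStart=/usr/local/sbin/clamd --foreground=true

sudo nano /lib/systemd/system/clamav-freshclam.service
  ~ ExecStart=/usr/local/bin/freshclam -d --foreground=true
## NOTE(review): the configs edited earlier live in /etc/clamd.d/scan.conf and
## /etc/freshclam.conf, not /etc/clamav/; confirm the source path of this copy.
sudo cp /etc/clamav/*.conf /usr/local/etc/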

On-Access Scanning

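## The running kernel must have fanotify with permission events; both lines should print =y.
grep FANOTIFY "/boot/config-$(uname -r)"
##   expected:
##   CONFIG_FANOTIFY=y
##   CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
## The script is executed by root from cron: keep it root-owned and not group/world-writable
## (was chmod 777, which let any local user rewrite commands root runs every minute).
sudo touch /usr/local/sbin/start-clamonacc.sh
sudo chmod 755 /usr/local/sbin/start-clamonacc.sh
sudo nano /usr/local/sbin/start-clamonacc.sh
  + #!/bin/bash
  + PATH="$(printenv PATH)"
  + ## Keep-alive: start clamonacc only when it is not already running. The earlier
  + ## SIGKILL-then-restart on every cron tick left a gap in on-access protection each minute.
  + pidof clamonacc >/dev/null && exit 0
  + /usr/sbin/clamonacc --move=/var/isolate/ --log=/var/log/clamav/clamav-scan.log --config-file=/etc/clamd.d/scan.conf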

Nightly File System Scanning

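## Both scripts run as root from cron: root-owned, mode 755 (was 777 -- world-writable
## scripts executed by root are a local privilege-escalation path).
sudo touch /usr/local/sbin/start-clamdscan.sh
sudo chmod 755 /usr/local/sbin/start-clamdscan.sh
sudo nano /usr/local/sbin/start-clamdscan.sh
  + #!/bin/bash
  + PATH="$(printenv PATH)"
  + ## Streams the listed system directories to the running clamd (--stream); hits are moved to /var/isolate.
  + /usr/bin/clamdscan --move=/var/isolate/ --log=/var/log/clamav/clamav-scan.log --config-file=/etc/clamd.d/scan.conf --stream /tmp/ /var/tmp/ /usr/local/bin/ /etc/systemd/system/ /lib/systemd/system/ /usr/share/ /boot/
## testing (standalone clamscan: does not need clamd, loads the signatures itself)
sudo touch /usr/local/sbin/start-clamscan.sh
sudo chmod 755 /usr/local/sbin/start-clamscan.sh
sudo nano /usr/local/sbin/start-clamscan.sh
  + #!/bin/bash
  + PATH="$(printenv PATH)"
  + /usr/bin/clamscan --move=/var/isolate/ --log=/var/log/clamav/clamav-scan.log --scan-mail --scan-ole2 --scan-pdf --scan-html -r /home/ /opt/ /var/spool/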

Scheduling

## Root crontab: the on-access starter runs every minute as a keep-alive, the two filesystem
## scans run at midnight. NOTE(review): stderr of root jobs is appended to a predictable
## /tmp path; unless fs.protected_symlinks is on, another local user can pre-create a symlink
## there -- /var/log/clamav would be the safer home for this log.
sudo su
EDITOR=nano crontab -e
  + * * * * * /usr/local/sbin/start-clamonacc.sh 2>> /tmp/clamav-dump.log
  + 0 0 * * * /usr/local/sbin/start-clamdscan.sh 2>> /tmp/clamav-dump.log
  + 0 0 * * * /usr/local/sbin/start-clamscan.sh 2>> /tmp/clamav-dump.log  
sudo crontab -l

Setup Sandbox

Install & Config

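cd ~
## NOTE(review): verify the tarball against the signature/checksum published with the
## release before building -- it is installed system-wide as root.
wget https://github.com/netblue30/firejail/releases/download/0.9.72/firejail-0.9.72.tar.xz
mkdir firejail && tar -xf firejail-0.9.72.tar.xz -C firejail
cd firejail
## NOTE(review): if the archive unpacks into a firejail-0.9.72/ subdirectory, cd into it first.
## The original line passed "make" as an argument to ./configure; configure, build and
## install are three separate steps.
./configure --prefix=/usr --enable-selinux && make && sudo make install-strip
command -v firejail
## Quarantine dir: root-owned; group clamav may enter/write but not list (730); others nothing.
sudo chown -R root:clamav /var/isolate/
sudo chmod -R 730 /var/isolate/
sudo cp ~/.bashrc /var/isolate/
## Sandbox profile for inspecting quarantined files: no network, no capabilities, seccomp
## filter, private IPC/X11, and /var/isolate mounted as the sandbox home.
sudo nano /etc/firejail/sandbox.profile
  + seccomp
  + net none
  + ipc-namespace
  + caps.drop all
  + x11 none
  + private /var/isolate/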

Testing

## EICAR is the standard harmless AV test string; with OnAccessIncludePath /home in scan.conf
## the on-access scanner is expected to move the file to /var/isolate -- TODO confirm.
curl https://secure.eicar.org/eicar.com.txt > ~/eicar.txt
sudo su
## Opens a root shell confined by the sandbox profile above (private home = /var/isolate).
firejail --profile=/etc/firejail/sandbox.profile

Audit

## Runtime checks: journal, process tree, then the log files configured above.
journalctl -xe
ps axjf | grep clam
## stderr of the cron jobs (path set in the root crontab)
sudo tail -f /tmp/clamav-dump.log
## clamd log (LogFile in scan.conf)
sudo tail -f /var/log/clamav/clamav.log
## --log target of clamonacc / clamdscan / clamscan
sudo tail -f /var/log/clamav/clamav-scan.log
## UpdateLogFile in freshclam.conf
sudo tail -f /var/log/clamav/freshclam.log
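#######################################
# Print RSS in MB plus pid/user/command for processes whose ps line matches a pattern.
# Arguments: $1 - case-insensitive grep pattern. The original used an unquoted $@, so a
#            second argument was silently treated by grep as a file name.
# Outputs:   one line per matching process, lowest %mem first, to stdout
# Returns:   2 when no pattern is given, otherwise the pipeline status
#######################################
mem() {
  if [[ $# -lt 1 ]]; then
    printf 'usage: mem PATTERN\n' >&2
    return 2
  fi
  local pattern=$1
  ps -eo rss,pid,euser,args:100 --sort %mem \
    | grep -v grep \
    | grep -i -- "$pattern" \
    | awk '{printf $1/1024 " MB"; $1=""; print }'
}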
## Memory footprint of the scheduler and the three ClamAV processes (clamd is the large one).
mem cron
mem clamd
mem clamonacc
mem freshclam

Reference
