Mailing List Archive

Preliminary Feature Question (clamonacc clamd-pid-filtering)
Dear Clamav Developers
Is anyone working on a feature for clamonacc to filter out clamd's pid, so
they don't scan themselves? This feature would allow us to run both
clamd/clamonacc as root without the need OnAccessExcludeRootUID/UID/Uname.

Other AM like McAfee and Trend-DS operate as root while also scanning root
events. My customer and I stand at the conclusion that we require
root-execution while scanning other root-process-events, as to achieve
feature parity with commercial AM. Our deployment would be in the few 1000s
of RHEL7+8 under PCI-DSS.

I was thinking about having clamonacc watching the clamd.pid-file - But
then discovered https://bugzilla.clamav.net/show_bug.cgi?id=12595 which
discusses removal of PID-Path from config.

Please let me know if you already see blockers or issue "go for it" to this
idea. Unless I accomplish this myself, we might be able to raise a bounty.
My background is System Engineering and I am inclined to contributing
opensource. Just FYI, this is my current playground, simply installing the
EPEL packaged RPMs into a virutalmachine: https://gitlab.com/goshansp/clamav


Question Summary:
- Is it feasible to implement clamd-pid-filtering in clamonacc or am I
missing something?
- What is needed to bump clamav v1.0?
- Are there any videocalls / irc sessions scheduled? (I live in UTC and
would be eager to listen into current discussions)

I am looking forward to your answer.

Best regards and much appreciation for clamav,
Hanspeter
--
hanspeter.gosteli@gmail.com
+41794010780
_______________________________________________

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Preliminary Feature Question (clamonacc clamd-pid-filtering)
Hello Hanspeter!

We chatted about this as a team a bit after you left a question on the topic in IRC. It would absolutely make sense to filter out clamd events using the clamd pid, if the `PidFile` is enabled, and/or by using the clamd user name, if the `User` option is enabled. I created an internal task to investigate it, but it's not planned on our roadmap.

You raise a good point Re: https://bugzilla.clamav.net/show_bug.cgi?id=12595 and the use of `--pid` vs the clamd.conf `PidFile`. Come to think of it, freshclam may use the clamd.conf `PidFile` option as well, if you set `NotifyClamd /path/to/clamd.conf`. These may be both good reasons to keep the `PidFile` config option. I'll make a note of that in the Bugzilla ticket.

In an ideal world, ClamAV would be _less_ configurable and would "just work" more than it does. If I had my way, the location of the PID file would be hardcoded into the programs, and the PID file would be always-enabled so that clamonacc could depend on it. Realistically though, such a change would certainly upset a few people. I'll discuss it with the team a bit more. I don't have a good answer for you this very moment.

If you're interested in adding the ability to filter clamd events by `PidFile` and/or by `User`, a pull-request submitted to https://github.com/Cisco-Talos/clamav-devel would be welcomed. Additional information in the documentation advocating for and explaining the use of the clamd PidFile and/or User options would also be good: https://github.com/Cisco-Talos/clamav-faq/blob/master/manual/UserManual/OnAccess.md

Best regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.



> -----Original Message-----
> From: clamav-devel <clamav-devel-bounces@lists.clamav.net> On Behalf Of
> Hanspeter Gosteli
> Sent: Friday, December 4, 2020 4:53 AM
> To: clamav-devel@lists.clamav.net
> Subject: [Clamav-devel] Preliminary Feature Question (clamonacc clamd-pid-
> filtering)
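The self-exclusion mechanism Micah sketches (drop on-access events whose pid matches the pid in clamd's `PidFile`, optionally also those whose uid matches the `User` option) as an added example. This is not ClamAV code and not a proposed patch: clamonacc is C and reads its events from fanotify, whereas this Python sketch takes constructed event records, a constructed clamd.conf excerpt and constructed pid-file contents. The names `build_filter`, `SelfFilter`, `AccessEvent` and `events_to_scan` are hypothetical, and the assumption that a live pid can be confirmed as clamd by reading `/proc/<pid>/comm` is the author's, not something the thread states.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed clamd.conf excerpt with both options the reply mentions enabled.
CLAMD_CONF = """\
# clamd.conf (constructed example)
PidFile /run/clamd.scan/clamd.pid
User root
"""

# Constructed pid-file content: the daemon's pid followed by a newline.
CLAMD_PIDFILE = "4242\n"

def parse_clamd_conf(text: str) -> Dict[str, str]:
    """Map 'Option value' lines to a dict; '#' starts a comment."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0]] = parts[1].strip()
    return opts

def read_pidfile(contents: str) -> Optional[int]:
    """Parse pid-file contents; None if empty or not numeric (clamd down, file stale)."""
    s = contents.strip()
    return int(s) if s.isdigit() else None

def default_comm(pid: int) -> Optional[str]:
    """Process name from /proc/<pid>/comm on a live Linux host; None if no such pid."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return None

def pid_is_clamd(pid: int, comm: Callable[[int], Optional[str]] = default_comm) -> bool:
    """A pid file can outlive clamd and the pid can be reused by another process,
    so confirm the process name before using the pid as a filter key (assumption)."""
    return comm(pid) == "clamd"

def _uid_from_passwd(name: str) -> int:
    import pwd  # POSIX only; imported lazily so the module loads anywhere
    return pwd.getpwnam(name).pw_uid

@dataclass(frozen=True)
class AccessEvent:
    pid: int   # pid of the process that touched the file (fanotify metadata)
    uid: int   # uid of that process
    path: str

@dataclass(frozen=True)
class SelfFilter:
    clamd_pid: Optional[int]
    clamd_uid: Optional[int]

    def is_self(self, ev: AccessEvent) -> bool:
        """True if the event was generated by clamd itself and must be skipped."""
        if self.clamd_pid is not None and ev.pid == self.clamd_pid:
            return True
        return self.clamd_uid is not None and ev.uid == self.clamd_uid

def build_filter(conf_text: str, pidfile_contents: str, *,
                 filter_by_user: bool = False,
                 comm: Callable[[int], Optional[str]] = default_comm,
                 getpwnam_uid: Callable[[str], int] = _uid_from_passwd) -> SelfFilter:
    """Derive the filter from clamd.conf. The pid key is dropped when the pid file
    is missing, empty or stale. User-based exclusion is opt-in: with `User root`
    it excludes every root event, i.e. the OnAccessExcludeRootUID behaviour."""
    opts = parse_clamd_conf(conf_text)
    clamd_pid = read_pidfile(pidfile_contents) if "PidFile" in opts else None
    if clamd_pid is not None and not pid_is_clamd(clamd_pid, comm):
        clamd_pid = None
    clamd_uid = None
    if filter_by_user and "User" in opts:
        try:
            clamd_uid = getpwnam_uid(opts["User"])
        except KeyError:
            clamd_uid = None
    return SelfFilter(clamd_pid, clamd_uid)

def events_to_scan(flt: SelfFilter, events: List[AccessEvent]) -> List[AccessEvent]:
    """Events clamonacc should forward to clamd: everything that is not clamd's own."""
    return [ev for ev in events if not flt.is_self(ev)]

if __name__ == "__main__":
    # Constructed events: clamd (pid 4242, root) reading a file it was asked to
    # scan, a root cron job writing output, and an unprivileged editor.
    sample = [
        AccessEvent(4242, 0, "/home/user/download.bin"),
        AccessEvent(1337, 0, "/var/tmp/cron-output"),
        AccessEvent(2001, 1000, "/home/user/notes.txt"),
    ]
    flt = build_filter(CLAMD_CONF, CLAMD_PIDFILE,
                       comm=lambda pid: "clamd" if pid == 4242 else None)
    for ev in events_to_scan(flt, sample):
        print("scan", ev.path, "pid", ev.pid, "uid", ev.uid)
```

Two points the sketch makes concrete. First, only the pid key gives what the original poster asks for: with clamd running as root, the root cron job's event is still scanned while clamd's own read is skipped, whereas enabling the `User` key with `User root` silently collapses into excluding all root events. Second, a pid file is a hint, not a guarantee: it survives a crash and the number can be reused, so the example refuses to trust the pid unless the process behind it still looks like clamd, and drops the key (scanning everything, the safe failure) otherwise. A real implementation would also need to re-read the pid file whenever clamd restarts.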