Mailing List Archive

RHEL ScanonAccess includepaths
Hi

We have a need to have OnAccessScanning on our RHEL servers but with some path exclusions.

So as I read the manuals etc it seems I have to use the OnAccessIncludePath rather than the OnAccessMountPath.

So the filesystem layout is as such :-

/
/boot
/home
/var
/var/log
/var/tmp
/var/log/audit

So I have set up the following IncludePath entries in scan.conf

OnAccessIncludePath /boot
OnAccessIncludePath /dev
OnAccessIncludePath /etc
OnAccessIncludePath /home
OnAccessIncludePath /opt
OnAccessIncludePath /usr
OnAccessIncludePath /var

When then starting the clamd:scan service all paths seem to be ok apart from /var which gave the following error

ERROR: ScanOnAccess: Could not watch path '/var', No space left on device.

So I increased the number in /proc/sys/fs/inotify/max_user_watches from 8192 to 32768 ( Only 21551 total directories in the whole of the server so should cover it )

So now it doesn't give me the message about space but gives this message :-

ERROR: ScanOnAccess: Could not watch path '/var', Success

And is still not monitoring for anything under /var ( eicar test files not being picked up. ) All other paths seem to be working ok.

Does anybody know where I am going wrong ?

Cheers

Ian


Ian CROFT
Senior Infrastructure Support Analyst
Sopra Steria
101 Dalton Avenue
Birchwood Park, Cheshire
Warrington WA3 6YF - United Kingdom
Phone: 07966 825245
ian.croft2@soprasteria.com - www.soprasteria.co.uk

Before printing, think about the environment.
The content of this message may be confidential, legally privileged and protected by law. Unauthorized use, copying or disclosure of any of it may be unlawful. If you are not the intended recipient please notify the sender and remove it from your system. While attachments to this e-mail are checked for viruses, we do not accept any liability for any damage sustained by viruses.

Sopra Steria is the trading name of the following companies (all registered in England & Wales): (i) Sopra Steria Limited (No. 04077975) (ii) Sopra Group Ltd (No. 01643041) (iii) Sopra Group Holding Ltd (No. 01588948)
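As an added example (not from Ian's post and not ClamAV's own code), a small POSIX shell helper that does the estimate Ian did by hand: count the directories under each path you intend to list as OnAccessIncludePath and hold the total against fs.inotify.max_user_watches. It assumes the inotify-based on-access scanner of that era places one watch per directory, which is why the directory count is the figure to compare; the 8192 fallback is only the value Ian started from, used when /proc is not readable. The function names count_dirs, inotify_limit and watch_budget are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClamAV.
# Estimate the inotify watch budget a set of OnAccessIncludePath entries needs.
# Assumption: the inotify-based on-access scanner places one watch per
# directory, so "directories below each included path" is the figure to hold
# against fs.inotify.max_user_watches. Function names are my own.

# count_dirs DIR
#   Number of directories at or below DIR, DIR itself included. Submounts
#   are counted too, which is the pessimistic (safe) figure; add -xdev to
#   find if you want to stop at mount boundaries.
count_dirs() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# inotify_limit
#   Current per-user watch limit; falls back to 8192 (the value Ian started
#   from) when /proc is not readable, e.g. outside Linux.
inotify_limit() {
    if [ -r /proc/sys/fs/inotify/max_user_watches ]; then
        cat /proc/sys/fs/inotify/max_user_watches
    else
        echo 8192
    fi
}

# watch_budget LIMIT DIR...
#   Print per-path counts and the total; exit status 0 when the total fits
#   within LIMIT, 1 when it does not.
watch_budget() {
    limit=$1; shift
    total=0
    for d in "$@"; do
        n=$(count_dirs "$d")
        total=$((total + n))
        printf '%-24s %8s directories\n' "$d" "$n"
    done
    printf '%-24s %8s of %s watches\n' 'TOTAL' "$total" "$limit"
    [ "$total" -le "$limit" ]
}

if [ $# -gt 0 ]; then
    # e.g.  sh watch_budget.sh /boot /etc /home /opt /usr /var
    watch_budget "$(inotify_limit)" "$@"
fi
```

The limit is per user and is shared with every other inotify consumer running as the same user as clamd (indexers, editors, other daemons), so treat the total as a floor and leave headroom. "No space left on device" is the ENOSPC that inotify_add_watch returns when that limit is hit, which is why raising max_user_watches made that particular message go away.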
Re: RHEL ScanonAccess includepaths
Hi there,

On Tue, 24 Sep 2019, CROFT Ian wrote:

> We have a need to have OnAccessScanning on our RHEL servers but with
> some path exclusions.

May I ask why?

> So as I read the manuals etc it seems I have to use the
> OnAccessIncludePath rather than the OnAccessMountPath.

I guess that's right unless you have separate partitions mounted for
things like /var, /usr/local, /home and whatever.

> So the filesystem layout is as such :-
>
> /
> /boot
> /home
> /var
> /var/log
> /var/tmp
> /var/log/audit

Are these all separate mount points/partitions?

> So I have set up the following IncludePath entries in scan.conf

I guess the file scan.conf is something that RH does with ClamAV.
There is no such file in any of my systems built from source.

> OnAccessIncludePath /dev

There be dragons, I wouldn't do that.

> OnAccessIncludePath /var

I wouldn't do that.

> Does anybody know where I am going wrong ?

Why do you want to scan everything under /var/log? It seems pointless
scanning a bunch of files which are effectively write-only logs. You
*might* theorize that a text file could have something written to it
which would compromise a pager or something when you tried to read the
log with it, but it seems quite a, well, a Stretch of the imagination.

I would suggest reading the release notes for version 0.102, there are
some significant changes for on-access scanning.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: RHEL ScanonAccess includepaths
Thanks Ged - much appreciated :-

>> We have a need to have OnAccessScanning on our RHEL servers but with
>> some path exclusions.

>May I ask why?
Ian Response - Yes, the Application folks have deemed certain paths not required to be scanned and are hoping to avoid any performance issues as well.

>> So as I read the manuals etc it seems I have to use the
>> OnAccessIncludePath rather than the OnAccessMountPath.

>I guess that's right unless you have separate partitions mounted for things like /var, /usr/local, /home and whatever.

>> So the filesystem layout is as such :-
>>
>> /
>> /boot
>> /home
>> /var
>> /var/log
>> /var/tmp
>> /var/log/audit

>Are these all separate mount points/partitions?
Ian Response - Yes

>> So I have set up the following IncludePath entries in scan.conf

>I guess the file scan.conf is something that RH does with ClamAV.
>There is no such file in any of my systems built from source.

>> OnAccessIncludePath /dev

>There be dragons, I wouldn't do that.
Ian response - ok noted.

>> OnAccessIncludePath /var

>I wouldn't do that.
Ian Response - why - I was going to include it and then exclude particular directories below it as required. - But the error I am getting won't let me include it in the first place.

>> Does anybody know where I am going wrong ?

>Why do you want to scan everything under /var/log? It seems pointless scanning a bunch of files which are effectively write-only logs. You
>*might* theorize that a text file could have something written to it which would compromise a pager or something when you tried to read the log with it, but it seems quite a, well, a Stretch of the imagination.

>I would suggest reading the release notes for version 0.102, there are some significant changes for on-access scanning.
Ian Response - will do.



Re: RHEL ScanonAccess includepaths
While it is not recommended to scan everything under /var (or /var
at all), the reason it fails is because you have /var submounts
(/var/log, /var/tmp).
This is currently a known bug in clamav (I reported
it: https://bugzilla.clamav.net/show_bug.cgi?id=12306 ), and the
workaround in your case is:

OnAccessIncludePath /var/log
OnAccessIncludePath /var/tmp
OnAccessIncludePath /var

and then, if you don't want /var/log and /var/tmp, add these in the
exclude:

ExcludePath ^/var/log
ExcludePath ^/var/tmp

Franky

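The ordering trick in Franky's workaround, written out as an added POSIX shell example (not code from the thread or from ClamAV) that generalizes it: given one include root and the list of mount points, emit every submount as its own OnAccessIncludePath, deepest first, then the root, then an anchored ExcludePath for each submount you do not want watched. Applying the same rule one level down means /var/log/audit is listed before /var/log. The mount list is read from stdin in the one-path-per-line shape that `findmnt -rn -o TARGET` prints; the sample list embedded below is constructed to match Ian's layout, and the names onaccess_fragment, submounts and SAMPLE_MOUNTS are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClamAV.
# Emit the OnAccessIncludePath / ExcludePath fragment for one include root
# that has submounts beneath it, in the order Franky's workaround needs:
# submounts first (deepest first), the root last, excludes after that.
# Input: mount points on stdin, one per line (the shape of
# `findmnt -rn -o TARGET`). Function and variable names are my own.

# submounts ROOT < mounts
#   Print the mount points strictly below ROOT, deepest first, so that a
#   nested submount (/var/log/audit) precedes its parent (/var/log).
submounts() {
    given=$1
    root=${given%/}        # "/var/" -> "/var"; "/" -> "" so "/*" matches all
    while IFS= read -r m; do
        [ "$m" = "$given" ] && continue      # never list the root itself
        case $m in
            "$root"/*) printf '%s\n' "$m" ;;
        esac
    done | awk '{ print gsub("/", "/"), $0 }' \
         | sort -k1,1nr -k2,2 \
         | cut -d' ' -f2-
}

# onaccess_fragment ROOT [EXCLUDE ...] < mounts
#   Print the config lines. Each EXCLUDE must lie under ROOT; anything else
#   is reported on stderr and skipped rather than silently written out.
onaccess_fragment() {
    root=$1; shift
    subs=$(submounts "$root")
    for s in $subs; do
        printf 'OnAccessIncludePath %s\n' "$s"
    done
    printf 'OnAccessIncludePath %s\n' "$root"
    for x in "$@"; do
        case $x in
            "${root%/}"/*) printf 'ExcludePath ^%s\n' "$x" ;;  # anchored, as in the thread
            *) printf 'warning: %s is not under %s, skipped\n' "$x" "$root" >&2 ;;
        esac
    done
}

# Constructed sample, matching the layout Ian posted.
SAMPLE_MOUNTS='/
/boot
/home
/var
/var/log
/var/tmp
/var/log/audit'

if [ $# -gt 0 ]; then
    # e.g.  findmnt -rn -o TARGET | sh onaccess_fragment.sh /var /var/log /var/tmp
    onaccess_fragment "$@"
else
    printf '%s\n' "$SAMPLE_MOUNTS" | onaccess_fragment /var /var/log /var/tmp
fi
```

The ExcludePath lines keep the leading ^ from Franky's message so that the regex only matches paths starting at that mount point; without the anchor, ^/var/tmp written as /var/tmp would also match any deeper path that merely contains that string. Paths containing spaces are not handled, since the mount list is split on whitespace.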
Re: RHEL ScanonAccess includepaths
Great stuff – that has resolved that error.

Just need to get my head around what should and what should not be included/excluded now.

You would have thought there would be a “this is a good layout” for inclusions/exclusions for RHEL, which you could start with in the knowledge you aren’t going to kill your system and then add/remove from it as you learn more.

Does anyone know of such a list ?

Cheers

Ian

From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Franky Van Liedekerke via clamav-users
Sent: 24 September 2019 15:17
To: clamav-users@lists.clamav.net
Cc: Franky Van Liedekerke <liedekef@telenet.be>
Subject: Re: [clamav-users] RHEL ScanonAccess includepaths
