diff --git a/.gitignore b/.gitignore index 23bc29a..98c7cc3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ execguard migrated_apps.txt +my_bins_apps.txt diff --git a/README.md b/README.md index c1561a9..82f6099 100644 --- a/README.md +++ b/README.md @@ -32,16 +32,16 @@ This will initialize the /etc/execguard/system.db SQLite3 Database. It is in Leaning mode... All program will run as normal. ## How it works: -* NOTE: All executables are blocked that are not in the allowed.db, so the protected_dirs config does not matter! -* To add a program to this system.db Database: sudo execguard --update /THEPATH/TO/PROGRAM_GOES_HERE Beacreful when updating/add to the allowed Database as the whole point is to Block Bad Programs. +* NOTE: All executables are blocked that are not in the system.db, so the protected_dirs config does not matter! +* To add a program to this system.db Database: sudo execguard --update /THEPATH/TO/PROGRAM_GOES_HERE Becareful when updating/adding to the allowed Database as the whole point is to Block Bad Programs. * However, your systen need to run things, so be wise... * You should monitor the output of the log file: - tail -F /var/log/execguard.log ## Make a key for xxtea -This will generate a new key phrase for you that is safe in size...to be placed inside of your config.json file. Do this before you go live. +This is done automatically in install.sh. ``` -sudo execguard --newKey +execguard --newKey ``` ## /etc/execgaurd/config.json @@ -62,6 +62,12 @@ scan_interval is the number of minutes to delay before scanning the protected_di "hash_type": "sha512" } ``` +## To get root mail +``` +sudo mail -u root +OR +sudo mutt -f /var/mail/root +``` ## Install ``` cd execgaurd diff --git a/core/new_file_monitor/new_file_monitor.go b/core/new_file_monitor/new_file_monitor.go index aa1c398..fe0243a 100644 --- a/core/new_file_monitor/new_file_monitor.go +++ b/core/new_file_monitor/new_file_monitor.go 
@@ -90,7 +90,17 @@ func scanFile(filePath string, scannerPath string, db *sql.DB, log log.Logger) {
 log.Printf("Scanning file: %s\n", fileName)
- cmd := exec.Command(scannerPath, "-v", filePath)
+ var cmd *exec.Cmd
+ if scannerPath == "/usr/bin/clamscan" {
+ cmd = exec.Command(
+ scannerPath,
+ "-v",
+ "--move=/var/lib/clamav/quarantine",
+ "--log=/var/log/clamav/results.log",
+ filePath)
+ } else {
+ cmd = exec.Command(scannerPath, filePath)
+ }
 output, err := cmd.CombinedOutput()
 if err != nil {
diff --git a/install.sh b/install.sh
index 083df74..dc7ee7a 100755
--- a/install.sh
+++ b/install.sh
@@ -203,4 +203,6 @@ case $? in
 esac
 ${USE_SUPER} ./execguard --update "$(pwd)/update_bins.sh"
 ${USE_SUPER} ./execguard --update "$(pwd)/sys_update.sh"
+${USE_SUPER} ./execguard --update "$(pwd)/vscan_bins.sh"
 ./update_bins.sh
+./vscan_bins.sh
diff --git a/vscan_bins.sh b/vscan_bins.sh
index 6a5efeb..9acce26 100755
--- a/vscan_bins.sh
+++ b/vscan_bins.sh
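Review bot: The new clamscan invocation makes a detection surface as a non-nil err from `cmd.CombinedOutput()`, because clamscan exits 1 when it finds (and, with `--move`, quarantines) an infected file and 2 on a scanner error, and Go reports both as an `*exec.ExitError`; the body of `if err != nil {` is outside this hunk, so if it treats every error as a scan failure a real detection is indistinguishable from a broken scanner. The handler should split on the status, e.g. `var exitErr *exec.ExitError` / `if errors.As(err, &exitErr) && exitErr.ExitCode() == 1 { /* infected: log as a detection, not an error */ }`, and reserve the error path for exit code 2 or a non-ExitError (needs `errors` imported). The `scannerPath == "/usr/bin/clamscan"` compare also silently drops the quarantine and log flags whenever the configured path differs (a distro that installs clamscan elsewhere, or a wrapper script); `filepath.Base(scannerPath) == "clamscan"` would be more forgiving, and the dropped `-v` for every other scanner is a behaviour change that deserves a comment. scanFile begins before this hunk.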
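Review bot: `./vscan_bins.sh` is the last step of the install and, per its own new version in this commit, stops the execguard service and only prints a hint to start it again, so an install ends with enforcement off unless something earlier in install.sh (outside this hunk) starts it afterwards. Add `${USE_SUPER} /usr/sbin/service execguard start` after the `./vscan_bins.sh` line, or at least `./vscan_bins.sh || echo "vscan_bins.sh failed"` so the `exit 1` it can return does not pass unnoticed. The allow-list entry is keyed on `$(pwd)/vscan_bins.sh`, i.e. whatever checkout directory install.sh was run from; that matches the existing update_bins.sh and sys_update.sh entries, but if entries are matched by path alone a user-writable checkout path in the allowed table is worth a comment.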
@@ -1,4 +1,74 @@
 #!/bin/bash
+/usr/bin/echo "Stopping execguard service if on..."
+/usr/bin/sudo /usr/sbin/service execguard stop
+
+/usr/bin/echo "Dumping contents of Database to file..."
 /usr/bin/sudo /usr/bin/sqlite3 /etc/execguard/system.db "SELECT path FROM allowed;" > my_bins_apps.txt
-/usr/bin/clamscan -v --infected --move=/var/lib/clamav/quarantine --file-list=my_bins_apps.txt
-/usr/bin/echo "Done -- you may: rm my_bins_apps"
+if [ $? -eq 0 ]; then
+    /usr/bin/echo "Done dumping execs to file..."
+else
+    /usr/bin/echo "Error dumping execs to file...!"
+    exit 1
+fi
+
+/usr/bin/echo "Setting up log permissions..."
+/usr/bin/sudo /usr/bin/touch /var/log/exescans.log
+/usr/bin/sudo /usr/bin/chown root:adm /var/log/exescans.log
+/usr/bin/sudo /usr/bin/chmod 640 /var/log/exescans.log
+if [ ! -d /var/log/clamav ]; then
+    /usr/bin/sudo /usr/bin/mkdir -p /var/log/clamav
+    /usr/bin/sudo /usr/bin/chown clamav:clamav /var/log/clamav
+    /usr/bin/sudo /usr/bin/chmod 755 /var/log/clamav
+fi
+/usr/bin/sudo /usr/bin/touch /var/log/clamav/results.log
+/usr/bin/sudo /usr/bin/chown clamav:clamav /var/log/clamav/results.log
+/usr/bin/sudo /usr/bin/chmod 640 /var/log/exescans.log
+
+echo "Configuring rsyslog for exescans..."
+cat << EOF | sudo tee /etc/rsyslog.d/exescans.conf
+# Send exescans logs (facility local0) to a dedicated file
+local0.* /var/log/exescans.log
+EOF
+
+/usr/bin/echo "Setting up log rotation..."
+cat << EOF | sudo tee /etc/logrotate.d/exescans
+/var/log/exescans.log {
+    weekly
+    missingok
+    rotate 4
+    compress
+    delaycompress
+    notifempty
+    create 640 root adm
+    su root root
+}
+EOF
+
+echo "Restarting rsyslog..."
+sudo systemctl restart rsyslog
+
+/usr/bin/echo "Running clamScan...this will take some time!"
+/usr/bin/sudo /usr/bin/clamscan -v --move=/var/lib/clamav/quarantine --file-list=my_bins_apps.txt 2>/dev/null --log=/var/log/clamav/results.log
+case $? in
+    0)
+        /usr/bin/logger -t exescans -p local0.info "System Bin clamscan Complete - All Okay..."
+        /usr/bin/echo "All is well!!! No Viruses found..."
+        ;;
+    1)
+        /usr/bin/logger -t exescans -p local0.info "System Bin clamscan Complete - Visus Found!!! Check /var/lib/clamav/quarantine"
+        /usr/bin/echo "Oh, No!! Virus Found!! Check /var/lib/clamav/quarantine"
+        ;;
+    2)
+        /usr/bin/logger -t exescans -p local0.info "System Bin clamscan Complete - Some Errors occurred...but should be Virus Free."
+        /usr/bin/echo "All done...some errors found...but should be Virus Free."
+        ;;
+    *)
+        /usr/bin/logger -t exescans -p local0.info "System Bin clamscan Complete - in a Unknown Status..."
+        /usr/bin/echo "All done unknown state..."
+        ;;
+esac
+#/usr/bin/echo "Rotating logs..."
+#/usr/bin/sudo /usr/sbin/logrotate -vf /etc/logrotate.d/exescans
+
+/usr/bin/echo "Done -- you may: \$ rm my_bins_apps"
+/usr/bin/echo "If you want to: \$ service execguard start"
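Review bot: The second `chmod 640` that follows `chown clamav:clamav /var/log/clamav/results.log` targets `/var/log/exescans.log` again, so `/var/log/clamav/results.log` keeps whatever mode `sudo touch` gave it (typically 644, readable by every local user); that line should read `/usr/bin/sudo /usr/bin/chmod 640 /var/log/clamav/results.log`. The script also stops execguard before the scan and never starts it again (the closing echo only suggests it), so every run leaves the host fail-open until someone remembers; a `trap '/usr/bin/sudo /usr/sbin/service execguard start' EXIT` placed right after the stop line restores enforcement on both the normal path and the `exit 1` path. Note that `--move=/var/lib/clamav/quarantine` is applied to the dump of the `allowed` table, i.e. the system's own executables, so a single false positive relocates a required binary; consider `--copy` or an alert-only run for this list and add a comment stating that trade-off. Finally, `2>/dev/null` discards the only diagnostics for the exit-status-2 branch, so dropping it, or redirecting stderr into `/var/log/clamav/results.log` as well, keeps the "some errors occurred" case debuggable.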