[infra/tools.git] / clamav / etc / cron.daily / clamav

#!/bin/bash

# ============LICENSE_START=======================================================
#  Copyright (C) 2019 The Nordix Foundation. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# ============LICENSE_END=========================================================

#
# This script runs a virus scan on a Linux client using clamav. It is stored in
# /etc/cron.daily so that it does a scan daily. Once an initial scan is
# performed, the script only scans changed files. Files and directories can be
# excluded by updating the etc/clamav/clamscan_excludes.conf file.
#

# Use notify-send to put a message on the user's display
function notify-send-user() {
    #Detect the name of the display in use
    local display=":$(ls /tmp/.X11-unix/* | sed 's#/tmp/.X11-unix/X##' | head -n 1)"

    #Detect the user using such display
    local user=$(who | grep '('$display')' | awk '{print $1}')

    #Detect the id of the user
    local uid=$(id -u $user)

    sudo -u $user DISPLAY=$display DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$uid/bus notify-send "$@"
}

# Set the various configuration variables for the script
SCANLOG="/var/log/clamav/scan.log"
ERRORLOG="/var/log/clamav/error.log"
SCANEXC="/etc/clamav/clamscan_excludes.conf"
SCANQNT="/var/.quatrantine"

# Check if clamav is installed
DATE=`date -u`

if [ ! -f /var/lib/clamav/daily.cvd -o ! -x /usr/bin/clamscan -o ! -d /var/log/clamav ]
then
  echo "$DATE: clamav is not installed or is incorrectly installed." >> $ERRORLOG
  notify-send-user -i /usr/share/pixmaps/clamtk.png -u critical  "clamav: software not installed correctly"
  chmod a+r $ERRORLOG
  exit 1
fi

# Check if the excludes file exists
if [ ! -f $SCANEXC ]
then
  echo "$DATE: File $SCANEXC does not exist." >> $ERRORLOG
  chmod a+r $ERRORLOG
  notify-send-user -i /usr/share/pixmaps/clamtk.png -u critical  "clamav: File $SCANEXC not found"
  exit 2
fi

# Read and set up the path and file excludes
. $SCANEXC >/dev/null 2>&1

# Create the scan log file if it doesn't exist
if [ -f $SCANLOG ]
then
  # Compress the previous scan log
  TIMESTAMP=`date +"%Y-%m-%d_%T"`
  gzip -9 -c $SCANLOG > ${SCANLOG}-${TIMESTAMP}.gz
else
  touch -t 000001010000 $SCANLOG
fi

# Find the files that should be scanned in this scan
SCANFIL=`mktemp "/tmp/clamscan_files.XXXXXX"`
ionice -c 3 nice find / "${FIND_PRUNE_FILTER_ARRAY[@]}" -newer ${SCANLOG} -type f "${FIND_FILE_FILTER_ARRAY[@]}" >> $SCANFIL

# Clear the daa for the previous scan
rm $SCANLOG

# Run the scan
mkdir -p $SCANQNT
ionice -c 3 nice /usr/bin/clamscan --file-list=$SCANFIL --log=$SCANLOG --infected --copy=$SCANQNT >/dev/null 2>&1

echo "Finish time: $DATE" >> $SCANLOG

chmod a+r $SCANLOG

# Check if any viruses were found
INFECTED_FILE_COUNT=`grep '^Infected files: ' /var/log/clamav/scan.log | sed 's/^Infected files: //'`
if [ "$INFECTED_FILE_COUNT" -gt "0" ]
then
  notify-send-user -i /usr/share/pixmaps/clamtk.png -u critical  "clamav: $INFECTED_FILE_COUNT infected files found" "see $SCANLOG for details"
  exit 3
fi

rm -f $SCANFIL

exit 0