--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+# This file is sourced as a shell script
+# It's only purpose is to exclude user defined
+# file types and directories from the clamscan
+# process triggered by
+# /etc/cron.daily/clamav
+#
+# FINDFILEFILTER. This parameter should be defined as an array of "find" file filter arguments
+# See "man find" for help on file filters for the "find" command
+#
+# FINDPRUNEFILTER. This parameter should be defined as an array of "find" path prune filter arguments
+# See "man find" for help on pruning paths for the "find" command
+#
+# EXAMPLES:
+# FIND_FILE_FILTER_ARRAY=(! -iname '*.vdi' ! -iname '*.mp4' ! -name 'Hello World*')
+# FIND_PRUNE_FILTER_ARRAY="/proc|/run|/home/user/VirtualBox VMs"
+
+FIND_FILE_FILTER_ARRAY=(! -iname '*.vdi' ! -name '*.iso')
+FIND_PRUNE_FILTER_ARRAY=(\( -path /proc -o -path /run -o -path /dev -o -path /sys \) -prune -o)
--- /dev/null
+#!/bin/bash
+
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+#
+# This script runs a virus scan on a Linux client using clamav. It is stored in
+# /etc/cron.daily so that it does a scan daily. Once an initial scan is
+# performed, the script only scans changed files. Files and directories can be
+# excluded by updating the etc/clamav/clamscan_excludes.conf file.
+#
+
+# Use notify-send to put a message on the user's display
+function notify-send-user() {
+ #Detect the name of the display in use
+ local display=":$(ls /tmp/.X11-unix/* | sed 's#/tmp/.X11-unix/X##' | head -n 1)"
+
+ #Detect the user using such display
+ local user=$(who | grep '('$display')' | awk '{print $1}')
+
+ #Detect the id of the user
+ local uid=$(id -u $user)
+
+ sudo -u $user DISPLAY=$display DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$uid/bus notify-send "$@"
+}
+
+# Set the various configuration variables for the script
+SCANLOG="/var/log/clamav/scan.log"
+ERRORLOG="/var/log/clamav/error.log"
+SCANEXC="/etc/clamav/clamscan_excludes.conf"
+SCANQNT="/var/.quatrantine"
+
+# Check if clamav is installed
+DATE=`date -u`
+
+if [ ! -f /var/lib/clamav/daily.cld -o ! -x /usr/bin/clamscan -o ! -d /var/log/clamav ]
+then
+ echo "$DATE: clamav is not installed or is incorrectly installed." >> $ERRORLOG
+ notify-send-user -i /usr/share/pixmaps/clamtk.png -u critical "clamav: software not installed correctly"
+ exit 1
+fi
+
+# Check if the excludes file exists
+if [ ! -f $SCANEXC ]
+then
+ echo "$DATE: File $SCANEXC does not exist." >> $ERRORLOG
+ notify-send-user -i /usr/share/pixmaps/clamtk.png -u critical "clamav: File $SCANEXC not found"
+ exit 2
+fi
+
+# Read and set up the path and file excludes
+. $SCANEXC >/dev/null 2>&1
+
+# File permissions for file creations
+umask 0027
+
+# Create the scan log file if it doesn't exist
+if [ -f $SCANLOG ]
+then
+ # Compress the previous scan log
+ TIMESTAMP=`date +"%s"`
+ gzip -9 -c $SCANLOG > ${SCANLOG}-${TIMESTAMP}.gz
+else
+ touch -t 000001010000 $SCANLOG
+fi
+
+# Find the files that should be scanned in this scan
+SCANFIL=`mktemp "/tmp/clamscan_files.XXXXXX"`
+ionice -c 3 nice find / "${FIND_PRUNE_FILTER_ARRAY[@]}" -newer ${SCANLOG} -type f "${FIND_FILE_FILTER_ARRAY[@]}" >> $SCANFIL
+
+# Clear the daa for the previous scan
+rm $SCANLOG
+
+# Run the scan
+mkdir -p $SCANQNT
+ionice -c 3 nice /usr/bin/clamscan --file-list=$SCANFIL --log=$SCANLOG --infected --copy=$SCANQNT >/dev/null 2>&1
+
+DATE=`date -u`
+echo "Finish time: $DATE" >> $SCANLOG
+
+# Check if any viruses were found
+INFECTED_FILE_COUNT=`grep '^Infected files: ' /var/log/clamav/scan.log | sed 's/^Infected files: //'`
+if [ "$INFECTED_FILE_COUNT" -gt "0" ]
+then
+ notify-send-user -i /usr/share/pixmaps/clamtk.png -u critical "clamav: $INFECTED_FILE_COUNT infected files found" "see $SCANLOG for details"
+ exit 3
+fi
+
+rm -f $SCANFIL
+exit 0
Code Review / infra / tools.git / commitdiff