ClamAV on Centos7

by Web HEP -
Number of replies: 8

Hello,

We have Moodle 2.6 installed on RHEL 6.6 with ClamAV (V. 0.98.3-1.el6) installed. Everything is working fine. Now we would like to "migrate" to Moodle 2.8 on a CentOS 7 server, but we have some problems with the ClamAV configuration (V. 0.98.7-1) on our new VM.

I've installed ClamAV with globally the same configuration used in our previous installation (RHEL 6.6). When I try to upload a file on Moodle, I receive this message:

########################################################
Failed to parse reply: "No file descriptor received. ERROR"


----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
########################################################

If I try to perform a scan locally on a 777 file, I get the following error:
clamdscan /var/tmp/testpdf.pdf
########################################################
/var/tmp/testpdf.pdf: lstat() failed: No such file or directory. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
[root@xxxxxx tmp]#
########################################################

We don't have any error when starting the daemon.
########################################################
# systemctl start clamd@scan
# systemctl status clamd@scan
clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled)
   Active: active (running) since mer 2015-07-01 11:37:27 CEST; 1s ago
 Main PID: 10203 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─10203 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes

jui 01 11:37:27 xxx.xxx.xx systemd[1]: Started Generic clamav scanner daemon.
########################################################

Of course, selinux is set to "permissive" and we have disabled the firewall in order to perform our tests.

If I set clamscan instead of clamdscan in the Moodle settings, it works, but it takes a lot of time when scanning files (using the daemon is way faster).

If someone can help or has an idea, it would be really appreciated! :)

Regards,
Diego
In reply to Web HEP

Re: ClamAV on Centos7

by Jeff White -

I thought ClamAV or any other antivirus tool would not be able to scan files loaded onto Moodle's moodledata after the fact and can only be scanned as it is being received since the file is encrypted once loaded to moodledata. 

You are saying Moodle is slow when scanning the files or do you mean uploading files is slow when Clam AV is configured within Moodle? 

In reply to Jeff White

Re: ClamAV on Centos7

by Web HEP -

Hello Jeff,

Thanks for your reply. Well, in fact, Moodle scans a file before moving it to the moodledata directory. Moodle uses the PHP "exec" function to execute clamdscan.

For example: exec("/usr/bin/clamdscan --stdout --fdpass '/tmp/phpbR83ik'");

// You are saying Moodle is slow when scanning the files or do you mean uploading files is slow when Clam AV is configured within Moodle?
Yes. When I specify /usr/bin/clamscan instead of /usr/bin/clamdscan (d for daemon), it works but takes 8s to scan a 7k pdf file, because ClamAV needs to load all its virus databases before testing the file. That's why we're definitely trying to make it work with the daemon :)

Regards,
Diego





In reply to Web HEP

Re: ClamAV on Centos7

by Paul Verrall -

It seems you have already ruled Moodle out of the equation as your clamdscan fails from the command line. 

At the risk of sounding unhelpful you may get more useful assistance from a RHEL/Centos or ClamAV forum....

In reply to Paul Verrall

Re: ClamAV on Centos7

by Web HEP -

Hello Paul,

Thanks for your message. Yes, you're totally right. I was hoping that we were not the only ones on earth using Moodle with CentOS 7 and ClamAV :)

I will post the solution if we find it one day :P

Regards,

Diego

In reply to Web HEP

Re: ClamAV on Centos7

by Jarno Huuskonen -

Hi,

Are you using apache as your webserver? AFAIK CentOS/RHEL 7 apache has (systemd) PrivateTmp=true

(systemctl show httpd.service | grep PrivateTmp)

Try setting (create /etc/systemd/system/httpd.service.d/httpd.conf:

[Service]
PrivateTmp=false

) and restart apache (systemctl daemon-reload / systemctl restart httpd).


-Jarno

Average of ratings:Useful (3)
In reply to Jarno Huuskonen

Re: ClamAV on Centos7

by Web HEP -

Hello !

Thanks for your reply and sorry for my late answer. I have tested but unfortunately got the same error :(

No file descriptor received. ERROR

Are you using the same config on your side (and is it working :))?

Regards,

Diego

In reply to Web HEP

Re: ClamAV on Centos7

by Jarno Huuskonen -
Hi,

Yes, setting "PrivateTmp=false" fixed moodle / clamdscan for us.
(We compile clamav ourselves. Are you using clamav from the epel repository?)
(AFAIK epel clamd@scan.service also has PrivateTmp=true ... maybe test with false (and remember to restart the service).)

Does clamdscan work as user apache (create /tmp/mytest.file file):

su -s/bin/bash - apache
chmod 644 /tmp/mytest.file
clamdscan --stdout --fdpass /tmp/mytest.file

-Jarno

In reply to Web HEP

Re: ClamAV on Centos7

by Web HEP -

Hello,

We finally figured it out and found a way to make it work correctly for us on CentOS 7! If someone else is interested, here is our little "walkthrough":

#install epel
yum install epel-release -y

#install clamAV
yum install clamav clamav-scanner-systemd clamav-update

#edit clamav config
vi /etc/clamd.d/scan.conf


/etc/clamd.d/scan.conf*
PREVIOUS                                     | BECAME
Example                                      | #Example
#LocalSocket /var/run/clamd.scan/clamd.sock  | LocalSocket /var/run/clamd.scan/clamd.sock
#FixStaleSocket yes                          | FixStaleSocket yes

*check other settings to match with your needs...

#Update freshclam config
vi /etc/freshclam.conf


/etc/freshclam.conf
PREVIOUS  | BECAME
Example   | #Example


#Add a symbolic link in order to use defined config
ln -s /etc/clamd.d/scan.conf /etc/clamd.conf

#Allow auto-update
vi /etc/sysconfig/freshclam


/etc/sysconfig/freshclam
PREVIOUS                                   | BECAME
FRESHCLAM_DELAY=disabled-warn # REMOVE ME  | #FRESHCLAM_DELAY=disabled-warn


#Allow clam to scan files (selinux)
setsebool -P antivirus_can_scan_system 1

#Start clam and enable it on startup
systemctl start clamd@scan
systemctl enable clamd@scan

#Add user clamscan and clamupdate to apache group (!!!) > so http will be allowed to use clamdscan (access to clamav socket...)
usermod -a -G clamscan apache
usermod -a -G clamscan clamupdate

#Create a selinux package in order to allow apache to use clamav
cd /usr/share/selinux/packages/
mkdir clamdscan
#Create a file "clamdscan.te" with following contents
vi /usr/share/selinux/packages/clamdscan/clamdscan.te

module clamdscan 1.0;

require {
    type httpd_t;
    type httpd_tmp_t;
    type clamscan_exec_t;
    type clamscan_t;
    type clamd_t;
    class dir {read search getattr};
    class file {read open getattr execute};
    class sock_file write;
    class unix_stream_socket connectto;
    class fifo_file {getattr write};
    class process sigchld;
}

#============= httpd_t ==============
allow httpd_t clamscan_exec_t:dir {read search getattr};
allow httpd_t clamscan_exec_t:file {read open getattr execute};
allow httpd_t clamscan_exec_t:sock_file write;
allow httpd_t clamscan_exec_t:unix_stream_socket connectto;

#============= clamscan_t ===========
allow clamscan_t httpd_t:fifo_file {getattr write};
allow clamscan_t httpd_t:process sigchld;
allow clamscan_t httpd_tmp_t:file {read getattr};

#============== clamd_t =============
allow clamd_t httpd_tmp_t:file {read getattr open};

#Compile selinux module
cd clamdscan
checkmodule -M -m -o clamdscan.mod clamdscan.te
#Create a package with this module
semodule_package -o clamdscan.pp -m clamdscan.mod
#Install package
semodule -i clamdscan.pp

#reboot the server..
reboot

#make some tests :P
freshclam
su -s/bin/bash - apache
touch /tmp/mytest.file
chmod 644 /tmp/mytest.file
clamdscan --stdout --fdpass /tmp/mytest.file

#on moodle administration change these settings
runclamonupload => must be ticked
pathtoclam => /usr/bin/clamdscan

Regards,
Diego
Average of ratings:Useful (3)
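
An added example, not part of the posts above and not code from Moodle or ClamAV: a shell audit of the scan.conf edits and the group membership step from the walkthrough. The function names are hypothetical; the paths, user and group names are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# paths, user and group are the ones the walkthrough uses.

# Print the value of the last active (uncommented) directive $2 in file $1.
conf_value() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
                     END { print val }' "$1"
}

# Return 0 if user $1 is a member of group $2 (the usermod step).
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Return 0 if config file $1 carries the walkthrough's edits, 1 otherwise.
audit_clamd_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    # clamd refuses a config that still has an active "Example" line.
    if grep -Eq '^[[:space:]]*Example([[:space:]]|$)' "$conf"; then
        echo "FAIL: 'Example' is still active in $conf"
        rc=1
    fi
    sock=$(conf_value "$conf" LocalSocket)
    if [ -z "$sock" ]; then
        # clamdscan --fdpass is only available over a local (unix) socket.
        echo "FAIL: LocalSocket is not set in $conf"
        rc=1
    elif [ -S "$sock" ] && [ ! -w "$sock" ]; then
        echo "FAIL: current user cannot write to $sock"
        rc=1
    else
        echo "OK: LocalSocket $sock"
    fi
    return $rc
}

# Run the checks only when asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_clamd_conf "${2:-/etc/clamd.d/scan.conf}"
    in_group apache clamscan || echo "FAIL: apache is not in group clamscan"
fi
```

Run it with `--run` from a shell opened as the apache user, so that the socket write check reflects what the web server is allowed to do.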