I tried installing the ClamAV antivirus software on CentOS 8.
ClamAV
https://www.clamav.net/
The 5 Best (Really Free) Antivirus Protection for Linux in 2020
https://ja.safetydetectives.com/blog/best-antivirus-for-linux-ja/
Since the free edition of Sophos Antivirus for Linux has been discontinued, I wondered whether ClamAV would do as a replacement. Then I remembered that I had installed it once before.
- Install the epel repository
- Install ClamAV
- Edit the configuration file
- Update the definition files
- Create /var/log/freshclam.log
- Update the definition files
- Check the Database information
- Configure automatic updates
- Specify the user to run as
- Change the PID file location and create it
The CentOS build of ClamAV is provided by the epel repository.
```
[root@centos8 ~]# dnf -y install epel-release
[root@centos8 ~]# dnf search clam
=============================== Name & Summary Matched: clam ================================
clamd.x86_64 : The Clam AntiVirus Daemon
clamav-filesystem.noarch : Filesystem structure for clamav
clamav.x86_64 : End-user tools for the Clam Antivirus scanner
clamav-milter.x86_64 : Milter module for the Clam Antivirus scanner
clamav-lib.x86_64 : Dynamic libraries for the Clam Antivirus scanner
clamav-data.noarch : Virus signature data for the Clam Antivirus scanner
clamav-update.x86_64 : Auto-updater for the Clam Antivirus scanner data-files
clamav-devel.x86_64 : Header files and libraries for the Clam Antivirus scanner
clamav-unofficial-sigs.noarch : Scripts to download unofficial clamav signatures
```
For now I installed the packages that looked necessary: clamd, clamav, clamav-milter and clamav-update.
```
[root@centos8 ~]# dnf install clamd clamav clamav-milter clamav-update
Last metadata expiration check: 0:01:18 ago on Sat Nov 21 14:24:48 2020.
Dependencies resolved.
=============================================================================================
 Package               Architecture   Version               Repository    Size
=============================================================================================
Installing:
 clamav                x86_64         0.102.4-1.el8         epel         454 k
 clamav-milter         x86_64         0.102.4-1.el8         epel         123 k
 clamav-update         x86_64         0.102.4-1.el8         epel         128 k
 clamd                 x86_64         0.102.4-1.el8         epel         118 k
Installing dependencies:
 clamav-filesystem     noarch         0.102.4-1.el8         epel          42 k
 clamav-lib            x86_64         0.102.4-1.el8         epel         825 k
 libprelude            x86_64         5.2.0-1.el8           epel         326 k
 sendmail-milter       x86_64         8.15.2-32.el8         AppStream     82 k

Transaction Summary
=============================================================================================
Install  8 Packages

Total download size: 2.0 M
Installed size: 7.0 M
Is this ok [y/N]: y
Downloading Packages:
(snip)
Installed:
  clamav-0.102.4-1.el8.x86_64             clamav-filesystem-0.102.4-1.el8.noarch
  clamav-lib-0.102.4-1.el8.x86_64         clamav-milter-0.102.4-1.el8.x86_64
  clamav-update-0.102.4-1.el8.x86_64      clamd-0.102.4-1.el8.x86_64
  libprelude-5.2.0-1.el8.x86_64           sendmail-milter-8.15.2-32.el8.x86_64

Complete!
```
Edit the configuration file /etc/freshclam.conf. To see what has been changed from the default settings, use the clamconf command.
Right after installation the Database information section shows signatures: 0.
```
[root@centos8 ~]# clamconf -n
Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogSyslog = "yes"
User = "clamscan"

Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"

Config file: mail/clamav-milter.conf
------------------------------------
ERROR: Please edit the example config file /etc/mail/clamav-milter.conf

Software settings
-----------------
Version: 0.102.4
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
Total number of signatures: 0
(snip)
```
The default /etc/freshclam.conf:
```
[root@centos8 ~]# cat /etc/freshclam.conf
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##

# Comment or remove the line below.
#Example

# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav

# Path to the log file (make sure it has proper permissions)
# Default: disabled
#UpdateLogFile /var/log/freshclam.log

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M

# Log time with each message.
# Default: no
#LogTime yes

# Enable verbose logging.
# Default: no
#LogVerbose yes

# Use system logger (can work together with UpdateLogFile).
# Default: no
#LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes

# This option allows you to save the process identifier of the daemon
# Default: disabled
#PidFile /var/run/freshclam.pid

# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamupdate

# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net

# database.clamav.net is now the primary domain name to be used world-wide.
# Now that CloudFlare is being used as our Content Delivery Network (CDN),
# this one domain name works world-wide to direct freshclam to the closest
# geographic endpoint.
# If the old db.XY.clamav.net domains are set, freshclam will automatically
# use database.clamav.net instead.
DatabaseMirror database.clamav.net

# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5

# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes

# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no

# With this option you can provide custom sources for database files.
# This option can be used multiple times. Support for:
#   http(s)://, ftp(s)://, or file://
# Default: no custom URLs
#DatabaseCustomURL http://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com:4567/whitelist.wdb
#DatabaseCustomURL ftp://myserver.example.com/example.ldb
#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb

# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.example.com
#PrivateMirror mirror2.example.com

# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24

# Proxy settings
# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
# of proxy is used.
#   http://      HTTP Proxy. Default when no scheme or proxy type is specified.
#   https://     HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
#   socks4://    SOCKS4 Proxy.
#   socks4a://   SOCKS4a Proxy. Proxy resolves URL hostname.
#   socks5://    SOCKS5 Proxy.
#   socks5h://   SOCKS5 Proxy. Proxy resolves URL hostname.
# Default: disabled
#HTTPProxyServer https://proxy.example.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass

# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString

# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd

# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf

# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command

# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command

# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60

# Timeout in seconds when reading from database server.
# Default: 0
#ReceiveTimeout 1800

# With this option enabled, freshclam will attempt to load new
# databases into memory to make sure they are properly handled
# by libclamav before replacing the old ones.
# Default: yes
#TestDatabases yes

# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file
# (safebrowsing.cvd) which will be automatically loaded by clamd and
# clamscan during the next reload, provided that the heuristic phishing
# detection is turned on. This database includes information about websites
# that may be phishing sites or possible sources of malware. When using this
# option, it's mandatory to run freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google's
# terms of use.
# See https://transparencyreport.google.com/safe-browsing/overview
# and https://www.clamav.net/documents/safebrowsing for more information.
# Default: no
#SafeBrowsing yes

# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: yes
#Bytecode no

# Include an optional signature databases (opt-in).
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2

# Exclude a standard signature database (opt-out).
# This option can be used multiple times.
#ExcludeDatabase dbname1
#ExcludeDatabase dbname2
```
For now I changed the settings to the following.
```
[root@centos8 ~]# clamconf -n
Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogSyslog = "yes"
User = "clamscan"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "2097152"
LogTime = "yes"
LogRotate = "yes"
PidFile = "/var/run/freshclam.pid"
UpdateLogFile = "/var/log/freshclam.log"
Checks = "4"
DatabaseMirror = "database.clamav.net"
MaxAttempts = "5"
OnErrorExecute = "date | mail -s "ClamAV Defs Update Success" hogehoge@example.jp"
OnOutdatedExecute = "date | mail -s "ClamAV Defs Update Failure" hogehoge@example.jp"
(snip)
```
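The clamconf output is the place to catch configuration slips before the first update. The comments in the default file define OnUpdateExecute as the hook run after a successful update, OnErrorExecute as the hook run when an update fails, and OnOutdatedExecute as the hook run when freshclam itself is outdated; the same file warns that DatabaseDirectory must match clamd's. The script below is an added example, not part of the original post: it appends the three hooks pointing at a hypothetical notification script (/usr/local/sbin/freshclam-notify, assumed to exist), reads back the effective value of a directive (treating the last uncommented occurrence as the effective one, an assumption about the parser), and checks for a still-active Example line (the cause of the "Please edit the example config file" error shown above for clamav-milter.conf) and for a DatabaseDirectory mismatch between freshclam.conf and clamd.d/scan.conf. The configuration files it is exercised on are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): helpers for editing and
# sanity-checking freshclam.conf. The notification script path is hypothetical.
set -eu

# Assumed helper script; takes one word (updated|failed|outdated) and an optional version.
NOTIFY="${NOTIFY:-/usr/local/sbin/freshclam-notify}"

# Append the three freshclam hooks, each naming the event it fires for
# (success, failure, newer freshclam available), as the default file's comments define them.
# Arguments: config file, notification command.
write_freshclam_hooks() {
    local conf="$1" notify="$2"
    cat >> "$conf" <<EOF

# Notification hooks
OnUpdateExecute ${notify} updated
OnErrorExecute ${notify} failed
OnOutdatedExecute ${notify} outdated %v
EOF
}

# Print the effective value of a directive: the last uncommented "Key value"
# or "Key = value" line. Prints nothing if the directive is not set.
conf_value() {
    local conf="$1" key="$2"
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        $1 == key {
            line = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*(=[[:space:]]*)?/, "", line)
            sub(/[[:space:]]+$/, "", line)
            val = line                            # last occurrence wins (assumption)
        }
        END { if (val != "") print val }
    ' "$conf"
}

# Succeed if the "Example" marker shipped in the packaged config files is still
# active; clamconf and freshclam refuse such a file ("Please edit the example config file").
conf_is_still_example() {
    grep -Eq '^[[:space:]]*Example[[:space:]]*$' "$1"
}

# Succeed if freshclam and clamd agree on the database directory. An unset
# directive means the compiled-in default, taken here as /var/lib/clamav,
# the directory clamconf reports in the post.
db_dirs_match() {
    local fresh="$1" clamd="$2" default="${3:-/var/lib/clamav}"
    local a b
    a=$(conf_value "$fresh" DatabaseDirectory); a="${a:-$default}"
    b=$(conf_value "$clamd" DatabaseDirectory); b="${b:-$default}"
    [ "$a" = "$b" ]
}

# Run the checks against the real files when invoked as: ./freshclam-conf-check.sh --check
if [ "${1:-}" = "--check" ]; then
    for f in /etc/freshclam.conf /etc/clamd.d/scan.conf /etc/mail/clamav-milter.conf; do
        if conf_is_still_example "$f"; then echo "$f: Example line still active"; fi
    done
    db_dirs_match /etc/freshclam.conf /etc/clamd.d/scan.conf || echo "DatabaseDirectory mismatch"
fi
```

Run it with --check as root after editing; the hooks are appended with write_freshclam_hooks once the notification script is in place.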
It complains that /var/log/freshclam.log does not exist.
```
[root@centos8 ~]# freshclam -v
ERROR: Can't open /var/log/freshclam.log in append mode (check permissions!).
ERROR: Problem with internal logger (UpdateLogFile = /var/log/freshclam.log).
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!
```
```
[root@centos8 ~]# touch /var/log/freshclam.log
[root@centos8 ~]# chown clamupdate:clamupdate /var/log/freshclam.log
```
Since this is the first run I used verbose mode (-v). The update succeeded.
```
[root@centos8 ~]# freshclam -v
Sat Nov 21 17:34:32 2020 -> ClamAV update process started at Sat Nov 21 17:34:32 2020
Sat Nov 21 17:34:32 2020 -> *Current working dir is /var/lib/clamav/
Sat Nov 21 17:34:32 2020 -> *Querying current.cvd.clamav.net
Sat Nov 21 17:34:32 2020 -> *TTL: 1800
(snip)
Sat Nov 21 17:35:21 2020 -> Database test passed.
Sat Nov 21 17:35:21 2020 -> bytecode.cvd updated (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Sat Nov 21 17:35:21 2020 -> *fc_update_database: bytecode.cvd updated.
```
```
[root@centos8 ~]# clamconf -n
Checking configuration files in /etc
(snip)
Software settings
-----------------
Version: 0.102.4
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
daily.cvd: version 25994, sigs: 4347226, built on Fri Nov 20 22:09:26 2020
main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 22:56:15 2019
bytecode.cvd: version 331, sigs: 94, built on Fri Sep 20 01:12:33 2019
Total number of signatures: 8912222
(snip)
```
This time I set up the automatic update with systemd. If you would rather not have a resident process consuming resources just to update the definition files, crond seems the better choice.
```
[root@centos8 ~]# systemctl list-unit-files | grep clam
clamav-freshclam.service                   disabled
clamav-milter.service                      disabled
clamd@.service                             disabled
clamonacc.service                          disabled
[root@centos8 ~]# systemctl enable clamav-freshclam
Created symlink /etc/systemd/system/multi-user.target.wants/clamav-freshclam.service -> /usr/lib/systemd/system/clamav-freshclam.service.
[root@centos8 ~]# systemctl start clamav-freshclam
[root@centos8 ~]# systemctl status clamav-freshclam
* clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2020-11-21 17:40:14 JST; 5s ago
     Docs: man:freshclam(1)
           man:freshclam.conf(5)
           https://www.clamav.net/documents
  Process: 68128 ExecStart=/usr/bin/freshclam -d --foreground=true (code=exited, status=2)
 Main PID: 68128 (code=exited, status=2)

Nov 21 17:40:14 centos8.rootlinks.net systemd[1]: Started ClamAV virus database updater.
Nov 21 17:40:14 centos8.rootlinks.net freshclam[68128]: ERROR: Problem with internal logger (UpdateLogFile = /var/log/freshclam.log).
Nov 21 17:40:14 centos8.rootlinks.net freshclam[68128]: ERROR: initialize: libfreshclam init failed.
Nov 21 17:40:14 centos8.rootlinks.net freshclam[68128]: ERROR: Initialization error!
Nov 21 17:40:14 centos8.rootlinks.net freshclam[68128]: ERROR: Can't open /var/log/freshclam.log in append mode (check permissions!).
Nov 21 17:40:14 centos8.rootlinks.net systemd[1]: clamav-freshclam.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Nov 21 17:40:14 centos8.rootlinks.net systemd[1]: clamav-freshclam.service: Failed with result 'exit-code'.
```
Huh? "ERROR: Can't open /var/log/freshclam.log in append mode (check permissions!)."
I tried various owners and permissions on /var/log/freshclam.log, but the error would not go away, so I changed the user freshclam runs as to clamupdate.
```
[root@centos8 ~]# vi /usr/lib/systemd/system/clamav-freshclam.service
[root@centos8 ~]# cat /usr/lib/systemd/system/clamav-freshclam.service
[Unit]
Description=ClamAV virus database updater
Documentation=man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents
# If user wants it run from cron, don't start the daemon.
ConditionPathExists=!/etc/cron.d/clamav-freshclam
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/freshclam -d -u clamupdate --foreground=true
StandardOutput=syslog

[Install]
WantedBy=multi-user.target
```
```
[root@centos8 ~]# systemctl restart clamav-freshclam
[root@centos8 ~]# systemctl status clamav-freshclam
* clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-11-21 19:14:11 JST; 8s ago
     Docs: man:freshclam(1)
           man:freshclam.conf(5)
           https://www.clamav.net/documents
 Main PID: 5324 (freshclam)
    Tasks: 1 (limit: 49295)
   Memory: 1.9M
   CGroup: /system.slice/clamav-freshclam.service
           `-5324 /usr/bin/freshclam -d -u clamupdate --foreground=true

Nov 21 19:14:11 centos8.rootlinks.net systemd[1]: Started ClamAV virus database updater.
Nov 21 19:14:11 centos8.rootlinks.net freshclam[5324]: Sat Nov 21 19:14:11 2020 -> !Can't save PID to file /var/run/freshclam.pid: No >
Nov 21 19:14:11 centos8.rootlinks.net freshclam[5324]: Sat Nov 21 19:14:11 2020 -> ClamAV update process started at Sat Nov 21 19:14:11 2020
Nov 21 19:14:11 centos8.rootlinks.net freshclam[5324]: Sat Nov 21 19:14:11 2020 -> daily.cvd database is up to date (version: 25994, sigs: 434722>
Nov 21 19:14:11 centos8.rootlinks.net freshclam[5324]: Sat Nov 21 19:14:11 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f>
Nov 21 19:14:11 centos8.rootlinks.net freshclam[5324]: Sat Nov 21 19:14:11 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f>
```
This time it is "Can't save PID to file /var/run/freshclam.pid".
I edited freshclam.conf and set the PID file location to "/var/run/freshclam/freshclam.pid".
```
[root@centos8 ~]# vi /etc/freshclam.conf
PidFile = /var/run/freshclam/freshclam.pid
[root@centos8 ~]# mkdir /var/run/freshclam
[root@centos8 ~]# chown clamupdate:clamupdate /var/run/freshclam
[root@centos8 ~]# systemctl restart clamav-freshclam
[root@centos8 ~]# systemctl status clamav-freshclam
* clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-11-21 19:19:02 JST; 2s ago
     Docs: man:freshclam(1)
           man:freshclam.conf(5)
           https://www.clamav.net/documents
 Main PID: 5351 (freshclam)
    Tasks: 1 (limit: 49295)
   Memory: 1.9M
   CGroup: /system.slice/clamav-freshclam.service
           `-5351 /usr/bin/freshclam -d -u clamupdate --foreground=true

Nov 21 19:19:02 centos8.rootlinks.net systemd[1]: Started ClamAV virus database updater.
Nov 21 19:19:02 centos8.rootlinks.net freshclam[5351]: Sat Nov 21 19:19:02 2020 -> ClamAV update process started at Sat Nov 21 19:19:02 2020
Nov 21 19:19:02 centos8.rootlinks.net freshclam[5351]: Sat Nov 21 19:19:02 2020 -> daily.cvd database is up to date (version: 25994, sigs: 4347226, f-level: 63, builder: raynman)
Nov 21 19:19:02 centos8.rootlinks.net freshclam[5351]: Sat Nov 21 19:19:02 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Nov 21 19:19:02 centos8.rootlinks.net freshclam[5351]: Sat Nov 21 19:19:02 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
```
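The three fixes above (log file ownership, the run-as user, the PID directory) can be done in one place and made to survive a reboot and a package update. The script below is an added example, not part of the original post: it creates the log file and runtime directory owned by the update user, writes a systemd drop-in override instead of editing the vendor unit under /usr/lib (which the next package update would overwrite), and registers the PID directory with systemd-tmpfiles, because /var/run is a symlink to the tmpfs /run on CentOS 8 and a directory created there with mkdir is gone after a reboot. The user clamupdate and the paths are those from the post; the override file and tmpfiles.d file names are the script's own choice. Everything is parameterised so the functions can be exercised in a scratch directory as a non-root user.

```bash
#!/bin/bash
# Added example (not from the original post). Prepares the paths freshclam
# needs when it drops to an unprivileged user under systemd, and verifies them.
set -eu

FRESHCLAM_USER="${FRESHCLAM_USER:-clamupdate}"     # user[:group] owning the log and PID dir
LOG_FILE="${LOG_FILE:-/var/log/freshclam.log}"
RUN_DIR="${RUN_DIR:-/run/freshclam}"               # /var/run/freshclam in the post; /var/run -> /run
DROPIN="${DROPIN:-/etc/systemd/system/clamav-freshclam.service.d/override.conf}"   # chosen name
TMPFILES="${TMPFILES:-/etc/tmpfiles.d/freshclam.conf}"                              # chosen name

# Create the log file and the runtime directory, both owned by the update user.
# Arguments: log file, runtime directory, owner (user[:group]).
prepare_freshclam_paths() {
    local log="$1" rundir="$2" owner="$3"
    touch "$log"
    chown "$owner" "$log"
    chmod 0640 "$log"          # only the updater writes it; nobody else needs access
    mkdir -p "$rundir"
    chown "$owner" "$rundir"
    chmod 0755 "$rundir"
}

# Succeed only if the path is owned by the expected user and the owner write
# bit is set: the condition behind the "check permissions!" error in the post.
# Checks mode bits rather than -w, which is always true for root. Uses GNU stat.
check_owner_writable() {
    local path="$1" owner="${2%%:*}"
    [ "$(stat -c %U "$path")" = "$owner" ] || return 1
    case "$(stat -c %A "$path")" in
        ??w*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Write a drop-in that replaces ExecStart instead of editing the vendor unit.
# The empty ExecStart= line clears the vendor value; without it a drop-in appends.
# Arguments: drop-in path, user passed to freshclam -u.
write_freshclam_override() {
    local dropin="$1" user="$2"
    mkdir -p "$(dirname "$dropin")"
    cat > "$dropin" <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/freshclam -d -u ${user} --foreground=true
EOF
}

# Register the runtime directory with systemd-tmpfiles so it is recreated at
# boot with the right owner. Arguments: tmpfiles.d path, directory, owner.
write_freshclam_tmpfiles() {
    local conf="$1" rundir="$2" owner="${3%%:*}"
    mkdir -p "$(dirname "$conf")"
    printf 'd %s 0755 %s %s -\n' "$rundir" "$owner" "$owner" > "$conf"
}

# Apply everything with the real paths when run as root: ./freshclam-paths.sh --apply
if [ "${1:-}" = "--apply" ]; then
    prepare_freshclam_paths "$LOG_FILE" "$RUN_DIR" "$FRESHCLAM_USER"
    write_freshclam_override "$DROPIN" "${FRESHCLAM_USER%%:*}"
    write_freshclam_tmpfiles "$TMPFILES" "$RUN_DIR" "$FRESHCLAM_USER"
    systemd-tmpfiles --create "$TMPFILES"
    systemctl daemon-reload
    check_owner_writable "$LOG_FILE" "$FRESHCLAM_USER"
    check_owner_writable "$RUN_DIR" "$FRESHCLAM_USER"
fi
```

With the drop-in in place, `systemctl cat clamav-freshclam` shows the vendor unit followed by the override, and `systemctl restart clamav-freshclam` picks it up; PidFile in freshclam.conf must point into the registered directory, as in the post.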
The errors are gone.
It checks 4 times a day (every 6 hours); the log shows that it ran, but there was no update to the definition files. I wonder how often they get updated.
```
Sun Nov 22 07:27:07 2020 -> Received signal: wake up
Sun Nov 22 07:27:07 2020 -> ClamAV update process started at Sun Nov 22 07:27:07 2020
Sun Nov 22 07:27:08 2020 -> daily.cld database is up to date (version: 25995, sigs: 4347666, f-level: 63, builder: raynman)
Sun Nov 22 07:27:08 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Sun Nov 22 07:27:08 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Sun Nov 22 07:27:08 2020 -> --------------------------------------
```
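Whether a run actually changed anything can be read from the log itself: a database line says "database is up to date" when nothing changed and "updated" when a new version was installed, and a monitoring job can also raise an alarm when no run has started for longer than the configured interval. The script below is an added example, not part of the original post; the log it parses is constructed here in the format the post's log shows. With Checks=4 as in the post, twice the six-hour interval is a sensible staleness threshold.

```bash
#!/bin/bash
# Added example (not from the original post): summarise a freshclam.log so a
# monitoring job can tell "ran, nothing new" from "ran and updated" from
# "has not run for too long". The sample log is constructed in the post's format.
set -eu

SAMPLE_LOG='Sat Nov 21 19:19:02 2020 -> ClamAV update process started at Sat Nov 21 19:19:02 2020
Sat Nov 21 19:19:02 2020 -> daily.cvd database is up to date (version: 25994, sigs: 4347226, f-level: 63, builder: raynman)
Sat Nov 21 19:19:02 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Sat Nov 21 19:19:02 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Sat Nov 21 19:19:02 2020 -> --------------------------------------
Sun Nov 22 01:27:05 2020 -> Received signal: wake up
Sun Nov 22 01:27:05 2020 -> ClamAV update process started at Sun Nov 22 01:27:05 2020
Sun Nov 22 01:27:20 2020 -> Database test passed.
Sun Nov 22 01:27:20 2020 -> daily.cld updated (version: 25995, sigs: 4347666, f-level: 63, builder: raynman)
Sun Nov 22 01:27:20 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Sun Nov 22 01:27:20 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Sun Nov 22 01:27:20 2020 -> --------------------------------------
Sun Nov 22 07:27:07 2020 -> Received signal: wake up
Sun Nov 22 07:27:07 2020 -> ClamAV update process started at Sun Nov 22 07:27:07 2020
Sun Nov 22 07:27:08 2020 -> daily.cld database is up to date (version: 25995, sigs: 4347666, f-level: 63, builder: raynman)
Sun Nov 22 07:27:08 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Sun Nov 22 07:27:08 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Sun Nov 22 07:27:08 2020 -> --------------------------------------'

# Latest known version of each database as "name version" lines, taken from
# both "database is up to date" and "updated" lines. Reads the log on stdin.
latest_db_versions() {
    awk '
        match($0, /(daily|main|bytecode)\.c[lv]d (database is up to date|updated) \(version: [0-9]+/) {
            s = substr($0, RSTART, RLENGTH)
            name = s; sub(/\.c[lv]d .*/, "", name)
            ver = s;  sub(/.*version: /, "", ver)
            latest[name] = ver
        }
        END { for (n in latest) print n, latest[n] }
    ' | sort
}

# Number of signature updates actually applied (one per "updated" line).
count_updates() {
    grep -c ' updated (version: ' || true
}

# Timestamp of the last update run, e.g. "Sun Nov 22 07:27:07 2020".
last_run_started() {
    awk '/ -> ClamAV update process started at / { ts = $0; sub(/ -> .*/, "", ts) }
         END { if (ts != "") print ts }'
}

# Succeed if the last run started no more than max_age seconds ago; return 1
# when stale or no run is logged, 2 when the timestamp cannot be parsed.
# Uses GNU date -d.
last_run_within() {
    local max_age="$1" ts started now
    ts=$(last_run_started)
    [ -n "$ts" ] || return 1
    started=$(LC_ALL=C date -d "$ts" +%s 2>/dev/null) || return 2
    now=$(date +%s)
    [ $((now - started)) -le "$max_age" ]
}

# Summary over the constructed sample; point the functions at /var/log/freshclam.log in production.
printf '%s\n' "$SAMPLE_LOG" | latest_db_versions
printf 'updates applied: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_updates)"
printf 'last run started: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | last_run_started)"
```

For a cron-driven check, `last_run_within 43200 < /var/log/freshclam.log || echo "freshclam stale"` gives the alarm condition; the same log is what LogRotate must keep writable for the update user, which is the concern raised below.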
All that remains is for logrotate to work properly.
I have seen a few articles saying that logrotate changes the owner of the log file and updates then stop working.