Tiny Core Linux

Tiny Core Extensions => TCE Talk => Topic started by: remus on November 30, 2011, 10:12:29 PM

Title: On Access Virus Protection ?
Post by: remus on November 30, 2011, 10:12:29 PM
I'm in the process of building a remastered tinycore CD that works as a Samba file server for windows clients.

I'd like to give the server some kind of resident anti virus protection, so that if a windows user tries to copy an infected file to the server, the server will detect the infection and block the file copy process.

I know there is a clam av extension, that seems to be an on-demand scanner. Anyone know if Clam av can do this or if there is an extension that does the job ?
Title: Re: On Access Virus Protection ?
Post by: Rich on December 01, 2011, 02:24:15 AM
Hi remus
Samba-Vscan looks like what you are looking for. Not sure if it's actively being supported.
Title: Re: On Access Virus Protection ?
Post by: vinnie on December 01, 2011, 07:45:19 AM
Searching on the internet I found these 4 progs: clamfs, avfs, dazuko and samba-vscan (http://www.linuxquestions.org/questions/debian-26/clamav-real-time-on-access-scanning-658885/)
Title: Re: On Access Virus Protection ?
Post by: remus on December 01, 2011, 07:53:41 PM
Thx Rich, I found those as well.

I could not find them as extensions, so I've started reading the wiki about how to create an extension. The process looks doable.
Title: Re: On Access Virus Protection ?
Post by: Rich on December 02, 2011, 02:37:12 AM
Hi remus
This link provides a little more information about the interfaces mentioned by vinnie.
http://www.clamav.net/lang/en/download/third-party-tools/3rdparty-fs/
Title: Re: On Access Virus Protection ?
Post by: remus on December 04, 2011, 10:27:48 PM
Thx Rich,

Avfs looks like a good solution, I'm currently trying to find the install files.
Title: Re: On Access Virus Protection ?
Post by: remus on December 05, 2011, 12:45:13 AM
Having trouble finding an active Avfs website. I did find something that seemed to be related to virtual file systems, not anti virus file systems.

Sooo I'm on to looking into clamfs.

I've just had a quick read through "make your own extension" wiki, and I think I have to learn a bit about "compiling from source" and getting dependencies.

I can start googling the subject in general, I would appreciate any suggestions that might be tinycore specific :)
Title: Re: On Access Virus Protection ?
Post by: coreplayer2 on December 07, 2011, 06:29:21 PM
clamav is already available as an extension :)
Title: Re: On Access Virus Protection ?
Post by: remus on December 08, 2011, 12:34:41 AM
Thx for input coreplayer2, clamav is on demand scanning, and does not provide on access real time anti virus protection.

clamfs configuration file does not appear to be included with clamav. I've run
Code: [Select]
sudo find / -name clamfs
which gets no results.
Title: Re: On Access Virus Protection ?
Post by: Rich on December 08, 2011, 12:53:50 AM
Hi remus
clamfs is not part of clamav. It is a separate file system interface. Go to:
http://clamfs.sourceforge.net/
and scroll down. You will find links for source code and a Debian package if you wish to try to
adapt that, as well as an Ubuntu link.
Title: Re: On Access Virus Protection ?
Post by: remus on December 08, 2011, 01:12:22 AM
Hi Rich,

Yep, I've been following the compile instructions at http://clamfs.sourceforge.net/

Problem 1: required me to install compiletc - which I read about here: http://wiki.tinycorelinux.net/wiki:creating_extensions

Problem 2: is about boost.
Quote
checking for boostlib >= 1.33... configure: error: We could not detect the boost libraries (version 1.33 or higher). If you have a staged boost library (still not installed) please specify $BOOST_ROOT in your environment and do not give a PATH to --with-boost option.  If you are sure you have boost installed, then check your version number looking in <boost/version.hpp>. See http://randspringer.de/boost for more documentation.
I'm not sure what to do about this, I've tried installing boost, and rebooted. However no cigar
Title: Re: On Access Virus Protection ?
Post by: Rich on December 08, 2011, 01:20:26 AM
Hi remus
You probably also need boost-dev.tcz
Title: Re: On Access Virus Protection ?
Post by: remus on December 08, 2011, 01:38:30 AM
problem 2 solved by installing boost-dev
problem 3 : fuse.h missing - solved with fuse extension
problem 4 : rlog.h : searching extensions for rlog does not get any 100% hits, but references to other software
Title: Re: On Access Virus Protection ?
Post by: remus on December 08, 2011, 01:54:48 AM
problem 4 : solved : manually downloaded and installed from source package rlog-1.4.tar.gz from http://code.google.com/p/rlog/
problem 5 :  Poco/ExpireLRUCache.h : wish me luck :)
Title: Re: On Access Virus Protection ?
Post by: Rich on December 08, 2011, 01:58:16 AM
Hi remus
Good luck.
Title: Re: On Access Virus Protection ?
Post by: remus on December 08, 2011, 02:13:16 AM
problem 5 :  Poco/ExpireLRUCache.h : not fixed
- I've downloaded 1.4.2p1-all.tar.gz
- extracted files
- when I run ./configure I get the following new error message

Code: [Select]
tc@box:/mnt/sda1/install/Poco/poco-1.4.2p1$ ./configure
expr: syntax error
expr: syntax error
Configured for Linux

Any suggestions welcome.
I'm signing off for the day ;)

Title: Re: On Access Virus Protection ?
Post by: Rich on December 08, 2011, 02:26:41 AM
Hi remus
Maybe try commenting out small sections of ./configure until you find what it's complaining about.
Title: Re: On Access Virus Protection ?
Post by: curaga on December 08, 2011, 11:51:05 AM
Try installing GNU expr. Can't recall which extension has it.
Title: Re: On Access Virus Protection ?
Post by: remus on December 08, 2011, 06:48:44 PM
problem 5 :  Poco/ExpireLRUCache.h : not fixed

Quote
tc@box:/mnt/sda1/install/Poco/poco-1.4.2p1$ ./configure
expr: syntax error
expr: syntax error
Configured for Linu

Thx curaga,
Searching for "expr" with the appbrowser got a few hits, I decided to try coreutils and that fixed the "expr: syntax error" error when I run ./configure.

Running make, and then make install for the poco libs still does not fix the dependency, perhaps I've installed a conflicting extension while trying to fix this, I'm looking into it.
Title: Re: On Access Virus Protection ?
Post by: remus on December 08, 2011, 08:30:47 PM
While trying to install the poco-1.4.2p1.tar libraries I've run into the following error.

Install Method
./configure - ok
make - not ok
Code: [Select]
tc@box:/mnt/sda1/install/Poco/poco-1.4.2p1$ make -s
** Building shared library (debug) /mnt/sda1/install/Poco/poco-1.4.2p1/lib/Linux/i686/libPocoNetd.so.11
/usr/local/bin/ld: cannot find -lPocoFoundationd
collect2: ld returned 1 exit status
make[1]: *** [/mnt/sda1/install/Poco/poco-1.4.2p1/lib/Linux/i686/libPocoNetd.so.11] Error 1
make: *** [Net-libexec] Error 2

Fun and games :)

I've posted a request for advice at the pocoproject.org forums and am waiting for a moderator to approve the message.
Title: Re: On Access Virus Protection ?
Post by: remus on December 21, 2011, 07:39:39 AM
The frustration continues :)

Had to wipe my flash drive, and just got started with clamfs again.

I've installed all the usual suspects, and when I try to run
./configure in the clamfs folder I get a new error
Quote
$ ./configure
checking for a BSD-compatible install... /usr/local/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/local/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for g++... g++
checking for C++ compiler default output file name...
configure: error: C++ compiler cannot create executables
See `config.log' for more details.

I have the compiletc extension installed.

Hope springs eternal that I will eventually figure this all out :)

Suggestions welcome.
Title: Re: On Access Virus Protection ?
Post by: Juanito on December 21, 2011, 08:06:57 AM
Assuming you've checked that all the extensions in compiletc are actually loaded, what does config.log say?
Title: Re: On Access Virus Protection ?
Post by: remus on December 21, 2011, 08:14:53 PM
Quote
checked that all the extensions in compiletc are actually loaded
Hi Juanito, you are talking about the dependencies, or the little bits and pieces that make up compiletc right ? Can you tell me how to check they are all loaded ?
Title: Re: On Access Virus Protection ?
Post by: remus on December 21, 2011, 10:22:50 PM
Solved the Problem with compiletc Juanito, I wiped the flash drive and installed compiletc again, I'm back in business, and dealing with dependency problems as before.
Title: Re: On Access Virus Protection ?
Post by: remus on December 22, 2011, 12:01:22 AM
Progress made.

Problem 6 : Installing poco-1.4.2p1.tar

Request for help on the Poco forums led to a solution.
http://pocoproject.org/forum/viewtopic.php?f=12&t=5201&p=8413#p8413

Basically, I had to move the poco-1.4.2p1.tar source file to an internal Hard Drive Partition to compile it.
Compile time was just under 30 Minutes and took up a bit over 200mb of disk space.

Problem 7 : checking for libccgnu2 via ccgnu2-config... configure: error: libccgnu2 not found!
Title: Re: On Access Virus Protection ?
Post by: Juanito on December 22, 2011, 12:35:14 AM
Problem 7 : checking for libccgnu2 via ccgnu2-config... configure: error: libccgnu2 not found!

As per debian, this is part of the libcommoncpp2 source package
Title: Re: On Access Virus Protection ?
Post by: remus on December 22, 2011, 12:56:27 AM
Thanks Juanito,

I did find something here as well: http://www.t2-project.org/packages/commonc++.html

I did not find libcommoncpp2 at : http://distro.ibiblio.org/tinycorelinux/4.x/x86/tcz/ so I'll see what I can find on google.
Title: Re: On Access Virus Protection ?
Post by: Juanito on December 22, 2011, 01:05:10 AM
I'd say you're probably looking for this:

ftp://ftp.gnu.org/gnu/commoncpp/commoncpp2-1.8.1.tar.gz
Title: Re: On Access Virus Protection ?
Post by: remus on December 22, 2011, 07:10:14 AM
Thx Juanito,

I'll have a crack at it now.
I'll have to figure out where all these programs I'm installing are getting installed to, so I can add the paths to /opt/.filetool.lst
Title: Re: On Access Virus Protection ?
Post by: Juanito on December 22, 2011, 07:30:26 AM
You can do it like this:
Code: [Select]
$ touch mymarker
$ sudo make install
$ sudo find / -not -type 'd' -cnewer mymarker | grep -v "\/proc\/" | grep -v "^\/sys\/" | tee files
$ vi files

..but I'd recommend making an extension out of the files installed rather than adding them to your backup
Title: Re: On Access Virus Protection ?
Post by: remus on December 22, 2011, 07:35:39 AM
I'll follow your advice.

Step one: work out how to get all the dependencies installed and the main app working.

Step two: turn it all into an extension.

How's that sound.
Title: Re: On Access Virus Protection ?
Post by: remus on December 22, 2011, 09:53:31 AM
Problem 7 : checking for libccgnu2 via ccgnu2-config... configure: error: libccgnu2 not found!

I downloaded: commoncpp2-1.8.1.tar.gz
Un Zip with tar
sudo ./configure was ok
sudo make failed

Code: [Select]
applog.cpp: In member function 'void ost::logger::logFileName(const char*, bool)':
applog.cpp:345:43: error: 'S_IREAD' was not declared in this scope
applog.cpp:345:53: error: 'S_IWRITE' was not declared in this scope
applog.cpp:345:61: error: 'mkfifo' was not declared in this scope
applog.cpp: In constructor 'ost::AppLog::AppLog(const char*, bool, bool)':
applog.cpp:459:46: error: 'S_IREAD' was not declared in this scope
applog.cpp:459:56: error: 'S_IWRITE' was not declared in this scope
applog.cpp:459:64: error: 'mkfifo' was not declared in this scope
applog.cpp: In member function 'void ost::AppLog::logFileName(const char*, bool, bool)':
applog.cpp:565:46: error: 'S_IREAD' was not declared in this scope
applog.cpp:565:56: error: 'S_IWRITE' was not declared in this scope
applog.cpp:565:64: error: 'mkfifo' was not declared in this scope
make[2]: *** [applog.lo] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

Title: Re: On Access Virus Protection ?
Post by: Rich on December 22, 2011, 10:13:30 AM
Hi remus
This might help:
http://forum.openscenegraph.org/viewtopic.php?p=39676#39676
Title: Re: On Access Virus Protection ?
Post by: remus on December 22, 2011, 11:58:30 PM
Thx Rich,

Post you've linked http://forum.openscenegraph.org/viewtopic.php?p=39676#39676 says I need to change
Quote
S_IREAD to S_IRUSR & S_IWRITE to S_IWUSR

After reading the INSTALL file I found a section about setting values to variables and passing it to the ./configure script, so I did this.

Code: [Select]
sudo S_IRUSR=S_IREAD S_IWUSR=S_IWRITE ./configure
or
Code: [Select]
sudo S_IREAD=S_IRUSR S_IWRITE=S_IWUSR ./configure
Did not do the trick :(
Error output
Code: [Select]
applog.cpp: In constructor 'ost::logger::logger(const char*, bool)':
applog.cpp:300:43: error: 'S_IREAD' was not declared in this scope
applog.cpp:300:53: error: 'S_IWRITE' was not declared in this scope
applog.cpp:300:61: error: 'mkfifo' was not declared in this scope
applog.cpp: In member function 'void ost::logger::logFileName(const char*, bool)':
applog.cpp:345:43: error: 'S_IREAD' was not declared in this scope
applog.cpp:345:53: error: 'S_IWRITE' was not declared in this scope
applog.cpp:345:61: error: 'mkfifo' was not declared in this scope
applog.cpp: In constructor 'ost::AppLog::AppLog(const char*, bool, bool)':
applog.cpp:459:46: error: 'S_IREAD' was not declared in this scope
applog.cpp:459:56: error: 'S_IWRITE' was not declared in this scope
applog.cpp:459:64: error: 'mkfifo' was not declared in this scope
applog.cpp: In member function 'void ost::AppLog::logFileName(const char*, bool, bool)':
applog.cpp:565:46: error: 'S_IREAD' was not declared in this scope
applog.cpp:565:56: error: 'S_IWRITE' was not declared in this scope
applog.cpp:565:64: error: 'mkfifo' was not declared in this scope
make[1]: *** [applog.lo] Error 1
make[1]: Leaving directory `/mnt/sda1/common/commoncpp2-1.8.1/src'
make: *** [check-recursive] Error 1
Title: Re: On Access Virus Protection ?
Post by: Rich on December 23, 2011, 12:03:51 AM
Hi remus
You need to change it in the source code. Open the file called  applog.cpp  and make the changes
in there.
Title: Re: On Access Virus Protection ?
Post by: remus on December 23, 2011, 07:21:55 AM
I've made variable name modifications to src/applog.cpp

changed S_IREAD to S_IRUSR & S_IWRITE to S_IWUSR

Remaining Error:
Code: [Select]
applog.cpp:345:60: error: 'mkfifo' was not declared in this scope
I'll have a look on google.
Title: Re: On Access Virus Protection ?
Post by: Rich on December 23, 2011, 02:59:47 PM
Hi remus
Open applog.cpp and look for two lines that say:
#include <sys/types.h>
#include <sys/stat.h>
in that order near the beginning of the file. If they are not there, add them and try again.
Title: Re: On Access Virus Protection ?
Post by: remus on December 23, 2011, 09:43:45 PM
Thx Rich,
That got commoncpp2-1.8.1.tar.gz installed.

Problem 7 : checking for libccgnu2 via ccgnu2-config... configure: error: libccgnu2 not found!
[SOLVED]
Made changes to src/applog.cpp (S_IREAD to S_IRUSR & S_IWRITE to S_IWUSR)
Added-
#include <sys/types.h>
#include <sys/stat.h>
To list of include files at top of applog.cpp

clamfs now passes ./configure
There is a make error
Code: [Select]
scancache.cxx:40:56: error: expected template-name before '<' token
scancache.cxx:40:56: error: expected '{' before '<' token
scancache.cxx: At global scope:
scancache.cxx:40:56: error: expected unqualified-id before '<' token
make[2]: *** [scancache.o] Error 1
make[2]: Leaving directory `/mnt/sda1/clamfs/clamfs-1.0.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/mnt/sda1/clamfs/clamfs-1.0.1'
make: *** [all] Error 2
I'm googling for solutions now
Title: Re: On Access Virus Protection ?
Post by: Rich on December 23, 2011, 11:16:52 PM
Hi remus
Found this:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564971#16
It suggests this patch for scancache.cxx
Code: [Select]
ScanCache::ScanCache(long int elements, long int expire):
-    ExpireLRUCache<ino_t, CachedResult>::ExpireLRUCache<ino_t, CachedResult>(elements, expire) {
+    ExpireLRUCache<ino_t, CachedResult>::ExpireLRUCache(elements, expire) {
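Review bot: on the `+` line the base is still written as the qualified constructor name `ExpireLRUCache<ino_t, CachedResult>::ExpireLRUCache(...)`; a mem-initializer only needs the base type, so `ExpireLRUCache<ino_t, CachedResult>(elements, expire)` is the simpler, more conventional spelling and does not depend on how a given compiler treats the injected class name. The hunk also carries no `@@` header or line numbers, so it has to be applied by hand by matching the `-` line in scancache.cxx.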
See the line with the - sign in front of it? Find the matching line in the source file and replace it with
the line with the + sign in front of it, leave out the + sign of course. The error message indicates it's
line 46.

Title: Re: On Access Virus Protection ?
Post by: remus on December 24, 2011, 03:12:23 AM
Thx Again Rich,

Problem : 8 : scancache.cxx:40:56: error: expected template-name before '<' token
[SOLVED]
I found the line in src/scancache.cxx and replaced it. I then did the following
: make clean
: ./configure
: make
: sudo make install

Its installed :)
I'm pretty knackered after all that.

I've yet to test it, after a bit of googling, I found this: http://www.rexswain.com/eicar.html
I'll use that to test it after I've taken a bit of a break from this.

I'll do up some neat and tidy documentation on the procedure to get to this stage.

I'll start making extensions out of these sources.
Title: Re: On Access Virus Protection ?
Post by: Rich on December 24, 2011, 09:14:02 AM
Hi remus
Glad to hear it finally compiled and that you will be adding it as an extension.
I was beginning to think I would have to label you as a troublemaker with all those errors. :)
Title: Re: On Access Virus Protection ?
Post by: remus on December 24, 2011, 09:31:49 AM
Thanks to:
Rich, Juanito, vinnie, coreplayer2, curaga
For your patience and help.

Sorry I made such a mess of this :)

I'm happy to say that I learnt a few things I did not know before I started.
Title: Re: On Access Virus Protection ?
Post by: remus on December 25, 2011, 02:00:52 AM
Errors continue.

Last night I ran the clamfs program with
Code: [Select]
clamfs
Output was to the effect that I must run "clamfs" with path to clamfs.xml to load config.

Well that was enough for me last night.

I loaded up tinycore today, and of course had to reinstall everything as I am a long way off from learning how to make an extension, and this time when I run clamfs I get the following error.

Code: [Select]
clamfs: error while loading shared libraries: librlog.so.5: cannot open shared object file: No such file or directory

find command locates file here:
/usr/local/lib/librlog.so.5

file contents looks like this

Any one else had a crack at installing clamfs ?
Am I the only one getting error after error ?
Title: Re: On Access Virus Protection ?
Post by: Juanito on December 25, 2011, 02:14:37 AM
Code: [Select]
clamfs: error while loading shared libraries: librlog.so.5: cannot open shared object file: No such file or directory

find command locates file here:
/usr/local/lib/librlog.so.5

When you see an error like this, it's possible that a new library has been installed, but the system hasn't been updated. To do this enter:
Code: [Select]
$ sudo ldconfig
..and try again
Title: Re: On Access Virus Protection ?
Post by: remus on December 25, 2011, 02:19:59 AM
That did the trick Juanito.

Code: [Select]
$ sudo ldconfig
ldconfig: /usr/lib/libstdc++.so.6.0.16-gdb.py is not a shared library, skipping
tc@box:/usr/local/bin$ clamfs
16:16:25 (clamfs.cxx:963) ClamFS v1.0.1
16:16:25 (clamfs.cxx:964) Copyright (c) 2007,2008 Krzysztof Burghardt <krzysztof@burghardt.pl>
16:16:25 (clamfs.cxx:965) http://clamfs.sourceforge.net/
16:16:25 (clamfs.cxx:971) ClamFS need to be invoked with one parameter - location of configuration file
16:16:25 (clamfs.cxx:972) Example: clamfs /etc/clamfs/home.xml

This is the expected output.

Any theories as to why this happened today and not last night ?
I had not made any changes to the system.
Title: Re: On Access Virus Protection ?
Post by: Juanito on December 25, 2011, 02:46:52 AM
I've seen that "make install" issues the "ldconfig" command with some source packages, but not with others. Perhaps you compiled the source in a different order this time?

Note that once you make extensions out of the source this will be taken care of automatically.
Title: Re: On Access Virus Protection ?
Post by: remus on December 27, 2011, 07:14:56 AM
ClamFS requires the clamav daemon (clamd) to be running in order to do its job.

Each time I start clamfs I get the following error message.
Code: [Select]
21:00:57 (clamav.cxx:61) error: cannot connect to clamd
21:00:57 (clamfs.cxx:1064) cannot start without running clamd, make sure it works

So I check what was running with
Code: [Select]
ps
And clamd was no longer running...

I start clamd with the following command
Code: [Select]
clamd
Here's output from the clamd.log file when I run clamd
Code: [Select]
Tue Dec 27 20:29:43 2011 -> +++ Started at Tue Dec 27 20:29:43 2011
Tue Dec 27 20:29:43 2011 -> clamd daemon 0.97.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
Tue Dec 27 20:29:43 2011 -> Log file size limited to 2097152 bytes.
Tue Dec 27 20:29:43 2011 -> Reading databases from /usr/local/share/clamav
Tue Dec 27 20:29:43 2011 -> Not loading PUA signatures.
Tue Dec 27 20:29:43 2011 -> Bytecode: Security mode set to "TrustSigned".
Tue Dec 27 20:29:55 2011 -> Loaded 1006584 signatures.
Tue Dec 27 20:29:58 2011 -> LOCAL: Removing stale socket file /tmp/clamd.socket
Tue Dec 27 20:29:58 2011 -> LOCAL: Unix socket file /tmp/clamd.socket
Tue Dec 27 20:29:58 2011 -> LOCAL: Setting connection queue length to 200
Tue Dec 27 20:29:58 2011 -> Limits: Global size limit set to 104857600 bytes.
Tue Dec 27 20:29:58 2011 -> Limits: File size limit set to 26214400 bytes.
Tue Dec 27 20:29:58 2011 -> Limits: Recursion level limit set to 16.
Tue Dec 27 20:29:58 2011 -> Limits: Files limit set to 10000.
Tue Dec 27 20:29:58 2011 -> Limits: Core-dump limit is 0.
Tue Dec 27 20:29:58 2011 -> Archive support enabled.
Tue Dec 27 20:29:58 2011 -> Algorithmic detection enabled.
Tue Dec 27 20:29:58 2011 -> Portable Executable support enabled.
Tue Dec 27 20:29:58 2011 -> ELF support enabled.
Tue Dec 27 20:29:58 2011 -> Mail files support enabled.
Tue Dec 27 20:29:58 2011 -> OLE2 support enabled.
Tue Dec 27 20:29:58 2011 -> PDF support enabled.
Tue Dec 27 20:29:58 2011 -> HTML support enabled.
Tue Dec 27 20:29:58 2011 -> Self checking every 600 seconds.
Tue Dec 27 20:29:58 2011 -> Listening daemon: PID: 2999
Tue Dec 27 20:29:58 2011 -> MaxQueue set to: 100

As I learnt how to setup clamd.conf file I did get some errors here and there about file permissions, which I've sorted out.

I've attached the clamd.conf file.
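
The "cannot connect to clamd" error above can be checked independently of ClamFS by talking to the daemon's local socket directly. The following is an added example, not part of the original thread or of the ClamAV/ClamFS projects: it uses clamd's documented PING and INSTREAM commands, assumes the `/tmp/clamd.socket` path shown in the clamd.log output, and the function names are hypothetical.

```python
import socket
import struct
import sys

# Socket path taken from the clamd.log output in the thread; adjust to match
# the LocalSocket setting in your clamd.conf.
CLAMD_SOCKET = "/tmp/clamd.socket"
CHUNK = 8192


def recv_reply(sock):
    """Read one NUL-terminated reply (the framing used by 'z'-prefixed commands)."""
    buf = b""
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:          # daemon closed the connection
            break
        buf += part
    return buf.rstrip(b"\0").decode("utf-8", "replace").strip()


def ping(sock):
    """True if the daemon answers PING with PONG."""
    sock.sendall(b"zPING\0")
    return recv_reply(sock) == "PONG"


def instream_frames(data, chunk=CHUNK):
    """Yield the byte frames of an INSTREAM request for `data`.

    Each chunk is prefixed with its length as a 4-byte big-endian integer;
    a zero-length chunk terminates the stream.
    """
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        yield struct.pack("!I", len(piece)) + piece
    yield struct.pack("!I", 0)


def parse_reply(reply):
    """Map a clamd scan reply to (status, detail)."""
    body = reply.split(": ", 1)[-1]
    if body == "OK":
        return ("OK", None)
    if body.endswith(" FOUND"):
        return ("FOUND", body[:-len(" FOUND")])
    return ("ERROR", reply)   # e.g. size limit exceeded, or an empty reply


def scan_bytes(sock, data):
    """Send `data` to clamd over an open socket and return the parsed verdict."""
    for frame in instream_frames(data):
        sock.sendall(frame)
    return parse_reply(recv_reply(sock))


def check_clamd(path=CLAMD_SOCKET, sample=b"harmless constructed sample"):
    """Ping clamd, then scan `sample`. Returns ('DOWN', reason) if unreachable."""
    def connect():
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.settimeout(10)
        s.connect(path)
        return s

    try:
        # Outside a session clamd handles one command per connection,
        # so PING and INSTREAM each get their own connection.
        with connect() as s:
            if not ping(s):
                return ("DOWN", "no PONG from clamd")
        with connect() as s:
            return scan_bytes(s, sample)
    except OSError as exc:    # missing socket, permission denied, timeout
        return ("DOWN", str(exc))


if __name__ == "__main__":
    # Optional argument: a file to stream to clamd (for instance a test file).
    payload = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else b"hello"
    print(check_clamd(sample=payload))
```

A `DOWN` result with "Permission denied" points at ownership of the socket's directory rather than at clamd itself.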
Title: Re: On Access Virus Protection ?
Post by: Rich on December 27, 2011, 09:01:06 AM
Hi remus
After starting  clamfs, check the output of dmesg to see if  clamd  logged any entries there. Also
look for a  clamd.log  file and see what that says.
Title: Re: On Access Virus Protection ?
Post by: remus on December 28, 2011, 01:17:27 AM
Hi Rich,

Code: [Select]
watch "dmesg | tail -20"
Gave me an opportunity to observe dmesg as I tested.
The first time I tried it, I got a warning or error message in dmesg putty window stating a low or out of memory problem of some type. Sorry I did not copy and paste from putty :(

So I shutdown my virtual machine, and changed its allocated memory from 256mb to 512mb of ram.
Rebooted, and now once clamd is run it is stable, and does not disappear from view with the top command.

However, I changed allocated ram back to 256mb to see if the problem was reproducible, and it was not... Perhaps this is a problem of VM Workstation.

Anyway, clamfs now starts, however it does NOT detect the eicar test file.
I've tried
:
Code: [Select]
file eicar.com
:
Code: [Select]
cat eicar.com
And no warning is issued.

NO messages are getting to dmesg now.
I've added boot code syslog and I get a bit of info in /var/log/messages when running
 
Code: [Select]
clamfs clamfs.xml
Code: [Select]
Dec 28 15:09:51 (none) user.info clamfs: logs goes to syslog
Dec 28 15:09:51 (none) user.info clamfs: extension ACL size is 47 entries
Dec 28 15:09:51 (none) user.info clamfs: deleting cache
Dec 28 15:09:51 (none) user.info clamfs: --- begin of statistics ---
Dec 28 15:09:51 (none) user.info clamfs: Early cache hit: 0
Dec 28 15:09:51 (none) user.info clamfs: Early cache miss: 0
Dec 28 15:09:51 (none) user.info clamfs: Late cache hit: 0
Dec 28 15:09:51 (none) user.info clamfs: Late cache miss: 0
Dec 28 15:09:51 (none) user.info clamfs: Whitelist hit: 0
Dec 28 15:09:51 (none) user.info clamfs: Blacklist hit: 0
Dec 28 15:09:51 (none) user.info clamfs: Files bigger than maximal-size: 0
Dec 28 15:09:51 (none) user.info clamfs: open() function called 0 times (allowed: 0, denied: 0)
Dec 28 15:09:51 (none) user.info clamfs: Scan failed 0 times
Dec 28 15:09:51 (none) user.info clamfs: --- end of statistics ---
Dec 28 15:09:51 (none) user.info clamfs: deleting stats
Dec 28 15:09:51 (none) user.info clamfs: deleting extensions ACL
Dec 28 15:09:51 (none) user.info clamfs: closing logging targets
Dec 28 15:09:51 (none) user.warn clamfs: exiting
Dec 28 15:10:51 (none) user.info clamfs: logs goes to syslog
Dec 28 15:10:51 (none) user.info clamfs: extension ACL size is 47 entries
Dec 28 15:10:51 (none) user.info clamfs: deleting cache
Dec 28 15:10:51 (none) user.info clamfs: --- begin of statistics ---
Dec 28 15:10:51 (none) user.info clamfs: Early cache hit: 0
Dec 28 15:10:51 (none) user.info clamfs: Early cache miss: 0
Dec 28 15:10:51 (none) user.info clamfs: Late cache hit: 0
Dec 28 15:10:51 (none) user.info clamfs: Late cache miss: 0
Dec 28 15:10:51 (none) user.info clamfs: Whitelist hit: 0
Dec 28 15:10:51 (none) user.info clamfs: Blacklist hit: 0
Dec 28 15:10:51 (none) user.info clamfs: Files bigger than maximal-size: 0
Dec 28 15:10:51 (none) user.info clamfs: open() function called 0 times (allowed: 0, denied: 0)
Dec 28 15:10:51 (none) user.info clamfs: Scan failed 0 times
Dec 28 15:10:51 (none) user.info clamfs: --- end of statistics ---
Dec 28 15:10:51 (none) user.info clamfs: deleting stats
Dec 28 15:10:51 (none) user.info clamfs: deleting extensions ACL
Dec 28 15:10:51 (none) user.info clamfs: closing logging targets
Dec 28 15:10:51 (none) user.warn clamfs: exiting


I can't seem to find out how to stop / restart the clamd so I have to reboot each time I try something new and re install clamfs, I've created a sh script for it, to save my hands, but it's taking ages.
Title: Re: On Access Virus Protection ?
Post by: Juanito on December 28, 2011, 01:37:56 AM
I can't seem to find out how to stop / restart the clamd so I have to reboot each time I try something new and re install clamfs, I've created a sh script for it, to save my hands, but it's taking ages.

If you started clamd from a terminal window, then <ctrl-c> should stop it.

If you started clamd from elsewhere, then you can use "ps aux | grep clamd" to find its process ID (pid) and then use "kill pid" to stop it.

Eventually, (if clamd does not install its own init.d script), you could write a /usr/local/etc/init.d/clamd modeled along the lines of those in existing extensions to start/stop/restart clamd
Title: Re: On Access Virus Protection ?
Post by: remus on December 28, 2011, 02:30:39 AM
Documentation http://www.clamav.net/doc/latest/html/node28.html says the clamd supports a shutdown command, I've tried.
Code: [Select]
shutdown clamd
and
Code: [Select]
clamd shutdown
No luck so far.

I tried
Code: [Select]
sudo kill 2270
And that shut it down.

Thanks Juanito.
Title: Re: On Access Virus Protection ?
Post by: remus on December 28, 2011, 07:25:07 AM
Progress made.

Running clamd as tc is ok if:
- make sure tc.staff owns the folder(s) that contains the following files (log file, socket file, pid file)

ClamFS gives bugger all useful error messages, nothing useful turned up in /var/log/messages or /bin/dmesg or the clamd.log file. Here's what got it working
- Run it as root
Code: [Select]
sudo clamfs path.to.clamfs.xml
- clamfs.xml needs values for variables to be encased in quotes, example: variable="yes" or variable="no"

If everything is ok there will be a clamfs entry visible if you run the top command, and it stays there until you kill the clamfs pid

Current Status.
Once clamd/clamfs are running, the mounted clamfs folder will not allow the eicar test file to be copied to it from the linux command line.

However I can still copy the eicar test virus to a samba share that is mounted as a clamfs folder.
Title: Re: On Access Virus Protection ?
Post by: remus on December 28, 2011, 11:42:28 PM
setfacl error

I am trying acl modification to the clamfs root folder based on a howto I found here: http://blog.burghardt.pl/2007/11/wine-with-on-access-clamav-scanning/

Here's the command I'm trying
Code: [Select]
$  setfacl -R -b -d -m user:clamav:rx /home/tc/public/
Produces the following error
Code: [Select]
setfacl: /home/tc/public/: Operation not supported
suggestions welcome
Title: Re: On Access Virus Protection ?
Post by: remus on December 29, 2011, 12:10:11 AM
Bit of googling gave me the hint to add acl to the appropriate fstab line, here's the website link
http://www.linuxquestions.org/questions/mandriva-30/setfacl-test-operation-not-supported-266804/

I can't see a /home line in my fstab file, so I'm guessing some guru stuff is going on.

Here's my current fstab file
Code: [Select]
# /etc/fstab
proc            /proc        proc    defaults          0       0
sysfs           /sys         sysfs   defaults          0       0
devpts          /dev/pts     devpts  defaults          0       0
tmpfs           /dev/shm     tmpfs   defaults          0       0
/dev/zram0  swap         swap    defaults,noauto   0       0
/dev/fd0        /mnt/fd0        auto     noauto,users,exec    0 0 # Added by TC
/dev/sda1       /mnt/sda1       ext3     noauto,users,exec,relatime 0 0 # Added by TC
/dev/sdb1       /mnt/sdb1       vfat     noauto,users,exec,umask=000 0 0 # Added by TC
/dev/sr0        /mnt/sr0        auto     noauto,users,exec    0 0 # Added by TC

suggestions welcome
Title: Re: On Access Virus Protection ?
Post by: Rich on December 29, 2011, 02:52:50 AM
Hi remus
Quote
However I can still copy the eicar test virus to a samba share that is mounted as a clamfs folder.
I would try to get this resolved before complicating the situation with ACL. If I understand it correctly
(and I'm not sure that I do) what you want to do is something like this:
Code: [Select]
sudo mkdir /mnt/share1
mount /mnt/sda1
I'm assuming  sda1  is the hard drive you are looking to share.
In clamfs.xml   root="/mnt/sda1"   mountpoint="/mnt/share1"
root is what you are trying to protect.  mountpoint is where clamfs mounts its virtual file system.
Code: [Select]
sudo clamfs path.to.clamfs.xml
In smb.conf
Code: [Select]
[Public]
path = /mnt/share1
Start Samba:
Code: [Select]
sudo /usr/local/etc/init.d/samba start
Any client that connects to the server will use the share called Public. Locally you would access it
through /mnt/share1. You can only protect one path in the xml file. If you want to protect more paths,
create another xml file with a different name and start a second copy of clamfs using that xml file.
Hope this helps.
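Rich's layout only protects clients if every Samba share path sits under the clamfs mountpoint rather than under root. The following check is an added example, not part of Rich's post or of clamfs: it reads root and mountpoint from clamfs.xml and classifies each smb.conf share. The sample files, the `<filesystem>` element name and the Raw and Logs shares are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find Samba shares that export the
# clamfs root directly, so clients would never pass through the scanner.

# Value of attribute $1 in clamfs.xml $2 (first tag that carries it).
xml_attr() {
    sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# True when path $1 is directory $2 or lies below it.
under() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# "share<TAB>path" for every smb.conf section that sets path.
smb_paths() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); next }
        tolower($0) ~ /^[ \t]*path[ \t]*=/ {
            p = $0; sub(/^[^=]*=[ \t]*/, "", p); sub(/[ \t]+$/, "", p)
            print s "\t" p
        }' "$1"
}

# check_shares CLAMFS_XML SMB_CONF
# Prints share, path and verdict; returns 1 if any share bypasses clamfs.
check_shares() {
    root=$(xml_attr root "$1")
    mnt=$(xml_attr mountpoint "$1")
    [ -n "$root" ] && [ -n "$mnt" ] || return 2
    rc=0; tab=$(printf '\t')
    while IFS="$tab" read -r share dir; do
        [ -n "$share" ] || continue
        if under "$dir" "$mnt"; then verdict=SCANNED
        elif under "$dir" "$root"; then verdict=BYPASS; rc=1
        else verdict=OUTSIDE
        fi
        printf '%s\t%s\t%s\n' "$share" "$dir" "$verdict"
    done <<EOF
$(smb_paths "$2")
EOF
    return $rc
}

# Constructed sample files using the paths from Rich's post.
make_sample() {
    cat > "$1/clamfs.xml" <<'EOF'
<clamfs>
  <filesystem root="/mnt/sda1" mountpoint="/mnt/share1" />
</clamfs>
EOF
    printf '%s\n' '[global]' 'workgroup = OFFICE' '[Public]' \
        'path = /mnt/share1' '[Raw]' 'path = /mnt/sda1/incoming' \
        '[Logs]' 'path = /var/log/samba' > "$1/smb.conf"
}

d=$(mktemp -d) && make_sample "$d"
check_shares "$d/clamfs.xml" "$d/smb.conf" || echo "a share bypasses clamfs"
rm -rf "$d"
```

OUTSIDE means the share is not covered by this clamfs instance at all, which matches Rich's point that each xml file protects only one path.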
Title: Re: On Access Virus Protection ?
Post by: remus on December 29, 2011, 03:48:35 AM
I made a bit of progress with it.

It seems to be about finding the right combination of permissions.

The following ownership and permissions get the system working almost perfect.

An explanation.
there is a clamav user and a clamav group, for clamav software.

there is a johns user of the office group, this user and group is for samba access.

Code: [Select]
sudo chown -R clamav.office root.folder
Code: [Select]
sudo chmod -R 775 root.folder
Code: [Select]
sudo chown -R johns.office mount.point
Code: [Select]
sudo chmod -R 775 mount.point
This permissions configuration gives the following results.

Copying the eicar.com test file to a samba share from windows allows the file to be copied :(
Trying to copy the file again and overwriting the original fails :)

It's almost perfect, I'd like to have a crack with acl settings if I can get the info for the fstab file.
Title: Re: On Access Virus Protection ?
Post by: remus on December 29, 2011, 11:31:39 PM
The howto on the following web page is written by the developer of clamfs
http://blog.burghardt.pl/2007/11/wine-with-on-access-clamav-scanning/ (http://blog.burghardt.pl/2007/11/wine-with-on-access-clamav-scanning/)

In his howto he says
Quote
Set permissions

ClamAV is run as user clamav. Normal user should not be members of this group. Unfortunately ugo+/-rwx is not enough to set permissions to give access to you and clamav user. To accomplish this we will use POSIX ACLs. If you are not familiar with them read article POSIX Access Control Lists on Linux.

Set default ACL for directories (files created in those directories will inherit ACL):

$ setfacl -R -b -d -m user:clamav:rx .wine/root
Now set all files and directories to be readable by clamav:

$ setfacl -R -m user:clamav:rx .wine/root

I've seen references to acl and clamfs on other websites.
I've had no luck with the setfacl command in tinycore linux.

I've added /etc/fstab to my /opt/.filetool.lst file
And then added ,acl to every line in the current fstab file, with no positive result.

I also found this method.
Code: [Select]
sudo /sbin/tune2fs -o +acl /dev/sda1
While doing this gives no errors, I still got the "operation not supported" error

I've checked that acl AND acl-dev are installed onboot.
Title: Re: On Access Virus Protection ?
Post by: Rich on December 30, 2011, 01:40:08 AM
Hi remus
This may or may not be causing a problem:
Code: [Select]
tc@box:~$ grep _ACL /usr/src/linux/.config
# CONFIG_JFS_POSIX_ACL is not set
CONFIG_FS_POSIX_ACL=y
# CONFIG_XFS_POSIX_ACL is not set
# CONFIG_TMPFS_POSIX_ACL is not set
# CONFIG_NFS_V3_ACL is not set
# CONFIG_NFSD_V3_ACL is not set
It's the TMPFS one I'm referring to. Running  stat  shows the following:
Code: [Select]
tc@box:~$ stat -f /mnt/sda1/
  File: "/mnt/sda1/"
    ID: 80100000000 Namelen: 260     Type: msdos
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 988944     Free: 743344     Available: 743344
Inodes: Total: 0          Free: 0
tc@box:~$ stat -f /mnt/bb/
  File: "/mnt/bb/"
    ID: 0        Namelen: 4096    Type: cifs
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 73219671   Free: 72545403   Available: 72545403
Inodes: Total: 286208     Free: 250876
tc@box:~$ stat -f /mnt/
  File: "/mnt/"
    ID: 0        Namelen: 255     Type: tmpfs
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 115841     Free: 100664     Available: 100664
Inodes: Total: 64356      Free: 39256
Although sda1 and bb are listed as msdos and cifs, they are located in /mnt which is listed as tmpfs,
as are most directories in Tinycore. Whether this is relevant, I don't know. Maybe one of the smarter
forum members can shed some light.

Title: Re: On Access Virus Protection ?
Post by: curaga on December 30, 2011, 02:56:09 AM
Yes, we have ACLs disabled for all fs since so few need them (you're the first in all of TC's life so far).

Title: Re: On Access Virus Protection ?
Post by: remus on December 30, 2011, 05:34:17 AM
Is it possible for me to enable ACLs ?
Title: Re: On Access Virus Protection ?
Post by: Juanito on December 30, 2011, 05:44:27 AM
Yes, by recompiling the kernel - you'd just need to use the existing tinycore .config and change one or more of the acl settings Rich highlighted
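The diagnosis reached in the posts above, as an added example that is not from the thread: look up the filesystem that holds a path, map it to the kernel option that enables POSIX ACLs for it, and check that option in the kernel .config. The ext2/3/4 option names are kernel Kconfig names that do not appear in Rich's grep output, and the mount table is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): explain "Operation not supported" from
# setfacl by checking the kernel option behind the filesystem holding a path.

# Filesystem type of the mount that holds path $1, per mount table $2
# (same columns as /proc/mounts); the longest matching mount point wins.
fs_type_of() {
    awk -v p="${1%/}/" '
        { m = $2; if (m !~ /\/$/) m = m "/"
          if (index(p, m) == 1 && length(m) > best) { best = length(m); t = $3 } }
        END { print t }' "$2"
}

# Kernel option that enables POSIX ACLs for filesystem type $1 (empty if none).
acl_option() {
    case "$1" in
        ext[234])      echo "CONFIG_$(echo "$1" | tr a-z A-Z)_FS_POSIX_ACL" ;;
        jfs|xfs|tmpfs) echo "CONFIG_$(echo "$1" | tr a-z A-Z)_POSIX_ACL" ;;
        *)             echo "" ;;
    esac
}

# acl_check PATH MOUNTS KCONFIG
# Prints "fstype option verdict"; returns 0 only when the option is built in.
acl_check() {
    fs=$(fs_type_of "$1" "$2")
    opt=$(acl_option "$fs")
    if [ -z "$opt" ]; then
        echo "$fs - no-posix-acl"; return 1
    elif grep -q "^$opt=y" "$3"; then
        echo "$fs $opt enabled"; return 0
    else
        echo "$fs $opt disabled"; return 1
    fi
}

make_sample() {
    # Kernel options as shown in Rich's grep output.
    cat > "$1/config" <<'EOF'
# CONFIG_JFS_POSIX_ACL is not set
CONFIG_FS_POSIX_ACL=y
# CONFIG_XFS_POSIX_ACL is not set
# CONFIG_TMPFS_POSIX_ACL is not set
# CONFIG_NFS_V3_ACL is not set
# CONFIG_NFSD_V3_ACL is not set
EOF
    # Constructed mount table: / held in RAM, disk types taken from the fstab.
    cat > "$1/mounts" <<'EOF'
tmpfs / tmpfs rw 0 0
/dev/sda1 /mnt/sda1 ext3 rw,relatime 0 0
/dev/sdb1 /mnt/sdb1 vfat rw,umask=000 0 0
EOF
}

d=$(mktemp -d) && make_sample "$d"
for p in /home/tc/public /mnt/sda1 /mnt/sdb1; do
    echo "$p: $(acl_check "$p" "$d/mounts" "$d/config")"
done
rm -rf "$d"
```

On a live system the second and third arguments would be /proc/mounts and the kernel .config; with the sample data /home/tc/public resolves to tmpfs, so tune2fs on /dev/sda1 never touches the filesystem that setfacl was run against.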
Title: Re: On Access Virus Protection ?
Post by: remus on December 30, 2011, 06:48:27 AM
I do not have
Code: [Select]
/usr/src/linux/.config
on my system

Code: [Select]
$ grep _ACL /usr/src/linux/.config
grep: /usr/src/linux/.config: No such file or directory

I've installed linux-headers-3.0.3-tinycore.tcz and the file appeared
running rich's grep command displays same settings.
I'll add the file to .filetool.lst, make changes save, reboot and see what happens.

--> IF <-- messing with ACL permissions gets clamfs working, does that mean it's ok to try and release a tc linux extension that makes such a change to other peoples tc linux systems ???
Title: Re: On Access Virus Protection ?
Post by: curaga on December 30, 2011, 06:59:30 AM
No, it would be preferable to use a "normal" group scenario for a posted extension.

Grab the kernel config from one of our mirrors:
ftp://ftp.nluug.nl/pub/metalab/distributions/tinycorelinux/4.x/x86/release/src/kernel/ (ftp://ftp.nluug.nl/pub/metalab/distributions/tinycorelinux/4.x/x86/release/src/kernel/)
Title: Re: On Access Virus Protection ?
Post by: Juanito on December 30, 2011, 07:06:30 AM
copy config-3.0.3-tinycore to the unpacked source as .config after "make mrproper"

Don't use linux-headers-3.0.3-tinycore (this is for compiling out of kernel modules), but do use compiletc + perl5 + bash + ncurses-dev

Edited after seeing previous reply
Title: Re: On Access Virus Protection ?
Post by: remus on December 30, 2011, 07:49:12 AM
Quote
No, it would be preferable to use a "normal" group scenario for a posted extension.

It's a bit disappointing that after all this work, the project can't be released to the public...
Ah well, always look for the bright side :)

If ACL inclusion was only removed because it's not used by most people, does that mean it's stable and safe ? if so, can its support be included for a future release of tinycore ?

------------------------------------------------------

Juanito
So I'd load (compiletc + perl5 + bash + ncurses-dev) extensions
And following this wiki ? ->http://wiki.tinycorelinux.net/wiki:custom_kernel?s[]=kernel (http://wiki.tinycorelinux.net/wiki:custom_kernel?s[]=kernel)

If I'm not making an extension, I'll have to review your post regarding how to find out where all these source packages got installed, so I can add them to my backup.
Title: Re: On Access Virus Protection ?
Post by: Juanito on December 30, 2011, 08:03:38 AM
Quote
So I'd load (compiletc + perl5 + bash + ncurses-dev) extensions
And following this wiki ? ->http://wiki.tinycorelinux.net/wiki:custom_kernel?s[]=kernel (http://wiki.tinycorelinux.net/wiki:custom_kernel?s[]=kernel)

If I'm not making an extension, I'll have to review your post regarding how to find out where all these source packages got installed, so I can add them to my backup.

The wiki instructions are almost correct - you don't need any patches and it's vmlinuz you need rather than bzImage, but otherwise it looks about right for tc-4.x

You can make your own local extensions rather than making a massive backup
Title: Re: On Access Virus Protection ?
Post by: curaga on December 30, 2011, 09:28:01 AM
Quote
It's a bit disappointing that after all this work, the project can't be released to the public...
Ah well, always look for the bright side :)

If ACL inclusion was only removed because it's not used by most people, does that mean it's stable and safe ? if so, can its support be included for a future release of tinycore ?

Your link says both ways should work, ACLs only allow more fine-grained permissions.

I'm afraid even with one user, the ACLs would still be bloat for everyone else and so outside our scope.
Title: Re: On Access Virus Protection ?
Post by: remus on December 30, 2011, 10:09:09 AM
I've got clamfs to the stage where it allows the eicar test virus file to be copied to the samba file share from windows. But once the file is on the server, clamfs STOPS any other access to the file.
-I can't over write the file.
-I can't open the file.
-I can't copy the file back to windows.
-I can DELETE the file.

This is without messing with ACLs.

I can create an extension out of it as is, and make a link to the tcz file on this forum thread. Giving others who are interested a chance to tinker with it. What do you think curaga ?
Title: Re: On Access Virus Protection ?
Post by: Rich on December 30, 2011, 10:16:12 AM
Hi remus
Quote
Copying the eicar.com test file to a samba share from windows allows the file to be copied
Trying to copy the file again and overwriting the original fails
What happens if you try that same test with a clean file?
Title: Re: On Access Virus Protection ?
Post by: curaga on December 30, 2011, 10:20:54 AM
Please submit the extension the usual way, binary links aren't allowed.
Title: Re: On Access Virus Protection ?
Post by: Rich on December 30, 2011, 11:15:13 AM
Hi remus
Quote
What happens if you try that same test with a clean file?
Never mind, I found the answer on your post at the Debian User Forums.
It sounds to me like it's working. As I understand it, it does not stop you from writing an infected file
to a directory, rather, it stops you from reading (or executing, which requires reading) the file once
it is there. Prior to saving a file, a test is first done to see if it exists so that you can confirm whether
you wish to overwrite it. If the test is done by attempting to open the file and checking if it exists,
that might trigger clamfs to block the attempt.
Personally, I want to offer you a pat on the back for your perseverance and what you have achieved.
I suggest you package it up into an extension and submit it so that others can do some testing too.
Under  Comments:  in the info file, give a step by step on how to set it up, including an example that
clearly shows which directory is being protected and which is the access point to that directory.
Once again, congratulations on your accomplishment.
Title: Re: On Access Virus Protection ?
Post by: remus on December 30, 2011, 08:36:58 PM
Thx Rich,

I'll start following the extension creation wiki, and I'll be sure to include details regarding setup.
Title: Re: On Access Virus Protection ?
Post by: remus on December 31, 2011, 08:03:16 AM
I just got a reply from the clamav mailing list about clamfs letting the eicar test file into a protected mount point, and then stopping read access to the file.
I'm told by a random mailing list user this behavior is by design. And is also how clamav + dazuko works.
Title: Re: On Access Virus Protection ?
Post by: Rich on December 31, 2011, 08:14:39 AM
Hi remus
Quote
about clamfs letting the eicar test file into a protected mount point, and then stopping read access to the file.
Naturally, "Roaches check in, but they don't check out", that way they can't spread.
Title: Re: On Access Virus Protection ?
Post by: remus on December 31, 2011, 09:15:19 AM
Quote
Naturally, "Roaches get in, but they can't get out", that way they can't spread.
Yeah, it's better than the samba file server acting as a virus infection source for the windows computers on the network.

I'm about ready to submit my first extension which is one of clamfs deps "RLOG - a C++ logging library" which has no deps of its own. Kind of like a practice run.

Quote
find usr -not -type d > rlog.tcz.list
Gave me a handy list of everything that gets installed.
So do I just delete the /tmp/package/usr/local/share/doc/ dir and that's my doc free tcz right ?
And do it in reverse to create the rlog-doc.tcz ?
Title: Re: On Access Virus Protection ?
Post by: Rich on December 31, 2011, 09:28:19 AM
Hi remus
Quote
So do I just delete the /tmp/package/usr/local/share/doc/ dir and that's my doc free tcz right ?
And do it in reverse to create the rlog-doc.tcz ?
That sounds right. If that  eicar  is not too big, you might want to add it so an end user can quickly
and easily test that they have properly configured clamfs.
Title: Re: On Access Virus Protection ?
Post by: remus on December 31, 2011, 10:46:39 AM
Including the eicar test file is doable, it's only 68 bytes.

I'm running the command  submitqc4 in the dir that contains all the required files for an extension.
And it's taking a long time with no output, is this normal ?

Title: Re: On Access Virus Protection ?
Post by: Rich on December 31, 2011, 04:15:54 PM
Hi remus
Depending on the number of files in the extension and the speed of your hardware, it may take a
little while before you see a response. I used it for an extension containing only one executable
file and it took 10 seconds before I saw any output.
Title: Re: On Access Virus Protection ?
Post by: remus on January 12, 2012, 04:53:20 AM
I've submitted the deps for ClamFS as extensions, and am preparing to do the same for ClamFS.

I'm getting around to writing up the steps needed to get everything working (as the comments in the info file) and need a bit of guidance.

The default clamd.conf file (which is for the clam antivirus daemon) has the default location for the clamd log file as
Code: [Select]
/tmp/clamd.log
I did a bit of research (self inflicted learning) and discovered that log files are often located at
Code: [Select]
/var/log
Should I change the location to /var/log or leave it in the default location ?
Title: Re: On Access Virus Protection ?
Post by: Juanito on January 12, 2012, 05:17:48 AM
If it's not too much trouble, I think /var/log makes more sense (and this is probably what fhs recommends)
Title: Re: On Access Virus Protection ?
Post by: remus on January 13, 2012, 10:39:19 PM
There is a required entry
Code: [Select]
LocalSocket /tmp/clamd.socket
I've done some googling but can't seem to find a Filesystem Hierarchy Standard reference to where socket files are supposed to go. I'll stick with >/tmp/clamd.socket< unless anyone has some input
Title: Re: On Access Virus Protection ?
Post by: Rich on January 13, 2012, 11:13:33 PM
Hi remus
Cups uses   /var/run/cups/cups.sock
Title: Re: On Access Virus Protection ?
Post by: remus on January 13, 2012, 11:38:09 PM
Thx Rich,
I also looked up "mysql socket" on google, and it's non consistent, sometimes it's /tmp/mysql.sock or /var/lib/mysql/mysql.sock

Part of my setup guide gets the user to check if they already have clamd running BEFORE making changes to the clamd.conf file.

Code: [Select]
$ top
output might be too busy for some.

I've got this so far.
Code: [Select]
$ ps | grep clamd
 2568 root     clamd
 2648 tc       grep clamd

Is there a command that just gives a single line of output ?
Title: Re: On Access Virus Protection ?
Post by: Rich on January 13, 2012, 11:49:22 PM
Hi remus
This might work:
Code: [Select]
ps | grep clamd | grep -v grep
Title: Re: On Access Virus Protection ?
Post by: remus on January 13, 2012, 11:52:31 PM
Thx Rich,
Does the trick.
Title: Re: On Access Virus Protection ?
Post by: Rich on January 14, 2012, 02:14:30 PM
Hi remus
And  geany  uses  /tmp/geany_socket.XXXXXXXX  where  XXXXXXXX  appears to be a hex number.
Title: Re: On Access Virus Protection ?
Post by: remus on February 06, 2012, 11:27:04 PM
I've put together clamfs as a tcz extension, and have started writing a simple guide to setting it up.

A little problem I'm hitting is that the clamd.conf file AND the clamfs.xml file both need to be edited in order to get things working. However a default install of clamav and clamfs give me what I think are links to the actual files. If I try to edit the link or the actual file I get the following error.

Code: [Select]
Error writing clamfs.xml: Read-only file system
Here's what the link looks like

Code: [Select]
tc@box:/usr/local/etc/clamfs$ ls -l
total 0
lrwxrwxrwx 1 root root 50 Feb  7 13:15 clamfs.xml -> /tmp/tcloop/clamfs/usr/local/etc/clamfs/clamfs.xml

Here's the tce.installed/clamfs.xml file I'm using
Code: [Select]
#!/bin/sh

[ -d /usr/local/etc/clamfs ] || mkdir /usr/local/etc/clamfs

[ -f /usr/local/etc/clamfs/clamfs.xml ] || cp -p /usr/local/share/clamfs/files/clamfs.xml /usr/local/etc/clamfs/

I've run into this problem before and was instructed to copy the file from /tmp/tcloop/clamfs/usr/local/etc/clamfs/clamfs.xml and replace the file located at /usr/local/etc/clamfs/clamfs.xml which works.

Is this the way it should be done to conform to anti bloat policy for creating extensions ?
Is it OK to setup the extension's tce.installed script so that a real writable file is saved to /usr/local/etc/clamfs/clamfs.xml ? And if so, how do I do that in my tce.installed script ?
Title: Re: On Access Virus Protection ?
Post by: gerald_clark on February 07, 2012, 12:17:40 AM
If the default config file is sufficient, you need do nothing, and no additional memory is used.
If you need to edit the config file, rename it to clamfs.xml.bak.
Then cp clamfs.xml.bak clamfs.xml.
Make your changes, add usr/local/etc/clamfs/clamfs.xml to /opt/.filetool.lst and do a backup.
Title: Re: On Access Virus Protection ?
Post by: remus on February 07, 2012, 02:42:52 AM
Default config files are insufficient.

So the end user has no choice but to:

cd /usr/local/etc/clamfs
sudo mv clamfs.xml clamfs.xml.bak
sudo cp /tmp/tcloop/clamfs/usr/local/etc/clamfs/clamfs.xml .
sudo echo "usr/local/etc/clamfs/clamfs.xml" >> /opt/.filetool.lst

Just thought I'd ask, I understand and support the goals of tinycore :)
LESSS IS MORE :)

I could include a script for the end user to run.
Title: Re: On Access Virus Protection ?
Post by: Rich on February 07, 2012, 03:02:54 AM
Hi remus
Or you could do what other extensions do and give the instructions in the  Comments  field of the
info file.
Title: Re: On Access Virus Protection ?
Post by: remus on February 07, 2012, 04:34:04 AM
Thanks Rich,

I've been looking at the comments in a few other extensions and have decided I'll do the same.
Title: Re: On Access Virus Protection ?
Post by: remus on February 10, 2012, 02:19:31 AM
clamfs.tcz is now available.

Thanks again to everyone who helped me put this together.