[clamav-users] RHEL ScanonAccess includepaths
Franky Van Liedekerke
liedekef at telenet.be
Tue Sep 24 14:17:23 UTC 2019
While it is not recommended to scan everything under /var (or /var
at all), the reason it fails is because you have /var submounts
(/var/log, /var/tmp).
This is currently a known bug in clamav (I reported
it: https://bugzilla.clamav.net/show_bug.cgi?id=12306 ), and the
workaround in your case is:
OnAccessIncludePath /var/log
OnAccessIncludePath /var/tmp
OnAccessIncludePath /var
and then, if you don't want /var/log and /var/tmp, add these in the
exclude:
ExcludePath ^/var/log
ExcludePath ^/var/tmp
Franky
On Tuesday, 24-09-2019 at 15:30, CROFT Ian wrote:
Hi
We have a need to have OnAccessScanning on our RHEL servers but with
some path exclusions.
So as I read the manuals etc it seems I have to use the
OnAccessIncludePath rather than the OnAccessMountPath.
So the filesystem layout is as such :-
/
/boot
/home
/var
/var/log
/var/tmp
/var/log/audit
So I have set up the following IncludePath entries in scan.conf
OnAccessIncludePath /boot
OnAccessIncludePath /dev
OnAccessIncludePath /etc
OnAccessIncludePath /home
OnAccessIncludePath /opt
OnAccessIncludePath /usr
OnAccessIncludePath /var
When then starting the clamd:scan service all paths seem to be ok apart
from /var which gave the following error
ERROR: ScanOnAccess: Could not watch path ‘/var’, No space left on
device.
So I increased the number in /proc/sys/fs/inotify/max_user_watches
from 8192 to 32768 ( Only 21551 total directories in the whole of the
server so should cover it )
So now it doesn’t give me the message about space but gives this
message :-
ERROR: ScanOnAccess: Could not watch path ‘/var’, Success
And is still not monitoring for anything under /var ( eicar test files
not being picked up. ) All other paths seem to be working ok.
Does anybody know where I am going wrong ?
Cheers
Ian
Ian CROFT
Senior Infrastructure Support Analyst
Sopra Steria
101 Dalton Avenue
Birchwood Park, Cheshire
Warrington WA3 6YF - United Kingdom
Phone: 07966 825245
ian.croft2 at soprasteria.com - www.soprasteria.co.uk
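The workaround from the reply, generalised as an added example (not part of the original messages and not ClamAV's own tooling): a shell function that reads a mount table in /proc/mounts format on stdin and prints an OnAccessIncludePath line for each mount point nested under a given path, followed by the path itself. It assumes every nested mount point, at any depth, needs its own entry, so /var/log/audit is listed too; the function names and the sample mount table are constructed.

```shell
#!/bin/sh
# Added example: expand one include path into the submount-first list
# used in the workaround (/var/log, /var/tmp, then /var).

# Constructed sample mount table matching the layout in the thread
# (device names and filesystem types are made up).
sample_mounts() {
cat <<'EOF'
/dev/mapper/vg-root / xfs rw 0 0
/dev/sda1 /boot xfs rw 0 0
/dev/mapper/vg-home /home xfs rw 0 0
/dev/mapper/vg-var /var xfs rw 0 0
/dev/mapper/vg-log /var/log xfs rw 0 0
/dev/mapper/vg-tmp /var/tmp xfs rw 0 0
/dev/mapper/vg-audit /var/log/audit xfs rw 0 0
EOF
}

# expand_include PATH   (mount table in /proc/mounts format on stdin)
# Prints an OnAccessIncludePath line for every mount point below PATH,
# children before parents (the order used in the workaround), then
# one line for PATH itself.
expand_include() {
    inc=${1%/}                       # drop a trailing slash; "/" becomes ""
    awk -v inc="$inc" '
        # Field 2 is the mount point. Match only paths strictly below inc,
        # so /var does not match /variable or /var itself.
        index($2, inc "/") == 1 && $2 != inc "/" { print $2 }
    ' | LC_ALL=C sort -ru | sed 's/^/OnAccessIncludePath /'
    printf 'OnAccessIncludePath %s\n' "${inc:-/}"
}

# Demo on the constructed table.
sample_mounts | expand_include /var
```

On a live system the same function can be fed the real mount table with `expand_include /var < /proc/mounts`. Mount points containing spaces appear escaped in /proc/mounts and are not decoded here.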