Great stuff – that has resolved that error.

Just need to get my head around what should and what should not be included/excluded now.

You would have thought there would be a "this is a good layout" for inclusions/exclusions for RHEL, which you could start with in the knowledge you aren't going to kill your system and then add/remove from it as you learn more.

Does anyone know of such a list?

Cheers

Ian


From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Franky Van Liedekerke via clamav-users
Sent: 24 September 2019 15:17
To: clamav-users@lists.clamav.net
Cc: Franky Van Liedekerke <liedekef@telenet.be>
Subject: Re: [clamav-users] RHEL ScanonAccess includepaths


While it is not recommended to scan everything under /var (or /var at all), the reason it fails is that you have /var submounts (/var/log, /var/tmp).
This is currently a known bug in clamav (I reported it: https://bugzilla.clamav.net/show_bug.cgi?id=12306 ), and the workaround in your case is:

OnAccessIncludePath /var/log
OnAccessIncludePath /var/tmp
OnAccessIncludePath /var

and then, if you don't want /var/log and /var/tmp, add these in the exclude:

ExcludePath ^/var/log
ExcludePath ^/var/tmp

Franky

On Tuesday, 24-09-2019 at 15:30, CROFT Ian wrote:

Hi

We have a need to have OnAccessScanning on our RHEL servers but with some path exclusions.

So, as I read the manuals etc., it seems I have to use the OnAccessIncludePath rather than the OnAccessMountPath.

So the filesystem layout is as such:

/
/boot
/home
/var
/var/log
/var/tmp
/var/log/audit

So I have set up the following IncludePath entries in scan.conf:

OnAccessIncludePath /boot
OnAccessIncludePath /dev
OnAccessIncludePath /etc
OnAccessIncludePath /home
OnAccessIncludePath /opt
OnAccessIncludePath /usr
OnAccessIncludePath /var

When then starting the clamd:scan service all paths seem to be OK apart from /var, which gave the following error:

ERROR: ScanOnAccess: Could not watch path '/var', No space left on device.

So I increased the number in /proc/sys/fs/inotify/max_user_watches from 8192 to 32768 (only 21551 total directories in the whole of the server, so it should cover it).

So now it doesn't give me the message about space but gives this message:

ERROR: ScanOnAccess: Could not watch path '/var', Success

And it is still not monitoring for anything under /var (EICAR test files not being picked up). All other paths seem to be working OK.

Does anybody know where I am going wrong?

Cheers

Ian


Ian CROFT
Senior Infrastructure Support Analyst
Sopra Steria
101 Dalton Avenue
Birchwood Park, Cheshire
Warrington WA3 6YF - United Kingdom
Phone: 07966 825245
ian.croft2@soprasteria.com - www.soprasteria.co.uk



Before printing, think about the environment.
The content of this message may be confidential, legally privileged and protected by law. Unauthorized use, copying or disclosure of any of it may be unlawful. If you are not the intended recipient please notify the sender and remove it from your system. While attachments to this e-mail are checked for viruses, we do not accept any liability for any damage sustained by viruses.

 

Sopra Steria is the trading name of the following companies (all registered in England & Wales): (i) Sopra Steria Limited (No. 04077975) (ii) Sopra Group Ltd (No. 01643041) (iii) Sopra Group Holding Ltd (No. 01588948)
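Added example (not code from the thread and not part of ClamAV): the "submounts first, then the parent" ordering and the anchored ExcludePath lines from Franky's reply, generated from a mount table, plus the directory-count versus fs.inotify.max_user_watches comparison Ian did by hand. It reads a table in /proc/self/mounts format; the embedded one is constructed to mirror the layout in the thread (the device names are invented), and the function names are this example's own. Nested submounts are emitted deepest first, which extends the two-level case in the thread to /var/log/audit under /var/log.

```shell
#!/bin/sh
# Added example, not ClamAV project code. Generates the on-access include
# block with submounts listed before their parent and checks the inotify
# watch budget. Function names and the sample mount table are assumptions.

# Constructed mount table in /proc/self/mounts format, mirroring the layout
# from the thread. Device names are invented. On a real host pass
# "$(cat /proc/self/mounts)" as the table argument instead.
MOUNTS_SAMPLE='/dev/mapper/rhel-root / xfs rw,relatime 0 0
/dev/sda1 /boot xfs rw,relatime 0 0
/dev/mapper/rhel-home /home xfs rw,nodev 0 0
/dev/mapper/rhel-var /var xfs rw,relatime 0 0
/dev/mapper/rhel-varlog /var/log xfs rw,nodev 0 0
/dev/mapper/rhel-vartmp /var/tmp xfs rw,nodev,noexec 0 0
/dev/mapper/rhel-audit /var/log/audit xfs rw,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# submounts_under PATH [MOUNT_TABLE]
# Print every mount point strictly below PATH, one per line, deepest first,
# so a nested filesystem (/var/log/audit) always precedes its parent
# (/var/log). A mount point that appears twice (bind mounts) is listed once.
submounts_under() {
    top=$1
    table=${2:-$MOUNTS_SAMPLE}
    printf '%s\n' "$table" | awk -v top="$top" '
        BEGIN { prefix = (top == "/") ? "/" : top "/" }
        $2 != top && index($2, prefix) == 1 && !seen[$2]++ { print $2 }
    ' | awk '{ n = gsub("/", "/"); print n, $0 }' \
      | LC_ALL=C sort -k1,1nr -k2,2 | cut -d' ' -f2-
}

# clamd_onaccess_block PATH [MOUNT_TABLE] [EXCLUDES]
# Emit OnAccessIncludePath lines for PATH with each submount before its
# parent (the workaround from the thread), then an ExcludePath anchored
# with ^ for every path in the space-separated EXCLUDES list.
clamd_onaccess_block() {
    top=$1
    excludes=$3
    submounts_under "$top" "$2" | while read -r m; do
        printf 'OnAccessIncludePath %s\n' "$m"
    done
    printf 'OnAccessIncludePath %s\n' "$top"
    for e in $excludes; do
        printf 'ExcludePath ^%s\n' "$e"
    done
}

# count_dirs PATH...
# Number of directories below the given paths, nested filesystems included,
# which is the figure Ian compared against max_user_watches (one inotify
# watch per directory).
count_dirs() {
    total=0
    for p in "$@"; do
        n=$(find "$p" -type d 2>/dev/null | wc -l | tr -d ' ')
        total=$((total + n))
    done
    echo "$total"
}

# inotify_watches_ok PATH...
# Compare that count with the running kernel's fs.inotify.max_user_watches
# (falls back to the old 8192 default if the file is unreadable). A non-zero
# exit is the "No space left on device" situation from the thread.
inotify_watches_ok() {
    limit=$(cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 8192)
    needed=$(count_dirs "$@")
    echo "directories=$needed max_user_watches=$limit"
    [ "$needed" -lt "$limit" ]
}

# Stand-alone demo: the /var case from the thread, with /var/log and
# /var/tmp excluded as Franky suggested.
clamd_onaccess_block /var "" "/var/log /var/tmp"
```

Two caveats a practitioner should keep in mind. `ExcludePath ^/var/log` is only anchored at the start, so it also matches /var/logs and everything under /var/log/audit; if the exclusion is meant to be exact, tighten the regex rather than relying on the prefix. And writing to /proc/sys/fs/inotify/max_user_watches as Ian did does not survive a reboot; put `fs.inotify.max_user_watches = 32768` in a file under /etc/sysctl.d/ so the limit is applied at boot, and run `inotify_watches_ok /boot /dev /etc /home /opt /usr /var` after any change to confirm the budget still covers the directory count.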