On Windows, real-time virus scanning is taken for granted: when a user opens a file, the scanner examines it before the access completes. That is the advantage of a closed system: a single vendor controls the kernel, so hooking every file access is easy. In the open Linux world things are not so convenient.
Is there a Linux solution that meets the requirement for on-access virus scanning? Yes. Some will point to ClamAV, the best-known scanner on Linux. It does solve most of the problem, but on its own it scans on demand rather than on access, which is not quite instant enough. Ideally the scan would happen at the moment a file is accessed.
This article therefore uses ClamAV together with the DazukoFS kernel module to build a Linux defense that scans files for viruses in real time. The components are as follows.
Operating system: RHEL 5.4 (kernel 2.6.18)
Kernel module for monitoring file access in real time: DazukoFS 3.1.4
Anti-virus software: ClamAV 0.97.7
Kernel used with this DazukoFS release: 2.6.36
I. Introduction to DazukoFS
DazukoFS is a stackable file system that lets user-space applications perform on-access file control: it intercepts file accesses and hands each one to a registered application, which decides whether the access is allowed. It was developed primarily to support on-access virus scanners, but any application that wants to control file access online can use it.
Note: DazukoFS is completely independent of Dazuko. It uses a different user-space interface and a different driver, and because the two share no code or resources, Dazuko and DazukoFS can even be loaded at the same time. DazukoFS is nonetheless intended to replace Dazuko as the online file access control solution.
II. Upgrade the Linux Kernel
This article uses the latest DazukoFS release, 3.1.4, with Linux kernel 2.6.36. The kernel on the RHEL 5.4 system used in this instance is 2.6.18, so the kernel has to be upgraded first. The procedure is as follows.
1. Download the 2.6.36 kernel source
   1. wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.36.tar.gz
2. Unpack the kernel
   1. tar -zxvf linux-2.6.36.tar.gz
3. Move the unpacked source tree into /usr/src
   1. cp -r linux-2.6.36 /usr/src
4. Copy the configuration of the running kernel into the new source tree (the *** stands for the rest of the installed kernel's version string; check /boot for the exact file name)
   1. cp /boot/config-2.6.18-*** /usr/src/linux-2.6.36/.config
5. Change into the source tree; every make command below runs from here
   1. cd /usr/src/linux-2.6.36
6. Fine-tune the kernel parameters
   1. make menuconfig   # under General setup, enable "[*] enable deprecated sysfs features to support old userspace tools"; leave everything else unchanged. Those who are interested can study the remaining options in depth.
7. Compile and install
   1. make bzImage
   2. make modules
   3. make modules_install
   4. make install
8. Set the default boot entry
   1. vim /etc/grub.conf   # set default= to the index (counting from 0) of the new 2.6.36 title entry; in this instance it was the second entry, so default=0 became default=1
9. Reboot
   1. reboot
After the system restarts, run uname -r to confirm that the kernel version is now 2.6.36.
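The "default=1" in step 8 is only right when the new kernel happens to be the second title stanza. The following script, an added example that is not part of the original article, looks the entry up by kernel version instead of guessing. It assumes the GRUB-legacy /etc/grub.conf layout RHEL 5 uses (each stanza begins with "title" and contains a "kernel /vmlinuz-<version> ..." line) and works on a constructed copy of such a file rather than the live one.

```shell
#!/bin/sh
# Added example (not from the original article): set the grub.conf default
# entry by kernel version instead of assuming the new kernel is entry 1.
# Assumes GRUB-legacy syntax as on RHEL 5: stanzas start with "title", carry a
# "kernel /vmlinuz-<version> ..." line, and "default=" counts stanzas from 0.

# grub_entry_index CONF VERSION
# Prints the 0-based index of the first stanza whose kernel line boots
# vmlinuz-VERSION; prints nothing and returns 1 when no such stanza exists.
grub_entry_index() {
    awk -v ver="$2" '
        /^[[:space:]]*title/ { idx++ }
        /^[[:space:]]*kernel[[:space:]]/ {
            f = $2; sub(/.*\//, "", f)          # keep only the file name
            if (f == "vmlinuz-" ver) { print idx - 1; found = 1; exit }
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# set_default_kernel CONF VERSION
# Rewrites the "default=" line of CONF to point at VERSION; fails without
# touching the file when VERSION has no stanza in CONF.
set_default_kernel() {
    conf=$1
    idx=$(grub_entry_index "$conf" "$2") || {
        echo "set_default_kernel: no grub entry for kernel $2 in $conf" >&2
        return 1
    }
    sed "s/^default=.*/default=$idx/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# write_sample_grub_conf FILE
# Writes a constructed grub.conf (not copied from a real host) shaped like the
# one "make install" leaves behind on RHEL 5.4: the old 2.6.18 kernel is
# stanza 0 and the new 2.6.36 kernel is stanza 1.
write_sample_grub_conf() {
    cat > "$1" <<'EOF'
default=0
timeout=5
title Red Hat Enterprise Linux Server (2.6.18-164.el5)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-164.el5 ro root=/dev/VolGroup00/LogVol00
    initrd /initrd-2.6.18-164.el5.img
title Red Hat Enterprise Linux Server (2.6.36)
    root (hd0,0)
    kernel /vmlinuz-2.6.36 ro root=/dev/VolGroup00/LogVol00
    initrd /initrd-2.6.36.img
EOF
}

# Stand-alone demo on the constructed sample; on a real host you would pass
# /etc/grub.conf instead and then reboot.
tmp=${TMPDIR:-/tmp}/grub.conf.demo.$$
write_sample_grub_conf "$tmp"
echo "kernel 2.6.36 is grub entry $(grub_entry_index "$tmp" 2.6.36)"
set_default_kernel "$tmp" 2.6.36 && grep '^default=' "$tmp"
rm -f "$tmp"
```

Run it against /etc/grub.conf only after make install has added the new stanza; if the version is not found the file is left untouched, which is the safe failure for a boot configuration.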
III. Install DazukoFS
1. Download DazukoFS and its MD5 checksum
   1. wget http://dazuko.dnsalias.org/files/dazukofs-3.1.4.tar.gz
   2. wget http://dazuko.dnsalias.org/files/dazukofs-3.1.4.tar.gz.md5
2. Verify the integrity of the download
   1. md5sum -c dazukofs-3.1.4.tar.gz.md5   # must print "dazukofs-3.1.4.tar.gz: OK"; this only works if the file name inside the .md5 file matches the name you saved the archive under
   Alternatively, compute the checksum yourself and compare the two files (no diff output means they match):
   2. md5sum dazukofs-3.1.4.tar.gz > dazukofs-3.1.4.tar.gz.check.md5
   3. diff dazukofs-3.1.4.tar.gz.check.md5 dazukofs-3.1.4.tar.gz.md5
   Note that the .md5 file comes from the same server as the archive, so this check catches a corrupted download but not a tampered one.
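The diff comparison above breaks as soon as the .md5 file lists the archive under a different path than the local one, and md5sum -c has the same limitation. The function below, an added example that is not part of the original article or of DazukoFS, compares the digests themselves and reports a missing hash separately from a mismatch. It assumes the .md5 file is in md5sum's "HASH  NAME" format; the files it is demonstrated on are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): verify a download against a
# .md5 file by comparing digests, independent of the path recorded in the file.
# Assumption: the .md5 file uses md5sum's "HASH  NAME" layout.

# verify_md5 ARCHIVE MD5FILE
# Returns 0 when ARCHIVE's MD5 digest equals the first hash in MD5FILE,
# 1 on mismatch, 2 when MD5FILE contains no 32-hex-digit hash at all.
verify_md5() {
    # Pull the first token that looks like an MD5 digest; case-insensitive.
    expected=$(awk 'length($1) == 32 && tolower($1) ~ /^[0-9a-f]+$/ { print tolower($1); exit }' "$2")
    if [ -z "$expected" ]; then
        echo "verify_md5: no MD5 hash found in $2" >&2
        return 2
    fi
    actual=$(md5sum "$1" | awk '{ print tolower($1) }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_md5: MISMATCH for $1 (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "verify_md5: $1 OK"
}

# make_md5_fixture DIR
# Builds constructed test material in DIR: a fake archive and a .md5 file that
# records it under a different path, as a download site might.
make_md5_fixture() {
    mkdir -p "$1"
    printf 'constructed archive contents, not a real tarball\n' > "$1/dazukofs-3.1.4.tar.gz"
    printf '%s  files/dazukofs-3.1.4.tar.gz\n' \
        "$(md5sum "$1/dazukofs-3.1.4.tar.gz" | awk '{ print $1 }')" > "$1/dazukofs-3.1.4.tar.gz.md5"
}

# Usage after the two wget commands above; skipped when the files are absent.
[ -f dazukofs-3.1.4.tar.gz ] && verify_md5 dazukofs-3.1.4.tar.gz dazukofs-3.1.4.tar.gz.md5
```

Exit code 2 is deliberately distinct so a script can tell "the server gave me no checksum" from "the checksum disagrees"; neither state should be silently treated as success.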
3. Unpack and install DazukoFS
   1. tar -zxvf dazukofs-3.1.4.tar.gz
   2. cd dazukofs-3.1.4
   3. make && make dazukofs_install
4. Load the DazukoFS module
   1. modprobe dazukofs
5. Check that the module loaded
   1. dmesg | grep dazukofs
6. Create a test directory
   1. mkdir /tmp/dazukofs_test
7. Mount DazukoFS on top of the test directory (the directory appears twice: DazukoFS is stacked on the directory it protects)
   1. mount -t dazukofs /tmp/dazukofs_test /tmp/dazukofs_test
8. Check that the DazukoFS file system is mounted
   1. mount | grep dazukofs
9. Unmount the DazukoFS file system
   1. umount /tmp/dazukofs_test
IV. Mount DazukoFS at boot
If DazukoFS should be mounted automatically when the machine starts, add one entry per protected directory to /etc/fstab; the directory is both the source and the mount point:
   1. /usr /usr dazukofs defaults 0 0
   2. /opt /opt dazukofs defaults 0 0
V. Install ClamAV
1. Download the latest release and its signature
   1. wget http://downloads.sourceforge.net/clamav/clamav-0.97.7.tar.gz
   2. wget http://downloads.sourceforge.net/clamav/clamav-0.97.7.tar.gz.sig
2. Verify the software's integrity
This step uses GPG to check the detached signature.
   1. gpg --verify clamav-0.97.7.tar.gz.sig
Without the signer's public key the verification fails, but the output names the key ID it needs: 15497F03.
Fetch that public key from a key server:
   1. gpg --keyserver subkeys.pgp.net --recv-key 15497F03
Verify again:
   1. gpg --verify clamav-0.97.7.tar.gz.sig
"Good signature" means the archive matches the signature. Because a short key ID is cheap to collide, also compare the key's full fingerprint (gpg --fingerprint 15497F03) with the one the ClamAV project publishes before trusting the result.
3. Create the clamav group and user
   1. groupadd clamav
   2. useradd -g clamav -s /bin/false -d /dev/null clamav
4. Unpack, configure and install
   1. tar -zxvf clamav-0.97.7.tar.gz
   2. cd clamav-0.97.7
   3. ./configure --prefix=/usr/local/clamav   # the prefix matches the /usr/local/clamav paths used in the rest of this article
   4. make
   5. make install
5. Configure ClamAV
   1. vim /usr/local/clamav/etc/clamd.conf
   Example
      Comment this line out; clamd refuses to start while it is active.
   LogFile /tmp/clamd.log
      Uncomment and keep the default location.
   TCPSocket 3310
      Uncomment; 3310 is the port clamd listens on.
   TCPAddr 127.0.0.1
      Bind to the loopback address only, so that only local clients can reach clamd; without it the socket listens on every interface.
   User root
      clamd talks to DazukoFS through its device node under /dev, so it must run as root; otherwise it cannot receive the file access events.
   ClamukoScanOnAccess yes
      Enables on-access scanning. The DazukoFS kernel module must already be loaded.
   ClamukoScannerCount 3
      Number of scanner threads started for on-access scanning; the default is 3.
   ClamukoMaxFileSize 10M
      Largest single file that is scanned on access; the default is 10 MB, meaning only files smaller than 10 MB are scanned. A value of 0 removes the limit.

   2. vim /usr/local/clamav/etc/freshclam.conf
   Example
      Comment this line out, otherwise freshclam will not run.

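The table above lists the settings clamd needs for this setup, but it is easy to leave one of them at its shipped value and only notice when clamd refuses to start or, worse, listens on every interface as root. The script below is an added example, not part of the original article or of ClamAV: it audits a clamd.conf for exactly those settings. The option names are real clamd.conf options; the two configuration files it is demonstrated on are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit a clamd.conf for the
# settings this article's table requires before starting clamd.

# conf_value FILE OPTION
# Prints the value of the last active OPTION line (commented lines do not
# match because their first token starts with '#'); prints nothing if unset.
conf_value() {
    awk -v opt="$2" '$1 == opt { v = $2 } END { if (v != "") print v }' "$1"
}

# check_clamd_conf FILE
# Prints one line per problem and returns the number of problems found.
check_clamd_conf() {
    f=$1; n=0
    # 1. The "Example" line must be commented out or clamd refuses to start.
    if awk '$1 == "Example" { found = 1 } END { exit !found }' "$f"; then
        echo "Example line is still active; comment it out"; n=$((n + 1))
    fi
    # 2. Clamuko needs the DazukoFS device node, so clamd must run as root here.
    [ "$(conf_value "$f" User)" = root ] || { echo "User is not root; clamd cannot read DazukoFS events"; n=$((n + 1)); }
    # 3. A TCP socket without TCPAddr 127.0.0.1 accepts remote connections.
    if [ -n "$(conf_value "$f" TCPSocket)" ] && [ "$(conf_value "$f" TCPAddr)" != 127.0.0.1 ]; then
        echo "TCPSocket is enabled but TCPAddr is not 127.0.0.1; clamd would listen on all interfaces"; n=$((n + 1))
    fi
    # 4. On-access scanning must be switched on explicitly.
    [ "$(conf_value "$f" ClamukoScanOnAccess)" = yes ] || { echo "ClamukoScanOnAccess is not yes; no on-access scanning"; n=$((n + 1)); }
    # 5. ClamukoMaxFileSize 0 removes the size limit, so every open of a large
    #    file waits for a full scan; flag it rather than silently accept it.
    [ "$(conf_value "$f" ClamukoMaxFileSize)" = 0 ] && { echo "ClamukoMaxFileSize 0 removes the limit; opening large files will stall"; n=$((n + 1)); }
    return $n
}

# write_weak_clamd_conf FILE: constructed file with every mistake the table warns about.
write_weak_clamd_conf() {
    cat > "$1" <<'EOF'
Example
LogFile /tmp/clamd.log
TCPSocket 3310
User clamav
ClamukoMaxFileSize 0
EOF
}

# write_fixed_clamd_conf FILE: constructed file matching the table above.
write_fixed_clamd_conf() {
    cat > "$1" <<'EOF'
#Example
LogFile /tmp/clamd.log
TCPSocket 3310
TCPAddr 127.0.0.1
User root
ClamukoScanOnAccess yes
ClamukoScannerCount 3
ClamukoMaxFileSize 10M
EOF
}

# Stand-alone demo; on a real host run: check_clamd_conf /usr/local/clamav/etc/clamd.conf
d=${TMPDIR:-/tmp}/clamdconf.demo.$$; mkdir -p "$d"
write_weak_clamd_conf "$d/weak.conf"
echo "problems in weak.conf:"; check_clamd_conf "$d/weak.conf" || echo "($? problems)"
rm -rf "$d"
```

The return value is the problem count, so "check_clamd_conf /usr/local/clamav/etc/clamd.conf || exit 1" makes a sensible guard in the init script that starts clamd.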
6. Download the virus database
Fetch the signature database before running ClamAV for the first time:
   1. /usr/local/clamav/bin/freshclam
Note: the database files are stored in /usr/local/clamav/share/clamav by default. If that directory does not exist, create it and change its owner and group to clamav.
7. Start the ClamAV daemon
   1. /usr/local/clamav/sbin/clamd
Check that port 3310 is listening:
   1. netstat -na | grep 3310
Watch the clamd log:
   1. tail -f /tmp/clamd.log
VI. Test
1. Test the ClamAV scanner
   1. /usr/local/clamav/bin/clamscan -r /usr            # recursively scan every file under /usr
   2. /usr/local/clamav/bin/clamscan -r -i /usr         # recursive scan; list only infected files
   3. /usr/local/clamav/bin/clamscan -r --remove /usr   # recursive scan; delete infected files immediately (there is no undo)
   4. /usr/local/clamav/bin/clamscan -r --bell /usr     # recursive scan; sound a bell when a virus is found
2. Test on-access scanning
Download the EICAR test file (a harmless string that every scanner detects) into the /home directory:
   1. wget https://secure.eicar.org/eicar.com.txt
Mount DazukoFS on top of /home:
   1. mount -t dazukofs /home /home
Now try to open eicar.com.txt, for example in an editor: the access is refused with "Permission denied". In the clamd log,
   1. tail -f /tmp/clamd.log
you will see "Clamuko: /home/eicar.com.txt: Eicar-Test-Signature FOUND",
which shows that the file was detected the moment it was accessed.
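Reading tail -f by eye is fine for a one-off test, but an on-access scanner is only useful if hits reach someone. The function below is an added example, not part of the original article or of ClamAV: it extracts the path and signature from the "Clamuko: <path>: <signature> FOUND" lines clamd writes, taking the path from the left and the signature from the right so that a path containing ": " is not split in the wrong place. The log excerpt it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): pull on-access detections out
# of the clamd log. Assumes the "Clamuko: PATH: SIGNATURE FOUND" line shape
# shown in the article; an optional prefix before "Clamuko:" is tolerated.

# clamuko_hits LOGFILE
# Prints one "SIGNATURE<TAB>PATH" line per detection.
clamuko_hits() {
    awk '
        /Clamuko: .*: [^ ]+ FOUND$/ {
            line = $0
            sub(/^.*Clamuko: /, "", line)             # drop any log prefix
            sig = line; sub(/^.*: /, "", sig); sub(/ FOUND$/, "", sig)
            path = line; sub(/: [^ ]+ FOUND$/, "", path)
            printf "%s\t%s\n", sig, path
        }
    ' "$1"
}

# clamuko_hit_count LOGFILE -> number of detections in the log
clamuko_hit_count() {
    clamuko_hits "$1" | wc -l | tr -d ' '
}

# write_sample_clamd_log FILE: a constructed excerpt, not a captured log.
write_sample_clamd_log() {
    cat > "$1" <<'EOF'
Clamuko: Correctly registered with DazukoFS.
SelfCheck: Database status OK.
Clamuko: /home/eicar.com.txt: Eicar-Test-Signature FOUND
Clamuko: /home/user/report: final.doc: Eicar-Test-Signature FOUND
Clamuko: /home/user/notes.txt: Access allowed
EOF
}

# Stand-alone demo; on a real host: clamuko_hits /tmp/clamd.log
l=${TMPDIR:-/tmp}/clamd.log.demo.$$
write_sample_clamd_log "$l"
echo "$(clamuko_hit_count "$l") detections:"; clamuko_hits "$l"
rm -f "$l"
```

Piping clamuko_hits into logger or a mail command turns the log into an alert channel without touching clamd itself.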
VII. Problems Found
1. DazukoFS does not support write access to memory-mapped files; read access through mmap works.
2. Do not mount DazukoFS on the root file system or on the pseudo file systems (/proc, /dev, /sys).
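Problem 2 and the fstab entries of section IV are two sides of the same rule: a DazukoFS entry must cover a real directory, stacked on itself, and never /, /proc, /dev or /sys. The script below is an added example, not part of the original article or of DazukoFS: it checks an fstab for entries that break the rule and adds new entries only when they pass it. The fstab it is demonstrated on is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): keep /etc/fstab DazukoFS
# entries within the constraints of sections IV and VII.

# check_dazukofs_fstab FSTAB
# Prints one line per unsafe dazukofs entry; returns the number of them.
check_dazukofs_fstab() {
    awk '
        /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
        $3 != "dazukofs"     { next }              # only DazukoFS entries
        {
            mp = $2; bad = ""
            if ($1 != $2)
                bad = "source and mount point differ; DazukoFS is stacked on the directory it protects"
            else if (mp == "/")
                bad = "never mount DazukoFS on the root file system"
            else if (mp ~ /^\/(proc|dev|sys)(\/|$)/)
                bad = "pseudo file systems (/proc, /dev, /sys) must not be covered"
            if (bad != "") { printf "%s: %s\n", $0, bad; n++ }
        }
        END { exit n }
    ' "$1"
}

# add_dazukofs_mount FSTAB DIR
# Appends "DIR DIR dazukofs defaults 0 0" unless DIR is unsafe (return 1) or
# already present (nothing to do).
add_dazukofs_mount() {
    fstab=$1; dir=$2
    case $dir in
        /|/proc|/proc/*|/dev|/dev/*|/sys|/sys/*)
            echo "add_dazukofs_mount: refusing to cover $dir" >&2; return 1 ;;
    esac
    if awk -v d="$dir" '$3 == "dazukofs" && $2 == d { found = 1 } END { exit !found }' "$fstab"; then
        return 0
    fi
    printf '%s %s dazukofs defaults 0 0\n' "$dir" "$dir" >> "$fstab"
}

# write_sample_fstab FILE: constructed fstab with two good and three bad entries.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real host
/dev/VolGroup00/LogVol00 /     ext3     defaults 1 1
/usr  /usr  dazukofs defaults 0 0
/opt  /opt  dazukofs defaults 0 0
/     /     dazukofs defaults 0 0
/proc /proc dazukofs defaults 0 0
/home /opt  dazukofs defaults 0 0
EOF
}

# Stand-alone demo; on a real host: check_dazukofs_fstab /etc/fstab
f=${TMPDIR:-/tmp}/fstab.demo.$$
write_sample_fstab "$f"
check_dazukofs_fstab "$f" || echo "($? unsafe entries)"
rm -f "$f"
```

Running check_dazukofs_fstab before the mount -a that happens at boot is the cheapest way to avoid discovering a bad entry as an unbootable system.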