Antivirus scanning with procmail, sanitizer and clamav
If procmail is used as the local delivery agent, it is enough to add this rule to $HOME/.procmailrc to enable antivirus filtering with the sanitizer program:
```
PATH=/usr/local/bin:/usr/bin:/bin
SHELL=/bin/bash
MAILDIR=$HOME/Maildir/
ORGMAIL=$MAILDIR
DEFAULT=$MAILDIR
#LOGFILE=$HOME/procmail.log
#VERBOSE=yes
#-------------------------------------------------------------------------
# Filter the mail with ClamAV
#-------------------------------------------------------------------------
:0 fw
| /usr/bin/sanitizer /etc/sanitizer.cfg
```
The sanitizer program is configured through /etc/sanitizer.cfg:
```
#-------------------------------------------------------------------------
# Active features.
#-------------------------------------------------------------------------
feat_verbose     = 0 # Warn user about unscanned parts, etc.
feat_log_inline  = 0 # Inline logs: 0 = Off, 1 = Maybe, 2 = Force
feat_log_stderr  = 0 # Print log to standard error.
feat_log_xml     = 0 # Don't use XML format for logs.
feat_log_trace   = 0 # Omit trace info from logs.
feat_log_after   = 0 # Don't add any scratch space to part headers.
feat_files       = 1 # Enable filename-based policy decisions.
feat_mime_files  = 1 # Always check the mime-type's default name too.
feat_force_name  = 0 # Force all parts (except text/html parts) to
                     # have file names.
feat_boundaries  = 0 # Replace all boundary strings with our own
                     # NOTE: Always breaks PGP/MIME messages!
feat_lengths     = 1 # Protect against buffer overflows and null
                     # values.
feat_scripts     = 1 # Defang incoming shell scripts.
feat_html        = 0 # Defang active HTML content.
feat_webbugs     = 0 # Web-bugs are allowed.
feat_trust_pgp   = 0 # Don't scan PGP signed message parts.
feat_uuencoded   = 1 # Sanitize inline uuencoded files.
feat_forwards    = 1 # Sanitize forwarded messages.
feat_testing     = 0 # This isn't a test-case configuration.
feat_fixmime     = 1 # Fix invalid MIME, if possible.
feat_paranoid    = 0 # Don't be excessively paranoid about MIME headers etc.
#-------------------------------------------------------------------------
# Create saved files using this template. The directory must exist and
# be writable by the user running the sanitizer.
#   $d - Day of month (01-31)
#   $m - Month number (01-12)
#   $y - Two digit year (00-99)
#   $Y - Four digit year
#   $H - Hour (00-23)
#   $M - Minute (00-59)
#   $S - Second (00-59)
#
#   $P - This process's PID, in hex.
#   $T - The current Unix time, in hex.
#   $F - A safe version of the original file name.
#   $$ - A random character, from [A-Z0-9].
#-------------------------------------------------------------------------
file_name_tpl = /home/quarantine/$Y$m$d-$T-$F.$$
#-------------------------------------------------------------------------
# Message used to replace attachments saved and removed.
#-------------------------------------------------------------------------
msg_file_save  = *****ANTIVIRUS*****\n
msg_file_save += ATTENZIONE:\n
msg_file_save += Questa mail conteneva in allegato il file "%FILENAME"\n
msg_file_save += che e' risultato infetto da virus o potenzialmente dannoso.\n
msg_file_save += Il file e' stato rimosso al fine di evitarne la diffusione involontaria.\n
msg_file_save += %SAVEDNAME\n
msg_file_save += *******************\n
#-------------------------------------------------------------------------
# We have 2 policies, in addition to the file_default_policy.
#-------------------------------------------------------------------------
file_list_rules = 2
#-------------------------------------------------------------------------
# 1) Scan some attachments for virus with Clam AntiVirus.
#-------------------------------------------------------------------------
# This policy applies to attachments whose file name did not match any
# previous policy and matches this regular expression.
# The policy action can be:
#
#   accept   Don't alter the attachment at all.
#   defang   Alter the attachment's file name.
#   mangle   Change completely the attachment's file name.
#   save     Remove the attachment from the message, replace it with a
#            text message and save the attachment into a local file.
#   drop     The attachment will be deleted and replaced with message.
#   unknown  Indeterminate result, check the next policy.
#
#-------------------------------------------------------------------------
# Archives, executables, scripts, etc. This is a perl regular
# expression, see "man perlre" for info. The (?i) prefix makes
# the regexp case insensitive.
file_list_1  = (?i)\.(
file_list_1 += 7z|bat|com|chm|cmd|cpl|exe|pif|scr|sys
file_list_1 += |dat|doc|m?db|ppt|pps|ppsx|rtf|xls|xlsm|xlsx|wp.?
file_list_1 += |class|pl|vb[es]|[sp]?html?|php\d?
file_list_1 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz|g?z|bz\d?
file_list_1 += )$
# Virus scanner command line. The three exit codes represent the
# following scan conditions: clean, disinfected, infected.
file_list_1_scanner = 0:1:1:/usr/bin/clamdscan --fdpass --quiet %FILENAME
# What policy to apply for each exit code, plus a catch-all default.
file_list_1_policy = unknown:save:save:unknown
#-------------------------------------------------------------------------
# 2) White list: these extensions (or Content-Types) will be accepted.
#-------------------------------------------------------------------------
file_list_2  = (?i)\.(
file_list_2 += 7z|ai|ang|an6|asc|bmp|bz2|cl|csv|dat|doc|docx|dwg|dxf|fh|gif|gz|html?|ics|indd
file_list_2 += |jc3|jc4|jc5|jpe?g|m?db|mov|p7m|od[btsgfp]|ot[btspgf]|pcx|pdf|png|pps|ppsx|ppt|pptx
file_list_2 += |psd|pub|rtf|snp|sxc|tiff?|tgz|txt|vcf|wav|wp.?|xls|xlsm|xlsx|xml|zip
file_list_2 += )$
file_list_2_scanner = 0;
file_list_2_policy = accept;
#-------------------------------------------------------------------------
# Default policy: accept, but mangle file name.
#-------------------------------------------------------------------------
file_default_policy = defang
#-------------------------------------------------------------------------
# String used to mangle file names.
#-------------------------------------------------------------------------
msg_defanged = ANTIVIRUS
```
What happens if clamd is down
These are the exit codes of the clamdscan program:
| Exit code | Meaning |
|---|---|
| 0 | File OK. |
| 1 | Infected file. |
| 2 | Could not connect to clamd on LocalSocket. |
So if the daemon does not respond, the exit code is 2, which matches none of the three possible conditions (clean, disinfected, infected); the catch-all policy is applied instead, which in the example above is save (the file is removed and saved to quarantine).
This may not be the best choice, since an outage of the antivirus then causes every attachment to be lost.
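To check which policy a given attachment ends up with for a given clamdscan exit code, here is a small model of the rule cascade as the config comments describe it (added here as an illustration; it is not sanitizer's own code). It assumes the lists are tried in order, the scanner's exit code selects the clean/disinfected/infected entry of the policy string, any other exit code selects the fourth catch-all entry, and `unknown` falls through to the next list and finally to `file_default_policy`; the regexes and policy strings are copied from the /etc/sanitizer.cfg above.

```python
import re

# Rule table transcribed from the sanitizer.cfg above: file-name regex, the
# scanner's exit codes for clean:disinfected:infected, and the policy for each
# condition plus a catch-all.  file_list_2 has no scanner and a single policy.
FILE_LIST_1 = re.compile(
    r"(?i)\.(7z|bat|com|chm|cmd|cpl|exe|pif|scr|sys"
    r"|dat|doc|m?db|ppt|pps|ppsx|rtf|xls|xlsm|xlsx|wp.?"
    r"|class|pl|vb[es]|[sp]?html?|php\d?"
    r"|z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz|g?z|bz\d?)$")
FILE_LIST_2 = re.compile(
    r"(?i)\.(7z|ai|ang|an6|asc|bmp|bz2|cl|csv|dat|doc|docx|dwg|dxf|fh|gif|gz|html?|ics|indd"
    r"|jc3|jc4|jc5|jpe?g|m?db|mov|p7m|od[btsgfp]|ot[btspgf]|pcx|pdf|png|pps|ppsx|ppt|pptx"
    r"|psd|pub|rtf|snp|sxc|tiff?|tgz|txt|vcf|wav|wp.?|xls|xlsm|xlsx|xml|zip)$")
RULES = [
    (FILE_LIST_1, "0:1:1", "unknown:save:save:unknown"),
    (FILE_LIST_2, "0", "accept"),
]
DEFAULT_POLICY = "defang"


def scanner_verdict(exit_codes, policy, exit_code):
    """Map a scanner exit code to a policy action: the three leading codes
    stand for clean, disinfected and infected; any other code (e.g. 2 when
    clamd is not running) selects the fourth, catch-all policy entry."""
    codes = [int(c) for c in exit_codes.split(":")]
    actions = policy.split(":")
    if len(codes) < 3:            # no scanner configured: single policy applies
        return actions[0]
    for condition, code in enumerate(codes[:3]):
        if code == exit_code:
            return actions[condition]
    return actions[3]


def decide(filename, clamd_exit_code):
    """Walk the lists in order; 'unknown' means fall through to the next one,
    and the default policy applies when no list gives a verdict."""
    for regex, exit_codes, policy in RULES:
        if regex.search(filename) is None:
            continue
        action = scanner_verdict(exit_codes, policy, clamd_exit_code)
        if action != "unknown":
            return action
    return DEFAULT_POLICY


if __name__ == "__main__":
    # Constructed sample attachments; exit code 2 simulates clamd being down.
    for name, code in [("invoice.exe", 1), ("report.doc", 0), ("report.doc", 2), ("tool.exe", 2)]:
        print(f"{name} (clamdscan exit {code}) -> {decide(name, code)}")
```

Feeding exit code 2 through this model shows exactly which entry of `file_list_1_policy` decides the fate of an attachment while clamd is unreachable, so the value chosen for that catch-all slot can be checked against what the site wants to happen during an antivirus outage.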
Last modified: 2020/06/18 09:29 by niccolo