On Thu, 2006-06-29 at 08:29 +0100, Paul Howarth wrote:
On Wed, 2006-06-28 at 22:15 -0500, Marc Schwartz wrote:
On Wed, 2006-06-28 at 23:13 +0100, Paul Howarth wrote:
That might be dontaudit-able. Is /var/lib/clamav any user's home directory?
The /var/lib/clamav tree appears to be owned by 'clamav', both user and group:
$ ls -l /var/lib
total 264
...
drwxr-xr-x  2 clamav clamav    4096 Jun 28 11:00 clamav
...

$ ls -l /var/lib/clamav
total 8832
-rw-r--r-- 1 clamav clamav    4050 Jun 28 11:01 clamav-4d6166b710f63075
-rw-r--r-- 1 clamav clamav 3640966 Jun  9 16:49 clamav-651c96be267fc93e
-rw-r--r-- 1 clamav clamav  380351 Jun 28 08:00 daily.cvd
-rw-r--r-- 1 clamav clamav 4978654 Jun  9 18:00 main.cvd

$ cat /etc/passwd | grep clamav
clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin

$ cat /etc/group | grep clamav
clamav:x:101:
The search in /var/lib/clamav is probably a result of something running as that user, perhaps procmail. Does the clamav user get any mail?
Paul,
Good call. Yes indeed.
It would appear that clamav (the user) gets mail when there are problems with the hourly database updates. For example, if there are DNS problems or other issues with server access. I do see these coming from the root account, which then get forwarded to my user account via the postfix mapping. I had not paid attention, until now, regarding the multiple e-mail addresses in the To: field.
After doing some searching, it turns out that this is configured in /etc/cron.d/clamav-update.
In that file, mail is targeted (by default) to go to root, postmaster, webmaster and clamav. Now that I have looked at the content of /var/spool/mail/clamav, I do note that the mail is indeed sent to the aforementioned users.
Of course, postmaster and webmaster do not exist on my system as users.
Also, in the file is the following:
## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamav' as soon as possible
0 */3 * * * root /usr/share/clamav/freshclam-sleep
From other sources, it would appear that the freshclam programs, even if started as root, will setuid to clamav. This is configured in /etc/freshclam.conf. The default is:

# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamav
I could adjust the e-mail targets or other settings if you need me to.
I think the email targets are OK; you should just alias clamav, webmaster, and postmaster (every mail system should have a postmaster) to root, which in turn is aliased to you.
Paul,
I aliased clamav to root. postmaster and webmaster were already aliased to root.
I am also now in Enforcing mode.
We should probably give this a good 24 hours to run through the various cycles of e-mails and cron jobs.
If anything comes up in the mean time, I'll post back.
Just for reference, current policies loaded:
amavis          1.0.4
clamav          1.0.1
dcc             1.0.0
myclamav        0.1.5
mydcc           0.1.8
mypostfix       0.1.0
mypyzor         0.2.3
myspamassassin  0.1.1
procmail        0.5.4
pyzor           1.0.1
razor           1.0.0
Thanks for all the help.
Marc
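The fix agreed on in this thread is that clamav, postmaster and webmaster should all alias to root, which in turn aliases to the admin's mailbox, so that cron output from freshclam never lands in a system user's spool. Below is an added example (not code from either poster) of a POSIX shell check that follows an /etc/aliases-style chain to its final local mailbox, detects alias loops, and verifies that the three names end up wherever root does. The aliases file and the final mailbox name "marc" are constructed for the example; it handles only simple one-recipient aliases (no comma lists, :include: files or |program targets) and does not run newaliases for you.

```shell
#!/bin/sh
# Added example: resolve mail alias chains and check that the system
# users discussed in the thread end up in the same mailbox as root.

# Constructed sample aliases file (hypothetical; not a real /etc/aliases).
# Set ALIASES_FILE=/etc/aliases to run the checks against a live system.
ALIASES_FILE="${ALIASES_FILE:-$(mktemp)}"
cat > "$ALIASES_FILE" <<'EOF'
# constructed sample data
mailer-daemon:  postmaster
postmaster:     root
webmaster:      root
clamav:         root
root:           marc
EOF

# lookup_alias NAME: print the right-hand side of NAME's alias line,
# or nothing if NAME has no alias (i.e. it is a real local mailbox).
# Only the first colon is significant and only a single recipient is read.
lookup_alias() {
    awk -v name="$1" -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (key == name) {
                val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$ALIASES_FILE"
}

# resolve_alias NAME: follow the chain until a name with no alias is
# reached and print it. Returns 1 (printing LOOP:<name> or TOOLONG) if
# the chain revisits a name or exceeds 16 hops.
resolve_alias() {
    name="$1"; seen=" "; hops=0
    while :; do
        case "$seen" in *" $name "*) echo "LOOP:$name"; return 1;; esac
        seen="$seen$name "
        next=$(lookup_alias "$name")
        [ -z "$next" ] && { echo "$name"; return 0; }
        name="$next"
        hops=$((hops + 1))
        [ "$hops" -gt 16 ] && { echo "TOOLONG"; return 1; }
    done
}

# check_required: print root's final mailbox and return 0 only if
# clamav, postmaster and webmaster all resolve to that same mailbox.
check_required() {
    target=$(resolve_alias root) || return 1
    for a in clamav postmaster webmaster; do
        dest=$(resolve_alias "$a") || return 1
        [ "$dest" = "$target" ] || {
            echo "$a -> $dest (expected $target)" >&2
            return 1
        }
    done
    echo "$target"
}

# Stand-alone usage: report where each name ends up.
for a in root clamav postmaster webmaster; do
    printf '%-12s -> %s\n' "$a" "$(resolve_alias "$a")"
done
check_required >/dev/null && echo "aliases OK" || echo "aliases NOT OK"
```

On a real box, after editing /etc/aliases you still have to run newaliases (or postalias) for Postfix to pick up the change; a name that resolves to itself here means it has no alias at all and mail for it will sit in /var/spool/mail/<name>, which is exactly how the clamav spool filled up in the first place.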