first commit

Dockerfile

@@ -0,0 +1,28 @@
+FROM debian:jessie-slim
+MAINTAINER Dietrich Rordorf <dr@ediqo.com>
+
+USER root
+
+# copy assets to image
+COPY ./assets /usr/local
+
+# install antivirus and dependencies, get the latest clamav and maldet signatures
+RUN apt-get update && \
+    apt-get install -y apt-utils clamav clamav-daemon curl inotify-tools supervisor host tar wget chkconfig && \
+    mkdir -p /var/log/supervisor && \
+    mkdir -p /var/log/cron && \
+    cd /usr/local/ && chmod +x *.sh && sync && \
+    cd /usr/local/bin && chmod +x *.sh && sync && \
+    /usr/local/install_maldet.sh && \
+    /usr/local/install_antivirus.sh && \
+    apt-get -y remove curl apt-utils && \
+    rm -rf /var/cache/* && \
+    freshclam && \
+    maldet -u -d
+
+# export volumes (uncomment if you do not mount these volumes at runtime or via docker-compose)
+# VOLUME /data/av/queue
+# VOLUME /data/av/ok
+# VOLUME /data/av/nok
+
+ENTRYPOINT ["/usr/local/entrypoint.sh"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Dietrich Rordorf
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,91 @@
+# gjyoung1974/docker-malware-scan
+
+## Antivirus & Antimalware as a Microservice / as a Docker Container
+
+gjyoung1974/docker-malware-scan is a docker image malware scanner. Y
+
+The resulting Docker image runs inotify as the main process that watches a pre-defined volume for file write events and calls clamscan for each new file that is written into the volume. We do *not* use the ClamAV daemon, which has a constant, large memory consumption. 
+
+### Notes
+- **The image may only be built once per hour on the same IP address due to download limitations of the ClamAV signatures**
+- the image is maintained by Gordon Young,      
+
+### Quick start
+
+Try out the setup, copy the docker-compose.yml file from the [repository](https://github.com/gjyoung1974/docker-malware-scan) to your local file system and run:
+
+    docker-compose up -d
+
+### Introduction
+
+Build for [gjyoung1974/docker-malware-scan](https://hub.docker.com/r/gjyoung1974/docker-malware-scan/)     
+Docker image running [Linux Malware Detect (LMD)](https://github.com/rfxn/linux-malware-detect) with [ClamAV](https://github.com/vrtadmin/clamav-devel) as the scanner.     
+
+gjyoung1974/docker-malware-scan provides a plug-in container to e.g. scan file uploads in web applications before further processing.     
+
+The container requires three volume mounts from where to take files to scan, and to deliver back scanned files and scan reports.    
+
+The container auto-updates the LMD and ClamAV virus signatures once per hour.     
+
+Optionally, an email alert can be sent to a specified email address whenever a virus/malware is detected in a file.     
+
+
+### Required volume mounts
+
+Please provide the following volume mounts at runtime (e.g. in your docker-compose file). The antivirus container expects the following paths to be present when running:
+
+        /data/av/queue         --> files to be checked
+        /data/av/ok            --> checked files (ok)
+        /data/av/nok           --> scan reports for infected files
+
+Additionally, you may mount the quarantine folder and provide it to the antivirus container at the following path (this might be useful if you want to process the quarantined files from another container):
+
+        /data/av/quarantine    --> quarantined files
+
+
+
+### Docker Pull & Run
+
+To install the container, pull it from the Docker registry (latest tag refers to
+the master branch, use dev tag for dev branch):
+
+    docker pull gjyoung1974/docker-malware-scan:latest
+
+To run the docker container, use the following command. If you pass an email address as the last argument, email alerts will be activated and sent to this email address whenever a virus is detected.
+
+    docker run -tid --name docker-antivirus gjyoung1974/docker-malware-scan [email@example.net]
+
+
+### Docker Build & Run
+
+To build your own image, clone the repo and cd into the cloned repository root folder. Then, build as follows:
+
+    docker build -t docker-antivirus .
+
+To start the built image, run the following command. Optionally pass an email address to activate email alerts when a virus/malware is detected:
+
+    docker run -tid --name docker-antivirus docker-antivirus:latest [email@example.net]
+
+
+### Testing
+
+You can use the [EICAR test file](https://en.wikipedia.org/wiki/EICAR_test_file) to test the AV setup. (Caution: create the file yourself and copy-past the file content that can be found on the linked Wikipedia article.)
+
+
+### Mounting volumes with docker-compose
+
+Here is an exmple entry that you can use in your docker-compose file to easily plug in the container into your existing network. Replace "networkid" with your actual netwerk id. Optionally turn on email alerts by uncommenting the "command". Finally, make sure the ./data/av/... folders exist on your local/host system or change the paths.
+
+
+    docker-malware-scan:
+      image: gjyoung1974/docker-malware-scan
+      container_name: docker-malware-scan
+      # uncomment and set the email address to receive email alerts when viruses are detected
+      #command:
+      # - /usr/local/install_alerts.sh email@example.net
+      volumes:
+        - ./data/queue:/data/av/queue
+        - ./data/ok:/data/av/ok
+        - ./data/nok:/data/av/nok
+      networks:
+        - yournetworkid

assets/bin/launcher.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# inotify watches the queue and launches the AV scanner when new files are written, keeps the docker container running as well!
+#
+#  -m /data/av/queue                monitor /data/av/queue forever
+#  -r                            watched directory recursively
+#  -q                            quiet (only print events)
+#  -t 0                          never timeout
+#  -e moved_to,close_write       only fire if a file is moved to or written into the watched directory
+#
+printf "Waiting for changes to /data/av/queue ...\n"
+inotifywait -m -r -q -t 0 -e moved_to,close_write /data/av/queue |
+while read -r path action file; do
+     /usr/local/bin/scanner.sh
+done

assets/bin/scanfile.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+now=`date +'%Y-%m-%d %T'`
+printf "[${now}]\n"
+
+# scan with ClamAV first (faster)
+clamscan -rio --enable-stats --move /data/av/quarantine /data/av/scan
+
+# scan with maldet second, if file still in /data/av/scan
+files=$(shopt -s nullglob dotglob; echo /data/av/scan/*)
+if (( ${#files} ))
+then
+    maldet -a /data/av/scan/
+fi
+
+# maldet quarantines into /usr/local/maldetect/quarantine, move to /data/av/quarantine
+files=$(shopt -s nullglob dotglob; echo /usr/local/maldetect/quarantine/*)
+if (( ${#files} ))
+then
+    for file in "/usr/local/maldetect/quarantine"/* ; do
+        filename=`basename $file`
+        printf "  --> Moving maldet quarantined file to /data/av/quarantine/${filename}\n"
+        mv -f $file "/data/av/quarantine/${filename}"
+    done
+fi

assets/bin/scanner.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+files=$(shopt -s nullglob dotglob; echo /data/av/queue/*)
+if (( ${#files} ))
+then
+    printf "Found files to process\n"
+    for file in "/data/av/queue"/* ; do
+        filename=`basename $file`
+        mv -f $file "/data/av/scan/${filename}"
+        printf "Processing /data/av/scan/${filename}\n"
+        /usr/local/bin/scanfile.sh > /data/av/scan/info 2>&1
+        if [ -e "/data/av/scan/${filename}" ]
+        then
+            printf "  --> File ok\n"
+            mv -f "/data/av/scan/${filename}" "/data/av/ok/${filename}"
+            printf "  --> File moved to /data/av/ok/${filename}\n"
+            rm /data/scan/info
+        elif [ -e "/data/av/quarantine/${filename}" ]
+        then
+            printf "  --> File quarantined / nok\n"
+            mv -f "/data/av/scan/info" "/data/av/nok/${filename}"
+            printf "  --> Scan report moved to /data/av/nok/${filename}\n"
+        fi
+    done
+    printf "Done with processing\n"
+fi

assets/entrypoint.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+printf "Updating antivirus configuration ...\n"
+sed -i -e "s/{ALERT}/0/g" /usr/local/maldetect/conf.maldet
+sed -i -e "s/{EMAIL}//g" /usr/local/maldetect/conf.maldet
+if [[ $# -eq 1 && $1 = *[!\ ]* ]] ; then
+    email=$1
+    /usr/local/install_alerts.sh $email
+fi
+printf "Done\n"
+
+PATHS=(/data/av/scan /data/av/quarantine /data/av/queue /data/av/ok /data/av/nok /var/log/cron)
+for i in ${PATHS[@]}; do
+    mkdir -p ${i}
+done
+
+printf "Fetching latest ClamAV virus definitions ...\n"
+freshclam
+
+printf "Fetching latest Maldet malware signatures ...\n"
+maldet -u -d
+
+# start supervisors, which spawns cron and inotify launcher
+printf "Starting supervisord ...\n"
+/usr/bin/supervisord -c /usr/local/supervisor.conf

assets/install_alerts.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+if [[ $# -eq 1 && $1 = *[!\ ]* ]] ; then
+    email=$1
+    sed -i -e "s/email_alert=\"0\"/email_alert=\"1\"/g" /usr/local/maldetect/conf.maldet
+    sed -i -e "s/email_addr=\"\"/email_addr=\"${email}\"/g" /usr/local/maldetect/conf.maldet
+    printf "Enbaled email alerts for ${email}\n"
+fi

assets/install_antivirus.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# setup cron to update virus signatures hourly
+cd /usr/local
+crontab -l > tempcrons
+echo "5 * * * * /usr/bin/freshclam >> /var/log/cron/general.log 2>&1" >> tempcrons
+echo "10 * * * * /usr/local/sbin/maldet -u -d >> /var/log/cron/general.log 2>&1" >> tempcrons
+crontab tempcrons
+rm tempcrons

assets/install_maldet.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+mkdir -p /tmp/maldetect-current
+cd /tmp
+curl -S -L -O http://www.rfxn.com/downloads/maldetect-current.tar.gz && \
+# tar contains a folder like maldetect-1.6.2
+tar -xzvf /tmp/maldetect-current.tar.gz -C /tmp/maldetect-current
+cd ./maldetect-current
+maldetversion=$(ls -d */ | grep maldetect)
+# run install with bash to support advanced operators
+cd $maldetversion && bash ./install.sh
+ln -s /usr/local/maldetect/maldet /bin/maldet
+hash -r
+yes | rm -R /tmp/maldetect-current

assets/maldetect/conf.maldet

@@ -0,0 +1,260 @@
+##
+# Linux Malware Detect v1.5
+#             (C) 2002-2016, R-fx Networks <proj@r-fx.org>
+#             (C) 2016, Ryan MacDonald <ryan@r-fx.org>
+# This program may be freely redistributed under the terms of the GNU GPL v2
+##
+#
+##
+# [ General Options ]
+##
+
+# Enable or disable e-mail alerts, this includes application version
+# alerts as well as automated/manual scan reports. On-demand reports
+# can still be sent using '--report SCANID user@domain.com'.
+# [0 = disabled, 1 = enabled]
+email_alert="0"
+
+# The destination e-mail addresses for automated/manual scan reports
+# and application version alerts.
+# [ multiple addresses comma (,) spaced ]
+email_addr=""
+
+# Ignore e-mail alerts for scan reports in which all malware hits
+# have been automatically and successfully cleaned.
+# [0 = disabled, 1 = enabled]
+email_ignore_clean="1"
+
+# This controls the daily automatic updates of LMD signature files
+# and cleaner rules. The signature update process preserves any
+# custom signature or cleaner files. It is highly recommended that this
+# be enabled as new signatures a released multiple times per-week.
+# [0 = disabled, 1 = enabled]
+autoupdate_signatures="1"
+
+# This controls the daily automatic updates of the LMD installation.
+# The installation update process preserves all configuration options
+# along with custom signature and cleaner files. It is recommended that
+# this be enabled to ensure the latest version, features and bug fixes
+# are always available.
+# [0 = disabled, 1 = enabled]
+autoupdate_version="1"
+
+# This controls validating the LMD executable MD5 hash with known
+# good upstream hash value. This allows LMD to replace the the
+# executable / force a reinstalltion in the event the LMD executable
+# is tampered with or corrupted. If you intend to make customizations
+# to the LMD executable, you should disable this feature.
+# [0 = disabled, 1 = enabled]
+autoupdate_version_hashed="1"
+
+# When defined, the import_config_url option allows a configuration file to be
+# downloaded from a remote URL. The local conf.maldet and internals.conf are
+# parsed followed by the imported configuration file. As such, only variables
+# defined in the imported configuration file are overridden and a full set of
+# configuration options is not explicitly required in the imported file.
+import_config_url=""
+
+# The expiry interval for refreshing the local cached version of the imported
+# configuration file. The default is every 12h (43200 sec) which should be ok
+# for most setups.
+import_config_expire="43200"
+
+# When defined, the import_sigs_*_url options allow for the custom signature
+# files to be downloaded from a remote URL. THIS WILL OVERWRITE ANY LOCAL CUSTOM
+# SIGNATURE FILES! It is recommended for large-scale deployments to define these
+# variables within a import_config_url file.
+import_sigs_md5_url=""
+import_sigs_hex_url=""
+
+##
+# [ SCAN OPTIONS ]
+##
+
+# The maximum directory depth that the scanner will search, a value
+# of 10-15 is recommended.
+# [ changing this may have an impact on scan performance ]
+scan_max_depth="1"
+
+# The minimum file size in bytes for a file to be included in LMD scans.
+# [ changing this may have an impact on scan performance ]
+scan_min_filesize="24"
+
+# The maximum file size for a file to be included in LMD scans. Accepted
+# value formats are b, k, M. When using the clamscan engine, the max_filesize
+# will be dynamically set based on the largest known filesize from the MD5
+# hash signature file.
+# [ changing this may have an impact on scan performance ]
+scan_max_filesize="20M"
+
+# The maximum byte depth that the scanner will search into a files content.
+# The default signature rules expect a depth size of at least 65536 bytes.
+# [ changing this may have an impact on scan performance ]
+scan_hexdepth="65536"
+
+# Use named pipe (FIFO) for passing file contents hex data instead of stdin
+# default; improved performance and greater scanning depth. This is highly
+# recommended and works on most systems. The hexfifo will be disabled
+# automatically if for any reason it can not be successfully utilized.
+# [ 0 = disabled, 1 = enabled ]
+scan_hexfifo="1"
+
+# The maximum byte depth that the scanner will search into a files content
+#s when using named pipe (FIFO). Improved performance allows for greater
+# scan depth over default scan_hexdepth value.
+# [ changing this may have an impact on scan performance ]
+scan_hexfifo_depth="524288"
+
+# If installed, use ClamAV clamscan binary as default scan engine which
+# provides improved scan performance on large file sets. The clamscan
+# engine is used in conjunction with native ClamAV signatures updated
+# through freshclam along with LMD signatures providing additional
+# detection capabilities.
+# [ 0 = disabled, 1 = enabled ]
+scan_clamscan="1"
+
+# Include the scanning of known temporary world-writable paths for
+# -a|--al and -r|--recent scan types.
+scan_tmpdir_paths="/data/av/scan"
+
+# Allows non-root users to perform scans. This must be enabled when
+# using mod_security2 upload scanning or if you want to allow users
+# to perform scans. When enabled, this will populate 'pub/' with user
+# owned quarantine, session and temporary paths to faciliate scans.
+# [ 0 = disabled, 1 = enabled, disabled by default ]
+scan_user_access="0"
+
+# Process CPU scheduling (nice) priority level for scan operations.
+# [ -19 = high prio , 19 = low prio, default = 19 ]
+scan_cpunice="-17"
+
+# Process IO scheduling (ionice) priority levels for scan operations.
+# (uses cbq best-effort scheduling class [-c2])
+# [ 0 = most favorable IO, 7 = least favorable IO ]
+scan_ionice="0"
+
+# Set hard limit on CPU usage for find and clam(d)scan processes. This
+# requires the 'cpulimit' binary to be available on the server. The values
+# are expressed as relative percentage * N cores on system. An 8 CPU core
+# server would accept values from 0 - 800, 12 cores 0 - 1200 etc...
+scan_cpulimit="0"
+
+# As a design and common use case, LMD typically only scans user space paths
+# and as such it makes sense to ignore files that are root owned. It is
+# recommended to leave this enabled for best performance.
+# [ 0 = disabled, 1 = enabled ]
+scan_ignore_root="1"
+
+# This allows for specific user or groups to be ignored entirely from scan
+# file lists. This option should be used with care and is not ideal for
+# ignoring false positives. Instead, you should use one of the ignore files,
+# such as ignore_paths, to exclude a specific file name or path from scans.
+# [ comma or white spaced list of user and group names ]
+scan_ignore_user=""
+scan_ignore_group=""
+
+# The maximum amount of time, in seconds, that the 'find' file list generation
+# will run before it is terminated. All 'find' results up to the point of
+# termination will be fully scanned. If performing a full scan of all user paths
+# on a large server, it is reasonable to expect the find operation may take a
+# long time to complete and as such this feature may interfere. In such cases,
+# this feature can be disabled/modified on a per-scan basis using the
+# '-co|--config-option' CLI option, such as:
+# "maldet -co scan_find_timeout=0 -a /home/?/public_html".
+# [ 0 = disabled, 14400 = 4hr recommended timeout ]
+scan_find_timeout="0"
+
+# The daily cron 'find' operation performed by LMD detects recently created/modifed
+# user files. This 'find' operation can be especially resource intensive and it may
+# be desirable to persist the file list results so that other applications/tasks
+# may make use of the results. When scan_export_filelist is set enabled, the most
+# recent result set will be saved to '/usr/local/maldetect/tmp/find_results.last'
+# [ 0 = disabled, 1 = enabled ]
+scan_export_filelist="0"
+
+##
+# [ QUARANTINE OPTIONS ]
+##
+# The default quarantine action for malware hits
+# [0 = alert only, 1 = move to quarantine & alert]
+quarantine_hits="1"
+
+# Try to clean string based malware injections
+# [NOTE: quarantine_hits=1 required]
+# [0 = disabled, 1 = clean]
+quarantine_clean="0"
+
+# The default suspend action for users wih hits
+# Cpanel suspend or set shell /bin/false on non-Cpanel
+# [NOTE: quarantine_hits=1 required]
+# [0 = disabled, 1 = suspend account]
+quarantine_suspend_user="0"
+
+# The minimum userid value that can be suspended
+# [ default = 500 ]
+quarantine_suspend_user_minuid="500"
+
+##
+# [ MONITORING OPTIONS ]
+##
+# The default startup option for monitor mode, either 'users' or path to line
+# spaced file containing local paths to monitor. This option is used for the
+# init based startup script. This value is ignored when '/etc/sysconfig/maldet'
+# or '/etc/default/maldet' is present with a defined value for $MONITOR_MODE.
+# default_monitor_mode="users"
+# default_monitor_mode="/usr/local/maldetect/monitor_paths"
+
+# The base number of files that can be watched under a path,
+# this ends up being a relative value per-user in user mode.
+# [ maximum file watches = inotify_base_watches*users ]
+inotify_base_watches="16384"
+
+# The sleep time in seconds between monitor runs to scan files
+# that have been created/modified/moved.
+inotify_sleep="15"
+
+# The interval in seconds that inotify will reload configuration
+# data, including remote configuration imports and user signatures.
+inotify_reloadtime="3600"
+
+# The minimum userid that will be added to path monitoring when
+# the USERS option is specified.
+inotify_minuid="500"
+
+# This is the html/web root for users relative to homedir, when
+# this option is set, users will only have the webdir monitored
+# [ clear option to default monitor entire user homedir ]
+inotify_docroot="public_html"
+
+# Process CPU scheduling (nice) priority level for scan operations.
+# [ -19 = high prio , 19 = low prio, default = 19 ]
+inotify_cpunice="18"
+
+# Process IO scheduling (ionice) priority levels for scan operations.
+# (uses cbq best-effort scheduling class [-c2])
+# [ 0 = most favorable IO, 7 = least favorable IO ]
+inotify_ionice="6"
+
+# Set hard limit on CPU usage for inotify monitoring processes. This requires
+# the 'cpulimit' binary to be available on the server. The values are expressed
+# as relative percentage * N cores on system. An 8 CPU core system would accept
+# values from 0 - 800, a 12 cores system would accept 0 - 1200 etc...
+inotify_cpulimit="0"
+
+# Log every file scanned by inotify monitoring mode; this is not recommended
+# and will drown out your 'event_log' file, intended only for debugging purposes.
+inotify_verbose="0"
+
+##
+# [ STATISTICAL ANALYSIS ]
+# This is an EXPERIMENTAL feature and should be used with caution.
+# Currently, this feature can have a substantially negative impact
+# on scan performance, especially with large file sets.
+##
+# The string length test is used to identify threats based on the
+# length of the longest uninterrupted string within a file. This is
+# useful as obfuscated code is often stored using encoding methods
+# that produce very long strings without spaces (e.g: base64)
+# [ string length in characters, default = 150000 ]
+string_length_scan="0"		# [ 0 = disabled, 1 = enabled ]
+string_length="150000"		# [ max string length ]

assets/supervisor.conf

@@ -0,0 +1,27 @@
+[supervisord]
+logfile=/var/log/supervisor/supervisor.log      ; supervisord log file
+logfile_maxbytes=10MB                           ; maximum size of logfile before rotation
+logfile_backups=10                              ; number of backed up logfiles
+loglevel=error                                  ; info, debug, warn, trace
+pidfile=/var/run/supervisord.pid                ; pidfile location
+nodaemon=true                                   ; run supervisord as a daemon
+minfds=1024                                     ; number of startup file descriptors
+minprocs=200                                    ; number of process descriptors
+user=root                                       ; default user
+childlogdir=/var/log/supervisor/                ; where child log files will live
+
+[program:cron]
+command=/usr/sbin/cron -f
+stderr_logfile = /var/log/supervisor/cron-stderr.log
+stdout_logfile = /var/log/supervisor/cron-stdout.log
+autorestart=unexpected
+stdout_logfile_maxbytes=10MB
+stdout_logfile_backups=10
+
+[program:inotify]
+command=/usr/local/bin/launcher.sh
+stderr_logfile = /var/log/supervisor/inotify-stderr.log
+stdout_logfile = /var/log/supervisor/inotify-stdout.log
+autorestart=unexpected
+stdout_logfile_maxbytes=10MB
+stdout_logfile_backups=10

docker-compose.yml

@@ -0,0 +1,20 @@
+version: '2'
+
+services:
+
+  docker-malware-scan:
+    image: gjyoung1974/docker-malware-scan
+    container_name: docker-malware-scan
+    # uncomment and set the email address to receive email alerts when viruses are detected
+    #command:
+    # - /usr/local/install_alerts.sh email@example.net
+    volumes:
+      - ./data/queue:/data/av/queue
+      - ./data/ok:/data/av/ok
+      - ./data/nok:/data/av/nok
+    #  - ./data/quarantine:/data/av/quarantine
+    networks:
+      - avnetwork
+
+networks:
+  avnetwork: