
Init script and log rotation for maldet monitoring

Open Gazoo opened this issue 10 years ago • 5 comments

Here is my first attempt at an init script that starts maldet monitoring at boot (original issue #15). The script expects the paths to monitor to be listed in /usr/local/maldetect/monitor_paths, which is passed to `maldet --monitor`. Customize it as you wish — contributions welcome!

#!/bin/bash
#
# maldet    Maldet inotify monitoring
#
# chkconfig: 345 70 30
# description: Maldet inotify monitoring
# processname: maldet

# Source function library.
. /etc/init.d/functions

# Exit status reported by the script; start/stop overwrite it.
RETVAL=0
# Service name used in messages and for the subsys lock file.
prog="maldet"
# Presence of this file is what condrestart uses to decide the monitor is up.
LOCKFILE="/var/lock/subsys/${prog}"

# Start inotify monitoring on the paths listed in monitor_paths.
# Reads: $prog, $LOCKFILE. Writes: $RETVAL. Creates the lock file only on success.
# Returns maldet's exit status.
start() {
        echo -n "Starting $prog: "
        /usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths
        RETVAL=$?
        if [ "$RETVAL" -eq 0 ]; then
                touch -- "$LOCKFILE"
        fi
        echo
        return "$RETVAL"
}

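# Stop inotify monitoring via maldet --kill-monitor.
# Reads: $prog, $LOCKFILE. Writes: $RETVAL. Removes the lock file only when
# maldet reported success. Returns maldet's exit status.
stop() {
        echo -n "Shutting down $prog: "
        /usr/local/maldetect/maldet --kill-monitor
        RETVAL=$?
        # Capture maldet's own status before calling the reporting helpers:
        # the old "cmd && success || failure" form reported the helper's status
        # instead, and the broken "RETVAL=$? [ ... ]" line never assigned RETVAL,
        # so the script always exited 0 and could remove the lock on failure.
        if [ "$RETVAL" -eq 0 ]; then
                success
                rm -f -- "$LOCKFILE"
        else
                failure
        fi
        echo
        return "$RETVAL"
}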

# Stop then start; the return status is that of start.
restart() { stop; start; }

# Report whether the monitor is up, judged by the presence of a root-owned
# inotifywait process whose command line mentions the maldetect tree.
# Prints "Running" or "Not running"; does not set RETVAL.
status() {
        echo -n "Checking $prog monitoring status: "
        if ps -A --user root -o "cmd" | grep maldetect | grep -q inotifywait; then
                echo "Running"
        else
                echo "Not running"
        fi
}

# Dispatch on the requested action; unknown actions print usage and exit 1.
case "$1" in
    start)   start ;;
    stop)    stop ;;
    status)  status ;;
    restart) restart ;;
    condrestart)
        # Only bounce the monitor when a previous start left its lock file behind.
        if [ -f "$LOCKFILE" ]; then
            restart
        fi
        ;;
    *)
        echo "Usage: $prog {start|stop|status|restart|condrestart}"
        exit 1
        ;;
esac
exit $RETVAL

Update: I've added a condrestart action so that the inotify monitoring is only restarted if it's already running (i.e. the lock file exists).

Gazoo, Dec 31 '14 16:12

I've also written a proper logrotate config file. It calls the init script above, so after rotating the log files it can conditionally restart the monitoring, ensuring maldet writes to the new inotify log rather than the rotated one.

/etc/logrotate.d/maldet

# Scan and event logs: four compressed archives are kept.
# Per logrotate(8), "size" is mutually exclusive with the interval keywords, so
# "weekly" is effectively ignored here and rotation happens whenever the file
# exceeds 1M at a logrotate run; use maxsize/minsize to combine both.
/usr/local/maldetect/logs/event_log
/usr/local/maldetect/logs/clamscan_log {
    missingok
    weekly
    compress
    notifempty
    size 1M
    rotate 4
    # NOTE(review): 0644 makes the new log world-readable; these logs may name
    # flagged files on the host — consider 0640 unless other users need them.
    create 0644 root root
}
# The inotify log is written by the running monitor, so restart it after
# rotation; condrestart only acts when the init script's lock file exists.
/usr/local/maldetect/logs/inotify_log {
    missingok
    weekly
    compress
    create 0644 root root
    notifempty
    size 1M
    rotate 4
    postrotate
        /etc/init.d/maldet condrestart > /dev/null 2>/dev/null || true
    endscript
}

Update: fixed the restart to be conditional (only if maldet monitoring is currently running)

Gazoo, Jan 07 '15 16:01

Fixed by commit d3d4da4

Gazoo, Feb 05 '15 16:02

This one aims to prevent multiple instances of the maldet service from running at the same time, plus some tweaks (PID file handling, an LSB header, etc.). Note that it sources the Red Hat /etc/init.d/functions library and uses bash features such as `$"..."` and `local`, so despite the `#!/bin/sh` line it needs bash. Feel free to include:

#!/bin/sh
#
# maldet    Maldet inotify monitoring
#
# chkconfig: 345 70 30
# description: Maldet inotify monitoring
# processname: maldet
# config: /usr/local/maldetect/conf.maldet
# pidfile: /var/run/maldet.pid
### BEGIN INIT INFO
# Provides:          maldet
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     3 4 5
# Default-Stop:      0 1 6
# Short-Description: Maldet inotify monitoring
# Description:       Maldet inotify monitoring
### END INIT INFO

# Author: Achim J. Latz <[email protected]>

# Source function library.
. /etc/init.d/functions

# Service name; also the process name pgrep/killall look for.
NAME="maldet"
# The maldet binary and what it should monitor. TARGET may be a file listing
# paths (as here); see the maldet --monitor usage for the other forms.
DAEMON="/usr/local/maldetect/maldet"
TARGET="/usr/local/maldetect/monitor_paths"
#TARGET="users"
DAEMON_ARGS="--monitor ${TARGET}"
# Runtime state: PID file, this script's own path, and the subsys lock.
PIDFILE="/var/run/${NAME}.pid"
SCRIPTNAME="/etc/init.d/${NAME}"
LOCKDIR="/var/lock/subsys"
LOCKFILE="${LOCKDIR}/${NAME}"

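# Start the monitor under the subsys lock.
# Reads: NAME, DAEMON, DAEMON_ARGS, PIDFILE, LOCKDIR, LOCKFILE and the helpers
# daemon, __pids_var_run, echo_success, echo_failure from /etc/init.d/functions.
# Writes: retval, the PID file, and the lock file (kept while the monitor runs).
# Returns 1 when the lock directory is unusable or the lock is held, else the
# exit status of daemon.
#
# Fixes versus the previous version: the EXIT trap deleted the lock file as soon
# as this script exited, so the lock never outlived "start" and condrestart never
# fired; the cleanup after "return $retval" was unreachable; and a missing lock
# directory returned 0 without starting anything.
start() {
  local pid

  if [ ! -d "${LOCKDIR}" ] || [ ! -w "${LOCKDIR}" ]; then
    echo "Lock directory ${LOCKDIR} is missing or not writable"
    echo_failure
    echo
    return 1
  fi

  # __pids_var_run succeeds when the PID file names a live process; otherwise
  # the lock is stale (crash, reboot without tmpfs cleanup) and can be dropped.
  __pids_var_run "$NAME" || rm -f "${LOCKFILE}"

  # Take the lock atomically: with noclobber the redirect fails if the file
  # already exists, which is what stops a second "start" from launching
  # another monitor.
  if ! ( set -o noclobber; echo "$$" > "${LOCKFILE}" ) 2>/dev/null; then
    echo "Failed to acquire ${LOCKFILE}. Held by $(cat "${LOCKFILE}" 2>/dev/null)"
    echo_failure
    echo
    return 1
  fi

  echo -n $"Starting $NAME: "
  # DAEMON_ARGS is deliberately unquoted so "--monitor <target>" splits into words.
  daemon --pidfile "$PIDFILE" "$DAEMON" $DAEMON_ARGS
  retval=$?
  if [ "$retval" -eq 0 ]; then
    # NOTE(review): pgrep matches on process name, and this init script is
    # itself named maldet (SCRIPTNAME), so its own PID may be captured here too
    # — confirm on a live host before relying on the PID file.
    pid=$(pgrep "$NAME")
    if [ -n "$pid" ]; then
      echo $pid > "$PIDFILE"
    fi
    echo_success
  else
    # The lock means "monitor running"; drop it on a failed start so the next
    # attempt (and condrestart) are not fooled.
    rm -f "${LOCKFILE}"
    echo_failure
  fi
  echo
  return "$retval"
}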

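# Stop the monitor: ask maldet to kill it, wait, then reap anything left.
# Reads: NAME, DAEMON, PIDFILE, LOCKFILE and the helpers success, failure,
# killproc from /etc/init.d/functions. STOP_GRACE (seconds, default 20)
# controls how long to wait before killproc runs.
# Writes: retval; always removes the lock file. Returns maldet's exit status.
stop() {
  echo -n $"Stopping $NAME: "
  "$DAEMON" --kill-monitor
  # Capture maldet's own status: "cmd && success || failure" reported the
  # status of the reporting helper instead.
  retval=$?
  if [ "$retval" -eq 0 ]; then
    success
  else
    failure
  fi
  # Give the monitor time to wind down before reaping what is left.
  sleep "${STOP_GRACE:-20}"
  killproc -p "$PIDFILE" "$NAME"
  if [ "$retval" -ne 0 ]; then
    # NOTE(review): killall matches on process name and this init script is
    # itself named maldet — confirm it does not terminate itself here.
    killall -q "$NAME"
  fi
  rm -f "${LOCKFILE}"
  echo
  return "$retval"
}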

# Full restart: stop, then start. The function's status is that of start,
# so a failed stop is not reported on its own.
restart() {
  stop
  start
}

# Print "Running" when a root-owned inotifywait process from the maldetect
# tree is visible in the process list, otherwise "Not running".
status() {
        local found
        echo -n "Checking $NAME monitoring status: "
        found=$(ps -A --user root -o "cmd" | grep maldetect | grep inotifywait)
        if [ -n "$found" ]; then
            echo "Running"
        else
            echo "Not running"
        fi
}

# Action dispatch. The pattern list restricts "$1" to the known function names
# before it is invoked, so no arbitrary command can be reached this way.
case "$1" in
  start|stop|status|restart)
    "$1"
    ;;
  condrestart)
    # Only bounce the monitor when a start left its lock file behind.
    if [ -f "$LOCKFILE" ]; then
        restart
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart|condrestart}"
    exit 2
    ;;
esac

exit $?

fortiko, Mar 16 '15 02:03

@Gazoo it seems that your logrotate configuration for maldet monitoring was not included in the commit above. Or am I missing something?

dvershinin, May 30 '17 08:05

@dvershinin Yes, it looks like it got missed. With systemd, the logrotate config should now look something like this (assuming the monitor runs as a unit named maldet.service):

# Scan and event logs: four compressed archives are kept.
# Per logrotate(8), "size" is mutually exclusive with the interval keywords, so
# "weekly" is effectively ignored and rotation happens whenever the file exceeds
# 1M at a logrotate run; use maxsize/minsize to combine both.
/usr/local/maldetect/logs/event_log
/usr/local/maldetect/logs/clamscan_log {
    missingok
    weekly
    compress
    notifempty
    size 1M
    rotate 4
    # NOTE(review): 0644 makes the new log world-readable; these logs may name
    # flagged files on the host — consider 0640 unless other users need them.
    create 0644 root root
}
# The inotify log is written by the running monitor, so restart it after
# rotation. "systemctl condrestart" only restarts an active unit; the unit name
# maldet.service is assumed here — confirm it matches the installed unit.
/usr/local/maldetect/logs/inotify_log {
    missingok
    weekly
    compress
    create 0644 root root
    notifempty
    size 1M
    rotate 4
    postrotate
        /bin/systemctl condrestart maldet.service > /dev/null 2>/dev/null || true
    endscript
}

Gazoo, Jun 22 '18 11:06