Pages

Thursday, August 22, 2019

Fedora 30 : Set up the Linux Malware Detect.

If you have an SELinux warning detection then the details you can see how can be fixed:
[mythcat@desk ~]$ su
Password: 
[root@desk mythcat]# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-systemd.pp

[root@desk mythcat]# semodule -X 300 -i my-systemd.pp
This tool comes with three modes that the monitor can be executed with and they relate to what will be monitored.
These modes are USERS|PATHS|FILES.
The options break down as follows:
  • USERS: The users option will take the homedirs of all system users that are above inotify_minuid and monitor them.If inotify_webdir is set then the users webdir, if it exists, will only be monitored;
  • PATHS: A comma spaced list of paths to monitor;
  • FILE: A line spaced file list of paths to monitor
$ maldet --monitor users
$ maldet --monitor /root/initial-setup-ks.cfg
$ maldet --monitor /home/mythcat
Let's test the USERS option:
[mythcat@desk maldetect-1.6.4]$ maldet --monitor users
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7958): {mon} could not find inotifywait command, install yum package inotify-tools or 
download from https://github.com/rvoicilas/inotify-tools/wiki/


[root@desk maldetect-1.6.4]# dnf search inotify-tools
Last metadata expiration check: 0:01:39 ago on Wed 21 Aug 2019 11:09:22 PM EEST.
============================================ Name Exactly Matched: inotify-tools ======
inotify-tools.i686 : Command line utilities for inotify
inotify-tools.x86_64 : Command line utilities for inotify
================================================ Name Matched: inotify-tools ======
inotify-tools-devel.i686 : Headers and libraries for building apps that use libinotifytools
inotify-tools-devel.x86_64 : Headers and libraries for building apps that use libinotifytools
[root@desk maldetect-1.6.4]# dnf install inotify-tools.x86_64
...
Installed:
  inotify-tools-3.14-16.fc30.x86_64                                                                                          

Complete!
[root@desk maldetect-1.6.4]# maldet --monitor users
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(973): {mon} set inotify max_user_watches to 16384
maldet(973): {mon} added /dev/shm to inotify monitoring array
maldet(973): {mon} added /var/tmp to inotify monitoring array
maldet(973): {mon} added /tmp to inotify monitoring array
maldet(973): {mon} starting inotify process on 3 paths, this might take awhile...
maldet(973): {mon} inotify startup successful (pid: 1800)
maldet(973): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log