diff --git a/CHANGELOG.RELEASE b/CHANGELOG.RELEASE index 9fbdd7e..4036f53 100644 --- a/CHANGELOG.RELEASE +++ b/CHANGELOG.RELEASE @@ -1,8 +1,10 @@ -v1.6.5 | Apr 24 2020: +v1.6.5 | ?? ?? 2020: [Fix] monitor mode white space detection; issue #354 [Change] event_log/clamscan_log now record year in timestamp; issue #352 [Change] -p|--purge will now trim the inotify_log; issue #350 [New] -D|--dump-report to dump reports to stdout; pr #362 +[Fix] monitor mode will now fail to start if 'ed' is not installed; issue #350 + inotify_log requires in-place inode pruning to prevent exponential growth v1.6.4 | Mar 18 2019: [New] add quarantine_on_error variable to control quarantine behavior when scanner engines such as ClamAV encounter an error diff --git a/README b/README index e52de6d..70256e9 100644 --- a/README +++ b/README @@ -198,8 +198,8 @@ and all options are well commented for ease of configuration. By default LMD has the auto-quarantine of files disabled, this will mean that YOU WILL NEED TO ACT on any threats detected or pass the SCANID to the '-q' -option to batch quarantine the results. To change this please set quar_hits=1 -in conf.maldet. +option to batch quarantine the results. To change this please set +quarantine_hits=1 in conf.maldet. .: 8 [ IGNORE OPTIONS ] @@ -303,7 +303,7 @@ option gives a detailed summary of usage options: -co, --config-option VAR1=VALUE,VAR2=VALUE,VAR3=VALUE Set or redefine the value of conf.maldet config options - e.g: maldet --config-option email_addr=you@domain.com,quar_hits=1 + e.g: maldet --config-option email_addr=you@domain.com,quarantine_hits=1 -p, --purge Clear logs, quarantine queue, session and temporary data. 
@@ -383,15 +383,15 @@ are set in the interest of performance vs accuracy which is a fair tradeoff. The scan options can be modified in the hookscan.sh file if so desired, the default scan options are as follows: ---config-option quar_hits=1,quar_clean=0,clamav_scan=0 --modsec -a "$file" +--config-option quarantine_hits=1,quarantine_clean=0,clamav_scan=0 --modsec -a "$file" There is a tangible performance difference in disabling clamav scanning in this usage scenario. The native LMD scanner engine is much faster than the clamav scanner engine in single file scans by a wide margin. A single file scan using clamav takes roughly 3sec on average while the LMD scanner engine takes 0.5sec or less. -To enable upload scanning with mod_security2 you must set enable the public_scan option -in conf.maldet (public_scan=1) then add the following rules to your mod_security2 +To enable upload scanning with mod_security2 you must set enable the scan_user_access option +in conf.maldet (scan_user_access=1) then add the following rules to your mod_security2 configuration. These rules are best placed in your modsec2.user.conf file on cpanel servers or at the top of the appropriate rules file for your setup. 
@@ -420,11 +420,11 @@ The default alerting options will apply and an e-mail will be sent when hits are can be changed in the hookscan.sh script by editing the --config-option values. To disable alerts append email_alert=0 to the --config-option values: ---config-option quar_hits=1,quar_clean=0,clamav_scan=0,email_alert=0 +--config-option quarantine_hits=1,quarantine_clean=0,clamav_scan=0,email_alert=0 To change the e-mail address for alerts on upload hits, append email_addr=you@domain.com to the --config-option values: ---config-option quar_hits=1,quar_clean=0,clamav_scan=0,email_addr=you@domain.com +--config-option quarantine_hits=1,quarantine_clean=0,clamav_scan=0,email_addr=you@domain.com The nature of uploads is such that they are performed either under the user that the HTTP service is running as or under that of a system user in an suexec style setup (i.e: phpsuexec). @@ -435,8 +435,8 @@ Given that the maldetect installation path is owned by user root, we either need path world writable (777) or populate the pub path with user owned paths. It was undesirable to set any path world writable and as such a feature to populate path data was created. This feature is controlled with the --mkpubpaths flag and is executed from cron every 10 minutes, -it will only execute if the public_scan variable is enabled in conf.maldet. As such, it is -important to make sure the public_scan variable is set to enabled (1) in conf.maldet and it is +it will only execute if the scan_user_access variable is enabled in conf.maldet. As such, it is +important to make sure the scan_user_access variable is set to enabled (1) in conf.maldet and it is advised to run 'maldet --mkpubpaths' manually to prepopulate the user paths. There after, the cron will ensure new users have paths created no later than 10 minutes after creation. diff --git a/files/internals/internals.conf b/files/internals/internals.conf index 7466f4d..1de695e 100644 --- a/files/internals/internals.conf 
+++ b/files/internals/internals.conf @@ -119,7 +119,7 @@ inotify_trim=131072 hex_fifo_path="$varlibpath/internals/hexfifo" hex_fifo_script="$libpath/hexfifo.pl" hex_string_script="$libpath/hexstring.pl" -scan_user_access_minuid=30 +scan_user_access_minuid=100 find_opts="-regextype posix-egrep" email_template="$libpath/scan.etpl" email_subj="maldet alert from $(hostname)"
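Review bot: in the CHANGELOG.RELEASE hunk, the first changed line replaces a concrete date with the placeholder `v1.6.5 | ?? ?? 2020:`, and the new `[Fix]` entry describes a runtime behaviour change (monitor mode refusing to start when `ed` is absent) that no hunk in this patch implements. Fill the date before tagging, confirm the `ed` check is already in the tree or lands in the same change set, and, since `ed` becomes a hard dependency of `--monitor`, list it with the other requirements in the README rather than only in the changelog. The continuation line `inotify_log requires in-place inode pruning to prevent exponential growth` reads as the justification for the dependency; unless the growth really is geometric, "unbounded" is the more defensible word. The changelog hunk should also carry an entry for the `scan_user_access_minuid` default change made in `files/internals/internals.conf` in this same patch, which is a user-visible change in which accounts get scanned, and for the `quar_hits`/`quar_clean`/`public_scan` option renames documented in the README hunks.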
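Review bot: in the README hunk at `@@ -198,8 +198,8 @@`, renaming `quar_hits` to `quarantine_hits` silently changes a key that existing installs already have in conf.maldet; if the config parser does not still honour the old name, an existing `quar_hits=1` would be ignored and auto-quarantine would quietly switch off, which is a fail-open outcome for a security setting. Either keep the old names as accepted aliases (ideally logging a deprecation warning when one is seen) or add a `[Change]` line to CHANGELOG.RELEASE telling upgraders to rename `quar_hits`, `quar_clean` and `public_scan`; the changelog hunk in this patch does not mention the rename at all.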
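Review bot: in the README hunk at `@@ -383,15 +383,15 @@`, the rewritten line keeps the pre-existing typo `you must set enable the scan_user_access option`; since the line is being touched anyway, make it `you must enable the scan_user_access option`. The same hunk states that the defaults in hookscan.sh are now `--config-option quarantine_hits=1,quarantine_clean=0,clamav_scan=0 --modsec -a "$file"`, but hookscan.sh is not part of this patch; verify that it (and any other script that passes `public_scan` or `quar_*` on the command line) was updated in the same change, so the documented defaults match what the mod_security hook actually passes to maldet.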
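Review bot: in the README hunk at `@@ -435,8 +435,8 @@`, the prose now says `scan_user_access` but the surrounding text still talks about the "pub path" and the `--mkpubpaths` flag, so a reader has to work out for themselves that a "public" flag belongs to a "user access" option; one sentence tying them together (that `--mkpubpaths` populates the per-user paths used when `scan_user_access=1`) would remove the guesswork. The unchanged context line beginning `advised to run 'maldet --mkpubpaths' manually` also carries the misspelling `There after` (it should be one word, `Thereafter`), worth fixing while this paragraph is being edited.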
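Review bot: in the `files/internals/internals.conf` hunk, raising `scan_user_access_minuid` from 30 to 100 changes which accounts' paths are scanned when `scan_user_access=1`, and nothing in the patch (neither the changelog hunk nor the README) records or justifies the new floor. Put the intent in a comment beside the setting and in CHANGELOG.RELEASE, and reconsider the value: on current Debian/Ubuntu and RHEL-family systems `UID_MIN` in /etc/login.defs is 1000, and Debian allocates package-created system accounts in the 100-999 range, so 100 still sweeps in a large band of service users while an administrator who relied on the old threshold of 30 to cover a low-UID web user will find that user silently dropped from scans. Reading `UID_MIN` from /etc/login.defs when it is present and falling back to the hard-coded default otherwise would follow the host's own convention instead of a fixed guess.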