A quick hack wrapper script to allow clamscan to run with some error checking and send a report to a specified email address (uses ssmtp rather than mail for leaf node servers)
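#!/bin/sh
# Script scans system using clamAV
# (c) 2023 bvi at moria.org
# v0.1.1 - typo cleanup
#
# Runs a recursive clamscan of / and mails a short report to $target via
# ssmtp: any "FOUND" lines first (when the scan reported an infection), then
# the last 12 lines of the scan log, then the first 11 non-noise log lines.
# Log handling: an existing $logfile is rotated to $logfile.yesterday before
# the scan; after the mail is sent successfully the new log is renamed to
# $logfile.$date. Exit status: 0 when the report was mailed, 1 otherwise
# (missing binaries, temp-file failure, or ssmtp failure).

clamscan=/usr/bin/clamscan
ssmtp=/usr/sbin/ssmtp

# check required files are present (and executable)
if [ ! -x "$clamscan" ]; then
  printf '%s\n' 'ERROR' \
    "clamscan binary not found: $clamscan" \
    'Please check ClamAV is installed and paths are correct' >&2
  exit 1
fi
if [ ! -x "$ssmtp" ]; then
  printf '%s\n' 'ERROR' \
    "ssmtp not found: $ssmtp" \
    'Unable to send email, please check smtp is correclty installed and configured' >&2
  exit 1
fi

logfile=/var/log/clamscan.log
# Who to send email to
target=recipient@email.domain
# How many days worth of logs to keep
# shellcheck disable=SC2034 -- reserved for log pruning, not implemented yet
maxlogdays=15 #notimplemented
## no further configuration below here

# %m is the month; the previous %M (minutes) meant rotated logs were not
# named by calendar date and could collide or sort incorrectly.
date=$(date '+%Y%m%d')
host=$(hostname)
rfcdate=$(date -R)

# Staging file for the mail. mktemp gives an unpredictable, exclusively
# created name instead of /tmp/clamscanemail.$$, which another local user
# could pre-create (or symlink) before this root-run script writes to it.
mailfile=$(mktemp /tmp/clamscanemail.XXXXXX) || {
  printf '%s\n' 'ERROR' 'unable to create temporary mail file in /tmp' >&2
  exit 1
}

#
# --infected -i Only print infected files
# --suppress-ok-results -o Skip printing OK files
# --stdout Write to stdout instead of stderr. Does not affect 'debug' messages.
# --log=FILE -l FILE Save scan report to FILE
# make sure that logs are named properly
if [ -f "$logfile" ]; then
  mv -- "$logfile" "$logfile.yesterday"
fi
# delete any logs older than $maxlogdays
#find $logfile.* -ctime $maxlogdays -del {}

# run clam scan but suppress any file that is 'OK' ie oly list infected and errtos
# --exclude-dir takes a regex; the patterns are quoted so the shell never
# globs or strips backslashes from them.
# NOTE(review): /usr is excluded entirely, so nothing under /usr is scanned —
# confirm this is intended rather than e.g. /usr/share or a mount point.
"$clamscan" --stdout -o --quiet \
  --exclude-dir='/proc/*' --exclude-dir='/run/*' --exclude-dir='/var/run/' \
  --exclude-dir='/dev/' --exclude-dir='/sys/' --exclude-dir=/usr \
  -l "$logfile" -r /
#catch the returncode from clamav
result=$?

#check exit code based on documentation
# 0 = Ok
# 1 = Match found
# 2 = error
status=""
case "$result" in
  0)
    status="[OK]" # all good
    ;;
  1)
    status="[Malware FOUND]" #infection found
    ;;
  2)
    status="[Error - Manual Check required!]" #Error present
    ;;
  *)
    status="[Unknown Case]" #something very odd happended
    ;;
esac

## construct and send email
# Each header gets its own line (the old `echo -n` glued Date: and From:
# together) and the header block is closed with a blank line so the mailer
# does not read the report body as headers.
{
  printf 'Date: %s\n' "$rfcdate"
  printf 'From: %s\n' 'Clamav Scanner <postmaster@localhost>'
  printf 'To: %s\n' "$target"
  printf 'Subject: [%s] Clamav Scan %s\n' "$host" "$status"
  printf '\n'
  if [ "$result" -eq 1 ]; then # MALWARE found so hilight it.
    printf '%s\n' '=-=-=-=-=- MALWARE FOUND -=-=-=-=-='
    grep 'FOUND$' "$logfile"
    printf '%s\n' '=-=-=-=-=- MALWARE FOUND -=-=-=-=-='
  fi
  tail -n 12 "$logfile"
  # printf instead of echo: \n handling in echo differs between shells.
  printf '\nFurther details:\n============================\n\n'
  grep -v 'Empty file' "$logfile" | grep -v 'Symbolic link' | grep -v 'FOUND$' | head -n 11
} > "$mailfile"

## send email
if "$ssmtp" "$target" < "$mailfile"; then
  rm -f -- "$mailfile"
  mv -- "$logfile" "$logfile.$date"
  exit 0
fi
# Leave the staged mail and the log in place for manual inspection.
printf '%s\n' 'An error may have occured sending email.' \
  'Manual inspection of log files should take place' \
  "see: $mailfile and $logfile and/or $logfile.$date" >&2
exit 1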