RTMDS is available now for testing. At the moment, installation will need to be done manually. To install, run these commands (if you don't know what these mean, I recommend you wait for an installer and not do this manually):
yum --enablerepo=asl-2.0-testing install kmod-dazuko
This should install the dazuko and redirfs modules. You will then need to add these modules to your system so they are loaded at boot. If you have kernel protection mode set, you will need to reboot to load the modules.
Add these lines to /etc/init.d/asl-mod:
Then you will need to reboot or load these modules. Once they are loaded, check to make sure you have this device:
It should look like this:
crw------- 1 root root 247, 0 Oct 1 11:57 /dev/dazuko
Finally, modify clamd to tie into the kernel to check files for bad things by adding this to clamd:
# Set access mask for Clamuko.
# Default: no
# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
And if you need to exclude anything, add in the full path to the exclusions like this:
And comment out this:
clamd has to run as root to be able to see all the files on the system. If this gives you pause, that's understandable; however, keep in mind that an ASL kernel is immune to buffer and heap overflows, so an attack on clamd of that nature is not likely to work. We're also going to be putting out RBAC policies in the very near future for things like clamd, apache and other apps.
Also, you can tell clamd to watch the entire filesystem, but you will add additional, and possibly unneeded, load to the system. From a security perspective, it's definitely the right thing to do, but if your users cannot change files in /bin, for example, watching /bin for malware is a bit of a waste. If root can write to /bin, root can also disable clamd or exclude /bin. So the included directories above were put together based on an assumption of the directories that users can write to, and therefore the likely places for malware. If we missed a standard directory, let us know.
Also, the kernel hook works on read and execute, not on write. So malware can be written to a location, but it cannot be read or executed from there. This is partially a limitation of dazuko, and also by design: dazuko doesn't hook writes, but we chose it because it lets your users' files remain on the system, in a locked state if you will, until you can figure out what to do with them. This is sort of a quarantine in place.
This is test software, so please use it at your own risk. We are using it on our production boxes, but this is still testing software and is not part of ASL yet. If it breaks, we want to know, but it's not supported yet.
Atomicorp - Security For Everyone
Co-Author of Troubleshooting Linux Firewalls.
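A post-install check for the steps above, added here as an example and not Atomicorp's own script. It assumes the device path /dev/dazuko and the module names dazuko and redirfs from the post, and the standard clamd.conf directive names ClamukoScanOnAccess and ClamukoIncludePath; each check is a function that takes the text it inspects, so it can also be exercised on sample output.

```shell
#!/bin/sh
# Verify the dazuko + clamd (Clamuko) on-access setup. Added example, not the
# RTMDS installer. Assumed: /dev/dazuko, modules dazuko and redirfs, and the
# clamd.conf directives ClamukoScanOnAccess / ClamukoIncludePath.

# check_dev_line "<ls -l line>": the node must be a character device that only
# root can open (crw-------) and be owned root:root, as in the post's sample.
check_dev_line() {
    set -- $1
    [ "$1" = "crw-------" ] && [ "$3" = "root" ] && [ "$4" = "root" ]
}

# check_modules "<lsmod output>": both kernel modules must be loaded.
check_modules() {
    printf '%s\n' "$1" | grep -q '^dazuko[[:space:]]' &&
    printf '%s\n' "$1" | grep -q '^redirfs[[:space:]]'
}

# check_clamd_conf "<clamd.conf text>": on-access scanning must be enabled and
# at least one absolute include path given. Lines starting with '#' do not
# count, because the stock clamd.conf ships every Clamuko directive commented.
check_clamd_conf() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*ClamukoScanOnAccess[[:space:]]+yes' &&
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*ClamukoIncludePath[[:space:]]+/'
}

# rtmds_check [clamd.conf]: run the three checks against the live system.
rtmds_check() {
    conf=${1:-/etc/clamd.conf}
    [ -c /dev/dazuko ] || { echo "FAIL: /dev/dazuko missing or not a char device"; return 1; }
    check_dev_line "$(ls -l /dev/dazuko)" || { echo "FAIL: /dev/dazuko mode/owner"; return 1; }
    check_modules "$(lsmod)" || { echo "FAIL: dazuko/redirfs not loaded"; return 1; }
    check_clamd_conf "$(cat "$conf")" || { echo "FAIL: Clamuko not enabled in $conf"; return 1; }
    echo "OK: device node, modules and clamd on-access config look right"
}

# Only touch the live system when asked: RTMDS_LIVE=1 sh rtmds-check.sh
if [ "${RTMDS_LIVE:-0}" = 1 ]; then rtmds_check "$@"; fi
```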