AndrewHunter1
Beginner

ClamAV Automation and Notification

Hi,


I'm running RSA Authentication Manager 8.2 SP1 on some new Intel Appliances and enabled ClamAV scanning from the command line.

Has anyone out there managed to enable email (or any other automated method) notification that clamscan has run on an RSA Appliance and detected an infection?

I've configured 2 cron jobs, one for freshclam updates and the other for a daily clamscan.

I then tried to compile a script which would email me if an infection was found (SMTP is configured and working for report notification), however it appears I can't leverage the SMTP settings of the RSA application from the CLI. Sendmail/Postfix etc. aren't installed and I understand the implications of installing 3rd party software on a hardened security appliance.

I found 2 posts which don't fill me with hope:


Is it possible to send email from RSA 8.2 Virtual Appliance 

000014856 - APP 3.0X - Is it possible to send email from the 3.0X Appliance? 


Suggestions gratefully received, cheers

Accepted Solution

EdwardDavis
Employee
Run clam like this, and send results to syslog. Then have your SIEM tool report on [syslog event].

This is the best method that is simple and requires the least invasive changes to the system (and yes, we recommend not attempting to use the server's own mail system or install something else).

--------------------------------------------------------------------------------------------

If you have the RSA server sending syslog to its own IP, and have syslog-ng.conf configured correctly to direct logs to an outgoing syslog server...

1) syslog-ng.conf example (2 changes a and b from default)


a) here the IP was 127.0.0.1, change it to 0.0.0.0 like so...


#
# uncomment to process log messages from network:
#
udp(ip("0.0.0.0") port(514));
};


b) pick a destination logserver, here my SIEM is 10.101.99.140

#
# Enable this and adopt IP to send log messages to a log server.
#
destination logserver {
udp("10.101.99.140" port(514));
};

2) Then you can use a SIEM tool to report on clamav results.

-----------------------------------------------------------------------------------------------------------------------------------------

/usr/bin/clamscan -i -r $SCAN_DIR $EXCLUDE --log=$LOG_FILE --stdout | logger -i -t clamav -p auth.alert

So, for example:

sudo clamscan -i -r / --exclude-dir=/proc --exclude-dir=/sys --exclude-dir=/opt/rsa/am/rsapgdata --follow-dir-symlinks=0 --follow-file-symlinks=0 --log=/var/log/clamav.log --stdout | logger -i -t clamav -p auth.alert

When this runs it will send the scan and summary to syslog

example: this is from my syslog viewer

2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]:
2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]: ----------- SCAN SUMMARY -----------
2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]: Known viruses: 6299803
2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]: Engine version: 0.99.2
2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]: Scanned directories: 11625
2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]: Scanned files: 66807
2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]: Infected files: 1
2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]: Data scanned: 7247.49 MB
2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]: Data read: 14959.15 MB (ratio 0.48:1)
2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]: Time: 2786.957 sec (46 m 26 s)


Of course it found my one EICAR test file.


2018-03-05 14:46:35 Auth.Alert 10.101.99.150 Mar  5 16:07:45 edavis-vm150 clamav[5736]: /root/eicar-test.com: Eicar-Test-Signature FOUND


clamscan -i = print only infected files and the final summary to syslog

(without -i it will syslog every file scanned)

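A SIEM-side check for the forwarded lines above, as an added example (not part of the original post or of RSA's product): it extracts the FOUND lines and the "Infected files" summary per scan run (host plus logger PID), and because UDP syslog on port 514 gives no delivery guarantee, it also flags a run whose summary count exceeds the FOUND lines that actually arrived. The host am-replica and PID 6102 in the sample are constructed; the other lines copy the viewer output shown in the answer.

```python
import re
from collections import defaultdict

# A line as shown in the answer's syslog viewer; everything after "clamav[pid]:"
# is what clamscan wrote to stdout and 'logger -t clamav' forwarded.
LINE_RE = re.compile(r"(?P<host>\S+) clamav\[(?P<pid>\d+)\]: ?(?P<msg>.*)$")
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^Infected files: (?P<n>\d+)$")


def parse_clamav_syslog(lines):
    """Group clamav messages per scan run (host, pid) and return alerts.

    kinds: 'infection' (one per FOUND line), 'count_mismatch' (summary says N
    infected but fewer FOUND lines arrived, i.e. UDP syslog dropped messages),
    'no_summary' (FOUND seen but the run never logged its summary)."""
    runs = defaultdict(lambda: {"found": [], "summary": None})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a clamav message; ignore
        run = runs[(m["host"], m["pid"])]
        msg = m["msg"].strip()
        if (f := FOUND_RE.match(msg)):
            run["found"].append((f["path"], f["sig"]))
        elif (s := SUMMARY_RE.match(msg)):
            run["summary"] = int(s["n"])
    alerts = []
    for (host, pid), run in runs.items():
        for path, sig in run["found"]:
            alerts.append({"kind": "infection", "host": host, "path": path, "signature": sig})
        if run["summary"] is None and run["found"]:
            alerts.append({"kind": "no_summary", "host": host, "pid": pid})
        elif run["summary"] is not None and run["summary"] != len(run["found"]):
            alerts.append({"kind": "count_mismatch", "host": host, "pid": pid,
                           "reported": run["summary"], "seen": len(run["found"])})
    return alerts


# Constructed sample: the first three lines copy the answer's viewer output, the
# last (host am-replica, PID 6102) is made up to show a run whose FOUND line was lost.
SAMPLE = """\
2018-03-05 14:46:35 Auth.Alert 10.101.99.150 Mar  5 16:07:45 edavis-vm150 clamav[5736]: /root/eicar-test.com: Eicar-Test-Signature FOUND
2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]: ----------- SCAN SUMMARY -----------
2018-03-05 14:59:14 Auth.Alert 10.101.99.150 Mar 5 14:59:24 edavis-vm150 clamav[5736]: Infected files: 1
2018-03-06 15:01:02 Auth.Alert 10.101.99.151 Mar 6 15:01:10 am-replica clamav[6102]: Infected files: 1
""".splitlines()

if __name__ == "__main__":
    for alert in parse_clamav_syslog(SAMPLE):
        print(alert)
```

A summary with "Infected files: 0" and no FOUND lines produces no alert, so the rule only fires on detections or on evidence that the scan's output did not arrive intact.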

3 Replies

HusseinElBaz
Employee

Hello Andrew,


You would have to manually install additional, unsupported RPMs to install the sendmail client.


You can use Perl or Python to help you to do the needful, but we do not have a current feature for that.

Best Regards,

Hussein El-Baz

Cheers Edward that's really useful, very much appreciated
