fanotify support for CXSWatch

[yuriccp]

Hello,

With recently launch of ClamAV 0.99 with support for fanotify, I started some search about it.

The fanotify (http://man7.org/linux/man-pages/man7/fanotify.7.html) is another monitoring filesystem events API like the inotify but with some advantages:

• It can recursively monitor the entire mount tree without having to mark each file/directory.
• It can make access permission decisions, and the possibility to read or modify files before access by other applications, blocking suspicious from being read/executed from other process before the scan finishes.
• It can take the PID of currently process that are opening/reading/writing a file, so you can easy send some signal to it.

So on using it there's no more need to map the entire tree like is currently done when the CXSWatch is starting and we won't o wait hours until the CXSWatch starts to scan and it can also implement some sort of kill signal to process that try to read/open the suspicious/infected files.

But it's different from inotify the fanotify have some restrictions:

• It don't monitor create, delete, and move events, only access events like open/exec/write are monitored.
• It don't take any metadata from the filesystem object, only the FD (file descriptor), mask and PID of the process thats made the access event.
• It supported only in post 2.6.37 kernels.

But most of this disadvantages are not a really problematic. Once the file metadata can be easily obtained from FD using a simple readlink call and the create/delete/move events are not really important for a malware scanner like CXS, once that any file that comes from out of the mount (like uploads, copies and out-of-the-mount moves) will have to open/close the file to put the new contents on it.

Resuming, my proposal is to implement the fanotify in CXSWatch in addition the the currently inotify support as a strong and faster alternative to any post 2.6.37 linuxes (like RHEL/Centos/Oracle/Cloudlinux 7, most of ubuntus and debian versions).

==
Sorry for my bad english.

[ForumAdmin]

We've recently looked in depth at fanotify. While the premise is very good, the implementation is a little limited. The flexibility and options available with inotify are simply not there in fanotify making it less than ideal for the type of scanning we do within prescribed directories. So for now, unless fanotify is developed further we are unlikely to start using it in the forseable future.