We help IT Professionals succeed at work.
Get Started
Need Shell script to parse thru suitable filesystems/files/folders for AV scanning
https://www.experts-exchange.com/questions/28702372/Help-troubleshoot-a-Shell-script.html
Refer to above EE post that I've raised:
I'm required to use a command-line AV scanner for hundreds of Solaris 10 x86 servers
but faced a few issues / limitations :
I'm trying to merge 2 options of scanning so as to get the best of both worlds ie
1. not missing any files/folders which may potentially get infected
(on one Solaris server, we may have /app1 folder but on another server, may
have /app2 as the servers belong to our tenants. Also, if a folder/filesystem
were to be created in future, the script must include it in the scan)
2. if I use a script with "avscan `find /* -print -type f ...`", it will cover all files
but there's a major issue with this AV scanner if a list of files are onpassed
to it for scanning, this AV scan will read the huge signature pattern file
(about 70MB), then scan a file, output a banner page to logfile & kept
repeating it for each file & this is super-inefficient: it takes more than 30
hours to scan a server with only 70000 files.
if we just do "avscan /folder_name", even though the folder contains 9000
files, the scanner only read the pattern file once & output the banner to
logfile only once (instead of 9000 times if we onpass the list of files in the
folder to it)
3. A few folders should not be scanned as they contains Fifo & socket files
& could cause the scanner to run into endless loop. The folders I've
identified in our tenants VMs are mostly in the following folders:
^/cdrom
^/boot
^/platf
^/proc
^/sys
^/dev
^/net
So I'll need a script that will do the following:
a) parse thru / (perhaps `ls -lad /* |grep dr` ?) & do a grep -v of the above
7 folders to exclude them from the list : let's call it list1
b) then identify which folders/filesystems contain socket & Fifo files, possibly do
something like:
`find /each_folder_in_list1 -type p` >> Pipeslist
`find /each_folder_in_list1 -type s` >> Socketlist
c) for folders that are not among the 7 listed above AND not found in both Pipeslist & Socketlist,
scan the folders ie "avscan -s /list_of_folders_not_among
d) scan last the folders listed in Pipelist & Socketlist but exclude Fifo & Socket files in them, something like:
avscan /list_of_folders_in_Pipeli
if you can finetune the script/code futher as follows, it will be good:
eg: if /usr has /usr/1, /usr/11, /usr/1/1/1, /usr1/1/2, /usr/2, /usr/2/2
& a problem socket is found under /usr/1/1/mysock, then the
scanner should scan as many files/folders in /usr other than those
found to contain the offending Fifo & socket files. For efficiency,
we'll need a few scan commands, eg:
Parse thru the list of folders under /usr, filtering out those folders
found to contain the sockets & Fifo & output to list5 &
eg:
avscan -s /usr/1
avscan -s /usr/11
avscan -s /usr/1/1/2
avscan -s /usr/2/2
& only for the subfolder containing the offending file (ie socket)
avscan `find /usr/1/1/* |grep -v mysock`
I'm on Solaris 10 x86
Refer to above EE post that I've raised:
I'm required to use a command-line AV scanner for hundreds of Solaris 10 x86 servers
but faced a few issues / limitations :
I'm trying to merge 2 options of scanning so as to get the best of both worlds ie
1. not missing any files/folders which may potentially get infected
(on one Solaris server, we may have /app1 folder but on another server, may
have /app2 as the servers belong to our tenants. Also, if a folder/filesystem
were to be created in future, the script must include it in the scan)
2. if I use a script with "avscan `find /* -print -type f ...`", it will cover all files
but there's a major issue with this AV scanner if a list of files are onpassed
to it for scanning, this AV scan will read the huge signature pattern file
(about 70MB), then scan a file, output a banner page to logfile & kept
repeating it for each file & this is super-inefficient: it takes more than 30
hours to scan a server with only 70000 files.
if we just do "avscan /folder_name", even though the folder contains 9000
files, the scanner only read the pattern file once & output the banner to
logfile only once (instead of 9000 times if we onpass the list of files in the
folder to it)
3. A few folders should not be scanned as they contains Fifo & socket files
& could cause the scanner to run into endless loop. The folders I've
identified in our tenants VMs are mostly in the following folders:
^/cdrom
^/boot
^/platf
^/proc
^/sys
^/dev
^/net
So I'll need a script that will do the following:
a) parse thru / (perhaps `ls -lad /* |grep dr` ?) & do a grep -v of the above
7 folders to exclude them from the list : let's call it list1
b) then identify which folders/filesystems contain socket & Fifo files, possibly do
something like:
`find /each_folder_in_list1 -type p` >> Pipeslist
`find /each_folder_in_list1 -type s` >> Socketlist
c) for folders that are not among the 7 listed above AND not found in both Pipeslist & Socketlist,
scan the folders ie "avscan -s /list_of_folders_not_among
d) scan last the folders listed in Pipelist & Socketlist but exclude Fifo & Socket files in them, something like:
avscan /list_of_folders_in_Pipeli
if you can finetune the script/code futher as follows, it will be good:
eg: if /usr has /usr/1, /usr/11, /usr/1/1/1, /usr1/1/2, /usr/2, /usr/2/2
& a problem socket is found under /usr/1/1/mysock, then the
scanner should scan as many files/folders in /usr other than those
found to contain the offending Fifo & socket files. For efficiency,
we'll need a few scan commands, eg:
Parse thru the list of folders under /usr, filtering out those folders
found to contain the sockets & Fifo & output to list5 &
eg:
avscan -s /usr/1
avscan -s /usr/11
avscan -s /usr/1/1/2
avscan -s /usr/2/2
& only for the subfolder containing the offending file (ie socket)
avscan `find /usr/1/1/* |grep -v mysock`
I'm on Solaris 10 x86
Why Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE