Need shell script to parse through suitable filesystems/files/folders for AV scanning

393 Views
Last Modified: 2015-09-13
https://www.experts-exchange.com/questions/28702372/Help-troubleshoot-a-Shell-script.html
Refer to above EE post that I've raised:


I'm required to use a command-line AV scanner for hundreds of Solaris 10 x86 servers
but have faced a few issues / limitations:

I'm trying to merge 2 options of scanning so as to get the best of both worlds, i.e.
1. not missing any files/folders which may potentially get infected
    (on one Solaris server we may have /app1 folder but on another server we may
     have /app2, as the servers belong to our tenants.  Also, if a folder/filesystem
     were to be created in future, the script must include it in the scan)

2. if I use a script with   "avscan `find /* -print -type f ...`", it will cover all files,
    but there's a major issue with this AV scanner if a list of files is passed on
    to it for scanning: this AV scan will read the huge signature pattern file
    (about 70MB), then scan a file, output a banner page to the logfile & keep
    repeating it for each file, & this is super-inefficient: it takes more than 30
    hours to scan a server with only 70000 files.
    If we just do "avscan /folder_name", even though the folder contains 9000
    files, the scanner only reads the pattern file once & outputs the banner to the
    logfile only once (instead of 9000 times if we pass on the list of files in the
    folder to it)

3. A few folders should not be scanned as they contain Fifo & socket files
    & could cause the scanner to run into an endless loop.  The folders I've
    identified in our tenants' VMs are mostly the following:
    ^/cdrom
    ^/boot
    ^/platf
    ^/proc
    ^/sys
    ^/dev
    ^/net


So I'll need a script that will do the following:

a) parse through /   (perhaps `ls -lad /* |grep dr` ?)  & do a grep -v of the above
     7 folders to exclude them from the list: let's call it list1

b) then identify which folders/filesystems contain socket & Fifo files, possibly do
     something like:
      `find /each_folder_in_list1 -type p` >> Pipeslist
      `find /each_folder_in_list1 -type s` >> Socketlist

c) for folders that are not among the 7 listed above AND not found in either Pipeslist or Socketlist,
    scan the folders, i.e.     "avscan -s /list_of_folders_not_among_the_7_and_not_in_Pipelist_&_Socketlist"

d) scan last the folders listed in Pipelist & Socketlist but exclude the Fifo & Socket files in them, something like:
     avscan /list_of_folders_in_Pipelist_&_Socketlist |grep -v list_of_fifo_or_Socket_files
     If you can fine-tune the script/code further as follows, it will be good:
       eg: if /usr has /usr/1, /usr/11, /usr/1/1/1, /usr/1/1/2, /usr/2, /usr/2/2
           & a problem socket is found under /usr/1/1/mysock, then the
           scanner should scan as many files/folders in /usr as possible other than those
           found to contain the offending Fifo & socket files.  For efficiency,
           we'll need a few scan commands, eg:
           parse through the list of folders under /usr, filtering out those folders
           found to contain the sockets & Fifo, & output to list5, eg:
                 avscan -s /usr/1
                 avscan -s /usr/11
                 avscan -s /usr/1/1/2
                 avscan -s /usr/2/2
           & only for the subfolder containing the offending file (ie socket):
                 avscan `find /usr/1/1/* |grep -v mysock`


I'm on Solaris 10 x86
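One way to implement steps a) to d) of the request above, as an added example that is not part of the original question or of any EE answer. It assumes a scanner invoked as `avscan -s DIR` for a recursive directory scan and `avscan FILE...` for a file list, exactly as the question describes, and is written in POSIX sh without `-maxdepth`, `local` or arrays (on Solaris 10 run it with /usr/xpg4/bin/sh or ksh, since /bin/sh there is a pre-POSIX Bourne shell). The `demo` function builds a constructed directory tree, with a FIFO standing in for the offending socket, and substitutes an `echo` stub for the real scanner so the invocations it would issue can be inspected.

```shell
#!/bin/sh
# Added example for the request above; not code from the EE thread.
# Assumption: the scanner is "avscan -s DIR" (recursive, one banner) and
# "avscan FILE..." (file list, one banner per invocation).

AVSCAN=${AVSCAN:-avscan}    # scanner command; the demo overrides it with a stub

# a) top-level directories under $1 minus the seven excluded prefixes
#    (^/cdrom ^/boot ^/platf ^/proc ^/sys ^/dev ^/net): "list1" in the question
list_top_dirs() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        case "${d##*/}" in
            cdrom|boot|platf*|proc|sys|dev|net) ;;     # skip, never scanned
            *) echo "$d" ;;
        esac
    done
}

# b) true if any FIFO (-type p) or socket (-type s) lives anywhere under $1
has_special_files() {
    [ -n "$(find "$1" \( -type p -o -type s \) -print 2>/dev/null | head -n 1)" ]
}

# c)/d) scan a tree with as few scanner invocations as possible:
#   - a subtree with no FIFO/socket gets a single "avscan -s DIR";
#   - otherwise the plain files directly inside it go to the scanner as one
#     file list (FIFOs and sockets are never selected, so no grep -v needed)
#     and each subdirectory is handled the same way recursively.
# Names containing whitespace are not handled (Solaris 10 find lacks -print0).
scan_tree() {
    if has_special_files "$1"; then
        # regular files at depth 1 only; "/./" comes from the portable depth-1 idiom
        files=$(find "$1"/. ! -name . -prune -type f -print 2>/dev/null | sed 's|/\./|/|')
        if [ -n "$files" ]; then
            $AVSCAN $files
        fi
        for sub in "$1"/*; do
            if [ -d "$sub" ]; then
                scan_tree "$sub"
            fi
        done
    else
        $AVSCAN -s "$1"
    fi
    return 0
}

# driver: clean top-level folders first with "-s", the FIFO/socket-bearing
# ones last, piecewise, as steps c) and d) ask
scan_root() {
    dirty=""
    for d in $(list_top_dirs "$1"); do
        if has_special_files "$d"; then
            dirty="$dirty $d"
        else
            $AVSCAN -s "$d"
        fi
    done
    for d in $dirty; do
        scan_tree "$d"
    done
    return 0
}

# self-contained demonstration on a constructed tree (not a real server):
#   ROOT/proc           excluded by name
#   ROOT/app1/...       plain files only          -> one "avscan -s" call
#   ROOT/usr/1/1/mysock FIFO standing in for the offending socket
#                                                  -> /usr scanned piecewise
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/proc" "$root/app1/data" "$root/usr/1/1" "$root/usr/11" "$root/usr/2/2"
    touch "$root/app1/data/a.bin" "$root/usr/1/top.txt" "$root/usr/1/1/keep.txt"
    touch "$root/usr/11/b.txt" "$root/usr/2/2/c.txt"
    mkfifo "$root/usr/1/1/mysock"
    AVSCAN="echo avscan"               # stub: print the command instead of scanning
    scan_root "$root" | sed "s|$root||g"
    rm -rf "$root"
}

case "${1:-}" in
    --demo) demo ;;
    "")     ;;                         # sourced or run without arguments: define only
    *)      scan_root "$1" ;;          # e.g.  sh avscan_tree.sh /
esac
```

Running it with `--demo` prints `avscan -s /app1`, then `avscan /usr/1/top.txt`, `avscan /usr/1/1/keep.txt`, `avscan -s /usr/11` and `avscan -s /usr/2`: the whole of /app1 and the clean branches of /usr each cost one banner, only the two directories on the path to the FIFO fall back to per-directory file lists, and the FIFO itself never reaches the scanner. On a real server the top-level loop in `scan_root` also naturally picks up any /app3 that a tenant creates later.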