https://www.experts-exchange.com/questions/28702372/Help-troubleshoot-a-Shell-script.html
Refer to the above EE post that I've raised:
I'm required to use a command-line AV scanner for hundreds of Solaris 10 x86 servers
but faced a few issues / limitations:
I'm trying to merge 2 options of scanning so as to get the best of both worlds ie
1. not missing any files/folders which may potentially get infected
(on one Solaris server, we may have /app1 folder but on another server, may
have /app2 as the servers belong to our tenants. Also, if a folder/filesystem
were to be created in future, the script must include it in the scan)
2. if I use a script with "avscan `find /* -print -type f ...`", it will cover all files
but there's a major issue with this AV scanner if a list of files is passed
to it for scanning: this AV scan will read the huge signature pattern file
(about 70MB), then scan a file, output a banner page to the logfile & keep
repeating it for each file & this is super-inefficient: it takes more than 30
hours to scan a server with only 70000 files.
If we just do "avscan /folder_name", even though the folder contains 9000
files, the scanner only reads the pattern file once & outputs the banner to the
logfile only once (instead of 9000 times if we pass the list of files in the
folder to it)
3. A few folders should not be scanned as they contain Fifo & socket files
& could cause the scanner to run into an endless loop. The folders I've
identified in our tenants' VMs are mostly the following:
^/cdrom
^/boot
^/platf
^/proc
^/sys
^/dev
^/net
So I'll need a script that will do the following:
a) parse thru / (perhaps `ls -lad /* |grep dr` ?) & do a grep -v of the above
7 folders to exclude them from the list : let's call it list1
b) then identify which folders/filesystems contain socket & Fifo files, possibly do
something like:
`find /each_folder_in_list1 -type p` >> Pipeslist
`find /each_folder_in_list1 -type s` >> Socketlist
c) for folders that are not among the 7 listed above AND not found in both Pipeslist & Socketlist,
scan the folders ie "avscan -s /list_of_folders_not_among_the_7_and_not_in_Pipelist_&_Socketlist"
d) scan last the folders listed in Pipelist & Socketlist but exclude Fifo & Socket files in them, something like:
avscan /list_of_folders_in_Pipelist_&_Socketlist |grep -v list_of_fifo_or_Socket_files.
if you can fine-tune the script/code further as follows, it will be good:
eg: if /usr has /usr/1, /usr/11, /usr/1/1/1, /usr/1/1/2, /usr/2, /usr/2/2
& a problem socket is found under /usr/1/1/mysock, then the
scanner should scan as many files/folders in /usr other than those
found to contain the offending Fifo & socket files. For efficiency,
we'll need a few scan commands, eg:
Parse thru the list of folders under /usr, filtering out those folders
found to contain the sockets & Fifo & output to list5 &
eg:
avscan -s /usr/1
avscan -s /usr/11
avscan -s /usr/1/1/2
avscan -s /usr/2/2
& only for the subfolder containing the offending file (ie socket)
avscan `find /usr/1/1/* |grep -v mysock`
I'm on Solaris 10 x86
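The procedure asked for above (list1 minus the 7 folders, find the directories that hold FIFOs or sockets, give clean subtrees to `avscan -s`, and pass only the regular files of the "dirty" directories as a list), written out as one script. This is an added example, not code from the original post or from the AV vendor: `avscan -s DIR` and `avscan FILE...` are the two scanner calls the post names, while the function names, the `AVSCAN` variable and the S/F plan format are assumptions of this example. It also carries the refinement from the `/usr/1/1/mysock` case: only the directory on the path to the FIFO/socket gets a file list, every sibling subtree still gets a single `avscan -s`.

```shell
#!/bin/sh
# Added example, not code from the original post: build and run an avscan plan
# for one root directory along the lines the post describes. "avscan -s DIR"
# and "avscan FILE..." are the scanner calls named in the post; the function
# names, the plan format and the AVSCAN variable are this example's own.
# Set AVSCAN=echo to preview the plan instead of scanning.

EXCLUDES="cdrom boot platf proc sys dev net"   # the 7 top-level folders from the post
AVSCAN=${AVSCAN:-avscan}                       # assumed scanner command (not verified here)

# is_excluded NAME: true if NAME is one of the excluded top-level folders.
is_excluded() {
    for e in $EXCLUDES; do [ "$1" = "$e" ] && return 0; done
    return 1
}

# list_top_dirs ROOT: "list1" from the post, the top-level directories under ROOT
# minus the excluded ones; symlinks are skipped so a link into /proc can't pull it back in.
list_top_dirs() {
    case $1 in /) prefix=/ ;; *) prefix=$1/ ;; esac
    for d in "$prefix"*; do
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        is_excluded "${d##*/}" && continue
        printf '%s\n' "$d"
    done
}

# tainted_dirs ROOT: directories that must NOT be given "avscan -s" because a FIFO
# or socket sits somewhere below them: the directory holding the object and every
# ancestor up to ROOT (ROOT itself is always listed; we never run "avscan -s /").
tainted_dirs() {
    root=$1
    printf '%s\n' "$root"
    list_top_dirs "$root" | while IFS= read -r d; do
        find "$d" \( -type p -o -type s \) -print 2>/dev/null
    done | while IFS= read -r obj; do
        p=${obj%/*}
        while [ -n "$p" ] && [ "$p" != "$root" ]; do
            printf '%s\n' "$p"
            p=${p%/*}
        done
    done | sort -u
}

# is_tainted DIR LISTFILE: true if DIR is an exact line of LISTFILE.
is_tainted() {
    grep -Fx "$1" "$2" >/dev/null 2>&1
}

# emit_files DIR: plan line "F DIR FILE..." with the regular files directly inside
# DIR (FIFOs, sockets, symlinks and subdirectories are left out). Assumes no
# whitespace in file names, since the plan is one space-separated line.
emit_files() {
    printf 'F %s' "$1"
    for f in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then printf ' %s' "$f"; fi
    done
    printf '\n'
}

# plan_scan ROOT: one plan line per scanner invocation.
#   S DIR          whole subtree is clean              -> avscan -s DIR
#   F DIR FILE...  DIR is on the path to a FIFO/socket -> avscan FILE...
# A clean directory whose parent is also clean prints nothing: the parent's
# "avscan -s" already covers it, which keeps the number of invocations small.
plan_scan() {
    root=$1
    tlist=${TMPDIR:-/tmp}/avplan.$$
    tainted_dirs "$root" > "$tlist"
    list_top_dirs "$root" | while IFS= read -r top; do
        find "$top" -type d -print 2>/dev/null
    done | sort | while IFS= read -r d; do
        parent=${d%/*}; [ -n "$parent" ] || parent=/
        if is_tainted "$d" "$tlist"; then
            emit_files "$d"
        elif is_tainted "$parent" "$tlist"; then
            printf 'S %s\n' "$d"
        fi
    done
    rm -f "$tlist"
}

# run_plan ROOT: execute the plan with $AVSCAN.
run_plan() {
    plan_scan "$1" | while IFS= read -r line; do
        set -- $line
        kind=$1; shift
        case $kind in
            S) "$AVSCAN" -s "$1" ;;
            F) shift; if [ $# -gt 0 ]; then "$AVSCAN" "$@"; fi ;;   # a tainted dir may hold no regular files
        esac
    done
}

if [ $# -gt 0 ]; then run_plan "$1"; fi   # e.g.  AVSCAN=echo sh avplan.sh /
```

Preview the plan first with `AVSCAN=echo sh avplan.sh /` and check that every `F` line lists only regular files and that none of the 7 excluded folders appears. On Solaris 10 run it under `/usr/xpg4/bin/sh` or `ksh`, because the legacy `/bin/sh` there does not understand `${var##pattern}`; if `/usr/bin/grep` rejects `-Fx`, use `/usr/xpg4/bin/grep` in `is_tainted`. The `2>/dev/null` on the two `find` calls hides permission errors, so a directory the scanning account cannot read is silently skipped rather than reported; drop it when auditing coverage.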