Linux Malware Detect
- 🐧 Linux Command Line
 Ansible Playbook
Compile and Install LMD
# inotify-tools backs the inotify monitor mode (maldet --monitor); ed is installed alongside it
dnf install -y inotify-tools ed
cd /usr/local/src
# NOTE(review): the tarball is fetched with no integrity check; compare it against a
# checksum published by the project (if one exists) before running install.sh as root.
wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xzvf maldetect-current.tar.gz
# replace <version> with the directory name the archive unpacked into
cd maldetect-<version>
./install.sh
Configure LMD
/usr/local/maldetect/conf.maldet
# Send an email alert for scans that produce hits.
email_alert="1"
# Recipient of those alerts.
email_addr="admin@rectitude.dev"
# 0 = still alert when every hit was auto-cleaned; 1 would suppress those reports.
email_ignore_clean="0"
# Let the daily cron job refresh the signature set.
autoupdate_signatures="1"
# Age in days after which the cron job prunes quarantine/session/tmp data.
cron_prune_days="35"
# Move hits into /usr/local/maldetect/quarantine/ instead of only reporting them.
quarantine_hits="1"
# Also try to clean string-based injections in place. This rewrites files under the
# docroot, so keep backups and review event_log before relying on it in production.
quarantine_clean="1"
# 0 = do not use ClamAV's clamscan as the scan engine; LMD recommends enabling it
# when ClamAV is installed (faster scans, larger signature set) -- confirm locally.
scan_clamscan="0"
# Docroot path(s) watched in inotify monitor mode.
inotify_docroot="/home/wwwroot"
Log Files
# follow the event log (scan hits and quarantine actions are recorded here)
tail -n 10 -f /usr/local/maldetect/logs/event_log
# follow the inotify monitor log
tail -n 10 -f /usr/local/maldetect/logs/inotify_log
Test Malware Detection
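cd /home/wwwroot/
# https://www.eicar.org/download-anti-malware-testfile/
# The URL must be quoted: an unquoted '&' backgrounds wget with a truncated URL and
# runs the rest of the line as a separate command. -O gives the saved file a fixed
# name instead of one derived from the query string.
# EICAR is a harmless test string; with quarantine_hits="1" and the monitor running,
# expect a hit to appear in event_log.
wget -O eicar.com 'https://www.eicar.org/download/eicar-com-2/?wpdmdl=8842&refresh=67848acef11891736739534'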
Useful Commands
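# scan a directory (-a / --scan-all)
/usr/local/maldetect/maldet -a /home/wwwroot/
# monitor a directory with inotify (requires inotify-tools)
/usr/local/maldetect/maldet --monitor /home/wwwroot/
# update signatures
/usr/local/maldetect/maldet -u
# update the maldet version
/usr/local/maldetect/maldet -d
# view quarantined files (ls -l: `ll` is an interactive alias, not a command)
ls -l /usr/local/maldetect/quarantine/
# purge quarantined files
# NOTE(review): this is irreversible -- once removed, a false positive can no longer be
# put back with the restore option (maldet --restore). Review event_log first, or let
# cron_prune_days expire old entries instead.
rm -rf /usr/local/maldetect/quarantine/*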
maldetect.yml
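---
# Installs and configures Linux Malware Detect (LMD) on RHEL-family hosts.
# Mirrors the manual steps: dnf dependencies, fetch the tarball, extract it,
# run install.sh, then pin the conf.maldet settings listed under `settings`.
- name: Install Linux Malware Detect
  hosts: all
  remote_user: root
  vars:
    # Alert recipient written to conf.maldet (email_addr).
    email_addr: "admin@rectitude.dev"
    # Docroot written to conf.maldet (inotify_docroot).
    inotify_docroot: "/home/wwwroot"
    maldetect_url: "https://www.rfxn.com/downloads/maldetect-current.tar.gz"
    maldetect_src: "/usr/local/src"
    maldetect_home: "/usr/local/maldetect"
  tasks:
    - name: Install inotify-tools and ed
      # inotify-tools is required for `maldet --monitor`; the manual install
      # runs `dnf install -y inotify-tools ed` before install.sh.
      dnf:
        name:
          - inotify-tools
          - ed
        state: present
    - name: Ensure source directory exists
      file:
        path: "{{ maldetect_src }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
    - name: Download Maldetect
      # NOTE(review): the tarball is not integrity-checked. Add
      # `checksum: "sha256:<value published by the project>"` once one is
      # available so install.sh never runs on a tampered archive.
      get_url:
        url: "{{ maldetect_url }}"
        dest: "{{ maldetect_src }}/maldetect-current.tar.gz"
        mode: "0644"
    - name: Extract Maldetect
      unarchive:
        src: "{{ maldetect_src }}/maldetect-current.tar.gz"
        dest: "{{ maldetect_src }}"
        remote_src: true
    - name: Find extracted folder
      # Glob match: as a regex, `maldetect-*` would also match a bare
      # "maldetect" directory (the `*` would apply to the hyphen).
      find:
        paths: "{{ maldetect_src }}"
        patterns: "maldetect-*"
        file_type: directory
        use_regex: false
      register: found_maldetect
      # Fail with a clear reason instead of an index error on files[0] below.
      failed_when: found_maldetect.matched == 0
    - name: Set folder fact
      # NOTE(review): if several maldetect-* directories are left over from
      # earlier runs, files[0] is not guaranteed to be the newest one.
      set_fact:
        maldetect_dir: "{{ found_maldetect.files[0].path }}"
    - name: Install Maldetect
      command: "./install.sh"
      args:
        chdir: "{{ maldetect_dir }}"
        # Skip the installer when LMD is already present, so the play is
        # idempotent and reports "changed" only when install.sh actually ran.
        creates: "{{ maldetect_home }}/maldet"
    - name: Configure Maldet
      vars:
        # key/value pairs enforced in conf.maldet; each key is matched by
        # `^key=` so it is set exactly once, and the value is written quoted
        # to match the file's native `key="value"` format.
        settings:
          - {key: "email_alert", value: "1"}
          - {key: "email_addr", value: "{{ email_addr }}"}
          - {key: "email_ignore_clean", value: "0"}
          - {key: "autoupdate_signatures", value: "1"}
          - {key: "cron_prune_days", value: "35"}
          - {key: "quarantine_hits", value: "1"}
          # quarantine_clean rewrites infected files in place; keep backups.
          - {key: "quarantine_clean", value: "1"}
          # 0 leaves the ClamAV engine off; set to 1 where clamav is installed.
          - {key: "scan_clamscan", value: "0"}
          - {key: "inotify_docroot", value: "{{ inotify_docroot }}"}
      lineinfile:
        path: "{{ maldetect_home }}/conf.maldet"
        regexp: "^{{ item.key }}="
        line: '{{ item.key }}="{{ item.value }}"'
        create: true
        mode: "0644"
      loop: "{{ settings }}"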