Manual scanning and e-mail alert
Using the latest Linux Security on RHEL6 with the command-line-only interface. A manual scan is done by
fsav /my/path/here
and it would be nice if the results were e-mailed to a given address. Is this possible? And of course we do not need the "All OK" information, only an e-mail if something suspicious is found.
Comments
-
Hi,
you are on a Linux box; you can script anything you like.
Create a report, check the return code and mail the report...
BR
0 -
Yes, fsav takes the parameter --virus-action1=report, so my first idea was to pass that on. But:
report = synonym for none
So how do I get the status, or more importantly the real alerts, out of there to be processed and sent by e-mail?
0 -
action=report does not create a report; it forces the scanner only to report and block the file instead of disinfecting it.
Just pipe the output to a file and decide (based on the return code) what to do with the report...
BR
0 -
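The approach in the reply above (capture the scanner's output in a file, branch on its exit status, mail only when it is non-zero), as an added example that is not part of the original thread and not an F-Secure/WithSecure tool. The scanner path, mail client, recipient and report directory are assumptions that can be overridden from the environment; the fsav and mail stubs at the bottom are constructed only so the example runs offline. The only exit-code meaning relied on is "0 = scan completed and found nothing"; any other status, whether a detection or a scanner failure, is treated as worth a mail.

```shell
#!/bin/sh
# Added example: scan, keep the combined output as a dated report, and mail
# the report only when the scanner exits non-zero. Paths, mailer, recipient
# and report directory below are assumptions, not values from the thread.

SCANNER="${SCANNER:-/usr/bin/fsav}"              # assumed install path
MAILER="${MAILER:-/bin/mail}"                     # assumed mail client
ALERT_TO="${ALERT_TO:-security@example.com}"      # placeholder address
REPORT_DIR="${REPORT_DIR:-/var/tmp/fsav_reports}" # assumed location

# scan_to_report TARGET
# Runs the scanner with stdout and stderr captured into a timestamped report.
# Echoes the report path and returns the scanner's own exit status so the
# caller can branch on it. A report is kept even for a clean scan, which
# gives an audit trail of what ran and when.
scan_to_report() {
    _target="$1"; _rc=0
    mkdir -p "$REPORT_DIR" || return 2
    _report="$REPORT_DIR/fsav_report-$(date +%Y%m%d-%H%M%S)-$$"
    "$SCANNER" "$_target" > "$_report" 2>&1 || _rc=$?
    printf '%s\n' "$_report"
    return "$_rc"
}

# alert_if_needed RC REPORT
# Mails REPORT when RC is non-zero. Non-zero covers both "something found"
# and "scanner failed to run"; neither is silently dropped. If no report
# exists (e.g. the directory could not be created) a short note is mailed
# instead. Returns 0 when mail was sent, 1 when the scan was clean.
alert_if_needed() {
    _rc="$1"; _report="$2"
    [ "$_rc" -eq 0 ] && return 1
    _subject="FSAV alert from $(hostname 2>/dev/null || echo unknown-host) (scanner exit $_rc)"
    if [ ! -r "$_report" ]; then
        printf 'Scan failed before producing a report (exit %s)\n' "$_rc" \
            | "$MAILER" -s "$_subject" "$ALERT_TO"
    else
        "$MAILER" -s "$_subject" "$ALERT_TO" < "$_report"
    fi
}

# scan_and_alert TARGET
# Cron-friendly entry point: scan, then alert only on a non-zero result.
# Echoes "clean" or "alert <rc>" so a caller can check the outcome.
scan_and_alert() {
    _rc=0
    _report=$(scan_to_report "$1") || _rc=$?
    if alert_if_needed "$_rc" "$_report"; then
        printf 'alert %s\n' "$_rc"
    else
        printf 'clean\n'
    fi
}

# --- Constructed stand-ins so the example runs offline (not real fsav/mail) ---

# make_fake_scanner EXIT_CODE: writes a stub that prints scanner-like lines
# and exits with EXIT_CODE; echoes the stub's path.
make_fake_scanner() {
    _stub="$(mktemp -d)/fsav"
    cat > "$_stub" <<EOF
#!/bin/sh
echo "stub scan of: \$1"
echo "Files scanned: 3"
if [ $1 -ne 0 ]; then echo "\$1/eicar.com: Infected: EICAR_Test_File (constructed)"; fi
exit $1
EOF
    chmod +x "$_stub"
    printf '%s\n' "$_stub"
}

# make_fake_mailer LOG: writes a stub "mail" that records the -s subject and
# the message body in LOG instead of sending anything; echoes its path.
make_fake_mailer() {
    _stub="$(mktemp -d)/mail"
    cat > "$_stub" <<EOF
#!/bin/sh
printf 'subject=%s\n' "\$2" >> "$1"
cat >> "$1"
EOF
    chmod +x "$_stub"
    printf '%s\n' "$_stub"
}

# demo: a clean scan and an "infected" scan against the stubs; succeeds only
# if exactly one mail was produced and it carried the detection line.
demo() {
    REPORT_DIR=$(mktemp -d); _log="$REPORT_DIR/mail.log"
    MAILER=$(make_fake_mailer "$_log")
    SCANNER=$(make_fake_scanner 0); _clean=$(scan_and_alert /srv/data)
    SCANNER=$(make_fake_scanner 3); _hit=$(scan_and_alert /srv/data)
    [ "$_clean" = "clean" ] && [ "$_hit" = "alert 3" ] \
        && grep -q 'eicar.com: Infected' "$_log" \
        && [ "$(grep -c '^subject=' "$_log")" -eq 1 ]
}

if demo; then
    echo "ok: mail was sent only for the scan that exited non-zero"
fi
```

For the real scanner, run `scan_and_alert /path/to/scan` from cron with `SCANNER`, `MAILER` and `ALERT_TO` set for the host; the report files accumulate in `REPORT_DIR`, so pair this with a periodic `find ... -mtime +30` cleanup as the script later in the thread does.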
Ok, our Script Kid Department did a great job and wrote fsav_scan.sh for this and all future needs too. It also includes automatic report generation and removal after 30 days, and an e-mail alert is sent if needed.
5 -
Hi,
great!
Would you mind offering the solution to the community?
Best Regards
0 -
fsav_scan.sh:
#!/bin/bash
#
# This tool is used for reporting possible scanning alerts
# from F-Secure AV Scanner. Reports are generated to the report directory.
# Reports that are older than 30 days are removed automatically.
# (Add -x to the shebang line to trace execution while debugging;
# under cron that trace would otherwise be mailed on every run.)
#
# Changelog:
#
# * Author, 12.1.2012
# - Initial revision.
##############
### Config ###
##############
HOSTNAME="$(/bin/hostname --fqdn)"
DATETIME="$(/bin/date +%d-%m-%Y-%H:%M)"
REPORT_DIR="/opt/fsav_report/reports"
REPORT_FILE="fsav_report-$DATETIME"
REPORT_OUTPUT="$REPORT_DIR/$REPORT_FILE"
REPORT_TARGET="your@address.here.com"
REPORT_SUBJECT="FSAV Scanner Alert From $HOSTNAME"
FSAV_BIN="/usr/bin/fsav"
FSAV_TARGET="/path/to/be/scanned//"
# Left unquoted where it is run so it word-splits into command and argument.
SCAN_CMD="$FSAV_BIN $FSAV_TARGET"
#############
# Functions #
#############
# Check the return code and send an alert if the error code
# was something else than a zero. The optional second argument
# is a custom message to mail instead of the report file.
function check_error() {
    RETURN_CODE="$1"
    ARG="${2:-}"
    if [ "$RETURN_CODE" -ne 0 ]; then
        send_alert "$ARG"
        exit "$RETURN_CODE"
    fi
    return 0
}
# Send an alert to $REPORT_TARGET: the report file by default,
# or the custom message passed as the first argument.
function send_alert() {
    CUSTOM_ERROR="$1"
    MAIL_BIN="/bin/mail"
    if [ -z "$CUSTOM_ERROR" ]; then
        "$MAIL_BIN" -s "$REPORT_SUBJECT" "$REPORT_TARGET" < "$REPORT_OUTPUT"
    else
        echo "$CUSTOM_ERROR" | "$MAIL_BIN" -s "$REPORT_SUBJECT" "$REPORT_TARGET"
    fi
}
# Delete reports older than 30 days.
function cleanup_reports() {
    if [ -n "$REPORT_DIR" ]; then
        find "$REPORT_DIR" -type f -mtime +30 -exec rm -vf {} \;
    fi
}
########
# Main #
########
# Check that the directory exists. If it doesn't, create it.
# If the directory exists, clean it up before proceeding.
if [ ! -d "$REPORT_DIR" ]; then
    mkdir -p "$REPORT_DIR"
    check_error $? "Error creating report directory."
else
    cleanup_reports
fi
# Run the scan, capturing stdout and stderr in the report file.
# fsav exits non-zero when it finds something or fails to run;
# in either case check_error mails the report to $REPORT_TARGET.
$SCAN_CMD > "$REPORT_OUTPUT" 2>&1
check_error $?