[Change] added scan_ignore_root oprion to exclude root owned files from find results

[Change] corrected persistence of custom signature files across signature updates and version upgrades
[Change] various corrections to conf.maldet, reworded some descriptions and modified default hexdepth to 64kb and hexfifodepth to 512kb
[Change] performed additional functionality testing of current 1.5 code to ensure LMD works as expected and encountered no issues

Author: rfxn

CHANGELOG

@@ -1,5 +1,5 @@
 v1.5 | ? ? 2013:
-[TODO] pre-release test on varied distros (e.g: RHEL4,5,6, Debian 6,7, Ubuntu 11,12,13 ...)
+[TODO] pre-release tests on RHEL4,5,6, Debian 6,7, Ubuntu 11,12,13, FBSD 8,9 etc...
 [TODO] modify remote dependent URL's to use HTTPS, set wget to ignore cert errors?
 [TODO] update README file
 [TODO] scan statistics submissions
@@ -24,15 +24,16 @@ v1.5 | ? ? 2013:
        from a which search of $PATH
 [TODO] add configuration option that toggles version updates off/on [default on]
 [TODO] add configuration option that toggles signature updates off/on [default on]
-[TODO] option to exclude root owned files from find results
 [TODO] pull email alert body content out of maldet executable and create email alert global template
+[TODO] verify md5sum on version update
 [TODO] ensure hexfifo is checking runtime hexstrings and/or custom hexstrings
 [TODO] more thorough testing of custom cleaner rules
-[TODO] option to have scan_find_max_filesize set dynamically based on the largest file size in the md5 signature set
+[TODO] option to have scan_max_filesize set dynamically based on the largest file size in the md5 signature set
 
 [New] added -i|--include-regex CLI option for run-time path/file inclusion based on posix-egrep regular expressions
 [New] added -x|--exclude-regex CLI option for run-time path/file exclusion based on posix-egrep regular expressions
-[New] added scan_nice conf.maldet option to control CPU Nice value of all scan operations (find, clamscan, md5sum etc..)
+[New] added scan_ignore_root conf.maldet option to exclude root owned files from find results
+[New] added scan_cpunice conf.maldet option to control CPU Nice value of all scan operations (find, clamscan, md5sum etc..)
 [New] added support for custom signature files for md5 and hex signatures which will be preserved across signature updates
       and installation upgades; files are located at:
       sigs/custom.md5.dat

CHANGELOG.VARIABLES

@@ -2,9 +2,9 @@ quar_hits          =>  quarantine_hits
 quar_clean         =>  quarantine_clean
 quar_susp          =>  quarantine_suspend_user
 quar_susp_minuid   =>  quarantine_suspend_user_minuid
-maxdepth           =>  scan_find_max_depth
-minfilesize        =>  scan_find_min_filesize
-maxfilesize        =>  scan_find_max_filesize
+maxdepth           =>  scan_max_depth
+minfilesize        =>  scan_min_filesize
+maxfilesize        =>  scan_max_filesize
 hexdepth           =>  scan_hexdepth
 hex_fifo_scan      =>  scan_hexfifo
 hex_fifo_depth     =>  scan_hexfifo_depth

files/conf.maldet

@@ -27,95 +27,92 @@ email_addr="you@domain.com"
 email_ignore_clean=0
 
 ##
-# [ QUARANTINE OPTIONS ]
-##
-# The default quarantine action for malware hits
-# [0 = alert only, 1 = move to quarantine & alert]
-quarantine_hits=0
-
-# Try to clean string based malware injections
-# [NOTE: quarantine_hits=1 required]
-# [0 = disabled, 1 = clean]
-quarantine_clean=1
-
-# The default suspend action for users wih hits
-# Cpanel suspend or set shell /bin/false on non-Cpanel
-# [NOTE: quarantine_hits=1 required]
-# [0 = disabled, 1 = suspend account]
-quarantine_suspend_user=0
-
-# The minimum userid value that can be suspended
-# [ default = 500 ]
-quarantine_suspend_user_minuid=500
-
-##
-# [ ADVANCED SCAN OPTIONS ]
+# [ SCAN OPTIONS ]
 ##
 
 # The maximum directory depth that the scanner will search
 # [ changing this may have an impact on scan performance ]
-scan_find_max_depth=15
+scan_max_depth=15
 
-# The minimum in bytes for a file to be included in a scan
+# The minimum file size in bytes for a file to be included in
+# LMD scans. A value of less than 24b is highly discouraged.
 # [ changing this may have an impact on scan performance ]
-scan_find_min_filesize=32
+scan_min_filesize=24
 
-# The maximum file size for a file to be included in scan
-# search results; use man find for accepted values
+# The maximum file size for a file to be included in scan LMD
+# scans. Accepted value formats are b, k, M.
 # [ changing this may have an impact on scan performance ]
-scan_find_max_filesize="768k"
+scan_max_filesize="768k"
+
+# As a design and common use case, LMD typically only scans
+# user space paths and as such it makes sense to ignore files
+# that are root owned. It is recommended to leave this enabled.
+# [ 0 = disabled, 1 = enabled; enabled by default ]
+scan_ignore_root="1"
 
 # The maximum byte depth that the scanner will search into
-# a files contents; default rules expect a 1024*60 depth
+# a files contents; default rules expect a 65536 depth size.
 # [ changing this may have an impact on scan performance ]
-scan_hexdepth=61440
-
-# Use named pipe (FIFO) for passing file contents hex data
-# instead of stdin default; improved performance and greater
-# scanning depth
-# [ 0 = disabled, 1 = enabled; enabled by default ] 
+scan_hexdepth=65536
+
+# Use named pipe (FIFO) for passing file contents hex data instead
+# of stdin default; improved performance and greater scanning depth.
+# This is highly recommended and works on most systems. The hexfifo
+# will be disabled automatically if for any reason it can not be
+# successfully utilized.
+# [ 0 = disabled, 1 = enabled; enabled by default ]
 scan_hexfifo=1
 
-# The maximum byte depth that the scanner will search into
-# a files contents; default rules expect a 1024*60 depth
+# The maximum byte depth that the scanner will search into a files
+# contents when using named pipe (FIFO). Improved performance allows
+# for greater scan depth over default scan_hexdepth value.
 # [ changing this may have an impact on scan performance ]
 scan_hexfifo_depth=524288
 
-# If installed, use ClamAV clamscan binary as default scan
-# engine which providers a higher degree of performance.
-# This option only uses ClamAV as the scanner engine, LMD
-# signatures are still the basis for detecting threats.
-# [ 0 = disabled, 1 = enabled; enabled by default ] 
+# If installed, use ClamAV clamscan binary as default scan engine which
+# provides improved scan performance on large file sets. The clamscan
+# engine is used in conjunction with native ClamAV signatures updated
+# through freshclam along with LMD signatures providing additional
+# detection capabilities.
+# [ 0 = disabled, 1 = enabled; enabled by default ]
 scan_clamscan=1
 
 # Include the scanning of known temporary world-writable
 # paths for -a|--al and -r|--recent scan types.
 scan_tmpdir_paths="/tmp /var/tmp /dev/shm"
 
-# Allow non-root users to perform malware scans. This must be
-# enabled when using mod_security2 upload scanning or if you
-# want to allow users to perform scans. When enabled, this will
-# populate the /usr/local/maldetect/pub/ path with user owned
-# quarantine, session and temporary paths to faciliate scans.
-# These paths are populated through cron every 10min with the
-# /etc/cron.d/maldet_pub cronjob.
-# [ 0 = disabled, 1 = enabled, disabled by defaukt ] 
+# Allows non-root users to perform scans. This must be enabled when
+# using mod_security2 upload scanning or if you want to allow users
+# to perform scans. When enabled, this will populate 'pub/' with user
+# owned quarantine, session and temporary paths to faciliate scans.
+# [ 0 = disabled, 1 = enabled, disabled by default ]
 scan_user_access=0
 
 # Process CPU scheduling (nice) priority level for scan operations.
 # [ -19 = high prio , 19 = low prio, default = 19 ]
 scan_cpunice="19"
 
 ##
-# [ STATISTICAL ANALYSIS ]
+# [ QUARANTINE OPTIONS ]
 ##
-# The string length test is used to identify threats based on the
-# length of the longest uninterrupted string within a file. This is
-# useful as obfuscated code is often stored using encoding methods
-# that produce very long strings without spaces (e.g: base64)
-# [ string length in characters, default = 150000 ]
-string_length_scan="0"		# [ 0 = disabled, 1 = enabled ]
-string_length="150000"		# [ max string length ]
+# The default quarantine action for malware hits
+# [0 = alert only, 1 = move to quarantine & alert]
+quarantine_hits=0
+
+# Try to clean string based malware injections
+# [NOTE: quarantine_hits=1 required]
+# [0 = disabled, 1 = clean]
+quarantine_clean=1
+
+# The default suspend action for users wih hits
+# Cpanel suspend or set shell /bin/false on non-Cpanel
+# [NOTE: quarantine_hits=1 required]
+# [0 = disabled, 1 = suspend account]
+quarantine_suspend_user=0
+
+# The minimum userid value that can be suspended
+# [ default = 500 ]
+quarantine_suspend_user_minuid=500
 
 ##
 # [ MONITORING OPTIONS ]
@@ -140,3 +137,17 @@ inotify_docroot=public_html
 # Process CPU scheduling (nice) priority level for monitoring process.
 # [ -19 = high prio , 19 = low prio, default = 15 ]
 inotify_cpunice=15
+
+##
+# [ STATISTICAL ANALYSIS ]
+# This is a beta feature and as such should be used with caution.
+# Currently, this feature can have a substantially negative impact
+# on scan performance, especially with large file sets.
+##
+# The string length test is used to identify threats based on the
+# length of the longest uninterrupted string within a file. This is
+# useful as obfuscated code is often stored using encoding methods
+# that produce very long strings without spaces (e.g: base64)
+# [ string length in characters, default = 150000 ]
+string_length_scan="0"		# [ 0 = disabled, 1 = enabled ]
+string_length="150000"		# [ max string length ]

files/maldet

@@ -627,7 +627,6 @@ scan() {
  if [ -z "$setmodsec" ]; then
 	 eout "{scan} signatures loaded: $tot_sigs ($md5_sigs MD5 / $hex_sigs HEX / $cust_sigs USER)" 1
  fi
-
  if [ -f "$ignore_file_ext" ]; then
 	if [ ! "$(cat $ignore_file_ext)" == "" ]; then
 		for i in `cat $ignore_file_ext`; do
@@ -639,19 +638,22 @@ scan() {
 		done
 	fi
  fi
+ if [ "$scan_ignore_root" == "1" ]; then
+	ignore_root="! -uid 0"
+ fi
  if [ "$scan_tmpdir_paths" ] && [ -z "$setmodsec" ]; then
 	spath_tmpdirs="$scan_tmpdir_paths"
  fi
  if [ "$days" == "all" ]; then
   if [ -z "$setmodsec" ]; then
 	  eout "{scan} building file list for $spath, this might take awhile..." 1
   fi
-  $nice -n $scan_cpunice $find $spath $spath_tmpdirs -maxdepth $scan_find_max_depth $find_opts -type f -size +${scan_find_min_filesize}c -size -$scan_find_max_filesize $include_regex -not -regex "$exclude_regex" $ignore_fext | grep -vf $ignore_paths > $find_results
+  $nice -n $scan_cpunice $find $spath $spath_tmpdirs -maxdepth $scan_max_depth $find_opts -type f -size +${scan_min_filesize}c -size -$scan_max_filesize $include_regex -not -regex "$exclude_regex" $ignore_fext $ignore_root | grep -vf $ignore_paths > $find_results
  else
   if [ -z "$setmodsec" ]; then
 	  eout "{scan} building file list for $spath of new/modified files from last $days days, this might take awhile..." 1
   fi
-  $nice -n $scan_cpunice $find $spath $spath_tmpdirs -maxdepth $scan_find_max_depth $find_opts -type f -ctime -$days -size +${scan_find_min_filesize}c -size -$scan_find_max_filesize $include_regex -not -regex "$exclude_regex" $ignore_fext | grep -vf $ignore_paths > $find_results
+  $nice -n $scan_cpunice $find $spath $spath_tmpdirs -maxdepth $scan_max_depth $find_opts -type f -ctime -$days -size +${scan_min_filesize}c -size -$scan_max_filesize $include_regex -not -regex "$exclude_regex" $ignore_fext $ignore_root | grep -vf $ignore_paths > $find_results
  fi
  if [ ! -f "$find_results" ] || [ -z "$(cat $find_results)" ]; then
   if [ -z "$setmodsec" ]; then
@@ -1528,10 +1530,10 @@ else
 fi
 
 if [ ! -f "$sig_md5_file" ] || [ ! -f "$sig_hex_file" ]; then
-	sig_version=2013041200000
+	sig_version=2012010100000
 	eout "{sigup} signature files missing or corrupted, forcing update..." 1
 elif [ "$lines_md5" -lt "1000" ] || [ "$lines_hex" -lt "1000" ]; then
-	sig_version=2013041200000
+	sig_version=2012010100000
 	eout "{sigup} signature files corrupted, forcing update..." 1
 fi
 
@@ -1610,12 +1612,12 @@ if [ "$nver" != "$sig_version" ]; then
 
 		hex_sigs=`$wc -l $sig_hex_file | awk '{print$1}'`
 		md5_sigs=`$wc -l $sig_md5_file | awk '{print$1}'`
-		if [ ! -f "$custhex_sigs" ]; then
+		if [ ! -f "$sig_cust_md5_file" ]; then
 			custhex_sigs=0
 		else
 			custhex_sigs=`$wc -l $sig_cust_hex_file | awk '{print$1}'`
 		fi
-		if [ ! -f "$custmd5_sigs" ]; then
+		if [ ! -f "$sig_cust_hex_file" ]; then
 			custmd5_sigs=0
 		else
 			custmd5_sigs=`$wc -l $sig_cust_md5_file | awk '{print$1}'`