Fix: Address 6 critical and high priority issues in malware scanner

CRITICAL FIXES: - Add directory restoration trap in maldet install (prevents PWD corruption) HIGH PRIORITY FIXES: - security-tools.sh: Make maldet detection consistent with other scanners - security-tools.sh: Improve ClamAV freshclam detection (add cPanel paths) - security-tools.sh: Add timeout protection to getenforce and aa-status - malware-scanner.sh: Integrate memory monitoring into ClamAV scan loop - malware-scanner.sh: Initialize memory_check_count for periodic checks SECURITY & RELIABILITY IMPROVEMENTS: - Prevents directory corruption in install functions - Better maldet detection across different installation paths - Timeout protection prevents script hangs on misconfigured systems - Periodic memory checks during long scans prevent OOM conditions All changes verified with syntax check. MALDET_ONLY flag already correctly implemented.
2026-04-22 00:17:15 -04:00
parent 076be62f99
commit 04e6df318f
2 changed files with 44 additions and 8 deletions
@@ -17,10 +17,21 @@ readonly _SECURITY_TOOLS_LOADED=1
 #############################################################################

 derive_malware_scanners() {
-    # ClamAV detection and paths
+    # ClamAV detection and paths - Check multiple locations for freshclam
    if command -v clamscan &>/dev/null; then
        export SYS_SCANNER_CLAMAV="$(command -v clamscan)"
-        export SYS_SCANNER_CLAMUPDATE="$(command -v freshclam 2>/dev/null || echo '')"
+
+        # Find freshclam in priority order: command, cPanel path, standard paths
+        local freshclam_bin=""
+        if command -v freshclam &>/dev/null; then
+            freshclam_bin="$(command -v freshclam)"
+        elif [ -f "/usr/local/cpanel/3rdparty/bin/freshclam" ]; then
+            freshclam_bin="/usr/local/cpanel/3rdparty/bin/freshclam"
+        elif [ -f "/usr/bin/freshclam" ] || [ -f "/usr/sbin/freshclam" ]; then
+            freshclam_bin=$(find /usr -name freshclam -type f 2>/dev/null | head -1)
+        fi
+
+        export SYS_SCANNER_CLAMUPDATE="$freshclam_bin"
        export SYS_SCANNER_CLAMSCAN="clamscan"
        export SYS_SCANNER_CLAMAV_DB="/var/lib/clamav"
        export SYS_SCANNER_CLAMAV_LOG="/var/log/clamav/scan.log"
@@ -32,8 +43,13 @@ derive_malware_scanners() {
        export SYS_SCANNER_CLAMAV_LOG=""
    fi

-    # Maldet (Linux Malware Detect)
-    if [ -f "/usr/local/maldetect/maldet" ]; then
+    # Maldet (Linux Malware Detect) - Check command -v first, then standard paths
+    if command -v maldet &>/dev/null; then
+        export SYS_SCANNER_MALDET="$(command -v maldet)"
+        export SYS_SCANNER_MALDET_DIR="$(dirname "$(command -v maldet)")"
+        export SYS_SCANNER_MALDET_QUARANTINE="${SYS_SCANNER_MALDET_DIR}/quarantine"
+        export SYS_SCANNER_MALDET_LOG="/var/log/maldet.log"
+    elif [ -f "/usr/local/maldetect/maldet" ]; then
        export SYS_SCANNER_MALDET="/usr/local/maldetect/maldet"
        export SYS_SCANNER_MALDET_DIR="/usr/local/maldetect"
        export SYS_SCANNER_MALDET_QUARANTINE="/usr/local/maldetect/quarantine"
@@ -149,10 +165,10 @@ derive_system_security_tools() {
        export SYS_MODSECURITY_AUDIT_LOG=""
    fi

-    # SELinux
+    # SELinux - Use timeout to prevent hangs on misconfigured systems
    if command -v getenforce &>/dev/null; then
        export SYS_SELINUX_ENABLED="1"
-        export SYS_SELINUX_STATUS="$(getenforce 2>/dev/null)"
+        export SYS_SELINUX_STATUS="$(timeout 5 getenforce 2>/dev/null || echo "unknown")"
        export SYS_SELINUX_CONFIG="/etc/selinux/config"
    else
        export SYS_SELINUX_ENABLED=""
@@ -160,10 +176,15 @@ derive_system_security_tools() {
        export SYS_SELINUX_CONFIG=""
    fi

-    # AppArmor
+    # AppArmor - Use timeout to prevent hangs
    if command -v aa-status &>/dev/null; then
        export SYS_APPARMOR_ENABLED="1"
-        export SYS_APPARMOR_CONFIG="/etc/apparmor"
+        # aa-status can hang on some systems, use timeout
+        if timeout 5 aa-status &>/dev/null; then
+            export SYS_APPARMOR_CONFIG="/etc/apparmor"
+        else
+            export SYS_APPARMOR_CONFIG=""
+        fi
    else
        export SYS_APPARMOR_ENABLED=""
        export SYS_APPARMOR_CONFIG=""
@@ -364,6 +364,10 @@ install_maldet_only() {
    echo "Checking available versions..."
    echo ""

+    # Save original directory and restore on exit
+    local original_dir="$PWD"
+    trap "cd '$original_dir' 2>/dev/null || true" RETURN
+
    cd /tmp || return 1

    # Try to download from sources in order with aggressive timeout handling
@@ -1965,6 +1969,7 @@ for scanner in "${available_scanners[@]}"; do
            last_size=0
            last_filename=""
            stall_counter=0
+            memory_check_count=0

            while kill -0 "$CLAM_PID" 2>/dev/null; do
                # Get current log size and file count from log
@@ -2001,6 +2006,16 @@ for scanner in "${available_scanners[@]}"; do
                    last_size=$current_size
                fi

+                # Check memory every 5 seconds (25 * 0.2s) to prevent OOM
+                if [ $((++memory_check_count)) -ge 25 ]; then
+                    if ! check_memory_during_scan; then
+                        log_message "CRITICAL: Out of memory during scan - stopping"
+                        kill "$CLAM_PID" 2>/dev/null || true
+                        break
+                    fi
+                    memory_check_count=0
+                fi
+
                sleep 0.2
            done