From 04e6df318f0754b314f62e31edab6be5c4262558 Mon Sep 17 00:00:00 2001
From: Developer
Date: Wed, 22 Apr 2026 00:17:15 -0400
Subject: [PATCH] Fix: Address 6 critical and high priority issues in malware scanner
CRITICAL FIXES:
- Add directory restoration trap in maldet install (prevents PWD corruption)
HIGH PRIORITY FIXES:
- security-tools.sh: Make maldet detection consistent with other scanners
- security-tools.sh: Improve ClamAV freshclam detection (add cPanel paths)
- security-tools.sh: Add timeout protection to getenforce and aa-status
- malware-scanner.sh: Integrate memory monitoring into ClamAV scan loop
- malware-scanner.sh: Initialize memory_check_count for periodic checks
SECURITY & RELIABILITY IMPROVEMENTS:
- Prevents directory corruption in install functions
- Better maldet detection across different installation paths
- Timeout protection prevents script hangs on misconfigured systems
- Periodic memory checks during long scans prevent OOM conditions
All changes verified with syntax check. MALDET_ONLY flag already correctly implemented.
---
 lib/security-tools.sh | 37 ++++++++++++++++++++++-------
 modules/security/malware-scanner.sh | 15 ++++++++++++
 2 files changed, 44 insertions(+), 8 deletions(-)
diff --git a/lib/security-tools.sh b/lib/security-tools.sh
index b9ea69e..fc502cb 100644
--- a/lib/security-tools.sh
+++ b/lib/security-tools.sh
@@ -17,10 +17,21 @@ readonly _SECURITY_TOOLS_LOADED=1
 #############################################################################
 derive_malware_scanners() {
- # ClamAV detection and paths
+ # ClamAV detection and paths - Check multiple locations for freshclam
 if command -v clamscan &>/dev/null; then
 export SYS_SCANNER_CLAMAV="$(command -v clamscan)"
- export SYS_SCANNER_CLAMUPDATE="$(command -v freshclam 2>/dev/null || echo '')"
+
+ # Find freshclam in priority order: command, cPanel path, standard paths
+ local freshclam_bin=""
+ if command -v freshclam &>/dev/null; then
+ freshclam_bin="$(command -v freshclam)"
+ elif [ -f "/usr/local/cpanel/3rdparty/bin/freshclam" ]; then
+ freshclam_bin="/usr/local/cpanel/3rdparty/bin/freshclam"
+ elif [ -f "/usr/bin/freshclam" ] || [ -f "/usr/sbin/freshclam" ]; then
+ freshclam_bin=$(find /usr -name freshclam -type f 2>/dev/null | head -1)
+ fi
+
+ export SYS_SCANNER_CLAMUPDATE="$freshclam_bin"
 export SYS_SCANNER_CLAMSCAN="clamscan"
 export SYS_SCANNER_CLAMAV_DB="/var/lib/clamav"
 export SYS_SCANNER_CLAMAV_LOG="/var/log/clamav/scan.log"
@@ -32,8 +43,13 @@ derive_malware_scanners() {
 export SYS_SCANNER_CLAMAV_LOG=""
 fi
- # Maldet (Linux Malware Detect)
- if [ -f "/usr/local/maldetect/maldet" ]; then
+ # Maldet (Linux Malware Detect) - Check command -v first, then standard paths
+ if command -v maldet &>/dev/null; then
+ export SYS_SCANNER_MALDET="$(command -v maldet)"
+ export SYS_SCANNER_MALDET_DIR="$(dirname "$(command -v maldet)")"
+ export SYS_SCANNER_MALDET_QUARANTINE="${SYS_SCANNER_MALDET_DIR}/quarantine"
+ export SYS_SCANNER_MALDET_LOG="/var/log/maldet.log"
+ elif [ -f "/usr/local/maldetect/maldet" ]; then
 export SYS_SCANNER_MALDET="/usr/local/maldetect/maldet"
 export SYS_SCANNER_MALDET_DIR="/usr/local/maldetect"
 export SYS_SCANNER_MALDET_QUARANTINE="/usr/local/maldetect/quarantine"
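Review bot: The third branch of the new freshclam lookup tests for `/usr/bin/freshclam` or `/usr/sbin/freshclam` but then exports whatever `find /usr -name freshclam -type f 2>/dev/null | head -1` happens to return first, which is not necessarily the file just tested — any regular file named freshclam anywhere under /usr (a documentation tree, a source checkout, a stale copy) becomes SYS_SCANNER_CLAMUPDATE and is presumably run later as the updater. Walking all of /usr is also slow on a large host. Assign the tested path directly and require it to be executable rather than merely present; the enclosing function continues past the hunk.
```shell
    elif [ -x "/usr/bin/freshclam" ]; then
      freshclam_bin="/usr/bin/freshclam"
    elif [ -x "/usr/sbin/freshclam" ]; then
      freshclam_bin="/usr/sbin/freshclam"
    fi
```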
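Review bot: `SYS_SCANNER_MALDET_DIR="$(dirname "$(command -v maldet)")"` derives the install directory from the PATH entry, but maldet is typically reachable on PATH through a symlink placed in a sbin directory by its installer, so dirname yields that sbin directory and `SYS_SCANNER_MALDET_QUARANTINE` becomes `<sbin dir>/quarantine`, a path that does not exist. Because the `command -v` branch now runs before the `/usr/local/maldetect/maldet` check, it also shadows the branch that carried the correct directory. Resolve the link before taking dirname, as below; the `elif` branch that follows continues outside the hunk.
```shell
  if command -v maldet &>/dev/null; then
    local maldet_path
    maldet_path="$(readlink -f "$(command -v maldet)")"
    export SYS_SCANNER_MALDET="$maldet_path"
    export SYS_SCANNER_MALDET_DIR="$(dirname "$maldet_path")"
    # … unchanged: quarantine and log exports …
```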
@@ -149,10 +165,10 @@ derive_system_security_tools() {
 export SYS_MODSECURITY_AUDIT_LOG=""
 fi
- # SELinux
+ # SELinux - Use timeout to prevent hangs on misconfigured systems
 if command -v getenforce &>/dev/null; then
 export SYS_SELINUX_ENABLED="1"
- export SYS_SELINUX_STATUS="$(getenforce 2>/dev/null)"
+ export SYS_SELINUX_STATUS="$(timeout 5 getenforce 2>/dev/null || echo "unknown")"
 export SYS_SELINUX_CONFIG="/etc/selinux/config"
 else
 export SYS_SELINUX_ENABLED=""
@@ -160,10 +176,15 @@ derive_system_security_tools() {
 export SYS_SELINUX_CONFIG=""
 fi
- # AppArmor
+ # AppArmor - Use timeout to prevent hangs
 if command -v aa-status &>/dev/null; then
 export SYS_APPARMOR_ENABLED="1"
- export SYS_APPARMOR_CONFIG="/etc/apparmor"
+ # aa-status can hang on some systems, use timeout
+ if timeout 5 aa-status &>/dev/null; then
+ export SYS_APPARMOR_CONFIG="/etc/apparmor"
+ else
+ export SYS_APPARMOR_CONFIG=""
+ fi
 else
 export SYS_APPARMOR_ENABLED=""
 export SYS_APPARMOR_CONFIG=""
diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh
index 12726a8..e76eb4f 100755
--- a/modules/security/malware-scanner.sh
+++ b/modules/security/malware-scanner.sh
@@ -364,6 +364,10 @@ install_maldet_only() {
 echo "Checking available versions..."
 echo ""
+ # Save original directory and restore on exit
+ local original_dir="$PWD"
+ trap "cd '$original_dir' 2>/dev/null || true" RETURN
+
 cd /tmp || return 1
 # Try to download from sources in order with aggressive timeout handling
@@ -1965,6 +1969,7 @@ for scanner in "${available_scanners[@]}"; do
 last_size=0
 last_filename=""
 stall_counter=0
+ memory_check_count=0
 while kill -0 "$CLAM_PID" 2>/dev/null; do
 # Get current log size and file count from log
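Review bot: The new `|| echo "unknown"` fallback on the SYS_SELINUX_STATUS line collapses two different outcomes into one value — `timeout` expiring (exit 124) and getenforce failing outright both yield `unknown` — while `SYS_SELINUX_ENABLED` stays `1` on the line above, so a caller that checks ENABLED and then compares the status against Enforcing/Permissive/Disabled falls through silently. Every consumer of SYS_SELINUX_STATUS should be checked for the new sentinel, and the line deserves a comment such as `# "unknown" = getenforce timed out or failed; SYS_SELINUX_ENABLED only means the binary exists`. The enclosing function continues outside the hunk.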
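Review bot: `if timeout 5 aa-status &>/dev/null; then` uses the exit status of aa-status to decide whether `/etc/apparmor` is the config path, but aa-status exits non-zero for reasons unrelated to a hang — it needs privileges to read the kernel control files and reports a non-zero status when no policy is loaded — so an unprivileged run or a host with AppArmor installed but disabled is left with `SYS_APPARMOR_ENABLED="1"` and an empty config path. The config directory exists or not independently of daemon state; take it from `if [ -d /etc/apparmor ]; then`, and if the probe is kept for hang detection treat only exit 124 as the hang case, e.g. `if timeout 5 aa-status &>/dev/null || [ $? -ne 124 ]; then`. The enclosing function continues outside the hunk.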
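Review bot: `trap "cd '$original_dir' 2>/dev/null || true" RETURN` expands the directory into the handler string at definition time, so a current directory whose name contains a single quote terminates the quoting and the remainder of the name is parsed as shell text when the trap fires; for an installer run from an arbitrary cwd that is both a correctness bug and an injection surface. Shell-quote the value when building the handler: `trap "cd -- $(printf '%q' "$original_dir") 2>/dev/null || true" RETURN`. Also confirm the handler does not stay installed after install_maldet_only returns — if it does, append `; trap - RETURN` inside it. The function body continues outside the hunk.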
@@ -2001,6 +2006,16 @@ for scanner in "${available_scanners[@]}"; do
 last_size=$current_size
 fi
+ # Check memory every 5 seconds (25 * 0.2s) to prevent OOM
+ if [ $((++memory_check_count)) -ge 25 ]; then
+ if ! check_memory_during_scan; then
+ log_message "CRITICAL: Out of memory during scan - stopping"
+ kill "$CLAM_PID" 2>/dev/null || true
+ break
+ fi
+ memory_check_count=0
+ fi
+
 sleep 0.2
 done
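Review bot: After `kill "$CLAM_PID" 2>/dev/null || true` the loop simply breaks: nothing waits for or escalates on the scanner, so if clamscan does not stop on SIGTERM it keeps consuming memory in the background, and whatever follows the loop (outside the hunk) presumably treats the pid's exit as a normal finish, so an aborted scan could be reported as if it had completed. Record the abort and reap the process — `scan_aborted=1` next to the kill, then `wait "$CLAM_PID" 2>/dev/null || true` — and escalate with `kill -KILL` if `kill -0` still succeeds after a short grace period, so the result handling can report the scan as incomplete. `check_memory_during_scan` is not visible here; I am assuming it returns non-zero when memory is low, and the counter it relies on is initialised in the preceding hunk. The enclosing for and while loops start outside the hunk.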