Diffstat (limited to 'config/havp')
-rw-r--r-- | config/havp/havp.inc | 66 | ||||
-rw-r--r-- | config/havp/havp.xml | 31 |
2 files changed, 74 insertions, 23 deletions
diff --git a/config/havp/havp.inc b/config/havp/havp.inc index 5b420d21..36c053c9 100644 --- a/config/havp/havp.inc +++ b/config/havp/havp.inc @@ -77,7 +77,13 @@ define('HVDEF_MAXSCANSIZE', '5000000'); # [bytes] ! do not enter 0 o define('HVDEF_MAXARCSCANSIZE', '5000000'); # [bytes] ! do not enter 0 or big size ! define('HVDEF_PID_FILE', '/var/run/havp.pid'); define('HVDEF_WORK_DIR', '/usr/local/etc/havp'); -define('HVDEF_LOG_DIR', '/var/log/havp'); + +$pfSversion = str_replace("\s", "", file_get_contents("/etc/version")); +if(preg_match("/^2.0/",$pfSversion)) + define('HVDEF_LOG_DIR', '/var/log/havp'); +else + define('HVDEF_LOG_DIR', '/var/log'); + define('HVDEF_TEMP_DIR', '/var/tmp'); define('HVDEF_HAVPTEMP_DIR', HVDEF_TEMP_DIR.'/havp'); define('HVDEF_RAMTEMP_DIR', HVDEF_TEMP_DIR.'/havpRAM'); @@ -97,7 +103,12 @@ define('HVDEF_HAVP_MAXSRV', '100'); # Clam #define('HVDEF_CLAM_RUNDIR', '/var/run/clamav'); define('HVDEF_CLAM_RUNDIR', '/var/run'); -define('HVDEF_AVLOG_DIR', '/var/log/clamav'); +define('HVDEF_CLAM_DBDIR', '/var/db/clamav'); +if(preg_match("/^2./",$pfSversion)) + define('HVDEF_AVLOG_DIR', '/var/log/clamav'); +else + define('HVDEF_AVLOG_DIR', '/var/log'); + define('HVDEF_CLAM_SOCKET', HVDEF_CLAM_RUNDIR.'/clamd.sock'); define('HVDEF_CLAM_PID', HVDEF_CLAM_RUNDIR.'/clamd.pid'); define('HVDEF_CLAM_LOG', HVDEF_AVLOG_DIR . '/clamd.log'); @@ -160,6 +171,7 @@ define('F_SCANIMG', 'scanimg'); define('F_SCANARC', 'scanarc'); define('F_SCANSTREAM', 'scanstream'); define('F_SCANARCMAXSIZE', 'scanarcmaxsize'); +define('F_SCANBROKENEXE', 'scanbrokenexe'); # antivirus options define('F_HAVPUPDATE', 'havpavupdate'); define('F_DBREGION', 'dbregion'); 
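Review bot: The `str_replace("\s", "", ...)` call on the new `$pfSversion` line strips nothing, because `"\s"` in a PHP double-quoted string is a literal backslash followed by `s` and `str_replace` does not understand regex classes; `$pfSversion = trim(file_get_contents("/etc/version"));` does what the line appears to intend. The version patterns also leave the dot unescaped, so `/^2.0/` here and `/^2./` in the HVDEF_AVLOG_DIR hunk accept any character in that position; `/^2\.0/` and `/^2\./` are tighter. The two hunks test different prefixes (2.0 versus 2.x), so a 2.1 system would get `/var/log` for HVDEF_LOG_DIR but `/var/log/clamav` for HVDEF_AVLOG_DIR; if that split is intended, a comment should say so. `file_get_contents` returns false when /etc/version is unreadable, which silently selects both else branches.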
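Review bot: The else branch that sets HVDEF_AVLOG_DIR to `/var/log` interacts badly with the existing `havp_set_file_access(HVDEF_AVLOG_DIR, HVDEF_USER, '0777');` call, visible as context in the later havp_check_system hunk: on those versions the helper is applied to the system log directory itself. The helper's body is not shown in this diff, but from its arguments it looks like it sets owner and mode, which would leave /var/log owned by the havp account and world-writable, so any local account could create, replace or remove log files there. Keeping a dedicated subdirectory on every version, or skipping the permission call when the directory is the shared one, avoids that. On a dedicated directory a mode such as `0750` should be enough for the daemon to write its own logs.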
@@ -344,8 +356,8 @@ function havp_resync() havp_reconfigure_freshclam(); havp_reconfigure_cron(); - # configure system filter - if (pfsense_version_() == '1') filter_configure(); + # configure system filter for 2.xx + if (pfsense_version_() !== '1') filter_configure(); } # ------------------------------------------------------------------------------ @@ -369,7 +381,12 @@ function havp_check_system() $grp = exec('pw group show ' . HVDEF_GROUP); if (strpos($grp, HVDEF_GROUP) !== 0) { exec('pw group add ' . HVDEF_GROUP); - log_error("Antivirus: Username '" . HVDEF_GROUP . "' was added."); + log_error("Antivirus: Group '" . HVDEF_GROUP . "' was added."); + } + $usr = exec('pw usershow -n ' . HVDEF_USER); + if (strpos($usr, HVDEF_USER) !== 0) { + exec('pw useradd ' . HVDEF_USER . ' -g ' . HVDEF_GROUP . ' -h - -s "/sbin/nologin" -d "/nonexistent" -c "havp daemon"'); + log_error("Antivirus: User '" . HVDEF_USER . "' was added."); } # workdir permissions @@ -380,6 +397,11 @@ function havp_check_system() mwexec("mkdir -p " . HVDEF_HAVPTEMP_DIR); havp_set_file_access(HVDEF_HAVPTEMP_DIR, HVDEF_USER, ''); + # clamav dbdir + if (!file_exists(HVDEF_CLAM_DBDIR)) + mwexec("mkdir -p " . HVDEF_CLAM_DBDIR); + havp_set_file_access(HVDEF_CLAM_DBDIR, HVDEF_AVUSER, ''); + # RAM tempdir if (!file_exists(HVDEF_RAMTEMP_DIR)) mwexec("mkdir -p " . HVDEF_RAMTEMP_DIR); @@ -409,6 +431,8 @@ function havp_check_system() if (!file_exists(HVDEF_CLAM_LOG)) file_put_contents(HVDEF_CLAM_LOG, ''); if (!file_exists(HVDEF_FRESHCLAM_LOG)) file_put_contents(HVDEF_FRESHCLAM_LOG, ''); # log dir permissions + if (!file_exists(HVDEF_AVLOG_DIR)) + mwexec("mkdir -p " . HVDEF_AVLOG_DIR); havp_set_file_access(HVDEF_AVLOG_DIR, HVDEF_USER, '0777'); # =-= ClamAV =-= 
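Review bot: The new `pw useradd` block logs "User ... was added" without checking whether the command succeeded, so a failed account creation is reported as success and the ownership changes that follow run against an account that may not exist. `exec()` takes an output array and a result code as its second and third arguments; capturing the result code and calling `log_error` with a failure message when it is non-zero would make this visible, and the same applies to the `pw group add` call just above. The existence test `strpos($usr, HVDEF_USER) !== 0` is only a prefix match; comparing against `HVDEF_USER . ':'` ties it to the complete name field of the passwd-style line that `pw usershow` prints. havp_check_system starts and ends outside this hunk.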
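Review bot: The added `mkdir -p` for HVDEF_AVLOG_DIR runs after the `file_put_contents()` calls that create the log files, so on a system where the directory is missing the file creation fails first. HVDEF_CLAM_LOG is defined as `HVDEF_AVLOG_DIR . '/clamd.log'` in the earlier defines hunk, so at least that file depends on the directory existing. Moving the `if (!file_exists(HVDEF_AVLOG_DIR)) mwexec("mkdir -p " . HVDEF_AVLOG_DIR);` pair above the `file_put_contents` lines fixes the order. The surrounding function continues outside this hunk.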
@@ -539,6 +563,7 @@ function havp_convert_pfxml_xml() $havp_config[F_SCANIMG] = ( $pfconf[F_SCANIMG] === 'on' ? 'true' : 'false' ); $havp_config[F_SCANARC] = ( $pfconf[F_SCANARC] === 'on' ? 'true' : 'false' ); $havp_config[F_SCANSTREAM] = ( $pfconf[F_SCANSTREAM] === 'on' ? 'true' : 'false' ); + $havp_config[F_SCANBROKENEXE] = ( $pfconf[F_SCANBROKENEXE] === 'on' ? 'true' : 'false' ); $havp_config[F_SCANARCMAXSIZE] = ( is_numeric($pfconf[F_SCANARCMAXSIZE]) ? $pfconf[F_SCANARCMAXSIZE] : HVDEF_MAXARCSCANSIZE ); # log $havp_config[F_SYSLOG] = ( $pfconf[F_SYSLOG] === 'on' ? 'true' : 'false' ); @@ -751,9 +776,13 @@ function havp_config_clam() $conf[] = "DetectPUA no"; # possible unwanted applications $conf[] = "AlgorithmicDetection yes"; $conf[] = "# executable"; + if ($havp_config[F_SCANBROKENEXE] === 'true') + {$conf[] = "DetectBrokenExecutables yes";} + else + {$conf[] = "DetectBrokenExecutables no";} + # $conf[] = "ScanPE yes"; $conf[] = "ScanELF yes"; - $conf[] = "DetectBrokenExecutables yes"; $conf[] = "# documents"; $conf[] = "ScanOLE2 yes"; $conf[] = "ScanPDF yes"; @@ -830,7 +859,7 @@ function havp_config_freshclam() $conf[] = "PidFile /var/run/clamav/freshclam.pid"; $conf[] = "\n# db"; - $conf[] = "DatabaseOwner clamav"; + $conf[] = "DatabaseOwner havp"; $conf[] = "AllowSupplementaryGroups yes"; $conf[] = "DNSDatabaseInfo current.cvd.clamav.net"; @@ -857,7 +886,7 @@ function havp_config_freshclam() case 'sa': $conf[] = "DatabaseMirror clamav.dial-up.net"; break; # south africa case 'tw': $conf[] = "DatabaseMirror clamav.cs.pu.edu.tw"; break; # taiwan case 'uk': $conf[] = "DatabaseMirror clamav.oucs.ox.ac.uk"; break; # united kingdom - case 'us': $conf[] = "DatabaseMirror clamav.catt.com "; break; # united states + case 'us': $conf[] = "DatabaseMirror db.us.clamav.net "; break; # united states default: break; } } 
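Review bot: A configuration saved before this change has no `scanbrokenexe` key, so this conversion line yields 'false' and the havp_config_clam hunk below then writes `DetectBrokenExecutables no`, where the previous code always wrote `yes`. The `<default_value>on</default_value>` added in havp.xml presumably applies only when the settings form is rendered, so an upgraded install would silently lose this detection until the page is saved again. If that holds, a one-time migration that sets the key for existing configurations, or a comment and release note stating the change of default, would avoid an unnoticed drop in coverage. Reading the missing index also raises a PHP notice.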
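Review bot: `DatabaseOwner havp` hard-codes the account name, while havp_check_system in this same commit hands the database directory to a constant via `havp_set_file_access(HVDEF_CLAM_DBDIR, HVDEF_AVUSER, '')`. The value of HVDEF_AVUSER is not visible in this diff; if it is not the havp account, freshclam would drop to a user that cannot write the database directory and signature updates would fail, leaving the scanner on stale definitions. Building the line from the constant that owns the directory, `$conf[] = "DatabaseOwner " . HVDEF_AVUSER;`, keeps the two in step. havp_config_freshclam continues outside this hunk.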
@@ -1140,6 +1169,11 @@ function havp_generate_rules($type = 'filter') global $config, $havp_config; $rules = array(); + # no rules if havp disabled + if ($havp_config[F_ENABLE] !== 'true') { + return ''; + } + $proxymode = $havp_config[F_PROXYMODE]; # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # =-= HAVP always listen 127.0.0.1:port =-= @@ -1288,14 +1322,17 @@ function havp_startup_script() { global $havp_config; $pid = HVDEF_PID_FILE; - $havpchk = "ps auxw | grep \"[h]avp -c\"|awk '{print $2}'"; + $havpchk = "ps auxw | grep \"[h]avp -c\"|awk '{print $2}'"; $clamdchk = "ps auxw | grep \"[c]lamd -c\"|awk '{print $2}'"; # rc script $rc = array(); $rc['file'] = basename(HVDEF_HAVP_STARTUP_SCRIPT); - $s[] = "# start"; + $s[] = "\t# init"; + $s[] = "\techo 'Starting ..' > " . HVDEF_HAVP_STATUS_FILE; + + $s[] = "\t# start"; $s[] = "\tif [ -z \"`{$havpchk}`\" ];then"; if (HV_USE_CLAMD === 'true') { $clampid_dir = HVDEF_CLAM_RUNDIR; @@ -1319,8 +1356,15 @@ function havp_startup_script() } $s[] = "\t\t/usr/local/sbin/havp -c " . HVDEF_HAVP_CONFIG . " 2>/dev/null"; $s[] = "\t\twait"; + $s[] = "\tfi"; + + $s[] = "\t# Status"; + $s[] = "\tif [ -z \"`{$havpchk}`\" ];then"; + $s[] = "\t\techo 'Stopped' > " . HVDEF_HAVP_STATUS_FILE; + $s[] = "\telse"; $s[] = "\t\techo 'Started' > " . HVDEF_HAVP_STATUS_FILE; $s[] = "\tfi"; + $s[] = ""; $rc['start'] = implode("\n", $s); unset($s); @@ -1543,7 +1587,7 @@ function havp_fscan_html() <hr> <span onClick="document.getElementById('scanfilepath').value = '/var/squid';" style="cursor: pointer;"> <img src='./themes/{$g['theme']}/images/icons/icon_pass.gif' title='Click here'> - <font size='-1'><u> Squid cache path (scan you squid cache now).</u></font> + <font size='-1'><u> Squid cache path (scan your squid cache now).</u></font> </img> </span> <br> diff --git a/config/havp/havp.xml b/config/havp/havp.xml index c7841956..6d991a81 100644 --- a/config/havp/havp.xml +++ b/config/havp/havp.xml 
@@ -70,8 +70,8 @@ Select interface mode: <br> <b> standard </b> - client(s) bind to the 'proxy port' on selected interface(s); <br> <b> parent for squid </b> - configure HAVP as parent for Squid proxy;<br> - <b> transparent </b> - all 'http' requests on interface(s) will be translated to the HAVP proxy server without any client(s) additional configuration necessary (worked as 'parent for squid' with 'transparent' Squid proxy); <br> - <b> internal </b> - HAVP listen internal interface (127.0.0.1) on 'proxy port', use you own traffic forwarding rules.<br> + <b> transparent </b> - all HTTP requests on interface(s) will be directed to the HAVP proxy server without any client configuration necessary (works as parent for squid with transparent Squid proxy); <br> + <b> internal </b> - HAVP will listen on the loopback (127.0.0.1) on configured 'proxy port.' Use you own traffic forwarding rules.<br> </description> <type>select</type> <default_value>standard</default_value> @@ -85,7 +85,7 @@ <field> <fielddescr>Proxy interface(s)</fielddescr> <fieldname>proxyinterface</fieldname> - <description>The interface(s) for client connections to the proxy. Use 'Ctrl' + L.Click for multiple selection.</description> + <description>The interface(s) for client connections to the proxy. Use 'Ctrl' + L. Click for multiple selection.</description> <type>interfaces_selection</type> <required/> <multiple/> @@ -125,7 +125,7 @@ <fielddescr>Enable Forwarded IP</fielddescr> <fieldname>enableforwardedip</fieldname> <description> - If HAVP is used as parent proxy by some other proxy, this allows to write the real users IP to log, instead of proxy IP. + If HAVP is used as a parent proxy for some other proxy, this allows writing the real user's IP to log, instead of the proxy IP. </description> <type>checkbox</type> </field> 
@@ -150,7 +150,7 @@ <field> <fielddescr>Max download size, Bytes</fielddescr> <fieldname>maxdownloadsize</fieldname> - <description>Enter value (in Bytes) or leave empty. Downloads larger, than 'Max download size' will be blocked. Only if not Whitelisted!</description> + <description>Enter value (in Bytes) or leave empty. Downloads larger than 'Max download size' will be blocked if not whitelisted.</description> <type>input</type> <size>10</size> <default_value></default_value> @@ -169,8 +169,8 @@ <fielddescr>Whitelist</fielddescr> <fieldname>whitelist</fieldname> <description> - Enter each destination url on a new line that will be accessable to the users without scanning. - Use '*' symbol for mask. Example: *.pfsense.com/*, *sourceforge.net/*clamav-*, */*.xml, */*.inc + Enter each destination URL on a new line that will be accessable to the users without scanning. + Use '*' symbol for mask. Example: *.github.com/*, *sourceforge.net/*clamav-*, */*.xml, */*.inc </description> <type>textarea</type> <cols>60</cols> @@ -196,10 +196,10 @@ <fielddescr>Enable RAM Disk</fielddescr> <fieldname>enableramdisk</fieldname> <description> - This option allow use RAM Disk for HAVP temp files for more quick traffic scan. - Ram Disc size depend from 'ScanMax file size and avialable memory. - This option can be ignored in VMVare or on 'low system memory'. - ( RAM Disk size calculated as [1/4 avialable system memory] > [Scan max file size] * 100 ) + This option allow use RAM disk for HAVP temp files for more quick traffic scan. + RAM disk size depends on 'ScanMax' file size and available memory. + This option can be ignored on systems with low memory. + ( RAM disk size calculated as [1/4 available system memory] > [Scan max file size] * 100 ) </description> <type>checkbox</type> </field> 
@@ -209,7 +209,7 @@ <description> Select this value for limit maximum file size or leave '---(5M)'. Files larger than this limit won't be scanned. - Small values increace scan speed and maximum new connections per second and allow RAM Disk use. + Small values increace scan speed and maximum new connections per second and allow RAM disk use. <br> NOTE: Setting limit is a security risk, because some archives like ZIP need all the data to be scanned properly! Use this only if you @@ -267,6 +267,13 @@ <type>checkbox</type> </field> <field> + <fielddescr>Scan Broken Executables</fielddescr> + <fieldname>scanbrokenexe</fieldname> + <description>Check this to enable the Heuristic Broken Executable scan.</description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> <fielddescr>Log</fielddescr> <fieldname>log</fieldname> <description>Check this for enable log.</description> |