Hi,
I've been trying to get clamonacc to monitor the overlay2 file system
where Docker container file systems are mounted on my Linux (Ubuntu
24.04) VM, so that I can detect any malware which makes its way into a
container (e.g., via downloaded). I am trying to do this by running
clamonacc on the Linux host, since running clamonacc in each container
would be too resource (memory) hungry, so I do not want to do it per
container.
What works: If I modify clamd.conf so that OnAccessMountPath points to
/home/<my_username> (which is a directory on my host VM) and run
sudo clamonacc --move=<directory_for_infected_files>
it works as I expect, in that it immediately logs as malware and moves an
eincar.txt test malware file that I place in any of /home/<my_username>
and its subdirectories.
What doesn't work: However, if I point OnAccessMountPath
to /var/lib/docker/overlay2, which contains the merged overlay file
system of a running Docker container in a subdirectory located on my
host VM at
/var/lib/docker/overlay2/<sha>/merged
it doesn't detect any eincar.txt I copy anywhere into the container (I
can see the eincar.txt when I shell into the container).
Can anyone please tell me why this is? I'm a little surprised this
doesn't work since by comparison I can set up an inotify watcher (using
the inotifywatch command line command) on the Linux VM host to
watch /var/lib/docker/overlay2/ and this inotify watcher will happily
detect and report events if I create/modify/delete any file in the
running container.
Why does clamonacc not work across this Docker mount whereas inotify
does and how do I fix it? Is there some config value that I have missed
in clamd.conf?
Any help would be very much appreciated.
Thomas
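A diagnostic a reader could run on the host before changing clamd.conf (an added example, not the poster's code and not part of ClamAV): it parses text in /proc/self/mountinfo format to show which mount a given OnAccessMountPath actually lands on and which mounts are stacked beneath it. It assumes, per fanotify(7)'s FAN_MARK_MOUNT, that a mount mark covers one mount and none of the mounts below it, and that OnAccessMountPath is implemented as such a mark; the mountinfo sample is constructed.

```python
# Added diagnostic, not from the clamav-users thread: which mount does a path
# live on, and which mounts sit beneath it?  Assumption: OnAccessMountPath is a
# fanotify mount mark, which covers exactly one mount and none of its sub-mounts.
import os

def parse_mountinfo(text):
    """Return [(mount_point, fstype, source)] from /proc/self/mountinfo text."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        fields = left.split()                       # id parent maj:min root mnt opts ...
        mount_point = fields[4].replace("\\040", " ")  # mountinfo escapes spaces
        fstype, source = right.split()[:2]
        mounts.append((mount_point, fstype, source))
    return mounts

def covering_mount(mounts, path):
    """Longest mount point that is a prefix of path: the mount a mark would hit."""
    path = os.path.normpath(path)
    best = None
    for mp, fstype, src in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype, src)
    return best

def submounts_under(mounts, path):
    """Mounts strictly below path; a mount mark on path reports no events from these."""
    prefix = os.path.normpath(path).rstrip("/") + "/"
    return [m for m in mounts if m[0].startswith(prefix)]

# Constructed sample resembling a Docker host; not output from the poster's VM.
SAMPLE = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
90 22 0:45 / /var/lib/docker/overlay2/abc123/merged rw,relatime - overlay overlay rw,lowerdir=...,upperdir=...,workdir=...
"""

def report(text=SAMPLE, watch="/var/lib/docker/overlay2"):
    """Return (mount the mark lands on, sub-mounts it will not see)."""
    mounts = parse_mountinfo(text)
    return covering_mount(mounts, watch), submounts_under(mounts, watch)

if __name__ == "__main__":
    covered, missed = report()
    print("OnAccessMountPath mark lands on:", covered)
    print("sub-mounts the mark does not cover:", missed)
```

Run it against the real host with `report(open("/proc/self/mountinfo").read())`; each container's merged directory shows up as its own overlay mount below /var/lib/docker/overlay2, outside the mark on the parent filesystem.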
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users