Issue
This article addresses a solution to:
- Imunify360 does not trigger my custom script when a notification event is triggered;
- How can I write a custom script for the notification engine?
- The custom script does not send an e-mail.
Environment
- Imunify360
- ImunifyAV
Solution
By design, the imunify-notifier daemon drops privileges to the unprivileged _imunify user before it runs custom scripts, so a vulnerable or malicious hook script cannot be used to escalate to root.
Because of this, make sure the script can be executed by the _imunify user: the file's group must be _imunify and the group must have the "x" bit (the group also needs read access, which a file downloaded as root normally already has, so that the interpreter can open the script):
# chown root:_imunify hook_script.sh && \
chmod g+x hook_script.sh
We provide a sample script that covers most scenarios: it sends one e-mail per event. Use it as a generic starting point and add your own changes and integrations to it.
NB! Please note that for the script to work, the jq package is required.
How to use the script:
# cd /etc/imunify360 && \
curl https://docs.imunify360.com/hook_script.sh -O && \
chown root:_imunify hook_script.sh && \
chmod g+x hook_script.sh
Change the following two lines of the script to enable sending an e-mail:
MAIL_ENABLE=yes # default no, change to "yes" for enabling
MAIL_TO="your-email@domain" # for multiple email addresses, use commas
Then, hook up the script to a desired event:
# imunify360-agent notifications-config update '{"rules": {"CUSTOM_SCAN_MALWARE_FOUND": {"SCRIPT": {"scripts": ["/etc/imunify360/hook_script.sh"], "enabled": true}}}}'
Test whether the notification event is matched on malware detection by placing an EICAR test file in a test account and scanning it:
# cd /home/imunifytest/public_html && \
curl https://secure.eicar.org/eicar.com.txt -O && \
chown imunifytest: eicar.com.txt
# imunify360-agent malware on-demand start \
--path /home/imunifytest/public_html/eicar.com.txt
Then check the MTA logs for a connection from the _imunify user, for example:
# tail -f /var/log/maillog | grep _imunify
2022-03-28 19:11:38 SMTP connection identification H=localhost A=127.0.0.1 P=38558 U=_imunify ID=987 S=_imunify B=identify_local_connection
The following is the list of events with side notes:
- USER_SCAN_FINISHED – occurs immediately after a user scan has finished, regardless of whether malware was found;
- USER_SCAN_MALWARE_FOUND – occurs when the malware scan of a user account has finished and malware was found;
- USER_SCAN_STARTED – occurs immediately after a user scan has started;
- CUSTOM_SCAN_STARTED – occurs immediately after an on-demand (manual) scan has started;
- CUSTOM_SCAN_FINISHED – occurs immediately after an on-demand (manual) scan has finished, regardless of whether malware was found;
- CUSTOM_SCAN_MALWARE_FOUND – occurs when an on-demand scan has finished and malware was found;
- REALTIME_MALWARE_FOUND – occurs when malware is detected by real-time scanning (Imunify360 only);
- SCRIPT_BLOCKED – occurs when Proactive Defense has blocked a malicious script (Imunify360 only).
All the events above are tied to malware scanning, except SCRIPT_BLOCKED, which belongs to Proactive Defense and fires when a script is blocked (Proactive Defense is a separate mechanism that protects against zero-day attacks in addition to the malware scan).
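If you would rather write your own hook than adapt the sample script, the following is an added example of a minimal notification hook that covers both the permission requirement above and the event list. It is not the hook_script.sh from docs.imunify360.com and not part of this article. It assumes that imunify-notifier passes the event to the script as a JSON object on stdin with event_id, subject and message fields, and that /var/log/imunify360/custom_hook.log is writable by _imunify; all of these are assumptions, so verify them against the payload you actually receive (for example by logging raw stdin once) before relying on the field names.

```shell
#!/bin/bash
# Added example: a minimal custom notification hook for imunify-notifier.
# Assumptions (not confirmed by the article): the daemon writes the event as a
# JSON object to the script's stdin, and that object carries "event_id",
# "subject" and "message". The log path is also an assumption; its directory
# must be writable by the _imunify user, since that is who runs the hook.
set -u

LOG_FILE="${HOOK_LOG_FILE:-/var/log/imunify360/custom_hook.log}"

# Return one top-level string field of a JSON object. jq is used when present
# (the article lists it as a requirement); a sed fallback handles flat,
# single-line payloads so the hook degrades instead of silently doing nothing.
json_field() {
    local field="$1" payload="$2"
    if command -v jq >/dev/null 2>&1; then
        printf '%s' "$payload" | jq -r --arg f "$field" '.[$f] // empty'
    else
        printf '%s' "$payload" |
            sed -n "s/.*\"$field\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
    fi
}

# Map an event name to the action the hook should take. The *_MALWARE_FOUND
# events (including REALTIME_MALWARE_FOUND) and SCRIPT_BLOCKED are worth
# alerting on; scan start/finish are informational; anything unknown is
# ignored, so a future event name cannot trigger an unexpected side effect.
classify_event() {
    case "$1" in
        *_MALWARE_FOUND|SCRIPT_BLOCKED) echo "alert" ;;
        *_SCAN_STARTED|*_SCAN_FINISHED) echo "info" ;;
        *) echo "ignore" ;;
    esac
}

# Turn one payload into a single log record. Fails when the payload has no
# event_id so a misconfigured hook is visible instead of silent.
handle_event() {
    local payload="$1" event_id action subject
    event_id="$(json_field event_id "$payload")"
    if [ -z "$event_id" ]; then
        echo "hook: payload has no event_id" >&2
        return 1
    fi
    action="$(classify_event "$event_id")"
    subject="$(json_field subject "$payload")"
    printf '%s action=%s subject=%s\n' "$event_id" "$action" "${subject:-<none>}"
}

# Preflight for the permission requirement from the article: the notifier runs
# the hook as _imunify, so the file's group must have read and execute (group
# mode digit 5 or 7) and, by default, must be _imunify. Uses GNU stat (Linux).
check_hook_perms() {
    local file="$1" want_group="${2:-_imunify}" mode group gdigit
    [ -f "$file" ] || { echo "FAIL: $file does not exist"; return 1; }
    mode="$(stat -c '%a' "$file")"
    group="$(stat -c '%G' "$file")"
    gdigit="$(printf '%s' "$mode" | sed 's/.*\(.\).$/\1/')"   # second-to-last digit
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; return 1
    fi
    case "$gdigit" in
        5|7) echo "OK: mode $mode, group $group"; return 0 ;;
        *)   echo "FAIL: mode $mode gives the group no r+x (try chmod g+rx)"; return 1 ;;
    esac
}

# Entry point used when the notifier executes the file. Reading stdin is
# skipped on a terminal so the functions can be sourced and called by hand.
main() {
    local payload="" record
    if [ ! -t 0 ]; then
        payload="$(cat)"
    fi
    if [ -z "$payload" ]; then
        echo "hook: no payload on stdin, nothing to do" >&2
        return 0
    fi
    record="$(handle_event "$payload")" || return 1
    # Fall back to stdout if the log is not writable by _imunify, rather than
    # losing the event entirely.
    printf '%s %s\n' "$(date -u +%FT%TZ)" "$record" 2>/dev/null >> "$LOG_FILE" ||
        printf '%s %s\n' "$(date -u +%FT%TZ)" "$record"
}

main
```

Install it exactly as the steps above describe (owner root:_imunify, group read and execute), then register its path with `imunify360-agent notifications-config update` for the events you want. Sourcing the file from an interactive shell skips main because stdin is a terminal, so `check_hook_perms /etc/imunify360/hook_script.sh` can be run by hand to confirm the permission bits before waiting for a real event.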