How to test a custom script on Imunify360 notification engine?

Issue

This article addresses a solution to:

• Imunify360 does not trigger my custom script when a notification event is triggered;
• How can I write a custom script to be used with the notification engine;
• The custom script does not send an e-mail.

Environment

• Imunify360
• ImunifyAV

Solution

By design, the imunify-notifier daemon drops privileges to the _imunify user to avoid any kind of escalation to root in case of security issues with insecure custom scripts, so it runs over a very limited user, _imunify.

You need to make sure of checking if the script has the "x" bit allowing execution for the _imunify user/group:

# chown root:_imunify hook_script.sh && \
    chmod g+x hook_script.sh

We have a sample script that works pretty well in most of the scenarios. It supports sending an e-mail once upon an event. This script can be used as a generic code and you can add your custom changes and implement your own integrations.

Please note that fro the script to work the jq package is required.

How to use the script:

cd /etc/imunify360 && \
      curl https://docs.imunify360.com/hook_script.sh -O && \
      chown root:_imunify hook_script.sh && \
      chmod g+x hook_script.sh

Change the following two lines of the script to enable sending an e-mail:

MAIL_ENABLE=yes              # default no, change to "yes" for enabling

MAIL_TO="your-email@domain"  # for multiple email addresses, use commas

Then, hook up the script to a desired event:

# imunify360-agent notifications-config update '{"rules": {"CUSTOM_SCAN_MALWARE_FOUND":
        {"SCRIPT": {"scripts": ["/etc/imunify360/hook_script.sh"], "enabled":
        true}}}}'

Test if upon malware detection the notification event is being matched:

# cd /home/imunifytest/public_html && \
    curl https://secure.eicar.org/eicar.com.txt -O && \
    chown imunifytest: eicar.com.txt

# imunify360-agent malware on-demand start \
        --path /home/imunifytest/public_html/eicar.com.txt

Look at MTA logs, example:

# tail -f /var/log/maillog | grep _imunify

2022-03-28 19:11:38 SMTP connection identification H=localhost A=127.0.0.1 P=38558 U=_imunify ID=987 S=_imunify B=identify_local_connection

The following is the list of events with sidenotes: 

• USER_SCAN_FINISHED – occurs immediately after the user scanning has finished, regardless the malware has been found or not;
• USER_SCAN_MALWARE_FOUND – occurs when the malware scanning process of a user account has finished and malware is found;
• USER_SCAN_STARTED – occurs immediately after the user scanning has started;
• CUSTOM_SCAN_STARTED – occurs immediately after on-demand (manual) scanning has started;
• CUSTOM_SCAN_FINISHED – occurs immediately after on-demand (manual) scanning has finished, regardless the malware has been found or not;
• CUSTOM_SCAN_MALWARE_FOUND – occurs when the on-demand scanning process has finished and malware is found;
• REALTIME_MALWARE_FOUND – occurs when malware is detected during real-time scanning. (Only Imunify360);
• SCRIPT_BLOCKED – occurs when the Proactive Defense has blocked the malicious script. (Only Imunify360).

All the events above will work on malware scanning, except the SCRIPT_BLOCKED that is related to Proactive Defense and it's triggered upon an event of script blocking, it's an advanced mechanism that protects against 0days besides the malware scan.