Issue
This article addresses a solution to:
- Imunify360 does not trigger my custom script when a notification event is triggered;
- How can I write a custom script to be used with the notification engine;
- The custom script does not send an e-mail.
Environment
- Imunify360
- ImunifyAV
Solution
By design, the imunify-notifier daemon drops privileges to the _imunify user, so that an insecure custom script cannot be abused to escalate to root. Every hook script therefore runs as the very limited _imunify user.
Make sure the script has the execute ("x") bit set for the _imunify user or group, for example:
# chown root:_imunify hook_script.sh && \
chmod g+x hook_script.sh
We provide a sample script that works well in most scenarios. It sends one e-mail per event. You can use it as a generic template and add your own changes and integrations.
How to use the script:
# cd /etc/imunify360 && \
curl https://docs.imunify360.com/hook_script.sh -O && \
chown root:_imunify hook_script.sh && \
chmod g+x hook_script.sh
Change the following two lines of the script to enable sending an e-mail:
MAIL_ENABLE=yes # default no, change to "yes" for enabling
MAIL_TO="your-email@domain" # for multiple email addresses, use commas
Then hook the script up to the desired event:
# imunify360-agent notifications-config update '{"rules": {"CUSTOM_SCAN_MALWARE_FOUND": {"SCRIPT": {"scripts": ["/etc/imunify360/hook_script.sh"], "enabled": true}}}}'
Test whether the notification event is matched upon malware detection:
# cd /home/imunifytest/public_html && \
curl https://secure.eicar.org/eicar.com.txt -O && \
chown imunifytest: eicar.com.txt
# imunify360-agent malware on-demand start \
--path /home/imunifytest/public_html/eicar.com.txt
Check the MTA logs, for example:
# tail -f /var/log/maillog | grep _imunify
2022-03-28 19:11:38 SMTP connection identification H=localhost A=127.0.0.1 P=38558 U=_imunify ID=987 S=_imunify B=identify_local_connection
The following is the list of events with sidenotes:
- USER_SCAN_FINISHED – occurs immediately after a user scan has finished, regardless of whether malware was found;
- USER_SCAN_MALWARE_FOUND – occurs when the malware scan of a user account has finished and malware was found;
- USER_SCAN_STARTED – occurs immediately after a user scan has started;
- CUSTOM_SCAN_STARTED – occurs immediately after an on-demand (manual) scan has started;
- CUSTOM_SCAN_FINISHED – occurs immediately after an on-demand (manual) scan has finished, regardless of whether malware was found;
- CUSTOM_SCAN_MALWARE_FOUND – occurs when an on-demand scan has finished and malware was found;
- REALTIME_MALWARE_FOUND – occurs when malware is detected during real-time scanning (Imunify360 only);
- SCRIPT_BLOCKED – occurs when Proactive Defense has blocked a malicious script (Imunify360 only).
All the events above relate to malware scanning, except SCRIPT_BLOCKED, which is triggered by Proactive Defense when it blocks a script. Proactive Defense is an advanced mechanism that protects against 0-day attacks in addition to the malware scan.
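For those who want to write their own script rather than adapt the sample, the following is an added example of a minimal hook that handles every event id listed above; it is not the docs.imunify360.com sample script. It assumes the agent runs the script as _imunify and pipes the event to stdin as a flat JSON object carrying an "event_id" key, and that the log file path is writable by _imunify (both are assumptions, not documented here).

```shell
#!/bin/sh
# Minimal notification hook for the imunify-notifier engine (added example,
# not the docs.imunify360.com sample). Assumed: the agent runs this script as
# user _imunify and pipes the event as a flat JSON object with an "event_id"
# key on stdin; LOG_FILE must be writable by _imunify.
MAIL_ENABLE="${MAIL_ENABLE:-no}"       # change to "yes" to send e-mail
MAIL_TO="${MAIL_TO:-}"                 # comma-separated recipients
LOG_FILE="${LOG_FILE:-/var/log/imunify360-hook.log}"

# Pull one top-level string value out of the JSON on stdin using sed only,
# so the hook does not depend on jq being present on the host.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# One subject line per event family; unknown ids are reported, not dropped.
subject_for() {
  case "$1" in
    *_MALWARE_FOUND) printf 'Imunify360: malware found (%s)' "$1" ;;
    SCRIPT_BLOCKED)  printf 'Imunify360: Proactive Defense blocked a script' ;;
    *_SCAN_STARTED|*_SCAN_FINISHED) printf 'Imunify360: scan event %s' "$1" ;;
    *)               printf 'Imunify360: unhandled event %s' "$1" ;;
  esac
}

# Log the event, optionally mail it, and echo the subject line.
handle_event() {
  payload="$1"
  event=$(printf '%s' "$payload" | json_field event_id)
  [ -n "$event" ] || event="UNKNOWN"
  subject=$(subject_for "$event")
  printf '%s %s payload=%s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" \
    "$subject" "$payload" >> "$LOG_FILE"
  if [ "$MAIL_ENABLE" = "yes" ] && [ -n "$MAIL_TO" ]; then
    printf '%s\n' "$payload" | mail -s "$subject" "$MAIL_TO"
  fi
  printf '%s' "$subject"
}

# Entry point: only runs when invoked as _imunify, which is how the agent
# calls the hook. That also makes a manual test exercise the same permissions:
#   echo '{"event_id":"CUSTOM_SCAN_MALWARE_FOUND"}' | sudo -u _imunify /etc/imunify360/hook_script.sh
if [ "$(id -un)" = "_imunify" ]; then
  handle_event "$(cat)"
fi
```

If the manual test above prints nothing and the log file stays empty, the script is not executable or readable for _imunify, which is the cause behind the first two symptoms listed under Issue.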