4.2.2.1. Operation principle
The on-access scanner ‘libnod32pac.so’ (NOD32 Preload library based File Access Controller) is a shared object library that is used as a preload library for LIBC and can become functional during system start-up. It is thus applicable to file system servers that use LIBC calls, for instance an FTP server, a Samba server, etc.
Scanning of each file system object is performed upon a customizable file access event of the user and/or the operating system. The following file access types are supported by the current version:
ON_OPEN events
This file access type is controlled when the first bit of the integer parameter ’event_mask’ in the main NOD32 configuration file (section [pac]) is set to 1. In this case all ’open’ and ’open64’ calls of the LIBC are intercepted.
ON_CLOSE events
This file access type is controlled when the second bit of the integer parameter ’event_mask’ in the main NOD32 configuration file (section [pac]) is set to 1. In this case all ’close’, ’dup’ and ’dup2’ calls of the LIBC are intercepted.
By using this mechanism all opened and closed descriptors are examined, and as a result of this scanning the access to the files is denied or allowed.
4.2.2.2. Installation and configuration
The ‘libnod32pac.so’ installation is done using the standard installation mechanism of preload libraries. One has just to define the environment variable ’LD_PRELOAD’ with the absolute path pointing to the ‘libnod32pac.so’ library. Please refer also to the manual page ld.so(8) for further information.
IMPORTANT: Note that the ’LD_PRELOAD’ environment variable has to be defined only for the network server daemon process (ftp, samba, etc.) that we would like to have under control. In general it is not recommended to preload LIBC calls in all operating system processes: for controlling the selected file system area it is not necessary, and it can dramatically slow down the system or even cause a system hang-up. In this sense all mechanisms using the ‚/etc/ld.so.preload‘ configuration file are incorrect, as are mechanisms using an ‚export LD_PRELOAD‘ statement. Both would override all relevant LIBC calls in the whole system, which leads to a system hang-up during its initialization.
Thus, in order to intercept only the relevant file access calls related to objects within the selected file system area, one has to override the executable statement of the appropriate network file system server with the following line
LD_PRELOAD=/usr/lib/libnod32pac.so COMMAND COMMAND-ARGUMENTS
where ’COMMAND COMMAND-ARGUMENTS’ is the original executable statement.
Note also that for the proper run of the on-access scanner it is necessary to define the file system objects (i.e. directories and files) that are required to be under control of the preload library. This can be achieved via the ’ctl_incl’ and ’ctl_excl’ configuration options defined within the [pac] section of the configuration file.
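The following shell script is an added example and is not part of the NOD32 manual or product. It shows the two points the section makes: the per-process form ‘LD_PRELOAD=/usr/lib/libnod32pac.so COMMAND COMMAND-ARGUMENTS’ keeps the preload scoped to the daemon, whereas ‘export LD_PRELOAD’ leaks it to every later command in the shell; and it reads ’event_mask’ from the [pac] section of a constructed configuration file and decodes which access events (first bit ON_OPEN, second bit ON_CLOSE) are intercepted. The library path is the one the manual gives; the configuration file contents, the helper names and the use of ‘sh -c’ as a stand-in for a daemon are assumptions of this example, and the library need not exist for the scoping to be visible (the loader only warns on stderr).

```shell
#!/bin/sh
# Added example, not from the NOD32 manual. Demonstrates per-process LD_PRELOAD
# scoping and decoding of the [pac] 'event_mask' setting.

NOD32_PAC_LIB=/usr/lib/libnod32pac.so   # path as given in the manual

# run_with_preload CMD [ARGS...]: start CMD with LD_PRELOAD set for that
# process only, the form the manual prescribes for the daemon line.
run_with_preload() {
    LD_PRELOAD="$NOD32_PAC_LIB" "$@"
}

# child_sees_preload: what the started process observes in LD_PRELOAD.
# 'sh -c' stands in for the daemon (assumption of this example).
child_sees_preload() {
    run_with_preload sh -c 'printf "%s" "$LD_PRELOAD"'
}

# preload_stays_scoped: returns 0 when the calling shell's own LD_PRELOAD is
# unchanged after a scoped invocation, i.e. nothing leaked to later commands.
preload_stays_scoped() {
    before=${LD_PRELOAD:-}
    run_with_preload sh -c ':' 2>/dev/null
    [ "${LD_PRELOAD:-}" = "$before" ]
}

# exported_preload_leaks: the pattern the manual warns against. After
# 'export LD_PRELOAD=...' every later command inherits the library, not just
# the daemon. Runs in a subshell so the export does not escape this function.
exported_preload_leaks() {
    (
        export LD_PRELOAD="$NOD32_PAC_LIB"
        sh -c 'printf "%s" "$LD_PRELOAD"' 2>/dev/null   # an unrelated later command
    )
}

# make_sample_config: writes a constructed configuration file (not a real
# nod32 configuration) and prints its path. Only the [pac] section counts;
# the [global] event_mask is there to show it is ignored.
make_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[global]
event_mask = 0

[pac]
ctl_incl = /srv/samba/shared
ctl_excl = /srv/samba/shared/tmp
event_mask = 3
EOF
    printf '%s' "$f"
}

# pac_event_mask CONFIG_FILE: prints the integer 'event_mask' from [pac].
pac_event_mask() {
    awk -F= '
        /^[[:space:]]*\[/ { in_pac = ($0 ~ /^[[:space:]]*\[pac\]/); next }
        in_pac && $1 ~ /^[[:space:]]*event_mask[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); print $2; exit
        }' "$1"
}

# pac_events MASK: names the events a mask enables (bit 1 ON_OPEN, bit 2 ON_CLOSE).
pac_events() {
    mask=$1
    out=""
    [ $((mask & 1)) -ne 0 ] && out="ON_OPEN"
    [ $((mask & 2)) -ne 0 ] && out="${out:+$out }ON_CLOSE"
    printf '%s' "$out"
}

# Stand-alone run: show the scoping difference and decode the sample config.
if [ "${0##*/}" != "sh" ] && [ "${1:-}" = "demo" ]; then
    printf 'scoped child sees: %s\n' "$(child_sees_preload 2>/dev/null)"
    preload_stays_scoped && echo "parent shell unchanged after scoped call"
    printf 'after export, later command sees: %s\n' "$(exported_preload_leaks)"
    cfg=$(make_sample_config)
    mask=$(pac_event_mask "$cfg")
    printf 'event_mask=%s enables: %s\n' "$mask" "$(pac_events "$mask")"
    rm -f "$cfg"
fi
```

Run it as ‘sh example.sh demo’. In an init script the relevant change is the daemon line alone: call the server through the scoped form instead of placing an export (or an /etc/ld.so.preload entry) above it, so that the shell and every other command it starts run without the preload.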
4.2.2.3. Tips
In order to provide the on-access scanner functionality immediately after the network file system server starts up, it is good practice to define the environment variable ’LD_PRELOAD’ directly within the appropriate network file server initialization script.
EXAMPLE: Let’s assume we would like the on-access scanner to catch all file system access events immediately after starting the Samba server. Thus within the initialization script concerned with the Samba daemon (/etc/init.d/smb), we replace the statement
daemon /usr/sbin/smbd $SMBDOPTIONS
NOD32 for Linux/BSD File Server