Dazuko is an interface for antivirus scanners. In this document we use the ClamAV scanner to connect to the Dazuko interface provided by the RSBAC DAZ module.

Preparing your system

First of all, make sure the DAZ module is selected, compiled and active in your RSBAC kernel.

# grep DAZ /proc/rsbac-info/active
Switching: available for DAZ FF RC ACL CAP JAIL RES PAX
Module: DAZ on

A device node is also needed for communication between the userland scanner and the Dazuko implementation in RSBAC. You will have to create it if you do not have it.

Note: the following is only required when using a Linux 2.4 kernel. On 2.6 and above, the device is created automatically by udev.

Note that depending on your Linux distribution, you might be able to simply create the dazuko device the standard way, as the /dev tree is backed up and restored automatically at boot. In any case, make sure that /dev/dazuko is created or recreated at boot time.

Check Dazuko's device major number (the RSBAC default is 250; you can change it during kernel configuration):

# grep dazuko /proc/devices
250 dazuko <= Major number is 250

Create the device (with major number 250):

# mknod -m 0600 /dev/dazuko c 250 0

Setting up ClamAV

Note that the configuration might be different if you use another Antivirus scanner with Dazuko support.

Please edit /etc/clamd.conf (or wherever your clamd.conf is stored) and make sure you have these options:

ClamukoScanOnAccess
ClamukoScanOnOpen
ClamukoScanOnClose
ClamukoScanOnExec
# All files in IncludePath will be scanned on-access
ClamukoIncludePath /
# But all files in ExcludePath will not be scanned :)
ClamukoExcludePath /var/amavis/quarantine
# Maximum file size to scan
ClamukoMaxFileSize 20M

Also make sure that clamd runs as root! Remove any "User" directive from the configuration file, or set "User root".

Setting up RSBAC

Tell RSBAC that clamd is our on-access scanner:

# attr_set_file_dir  FD $(which clamd) daz_scanner 1

Tell RSBAC that the user root has the Dazuko role of Administrator (2):

# attr_set_user root daz_role 2

And that the security officer has the Dazuko role of, well, Security Officer :) (1):

# attr_set_user secoff daz_role 1

Running, testing, troubleshooting

You can now start clamd using your init scripts (make sure they start it as the root user) or by hand:

# /etc/init.d/clamav start

Alternatively:

# clamd

Check your clamav logs:

# tail /var/log/clamav/clamd.log
Mon Jul 18 11:29:20 2005 -> Clamuko: Correctly registered with Dazuko.
Mon Jul 18 11:29:20 2005 -> Clamuko: Scan-on-open mode activated.
Mon Jul 18 11:29:20 2005 -> Clamuko: Scan-on-close mode activated.
Mon Jul 18 11:29:20 2005 -> Clamuko: Scan-on-exec mode activated.

OK, everything works! You can download a test virus file from here: http://www.eicar.org/anti_virus_test_file.htm

Play with it: RSBAC+Dazuko+ClamAV will deny every access to it (provided that you are not running in softmode). The RSBAC logs will also report the interception by the DAZ module, and you can watch the number of cached scan results go up as DAZ_SCANNED entries in the FD section of /proc/rsbac-info/stats.

If ClamAV shows no Clamuko messages, make sure that your version of ClamAV was not built with Dazuko support disabled. If in doubt, compile a new version by hand.

If you get a connection error, "ERROR: Clamuko: Can't register with Dazuko", make sure that your device /dev/dazuko exists and has the correct permissions, major and minor numbers.
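The checks this page walks through (DAZ module switched on, dazuko major number, /dev/dazuko node numbers, the Clamuko options and root user in clamd.conf) collected into one pre-flight script. This is an added example, not part of the RSBAC handbook or ClamAV; it assumes the file paths used above and GNU stat(1) for the device numbers.

```shell
#!/bin/sh
# Pre-flight checks for the RSBAC DAZ + Dazuko + ClamAV setup. Every check
# takes the file to inspect as an argument, so it works on the live /proc
# and /etc files as well as on saved copies.

# 0 if the RSBAC active-module list reports DAZ as switched on.
daz_module_on() {
    grep -q '^Module: DAZ on$' "$1"
}

# Print the major number registered for dazuko (from /proc/devices);
# return 1 if the kernel has not registered one.
dazuko_major() {
    awk '$2 == "dazuko" { print $1; found = 1 } END { exit !found }' "$1"
}

# 0 if $1 is a character device with major $2 and minor $3.
# GNU stat prints the major/minor (%t/%T) in hex, hence the 0x conversion.
device_numbers_match() {
    dev="$1"
    [ -c "$dev" ] || return 1
    have_major=$((0x$(stat -c %t "$dev")))
    have_minor=$((0x$(stat -c %T "$dev")))
    [ "$have_major" -eq "$2" ] && [ "$have_minor" -eq "$3" ]
}

# 0 if clamd.conf enables all four on-access options and clamd will run as
# root: no "User" directive at all, or exactly "User root" (comments ignored).
clamd_conf_ok() {
    conf="$1"
    for opt in ClamukoScanOnAccess ClamukoScanOnOpen ClamukoScanOnClose ClamukoScanOnExec; do
        grep -q "^[[:space:]]*$opt" "$conf" || return 1
    done
    if grep -E '^[[:space:]]*User[[:space:]]+' "$conf" \
        | grep -Ev '^[[:space:]]*User[[:space:]]+root[[:space:]]*$' \
        | grep -q .; then
        return 1    # a User directive names someone other than root
    fi
    return 0
}

# Run all checks against the live system, one result line per check.
preflight() {
    daz_module_on /proc/rsbac-info/active && echo "DAZ module: on" \
        || echo "DAZ module: off or not compiled in"
    major=$(dazuko_major /proc/devices) \
        || { echo "dazuko: not registered in /proc/devices"; return 1; }
    device_numbers_match /dev/dazuko "$major" 0 && echo "/dev/dazuko: ok (c $major 0)" \
        || echo "/dev/dazuko: missing or wrong numbers; expected: mknod -m 0600 /dev/dazuko c $major 0"
    clamd_conf_ok /etc/clamd.conf && echo "clamd.conf: ok" \
        || echo "clamd.conf: on-access options missing or clamd not running as root"
}
```

Run `preflight` as root after sourcing the script; each line reports one of the failure causes described in this section.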

Enjoy the fastest on-access scanner on Linux!


documentation/rsbac_handbook/configuration_basics/setting_up_modules/daz.txt · Last modified: 2007/01/19 15:26 by kang
This website is kindly hosted by m-privacy