Installation manual

6.2.2 Installation and configuration
The libesets_pac.so library module is installed using a standard installation mechanism of the preloaded libraries. You need to
define the environment variable ‘LD_PRELOAD’ with the absolute path to the libesets_pac.so library. For more information, please
refer to the ld.so(8) man page.
Note: It is important that the ‘LD_PRELOAD’ environment variable is defined only for the network server daemon processes (ftp,
Samba, etc.) that will be under control of the On-access scanner. Generally, preloading LIBC calls for all operating system
processes is not recommended, as this can dramatically slow the performance of the system or even cause the system to hang. In
this sense, the ‘/etc/ld.so.preload’ file should not be used, nor should the ‘LD_PRELOAD’ environment variable be exported
globally. Both would override all relevant LIBC calls in every process, which could lead to system hang-ups during initialization.
To ensure that only the relevant file access calls within a given file system are intercepted, replace the daemon's executable
statement with the following line:
LD_PRELOAD=@LIBDIR@/libesets_pac.so COMMAND COMMAND-ARGUMENTS
where ‘COMMAND COMMAND-ARGUMENTS’ is the original executable statement.
Review and edit the [global] and [pac] sections of the ESETS configuration file (esets.cfg). In order for the On-access scanner to
function correctly, you must define the file system objects (i.e. directories and files) that are required to be under control of the
preload library. This can be achieved by defining the parameters of the ‘ctl_incl’ and ‘ctl_excl’ options in the [pac] section of the
ESETS configuration file. After making changes to the esets.cfg file, you can force the newly created configuration to be re-read by
reloading the ESETS daemon.
6.2.3 Tips
In order to activate the On-access scanner immediately after file system start up, the ‘LD_PRELOAD’ environment variable must
be defined within the appropriate network file server initialization script.
Example: Let’s assume we want the On-access scanner to monitor all file system access events immediately after starting
the Samba server. Within the Samba daemon initialization script (/etc/init.d/smb), we would replace the statement
daemon /usr/sbin/smbd $SMBDOPTIONS
with the following line:
LD_PRELOAD=@LIBDIR@/libesets_pac.so daemon /usr/sbin/smbd $SMBDOPTIONS
In this way, selected file system objects controlled by Samba will be scanned at system start-up.
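As an added example (not from the ESET manual), a small POSIX sh helper that applies the per-command scoping described above and checks for the two global-preload mistakes the note warns against; the default LIBDIR of /usr/lib is an assumption standing in for @LIBDIR@, and both function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the ESET manual: scope LD_PRELOAD to one daemon
# command and detect the global-preload pitfalls the manual warns about.
# LIBDIR defaults to /usr/lib as an assumption; set it to your @LIBDIR@.
LIBDIR="${LIBDIR:-/usr/lib}"
PAC_LIB="$LIBDIR/libesets_pac.so"

# Run COMMAND with the preload library visible only to that process tree,
# exactly like "LD_PRELOAD=@LIBDIR@/libesets_pac.so COMMAND ARGS" in the
# init script; the calling shell's environment is left untouched.
# Usage: run_with_pac COMMAND [ARGS...]
run_with_pac() {
    LD_PRELOAD="$PAC_LIB" "$@"
}

# Return 1 if libesets_pac is configured for every process, either through
# /etc/ld.so.preload (or the file given as $1) or through an exported
# LD_PRELOAD in the current environment; return 0 otherwise.
check_no_global_preload() {
    preload_file="${1:-/etc/ld.so.preload}"
    if [ -r "$preload_file" ] && grep -q 'libesets_pac' "$preload_file"; then
        echo "WARNING: $preload_file preloads libesets_pac into every process" >&2
        return 1
    fi
    if printenv LD_PRELOAD 2>/dev/null | grep -q 'libesets_pac'; then
        echo "WARNING: LD_PRELOAD with libesets_pac is exported in this shell" >&2
        return 1
    fi
    return 0
}
```

Run check_no_global_preload from the shell that launches the daemon before wrapping the command; a non-zero exit means the library is already being preloaded system-wide.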
6.3 On-access scanner powered by Dazuko
The technique used by the ESETS On-access scanner can also be powered by the Dazuko (da-tzu-ko) kernel module and is based on
the interception of kernel calls. The Dazuko project is open source, which means that its source code is freely distributed. This
allows users to compile the kernel module for their own custom kernels. Note that the Dazuko kernel module is not a part of any
ESETS product and must be compiled and installed into the kernel prior to using the On-access command esets_dac. The Dazuko
technique makes On-access scanning independent of the file system type used. It is also suitable for scanning file system
objects accessed via Network File System (NFS), Nettalk and Samba.
Important: Before we provide detailed information related to On-access scanner configuration and use, it should be noted that
the scanner has been primarily developed and tested to protect externally mounted file systems. If there are multiple file systems
that are not externally mounted, you will need to exclude them from file access control in order to prevent system hang ups. An
example of a typical directory to exclude is the ‘/dev’ directory and any directories used by ESETS.
6.3.1 Operation principle
The On-access scanner esets_dac (ESETS Dazuko-powered file Access Controller) is a resident program which provides
continuous monitoring and control over the file system. Every file system object is scanned based on customizable file access
event types. The following event types are supported by the current version:
Open events
To activate this file access type, set the value of the ‘event_mask’ parameter to open in the [dac] section of the esets.cfg file. This
will enable the ON_OPEN bit of the Dazuko access mask.
Create (close) events
To activate this file access type, set the value of the ‘event_mask’ parameter to close in the [dac] section of the esets.cfg file. This
will enable the ON_CLOSE and ON_CLOSE_MODIFIED bits of the Dazuko access mask.