Scan EC2 Instance Using Clamav In AWS

Most of us think that Linux servers are very secure and highly protected, but that is not always the case. The packages we install, the applications we set up and their dependencies may have security and vulnerability issues.

We have to check the systems regularly for security threats and vulnerability issues. These issues can be in a file or in the packages we install, and can be injected through websites.

To handle such scenarios, we have to set up a proper vulnerability scanner so that we can act immediately if anything is found.

In this article, we will see how to set up an open source antivirus engine which helps us identify trojans, malware, malicious threats and viruses.

Process Involved:

  • Install ClamAV on all the EC2 instances.
  • Set up SSM Agent.
  • Create an IAM role and attach it to the EC2 instances.
  • Create a maintenance window in AWS Systems Manager.
  • Configure tasks.

Setup Clamav On EC2 Instances:

First we need to install the clamav package on all the systems. Since the clamav package is available in the system's repository, we can install it directly.

To install clamav on Ubuntu systems, use the command below:

apt-get install clamav

Once the clamav is installed , freshclam comes with the package by default.

freshclam is a command which is used to update the clamav scanner virus definitions.

The first time, you might face an issue when running freshclam:

root@IA-767-RahulK:~# freshclam 
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!

To fix this, we just have to kill the freshclam process using the command below:

pkill freshclam

Now if you run freshclam, you should see the following output.

root@IA-767-RahulK:~# freshclam
Tue Jan 21 23:04:28 2020 -> ClamAV update process started at Tue Jan 21 23:04:28 2020
Tue Jan 21 23:04:28 2020 -> daily.cvd database is up to date (version: 25702, sigs: 2153296, f-level: 63, builder: raynman)
Tue Jan 21 23:04:28 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Tue Jan 21 23:04:28 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)

Now we are ready to scan the servers.

You can just run the clamscan command, which will scan all the files and folders in the server and provide the output.

clamscan

This might take longer if you have more files and folders on the server.

If you want to send the scan output to a file, use the command below.

clamscan > scannedreport.docx

If you want to scan a particular folder, use the command below.

clamscan -r /Downloads > downloadscannedreport.docx

Once the scan is completed, you should see output as shown below:

rahulk@IA-767-RahulK:~$ clamscan -r Music
Music/Wordpress-Pages-Backup/fit-devops.WordPress.2020-01-12.xml: OK
Music/Wordpress-Pages-Backup/fit-devops.WordPress.2020-01-04.xml: OK
Music/Wordpress-Pages-Backup/fit-devops.WordPress.2020-01-16.xml: OK
Music/Wordpress-Pages-Backup/fit-devops.WordPress.2020-01-15.xml: OK
Music/Wordpress-Pages-Backup/fit-devops.WordPress.2020-01-14.xml: OK

----------- SCAN SUMMARY -----------
Known viruses: 6708220
Engine version: 0.102.1
Scanned directories: 2
Scanned files: 5
Infected files: 0
Data scanned: 12.11 MB
Data read: 7.34 MB (ratio 1.65:1)
Time: 17.376 sec (0 m 17 s)

To automate this, we can make clamscan run every day at midnight and send the output to an S3 bucket.

But in this tutorial, we are going to see how you can use AWS Systems Manager to automate the scanning process and send the output to an S3 bucket.

In order to bring the EC2 instances into Systems Manager, we have to install SSM Agent on all the machines.

Installing SSM Agent:

SSM Agent is the software installed on the servers that lets Systems Manager update, configure and run commands on them remotely.

For instances such as Amazon Linux, Ubuntu 16.x and Ubuntu 18.x, SSM Agent is available by default.

How SSM Agent is installed depends on the operating system. You can install it using either Debian installer packages or snap packages.

To install using snap:

You can check whether ssm-agent is already installed using snap, and then install and start it, using the commands below:

snap list amazon-ssm-agent
snap install amazon-ssm-agent --classic
sudo snap start amazon-ssm-agent
sudo snap services amazon-ssm-agent

To install using the Debian installer package:

Download the .deb package and install it using the commands below:

wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
dpkg -i amazon-ssm-agent.deb
systemctl status amazon-ssm-agent

Once you have ssm-agent installed on the EC2 instances, let's go ahead and create the necessary IAM role and attach it to the EC2 instances.

Configuring IAM Role:

Open the IAM Console,

https://console.aws.amazon.com/iam/

In the left navigation pane, choose Roles and then click Create role.

On the select type of identity page, choose the EC2 service and click Next: Permissions.

On the Attach permissions policy page, choose the SSMFullaccess role and then add a tag.

Then give a name to the role and click Create role.

We have created a role for the EC2 instance to communicate with Systems Manager.

Attach IAM Role To EC2 Instance:

Once the role is created, we have to attach the IAM role to the respective EC2 instance.

Go to EC2 console,

https://console.aws.amazon.com/ec2/v2/home

Refer to these articles to create an EC2 instance using the console and Terraform.

CREATE EC2 INSTANCE USING CONSOLE

CREATE EC2 INSTANCE USING TERRAFORM

Choose the instance , Under Actions , Click Instance settings,

Choose Attach / replace IAM role.

Select the role which you have created and click apply.

Now we have an IAM role attached to the EC2 Instance.

Now Systems Manager has the ability to run tasks on the EC2 instances and automate the process using the maintenance window.

Systems Manager (SSM):

Let's go to the Systems Manager console,

https://ap-southeast-1.console.aws.amazon.com/systems-manager/home

Under Instances and Nodes in the left navigation pane, you should see Managed Instances.

A managed instance is simply a server / EC2 instance that is configured to be managed by Systems Manager.

You should see the instances which you have configured with the Systems Manager agent (SSM Agent).

Let's test this by manually running a Run command.

Choose Run command in the left pane,

Choose Run a command. You will see the list of predefined documents based on the tasks and the operating systems.

You should see AWS-RunShellScript. This is the document we are going to use to execute commands on the remote servers. Select it.

You can keep the document version as default.

Under Command parameters, we pass the Linux commands. In our case, it's the clamscan command.

Pass the command as shown below. You can change the folders as per your requirement.

The path for saving the output should be present on the EC2 instance.

clamscan -r /home/rahulk/ > /root/rahulkreport.docs

Leave Working directory and Execution Timeout as they are.

Under Targets , select Choose instances manually and select your instance.

Under Other parameters, set the timeout. If your folders hold a huge amount of data, it will obviously take a lot of time to scan each file and folder.

Max allowed execution time : 2,592,000 seconds.

Set the timeout as per your requirement.

Under Output options, if you want the clamscan output to be stored in an S3 bucket, you can enable writing to an S3 bucket and then choose the bucket from the list.

And click Run.

Now clamscan has scanned the folders I wanted to scan and stored the reports in the folder.
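
With the command above, the scan result is redirected to a file on the instance, so the Run Command output (and anything it writes to S3) carries no findings. The wrapper below is an added example, not part of the original article: it keeps the full report on the instance, prints only detections and the summary to stdout, and returns clamscan's exit status (0 clean, 1 virus found, 2 error). The function name scan_dir and the CLAMSCAN variable are assumptions introduced here.

```shell
#!/bin/sh
# Added example: scan wrapper for the AWS-RunShellScript command parameter.
# CLAMSCAN lets the scanner binary be overridden (assumption, used for testing).
CLAMSCAN="${CLAMSCAN:-clamscan}"

# scan_dir <directory> <report-file>
# Runs a recursive scan and keeps the full report on the instance.
# Only detections and the summary go to stdout, which is what Run Command
# captures and uploads when S3 output is enabled.
# Returns clamscan's own status: 0 = clean, 1 = virus found, 2 = error.
scan_dir() {
    dir=$1 report=$2 rc=0
    "$CLAMSCAN" -r "$dir" > "$report" 2>&1 || rc=$?
    # Lines ending in FOUND are detections; no match is not an error here.
    grep ' FOUND$' "$report" || true
    # Everything from the SCAN SUMMARY banner to the end of the report.
    sed -n '/SCAN SUMMARY/,$p' "$report"
    case $rc in
        0) echo "RESULT: clean ($dir)" ;;
        1) echo "RESULT: INFECTED ($dir), full report in $report" ;;
        *) echo "RESULT: scan error rc=$rc ($dir), see $report" ;;
    esac
    return "$rc"
}

# Stand-alone use: sh scan.sh /home/rahulk /root/rahulkreport.docs
if [ "$#" -eq 2 ]; then
    scan_dir "$1" "$2"
fi
```

In the Commands box, paste the function followed by a call such as scan_dir /home/rahulk /root/rahulkreport.docs. A non-zero exit status marks the invocation as Failed in Run Command, so a detection is visible in the command history without opening the report.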

But we should automate this process; that is the reason we have come to Systems Manager.

SSM Maintenance Window:

First we need to create a Maintenance Window,

Under Actions and change in the left pane , choose Maintenance windows.

Click Create Maintenance Window

Give a name for the maintenance window,

You can select the schedule as per your needs. For example, I want to run the scanner every day at 01:00 AM.

Configure Cron schedule builder,

If you're running scans on multiple servers, you have to allow time for the whole process to complete based on the server count; this is the Duration.

For Stop initiating tasks, let's say your maintenance window is 5 hours; you ask SSM not to start any new tasks 1 hour before the end of the maintenance window.

Then add a tag and click Create Maintenance window.

Click the maintenance window, choose Targets, and click Register targets.

Give a name for the target, choose the instances manually and select as many instances as you need.

Click Register target.

Now the target is registered in the maintenance window.

Let's create a task for the targets.

Click Tasks, and under Register tasks, select Register run command task.

Give a name to the task , select AWS-RunShellScript document

Under targets, Select the registered targets ,

Under Rate control, specify the number of target instances on which you want to run commands at a time; also, if the error count reaches 10, the task will be stopped.

Use the service-linked role for Systems Manager.

Under Parameters, provide the clamscan command.

Maximize the execution timeout as per the count of the target instances and click Register Run command task.
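
The console steps above, expressed with the AWS CLI as an added example (not from the original article). The instance ID, bucket, window name, concurrency of 1 and the 14400 second execution timeout are assumptions; the schedule, 5 hour duration, 1 hour cutoff and error limit of 10 follow the values used in the text.

```shell
#!/bin/sh
# Added example: maintenance window, target and Run Command task via AWS CLI.
# INSTANCE_ID, BUCKET and the window name are hypothetical placeholders.
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"
BUCKET="${BUCKET:-example-clamscan-reports}"
SCAN_CMD='clamscan -r /home/rahulk/ > /root/rahulkreport.docs'

# task_parameters <execution-timeout-seconds>
# JSON for the Run Command task: command, timeout and S3 output location.
task_parameters() {
    printf '{"RunCommand":{"Parameters":{"commands":["%s"],"executionTimeout":["%s"]},"OutputS3BucketName":"%s","OutputS3KeyPrefix":"clamscan"}}' \
        "$SCAN_CMD" "$1" "$BUCKET"
}

setup_window() {
    # Every day at 01:00 (UTC unless a schedule timezone is set),
    # 5 hour window, no new tasks started in the last hour.
    window_id=$(aws ssm create-maintenance-window --name clamav-nightly \
        --schedule 'cron(0 1 ? * * *)' --duration 5 --cutoff 1 \
        --allow-unassociated-targets \
        --query WindowId --output text) || return 1
    target_id=$(aws ssm register-target-with-maintenance-window \
        --window-id "$window_id" --resource-type INSTANCE \
        --targets "Key=InstanceIds,Values=$INSTANCE_ID" \
        --query WindowTargetId --output text) || return 1
    # One instance at a time; stop the task once 10 errors are reached.
    # No service role is passed, so the service-linked role is used.
    aws ssm register-task-with-maintenance-window --window-id "$window_id" \
        --targets "Key=WindowTargetIds,Values=$target_id" \
        --task-arn AWS-RunShellScript --task-type RUN_COMMAND \
        --max-concurrency 1 --max-errors 10 \
        --task-invocation-parameters "$(task_parameters 14400)" \
        --query WindowTaskId --output text
}

# Run with: sh window.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_window
fi
```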

If you want to send the output to an S3 bucket, we need to attach an S3Fullaccess/S3putobject policy to the role which we created and attached to the EC2 instances.
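
The role from the Configuring IAM Role section and the S3 permission above can both be granted more narrowly than full access. This added example (not from the original article) builds the role with the AWS CLI using the AWS managed policy AmazonSSMManagedInstanceCore and an inline policy that allows only s3:PutObject on one prefix. The role, bucket and prefix names are hypothetical placeholders, and it assumes the bucket needs no further permissions such as KMS access.

```shell
#!/bin/sh
# Added example: least-privilege instance role for SSM-managed ClamAV scans.
# ROLE, BUCKET and PREFIX are hypothetical placeholders.
ROLE="${ROLE:-clamav-ssm-role}"
BUCKET="${BUCKET:-example-clamscan-reports}"
PREFIX="${PREFIX:-clamscan}"

# Trust policy: only the EC2 service may assume the role.
trust_policy() {
    printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# s3_put_policy <bucket> <prefix>
# Inline policy: write-only access to one prefix of one bucket.
s3_put_policy() {
    printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::%s/%s/*"}]}' "$1" "$2"
}

create_scan_role() {
    aws iam create-role --role-name "$ROLE" \
        --assume-role-policy-document "$(trust_policy)" &&
    # Agent permissions only, instead of a full-access policy.
    aws iam attach-role-policy --role-name "$ROLE" \
        --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore &&
    aws iam put-role-policy --role-name "$ROLE" \
        --policy-name clamscan-s3-put-only \
        --policy-document "$(s3_put_policy "$BUCKET" "$PREFIX")" &&
    # The console creates the instance profile implicitly; the CLI does not.
    aws iam create-instance-profile --instance-profile-name "$ROLE" &&
    aws iam add-role-to-instance-profile \
        --instance-profile-name "$ROLE" --role-name "$ROLE"
}

# Run with: sh role.sh apply
if [ "${1:-}" = "apply" ]; then
    create_scan_role
fi
```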

We have now successfully configured a setup to automatically scan the EC2 instances using the clamscan virus scanner based on the maintenance window and store the output in an S3 bucket.

Hope this article helped you mitigate the issues related to malware and vulnerabilities using clamscan with the help of Systems Manager.

Please do check out my other publications.