[packages/maldet] Initial
arekm
arekm at pld-linux.org
Tue May 26 11:30:36 CEST 2026
commit 49ed943f1b70dc061688f9e1152b748c064dbcdb
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Tue May 26 11:30:10 2026 +0200
Initial
maldet-pld-paths.patch | 215 +++++++++++++++++++++++++++++++++++++++++++++++++
maldet.spec | 178 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 393 insertions(+)
---
diff --git a/maldet.spec b/maldet.spec
new file mode 100644
index 0000000..c3f7226
--- /dev/null
+++ b/maldet.spec
@@ -0,0 +1,178 @@
+Summary: Linux Malware Detect - malware scanner for Linux
+Summary(pl.UTF-8): Linux Malware Detect - skaner szkodliwego oprogramowania dla Linuksa
+Name: maldet
+Version: 2.0.1
+Release: 0.1
+License: GPL v2
+Group: Applications/System
+Source0: https://github.com/rfxn/linux-malware-detect/archive/v%{version}/linux-malware-detect-%{version}.tar.gz
+# Source0-md5: c66f279c15450d6300f2093b39ffba0d
+# Relocate the self-contained /usr/local/maldetect tree to an FHS layout
+# (code, config and state split) and disable in-place code self-update.
+Patch0: %{name}-pld-paths.patch
+URL: https://github.com/rfxn/linux-malware-detect
+Requires: bash
+Requires: coreutils
+Requires: crondaemon
+Requires: curl
+Requires: findutils
+Requires: gawk
+Requires: grep
+Requires: gzip
+Requires: inotify-tools
+Requires: sed
+Requires: tar
+Requires: util-linux
+Requires(post,preun,postun): systemd-units >= 38
+BuildRequires: rpmbuild(macros) >= 1.736
+Suggests: clamav
+Suggests: cpulimit
+Suggests: yara
+Provides: linux-malware-detect = %{version}-%{release}
+BuildArch: noarch
+BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%define _appdir %{_datadir}/%{name}
+%define _confdir %{_sysconfdir}/%{name}
+%define _statedir /var/lib/%{name}
+
+%description
+Linux Malware Detect (LMD) is a malware scanner for Linux designed
+around the threats faced in shared hosted environments. It uses threat
+data from network edge intrusion detection systems to extract malware
+that is actively being used in attacks and generates signatures for
+detection.
+
+Detection methods include MD5 file hashes, HEX pattern matches,
+statistical analysis and YARA rules. Features include inotify real-time
+file system monitoring, ClamAV engine integration, quarantine, restore
+and clean operations, and multi-channel alerting (e-mail, Slack,
+Telegram, Discord).
+
+%description -l pl.UTF-8
+Linux Malware Detect (LMD) to skaner szkodliwego oprogramowania dla
+systemu Linux, zaprojektowany z myślą o zagrożeniach spotykanych w
+środowiskach współdzielonego hostingu. Wykorzystuje dane o zagrożeniach
+pochodzące z brzegowych systemów wykrywania włamań, aby wyodrębniać
+szkodliwe oprogramowanie aktywnie używane w atakach i generować dla
+niego sygnatury.
+
+Do wykrywania służą skróty MD5 plików, wzorce HEX, analiza statystyczna
+oraz reguły YARA. Program obsługuje monitorowanie systemu plików w
+czasie rzeczywistym przez inotify, integrację z silnikiem ClamAV,
+kwarantannę, przywracanie i czyszczenie zainfekowanych plików, a także
+powiadomienia (e-mail, Slack, Telegram, Discord).
+
+%prep
+%setup -q -n linux-malware-detect-%{version}
+%patch -P0 -p1
+
+# explicit interpreter path (PLD policy); upstream ships #!/usr/bin/env bash
+find . -type f -print0 | xargs -0 grep -lZ '^#!/usr/bin/env bash' | \
+ xargs -0 -r %{__sed} -i -e '1s,^#!/usr/bin/env bash$,#!/bin/bash,'
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT%{_appdir}/internals \
+ $RPM_BUILD_ROOT%{_sbindir} \
+ $RPM_BUILD_ROOT%{_confdir}/cron \
+ $RPM_BUILD_ROOT%{_sysconfdir}/{cron.daily,cron.weekly,cron.d,logrotate.d,sysconfig} \
+ $RPM_BUILD_ROOT%{systemdunitdir} \
+ $RPM_BUILD_ROOT%{_mandir}/man1 \
+ $RPM_BUILD_ROOT%{_statedir}/{sigs,quarantine,sess,tmp,clean,pub} \
+ $RPM_BUILD_ROOT%{_var}/log/%{name}
+
+# code (read-only) -> %{_appdir}
+cp -a files/internals/* $RPM_BUILD_ROOT%{_appdir}/internals/
+install -p files/VERSION.hash $RPM_BUILD_ROOT%{_appdir}/internals/VERSION.hash
+install -p files/maldet $RPM_BUILD_ROOT%{_appdir}/maldet
+install -p files/hookscan.sh $RPM_BUILD_ROOT%{_appdir}/hookscan.sh
+cp -a files/modsec.sh $RPM_BUILD_ROOT%{_appdir}/modsec.sh
+
+ln -sf ../share/%{name}/maldet $RPM_BUILD_ROOT%{_sbindir}/maldet
+ln -sf ../share/%{name}/maldet $RPM_BUILD_ROOT%{_sbindir}/lmd
+
+# configuration -> %{_confdir}
+install -p files/conf.maldet $RPM_BUILD_ROOT%{_confdir}/conf.maldet
+install -p files/conf.maldet.hookscan.default $RPM_BUILD_ROOT%{_confdir}/conf.maldet.hookscan.default
+install -p files/ignore_paths files/ignore_sigs files/ignore_inotify files/ignore_file_ext \
+ $RPM_BUILD_ROOT%{_confdir}/
+install -p files/monitor_paths $RPM_BUILD_ROOT%{_confdir}/monitor_paths
+> $RPM_BUILD_ROOT%{_confdir}/monitor_paths.extra
+install -p files/cron/conf.maldet.cron files/cron/custom.cron $RPM_BUILD_ROOT%{_confdir}/cron/
+
+# default cleaner rules (executed from cldir at clean time) -> %{_statedir}/clean
+cp -p files/clean/* $RPM_BUILD_ROOT%{_statedir}/clean/
+
+# cron jobs
+install -p cron.daily $RPM_BUILD_ROOT%{_sysconfdir}/cron.daily/%{name}
+install -p cron.watchdog $RPM_BUILD_ROOT%{_sysconfdir}/cron.weekly/%{name}-watchdog
+install -p cron.d.pub $RPM_BUILD_ROOT%{_sysconfdir}/cron.d/%{name}_pub
+install -p cron.d.sigup $RPM_BUILD_ROOT%{_sysconfdir}/cron.d/%{name}-sigup
+
+# logrotate, systemd unit, sysconfig
+install -p files/logrotate.maldet $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/%{name}
+install -p files/service/maldet.service $RPM_BUILD_ROOT%{systemdunitdir}/%{name}.service
+install -p files/service/maldet.sysconfig $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/%{name}
+
+# man page
+install -p files/maldet.1 $RPM_BUILD_ROOT%{_mandir}/man1/maldet.1
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+%systemd_reload
+
+%files
+%defattr(644,root,root,755)
+%doc CHANGELOG CHANGELOG.RELEASE README.md COPYING.GPL
+
+%attr(755,root,root) %{_sbindir}/maldet
+%attr(755,root,root) %{_sbindir}/lmd
+
+%dir %{_appdir}
+%attr(755,root,root) %{_appdir}/maldet
+%attr(755,root,root) %{_appdir}/hookscan.sh
+%{_appdir}/modsec.sh
+%{_appdir}/internals
+
+%dir %{_confdir}
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_confdir}/conf.maldet
+%config(noreplace) %verify(not md5 mtime size) %{_confdir}/conf.maldet.hookscan.default
+%config(noreplace) %verify(not md5 mtime size) %{_confdir}/ignore_paths
+%config(noreplace) %verify(not md5 mtime size) %{_confdir}/ignore_sigs
+%config(noreplace) %verify(not md5 mtime size) %{_confdir}/ignore_inotify
+%config(noreplace) %verify(not md5 mtime size) %{_confdir}/ignore_file_ext
+%config(noreplace) %verify(not md5 mtime size) %{_confdir}/monitor_paths
+%config(noreplace) %verify(not md5 mtime size) %{_confdir}/monitor_paths.extra
+%dir %{_confdir}/cron
+%config(noreplace) %verify(not md5 mtime size) %{_confdir}/cron/conf.maldet.cron
+%config(noreplace) %verify(not md5 mtime size) %{_confdir}/cron/custom.cron
+
+%attr(754,root,root) /etc/cron.daily/%{name}
+%attr(754,root,root) %{_sysconfdir}/cron.weekly/%{name}-watchdog
+%config(noreplace) %verify(not md5 mtime size) /etc/cron.d/%{name}_pub
+%config(noreplace) %verify(not md5 mtime size) /etc/cron.d/%{name}-sigup
+%config(noreplace) %verify(not md5 mtime size) /etc/logrotate.d/%{name}
+%config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/%{name}
+
+%{systemdunitdir}/%{name}.service
+
+%dir %attr(750,root,root) %{_statedir}
+%dir %attr(750,root,root) %{_statedir}/sigs
+%dir %attr(750,root,root) %{_statedir}/quarantine
+%dir %attr(750,root,root) %{_statedir}/sess
+%dir %attr(750,root,root) %{_statedir}/tmp
+%dir %attr(750,root,root) %{_statedir}/clean
+%dir %attr(750,root,root) %{_statedir}/pub
+%attr(750,root,root) %{_statedir}/clean/*
+%dir %attr(750,root,root) %{_var}/log/%{name}
+
+%{_mandir}/man1/maldet.1*
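Review bot: The unit as patched still reads `EnvironmentFile=-/etc/default/maldet` (visible as context in the maldet.service hunk of maldet-pld-paths.patch), while `install -p files/service/maldet.sysconfig $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/%{name}` ships the environment file as /etc/sysconfig/maldet, so a MONITOR_MODE set there is never seen by the service and the leading `-` makes the miss silent. Either the maldet.service hunk of the patch should also carry `-EnvironmentFile=-/etc/default/maldet` / `+EnvironmentFile=-/etc/sysconfig/maldet`, or the spec should install into the path the unit actually reads. Separately, `cp -a files/modsec.sh` preserves the source mode only for %files to reset it to the 644 default, whereas hookscan.sh gets `%attr(755,root,root)`; if modsec.sh is invoked as an executable hook rather than sourced, give it the same attr and use `install -p` like the neighbouring lines.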
diff --git a/maldet-pld-paths.patch b/maldet-pld-paths.patch
new file mode 100644
index 0000000..0719c0a
--- /dev/null
+++ b/maldet-pld-paths.patch
@@ -0,0 +1,215 @@
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/cron.d.pub linux-malware-detect-2.0.1/cron.d.pub
+--- linux-malware-detect-2.0.1.orig/cron.d.pub 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/cron.d.pub 2026-05-26 09:12:06.410226001 +0000
+@@ -1 +1 @@
+-*/5 * * * * root /usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1
++*/5 * * * * root /usr/sbin/maldet --mkpubpaths >> /dev/null 2>&1
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/cron.d.sigup linux-malware-detect-2.0.1/cron.d.sigup
+--- linux-malware-detect-2.0.1.orig/cron.d.sigup 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/cron.d.sigup 2026-05-26 09:12:06.410284764 +0000
+@@ -1,4 +1,4 @@
+ # LMD independent signature update
+ # Interval controlled by sigup_interval in conf.maldet
+ # Managed by maldet install.sh — do not edit manually
+-0 */6 * * * root /usr/local/maldetect/maldet --cron-sigup >> /dev/null 2>&1
++0 */6 * * * root /usr/sbin/maldet --cron-sigup >> /dev/null 2>&1
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/cron.daily linux-malware-detect-2.0.1/cron.daily
+--- linux-malware-detect-2.0.1.orig/cron.daily 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/cron.daily 2026-05-26 09:12:06.409977067 +0000
+@@ -8,12 +8,12 @@
+ ##
+ #
+ export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
+-inspath='/usr/local/maldetect'
++inspath='/usr/share/maldet'
+ intcnf="$inspath/internals/internals.conf"
+
+ # prevent overlapping cron runs — use flock command form so the lock fd is
+ # CLOEXEC and never inherited by backgrounded maldet -b scans
+-LOCKFILE="$inspath/tmp/.cron.lock"
++LOCKFILE="/var/lib/maldet/tmp/.cron.lock"
+ if command -v flock >/dev/null 2>&1 && [ -z "$_CRON_FLOCK" ]; then
+ export _CRON_FLOCK=1
+ flock -n "$LOCKFILE" "$0" "$@"
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/cron.watchdog linux-malware-detect-2.0.1/cron.watchdog
+--- linux-malware-detect-2.0.1.orig/cron.watchdog 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/cron.watchdog 2026-05-26 09:12:06.410169271 +0000
+@@ -9,18 +9,18 @@
+ # Intentionally simple and decoupled from main LMD codebase to survive bad upgrades (LOAD-BEARING INVARIANT)
+
+ export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
+-inspath='/usr/local/maldetect'
++inspath='/usr/share/maldet'
+
+ # Verify install exists
+ [ -f "$inspath/internals/internals.conf" ] || exit 0
+
+ # Load just enough state to check staleness — do NOT source internals.conf
+ # or functions so a broken codebase cannot prevent this script from running.
+-sig_version_file="$inspath/sigs/maldet.sigs.ver"
++sig_version_file="/var/lib/maldet/sigs/maldet.sigs.ver"
+ # Intentionally uses $inspath/logs/ (not /var/log/maldet/) — this script must
+ # remain self-contained and survive broken installs. After FHS migration,
+ # $inspath/logs is a symlink to /var/log/maldet/, so this path still works.
+-event_log="$inspath/logs/event_log"
++event_log="/var/log/maldet/event_log"
+ watchdog_stale_days="${LMD_WATCHDOG_STALE_DAYS:-7}"
+ [[ "$watchdog_stale_days" =~ ^[0-9]+$ ]] || watchdog_stale_days=7
+
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/files/conf.maldet linux-malware-detect-2.0.1/files/conf.maldet
+--- linux-malware-detect-2.0.1.orig/files/conf.maldet 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/files/conf.maldet 2026-05-26 09:12:06.409670696 +0000
+@@ -130,7 +130,7 @@
+ # this be enabled to ensure the latest version, features and bug fixes
+ # are always available.
+ # [0 = disabled, 1 = enabled]
+-autoupdate_version="1"
++autoupdate_version="0"
+
+ # This controls validating the LMD executable SHA-256 hash with known
+ # good upstream hash value (falls back to MD5 if sha256sum unavailable).
+@@ -139,7 +139,7 @@
+ # intend to make customizations to the LMD executable, you should
+ # disable this feature.
+ # [0 = disabled, 1 = enabled]
+-autoupdate_version_hashed="1"
++autoupdate_version_hashed="0"
+
+ # The retention period, in days, which quarantine, temporary files and stale
+ # session information should be retained. Data older than this value is deleted
+@@ -445,7 +445,7 @@
+ # Line-separated file. Paths listed here are ADDED to whatever the
+ # primary mode (users/path) produces — they do not replace it.
+ # Empty or missing file = no extra paths (no-op).
+-monitor_paths_extra="/usr/local/maldetect/monitor_paths.extra"
++monitor_paths_extra="/etc/maldet/monitor_paths.extra"
+
+ # Apply scan_ignore_root/scan_ignore_user/scan_ignore_group ownership
+ # filters during monitor mode file evaluation. When disabled (0, default),
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/files/hookscan.sh linux-malware-detect-2.0.1/files/hookscan.sh
+--- linux-malware-detect-2.0.1.orig/files/hookscan.sh 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/files/hookscan.sh 2026-05-26 09:12:06.409248730 +0000
+@@ -246,7 +246,7 @@
+ fi
+ fi
+
+-inspath="${inspath:-/usr/local/maldetect}"
++inspath="${inspath:-/usr/share/maldet}"
+ intcnf="$inspath/internals/internals.conf"
+ if [ -f "$intcnf" ]; then
+ # shellcheck disable=SC1090
+@@ -255,7 +255,7 @@
+
+ # Config parser (inline allowlist)
+
+-hookcnf="$inspath/conf.maldet.hookscan"
++hookcnf="$confpath/conf.maldet.hookscan"
+ if [ -f "$hookcnf" ]; then
+ while IFS= read -r _line; do
+ # Skip comments and blank lines
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/files/ignore_paths linux-malware-detect-2.0.1/files/ignore_paths
+--- linux-malware-detect-2.0.1.orig/files/ignore_paths 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/files/ignore_paths 2026-05-26 09:12:06.410380965 +0000
+@@ -1,2 +1,3 @@
+-/usr/local/maldetect
+-/usr/local/sbin/maldet
++/usr/share/maldet
++/var/lib/maldet
++/usr/sbin/maldet
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/files/internals/ignore_inotify.defaults linux-malware-detect-2.0.1/files/internals/ignore_inotify.defaults
+--- linux-malware-detect-2.0.1.orig/files/internals/ignore_inotify.defaults 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/files/internals/ignore_inotify.defaults 2026-05-26 09:12:06.409823276 +0000
+@@ -44,8 +44,8 @@
+ scantemp.
+
+ # LMD install paths (legacy + FHS) — covers scan temp workspaces transitively
+-/usr/local/maldetect/
+-/usr/local/sbin/maldet
++/usr/share/maldet/
++/usr/sbin/maldet
+ /var/lib/maldet/
+
+ # Device pseudo-fs (non-regular files)
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/files/internals/internals.conf linux-malware-detect-2.0.1/files/internals/internals.conf
+--- linux-malware-detect-2.0.1.orig/files/internals/internals.conf 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/files/internals/internals.conf 2026-05-26 09:12:06.408376699 +0000
+@@ -20,10 +20,10 @@
+ intfunc="$libpath/lmd.lib.sh"
+
+ logdir="/var/log/maldet"
+-confpath="$inspath"
++confpath="/etc/maldet"
+ cnffile="conf.maldet"
+ cnf="$confpath/$cnffile"
+-varlibpath="$inspath"
++varlibpath="/var/lib/maldet"
+ maldet_log="$logdir/event_log"
+ maldet_log_truncate="1"
+
+@@ -80,7 +80,7 @@
+ sessdir="$varlibpath/sess"
+ sigdir="$varlibpath/sigs"
+ cldir="$varlibpath/clean"
+-tmpdir="$inspath/tmp"
++tmpdir="$varlibpath/tmp"
+ userbasedir="$varlibpath/pub"
+ hits_history="$sessdir/hits.hist"
+ quar_history="$sessdir/quarantine.hist"
+@@ -111,7 +111,7 @@
+ sig_csig_file="$sigdir/csig.dat"
+ sig_user_csig_file="$sigdir/custom.csig.dat"
+
+-lmd_version_file="$inspath/VERSION"
++lmd_version_file="$varlibpath/VERSION"
+ lmd_referer="LMD:$lmd_version:$hostid"
+ lmd_hash_file="$inspath/internals/VERSION.hash"
+ lmd_hash_url="https://$base_domain/downloads/maldet.current.hash"
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/files/internals/lmd_monitor.sh linux-malware-detect-2.0.1/files/internals/lmd_monitor.sh
+--- linux-malware-detect-2.0.1.orig/files/internals/lmd_monitor.sh 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/files/internals/lmd_monitor.sh 2026-05-26 09:12:06.409013528 +0000
+@@ -226,9 +226,9 @@
+ # Runs every tick. Cheap operations only — no forks when possible.
+ # Config reload timer
+ _mon_elapsed=$((_mon_elapsed + inotify_sleep))
+- if [ "$_mon_elapsed" -ge "$inotify_reloadtime" ] || [ -f "$inspath/reload_monitor" ]; then
+- if [ -f "$inspath/reload_monitor" ]; then
+- command rm -f "$inspath/reload_monitor"
++ if [ "$_mon_elapsed" -ge "$inotify_reloadtime" ] || [ -f "$tmpdir/reload_monitor" ]; then
++ if [ -f "$tmpdir/reload_monitor" ]; then
++ command rm -f "$tmpdir/reload_monitor"
+ fi
+ # shellcheck disable=SC1090,SC1091
+ source "$intcnf"
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/files/maldet linux-malware-detect-2.0.1/files/maldet
+--- linux-malware-detect-2.0.1.orig/files/maldet 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/files/maldet 2026-05-26 09:12:06.408865197 +0000
+@@ -19,7 +19,7 @@
+ if [ -f "$_selfdir/internals/internals.conf" ]; then
+ inspath="$_selfdir"
+ else
+- inspath='/usr/local/maldetect'
++ inspath='/usr/share/maldet'
+ fi
+ unset _self _selfdir
+ fi
+@@ -639,7 +639,7 @@
+ eout "{mon} not currently supported under FreeBSD" 1
+ elif [ "$_mon_mode" == "reload" ] || [ "$_mon_mode" == "RELOAD" ]; then
+ eout "{mon} queued monitor for configuration reload" 1
+- command touch "$inspath/reload_monitor"
++ command touch "$tmpdir/reload_monitor"
+ else
+ svc=m
+ if [ "$set_background" = "1" ]; then
+diff -urN --no-dereference linux-malware-detect-2.0.1.orig/files/service/maldet.service linux-malware-detect-2.0.1/files/service/maldet.service
+--- linux-malware-detect-2.0.1.orig/files/service/maldet.service 2026-04-26 06:00:12.000000000 +0000
++++ linux-malware-detect-2.0.1/files/service/maldet.service 2026-05-26 09:12:06.410346242 +0000
+@@ -13,7 +13,7 @@
+ EnvironmentFile=-/etc/default/maldet
+ # If MONITOR_MODE is unset, maldet falls back to default_monitor_mode in
+ # conf.maldet. If that is also empty, the process exits 0 (no restart).
+-ExecStart=/usr/local/maldetect/maldet --monitor ${MONITOR_MODE}
++ExecStart=/usr/sbin/maldet --monitor ${MONITOR_MODE}
+ # No ExecStop — systemd sends SIGTERM to the supervisor directly;
+ # the supervisor trap handler performs clean shutdown.
+ # maldet -k also delegates to systemctl stop when the service is active.
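Review bot: In the hookscan.sh hunk, `hookcnf="$confpath/conf.maldet.hookscan"` depends on `$confpath`, which is only set when internals.conf exists and is sourced by the `if [ -f "$intcnf" ]` block just above; the replaced `$inspath/...` form always had a value, so on an incomplete install the new line degrades to `/conf.maldet.hookscan` at the filesystem root. Give it a fallback matching the new layout: `hookcnf="${confpath:-/etc/maldet}/conf.maldet.hookscan"`. The enclosing block of hookscan.sh continues outside the hunk. Also, the internals.conf hunk moves `lmd_version_file` to `$varlibpath/VERSION`, but nothing in maldet.spec's %install creates a VERSION file under %{_statedir} (only files/VERSION.hash is installed, under internals); if maldet reads that file for version reporting it will be absent on a fresh install, which is worth confirming.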
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/maldet.git/commitdiff/49ed943f1b70dc061688f9e1152b748c064dbcdb