On Wed, 2006-06-28 at 16:38 -0500, Marc Schwartz (via MN) wrote:
On Wed, 2006-06-28 at 22:23 +0100, Paul Howarth wrote:
> On Wed, 2006-06-28 at 15:56 -0500, Marc Schwartz (via MN) wrote:
<snip>
> >
> > There are no .forward files on my system at all, unless that is a temp
> > file, which does not make sense location-wise.
> >
> > A Google search came up empty for that file, so I can only presume that
> > there are certain configuration scenarios where the pipelining of
> > e-mails would require that file.
> >
> > Since I am using clamassassin, I also searched through that script and
> > noted nothing relevant here.
> >
> > Not sure what else to make of it.
>
> That might be dontaudit-able. Is /var/lib/clamav any user's home
> directory?

The /var/lib/clamav tree appears to be owned by 'clamav', both user and
group:

$ ls -l /var/lib
total 264
...
drwxr-xr-x 2 clamav clamav 4096 Jun 28 11:00 clamav
...
$ ls -l /var/lib/clamav
total 8832
-rw-r--r-- 1 clamav clamav 4050 Jun 28 11:01 clamav-4d6166b710f63075
-rw-r--r-- 1 clamav clamav 3640966 Jun 9 16:49 clamav-651c96be267fc93e
-rw-r--r-- 1 clamav clamav 380351 Jun 28 08:00 daily.cvd
-rw-r--r-- 1 clamav clamav 4978654 Jun 9 18:00 main.cvd
$ cat /etc/passwd | grep clamav
clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin
$ cat /etc/group | grep clamav
clamav:x:101:

The search in /var/lib/clamav is probably a result of something running
as that user, perhaps procmail. Does the clamav user get any mail?

Paul.