Run ConfigServer eXploit Scanner CXS inside CloudLinux LVE

Operating System & Version
CloudLinux 7.7
cPanel & WHM Version
86.0.18

actihost

Hello, I notice that with the default installation of ConfigServer eXploit Scanner CXS my server starts running slow during the cron scans. I tried to add a lve_suwrapper in /etc/cron.d/cxs-cron but it seems that the scans are not working anymore:

@daily lve_suwrapper 101 root /usr/sbin/cxs --report /var/log/cxsreports/scandaily.log --quiet --nosummary --www --mail root --virusscan --ignore /etc/cxs/cxs.ignore --options OLfmMCh$
@weekly lve_suwrapper 101 root /usr/sbin/cxs --report /var/log/cxsreports/scanweekly.log --quiet --nosummary --www --mail root --virusscan --ignore /etc/cxs/cxs.ignore --options OLfmM$

Maybe I'm doing something wrong? Thanks
 

fuzzylogic

Manual is here...
WHM » Home » Plugins » ConfigServer eXploit Scanner » Documentation

--options OLfmMCh$
The dollar sign ($) is not a valid option, delete it.
That is not making it slow.

Always make sure your commands run from the terminal as root before moving them to a cron job.
To see what's going on, lose the --quiet and the --nosummary.
To test in a reasonable amount of time, limit the scan to one user; add --user username
so...
Code:
[email protected] [/]#/usr/sbin/cxs --report /var/log/cxsreports/scanweekly.log --www --mail root --virusscan --ignore /etc/cxs/cxs.ignore --options OLfmM --user username
If you see dollar signs ($) in the output,
..............f........$.........#..............$.........
it means that clamscan is not running or not found at the default locations.
If your quarantine directory is not found that will also be in the report.
In my tests this scan took 143 seconds to scan an account with a WordPress install with about 8000 files.

If the last command is working, now try...
Code:
[email protected] [/]#/usr/sbin/cxs --report /var/log/cxsreports/scanweekly.log --www --mail root --virusscan --ignore /etc/cxs/cxs.ignore --options OLfmM --user username --ctime 25
Note the --ctime 25
In my tests this took 10 seconds
With the resources just gained you might want to try losing the --www so that the whole user account directory is scanned.
In my tests this took 20 seconds

In WHM » Home » Plugins » ConfigServer eXploit Scanner » Documentation
From the RECOMMENDATIONS section...
4. Create a daily and weekly cron job to scan all user accounts e.g. create /etc/cron.d/cxs-cron and add:
Code:
@daily root /usr/sbin/cxs --report /var/log/cxsreports/scan.log --www --mail root --virusscan --quarantine /home/quarantine --qoptions Mv --ignore /etc/cxs/cxs.ignore --options OLfmMChexdDZRrP --ctime 25 --all
Code:
@weekly root /usr/sbin/cxs --report /var/log/cxsreports/scan.log --www --mail root --virusscan --quarantine /home/quarantine --qoptions Mv --ignore /etc/cxs/cxs.ignore --options OLfmMChexdDZRrP --all
To speed up the @weekly you could add --ctime=169 so that only new files are scanned.

Using the --ctime option the matched file will only be reported the first time it is found.
It won't be scanned again unless it changes.
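
The cron-entry checks discussed in the reply above, as an added example that is not part of the thread or of cxs itself: it splits /etc/cron.d-style lines into schedule, user and command, shows which field cron takes as the user, and flags non-letter characters in --options and a missing --ctime on @daily entries. The function names and the `known_users` default are assumptions, and the sample lines are constructed from entries quoted in the thread.

```python
# Added example: lint /etc/cron.d-style entries that run cxs. Nothing here calls cxs.
# SAMPLE is constructed from lines quoted in the thread (first entry as posted).
SAMPLE = """\
@daily lve_suwrapper 101 root /usr/sbin/cxs --report /var/log/cxsreports/scandaily.log --quiet --nosummary --www --mail root --virusscan --ignore /etc/cxs/cxs.ignore --options OLfmMCh$
@daily root /usr/sbin/cxs --report /var/log/cxsreports/scan.log --www --mail root --virusscan --quarantine /home/quarantine --qoptions Mv --ignore /etc/cxs/cxs.ignore --options OLfmMChexdDZRrP --ctime 25 --all
@weekly root /usr/sbin/cxs --report /var/log/cxsreports/scan.log --www --mail root --virusscan --ignore /etc/cxs/cxs.ignore --options OLfmM --ctime=169 --all
"""


def parse_cron_d_line(line):
    """Split a system crontab entry into (schedule, user, argv).

    Files in /etc/cron.d carry a user field between the schedule and the command.
    """
    fields = line.split()
    n = 1 if fields[0].startswith("@") else 5  # @daily etc. vs. five time fields
    return " ".join(fields[:n]), fields[n], fields[n + 1:]


def option_value(argv, name):
    """Return the value of '--name VALUE' or '--name=VALUE', or None if absent."""
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None


def lint(line, known_users=("root",)):
    """Return a list of findings for one entry; an empty list means clean."""
    schedule, user, argv = parse_cron_d_line(line)
    findings = []
    if user not in known_users:  # known_users is an assumption for this example
        first = argv[0] if argv else ""
        findings.append(f"user field is {user!r}; cron reads the command as starting with {first!r}")
    opts = option_value(argv, "--options")
    if opts is not None and not opts.isalpha():
        bad = "".join(c for c in opts if not c.isalpha())
        findings.append(f"--options contains non-letter character(s) {bad!r}")
    if schedule == "@daily" and option_value(argv, "--ctime") is None:
        findings.append("no --ctime: unchanged files are rescanned on every daily run")
    return findings


if __name__ == "__main__":
    for entry in SAMPLE.splitlines():
        print(entry[:45] + "...", lint(entry) or "OK")
```
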
 

actihost

Hello @fuzzylogic, thanks for your reply!

I see that adding "$" is wrong, but the weird thing is that the ConfigServer support team itself installed and configured everything as part of their ConfigServer Server Services.

The problem is that every week or two, at the same hour, my server starts to run at high load and all the PHP processes in the cPanel accounts, like WordPress installations, start to run at the same time. The only thing that I believe can maybe trigger this is the weekly CXS scan misconfiguration. Also, if that scan runs daily, would it be safe to avoid the weekly?

That's why I want to put those processes in a CloudLinux LVE wrapper so I can get more control over them.
 

cPanelLauren

Product Owner
Staff member
Thank you @fuzzylogic for the information on this.

@actihost I'd suggest contacting ConfigServer for further information on their plugin; this isn't something that is provided or supported by cPanel.