Announcement

Collapse
No announcement yet.

Help with imunifyAV for resellers in cpanel!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Help with imunifyAV for resellers in cpanel!

    Hello

    I have ImunifyAV (free version) installed in all my cpanel servers.
    Few days ago, i added to the resellers in whm the feature to scan their own sites thru the whm interface. It works perfect, but... the reseller can see and scan ALL sites hosted in the server, even sites that not own. (I mean, the reseller get some kind of root privileges to scan all sites in server instead to check the sites of the resller list)

    I added as feature imunifyAV in each cpanel end user. Imunify appears now.. but the user can´t do anything.. no scan, etc.. none action can be possible from cpanel user interface.

    I sent a ticket to Cloudlinux support about this (as they have ImunifyAV in the list of products to send tickets).. but they answered me as the sotfrware is free they not includes any support. ;(

    Anyone can help me on this?

    Thanks
    Fabian

  • #2
    Hello Fabian,

    I am sorry that you weren't able to find the information needed, it is possible that the issue is non-standard, though. Let my address your question and if there will be further inquiries, please ask.

    1. Whenever Native feature control for cPanel is activated, a user with reseller’s role and View Reports plus Cleanup package permissions should be able to list the malware found and apply Cleanup action in the corresponding user’s directory only. Although, with the reseller role, the observed behaviour was confirmed. It is recommended to remove access to Imunify for resellers.

    The root (or other users with root privileges) will be able to see the scan history of every user, while regular users, should not see all users’ scan results. Although Imunify service indeed is working under the root account, regular users are limited to scan paths only those that they have access to. As for the reseller user it is not expected to be able to list of all the domains hosted, and as of now the corresponding task to alter such a behaviour is considered a feature request.

    Short side note, it is sometimes possible to list the previous user’s scan results if an account was renamed or ID was.

    In general, cPanel's Native feature management allows you to predefine the package and set it for the user. The main benefit of using Native feature management is the possibility to control users with the cPanel packages. The Package allows switching between these three modes:
    1. Not available,
    2. View Reports-only
    3. Reports and Cleanup.
    With the last option switched on, a user should be able to see the list of detections and also Cleanup files. As such, for the usage of the Native feature management scenario, could you please check that the package defines permissions as View plus Cleanup and that the feature set for the reseller’s package includes Imunify plugin?

    If both are in place the disappearance issue is not expected, although if the Imunify plugin feature was removed from the package, such a package will not allow the user to use the Imunify plugin’s UI and the user side UI might be hidden completely, include the feature to the plan and use:
    Code:
    /usr/share/av-userside-plugin.sh
    to enable the UI.


    2. Furthermore, there with both feature management systems there are per user permissions that can help to limit or grant access in a more granular way, and in this regard, the “feature av” parameter which is used for the Malware Cleanup possibility can be used as described in the article:
    https://docs.imunifyav.com/cli/#feature-management

    So with this global and override options in mind it is possible to allow the user, say “reseller” to run the scanner despite the global setting as per:

    Code:
    imunify-antivirus feature-management enable --feature av --users reseller
    While to allow users to use scan globally:

    Code:
    imunify-antivirus config update '{"PERMISSIONS": {"allow_malware_scan": true}}'
    Global configurations can be shown with:

    Code:
    imunify-antivirus config show defaults
    The global preferences will not change per user permission. Although, those can be shown with:

    Code:
    imunify-antivirus feature-management show -v --json
    and reassigned if needed:

    Code:
    imunify-antivirus feature-management show -v –json | jq '.items' | jq '.[]' | jq '.name' | xargs imunify-antivirus feature-management enable --feature av –users;
    The reseller still will be able to see all account, even if those do not belong to the account. Please, let us know if this can satisfy your needs.

    Worth mentioning that user overriding preferences, there are options to give more granular control, e.g. deny all users access to ignore list, deny starting scans, and allow one user to override server-wide configuration set by an admin:
    https://docs.imunifyav.com/config_file_description
    For example, regarding user_ignore_list parameter, a user can add detected files to ignore lists, provided the privilege is granted in the permissions section of the configuration file:
    Code:
    /etc/sysconfig/imunify360/imunify360.config
    Last edited by mchernyavsky; 09-08-2022, 06:23 AM.

    Comment

    Working...
    X