From 3267bef9d20fa501e21990de5fcecfcb34699ff6 Mon Sep 17 00:00:00 2001
From: AnsibleRoles <>
Date: Tue, 6 Jul 2021 01:10:25 +0000
Subject: [PATCH 01/34] Initial commit
---
.gitignore | 433 +++++++++++++++++++++++++++++++++++++++++++++++++++++
LICENSE | 163 ++++++++++++++++++++
README.md | 2 +
3 files changed, 598 insertions(+)
create mode 100644 .gitignore
create mode 100644 LICENSE
create mode 100644 README.md
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6a02d93
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,433 @@
+# ---> Ansible
+*.retry
+
+# ---> Linux
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+# ---> Windows
+# Windows thumbnail cache files
+Thumbs.db
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
+
+# ---> macOS
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+# ---> Vim
+# Swap
+[._]*.s[a-v][a-z]
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+
+# ---> VisualStudio
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUNIT
+*.VisualState.xml
+TestResult.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding add-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# JetBrains Rider
+.idea/
+*.sln.iml
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# ---> VisualStudioCode
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..1344add
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,163 @@
+GNU LESSER GENERAL PUBLIC LICENSE
+
+Version 3, 29 June 2007
+
+Copyright (C) 2007 Free Software Foundation, Inc.
+
+Everyone is permitted to copy and distribute verbatim copies of this license
+document, but changing it is not allowed.
+
+This version of the GNU Lesser General Public License incorporates the terms
+and conditions of version 3 of the GNU General Public License, supplemented
+by the additional permissions listed below.
+
+ 0. Additional Definitions.
+
+
+
+As used herein, "this License" refers to version 3 of the GNU Lesser General
+Public License, and the "GNU GPL" refers to version 3 of the GNU General Public
+License.
+
+
+
+"The Library" refers to a covered work governed by this License, other than
+an Application or a Combined Work as defined below.
+
+
+
+An "Application" is any work that makes use of an interface provided by the
+Library, but which is not otherwise based on the Library. Defining a subclass
+of a class defined by the Library is deemed a mode of using an interface provided
+by the Library.
+
+
+
+A "Combined Work" is a work produced by combining or linking an Application
+with the Library. The particular version of the Library with which the Combined
+Work was made is also called the "Linked Version".
+
+
+
+The "Minimal Corresponding Source" for a Combined Work means the Corresponding
+Source for the Combined Work, excluding any source code for portions of the
+Combined Work that, considered in isolation, are based on the Application,
+and not on the Linked Version.
+
+
+
+The "Corresponding Application Code" for a Combined Work means the object
+code and/or source code for the Application, including any data and utility
+programs needed for reproducing the Combined Work from the Application, but
+excluding the System Libraries of the Combined Work.
+
+ 1. Exception to Section 3 of the GNU GPL.
+
+You may convey a covered work under sections 3 and 4 of this License without
+being bound by section 3 of the GNU GPL.
+
+ 2. Conveying Modified Versions.
+
+If you modify a copy of the Library, and, in your modifications, a facility
+refers to a function or data to be supplied by an Application that uses the
+facility (other than as an argument passed when the facility is invoked),
+then you may convey a copy of the modified version:
+
+a) under this License, provided that you make a good faith effort to ensure
+that, in the event an Application does not supply the function or data, the
+facility still operates, and performs whatever part of its purpose remains
+meaningful, or
+
+b) under the GNU GPL, with none of the additional permissions of this License
+applicable to that copy.
+
+ 3. Object Code Incorporating Material from Library Header Files.
+
+The object code form of an Application may incorporate material from a header
+file that is part of the Library. You may convey such object code under terms
+of your choice, provided that, if the incorporated material is not limited
+to numerical parameters, data structure layouts and accessors, or small macros,
+inline functions and templates (ten or fewer lines in length), you do both
+of the following:
+
+a) Give prominent notice with each copy of the object code that the Library
+is used in it and that the Library and its use are covered by this License.
+
+b) Accompany the object code with a copy of the GNU GPL and this license document.
+
+ 4. Combined Works.
+
+You may convey a Combined Work under terms of your choice that, taken together,
+effectively do not restrict modification of the portions of the Library contained
+in the Combined Work and reverse engineering for debugging such modifications,
+if you also do each of the following:
+
+a) Give prominent notice with each copy of the Combined Work that the Library
+is used in it and that the Library and its use are covered by this License.
+
+b) Accompany the Combined Work with a copy of the GNU GPL and this license
+document.
+
+c) For a Combined Work that displays copyright notices during execution, include
+the copyright notice for the Library among these notices, as well as a reference
+directing the user to the copies of the GNU GPL and this license document.
+
+ d) Do one of the following:
+
+0) Convey the Minimal Corresponding Source under the terms of this License,
+and the Corresponding Application Code in a form suitable for, and under terms
+that permit, the user to recombine or relink the Application with a modified
+version of the Linked Version to produce a modified Combined Work, in the
+manner specified by section 6 of the GNU GPL for conveying Corresponding Source.
+
+1) Use a suitable shared library mechanism for linking with the Library. A
+suitable mechanism is one that (a) uses at run time a copy of the Library
+already present on the user's computer system, and (b) will operate properly
+with a modified version of the Library that is interface-compatible with the
+Linked Version.
+
+e) Provide Installation Information, but only if you would otherwise be required
+to provide such information under section 6 of the GNU GPL, and only to the
+extent that such information is necessary to install and execute a modified
+version of the Combined Work produced by recombining or relinking the Application
+with a modified version of the Linked Version. (If you use option 4d0, the
+Installation Information must accompany the Minimal Corresponding Source and
+Corresponding Application Code. If you use option 4d1, you must provide the
+Installation Information in the manner specified by section 6 of the GNU GPL
+for conveying Corresponding Source.)
+
+ 5. Combined Libraries.
+
+You may place library facilities that are a work based on the Library side
+by side in a single library together with other library facilities that are
+not Applications and are not covered by this License, and convey such a combined
+library under terms of your choice, if you do both of the following:
+
+a) Accompany the combined library with a copy of the same work based on the
+Library, uncombined with any other library facilities, conveyed under the
+terms of this License.
+
+b) Give prominent notice with the combined library that part of it is a work
+based on the Library, and explaining where to find the accompanying uncombined
+form of the same work.
+
+ 6. Revised Versions of the GNU Lesser General Public License.
+
+The Free Software Foundation may publish revised and/or new versions of the
+GNU Lesser General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to address
+new problems or concerns.
+
+Each version is given a distinguishing version number. If the Library as you
+received it specifies that a certain numbered version of the GNU Lesser General
+Public License "or any later version" applies to it, you have the option of
+following the terms and conditions either of that published version or of
+any later version published by the Free Software Foundation. If the Library
+as you received it does not specify a version number of the GNU Lesser General
+Public License, you may choose any version of the GNU Lesser General Public
+License ever published by the Free Software Foundation.
+
+If the Library as you received it specifies that a proxy can decide whether
+future versions of the GNU Lesser General Public License shall apply, that
+proxy's public statement of acceptance of any version is permanent authorization
+for you to choose that version for the Library.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c78cafa
--- /dev/null
+++ b/README.md
@@ -0,0 +1,2 @@
+# ensure_clamav
+
From 4751219758553f8523f2520209421bd2d2f0ba81 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 01:38:24 +0000
Subject: [PATCH 02/34] Initial version with only updating for Fedora 34
---
.gitignore | 45 ++----
README.md | 38 ++++-
defaults/main.yml | 2 +
handlers/main.yml | 6 +
meta/main.yml | 53 +++++++
tasks/main.yml | 91 +++++++++++
templates/Fedora/34/etc/freshclam.conf | 204 +++++++++++++++++++++++++
tests/inventory | 2 +
tests/test.yml | 5 +
vars/Fedora-34-default.yml | 24 +++
vars/default.yml | 2 +
vars/main.yml | 2 +
12 files changed, 441 insertions(+), 33 deletions(-)
create mode 100644 defaults/main.yml
create mode 100644 handlers/main.yml
create mode 100644 meta/main.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/Fedora/34/etc/freshclam.conf
create mode 100644 tests/inventory
create mode 100644 tests/test.yml
create mode 100644 vars/Fedora-34-default.yml
create mode 100644 vars/default.yml
create mode 100644 vars/main.yml
diff --git a/.gitignore b/.gitignore
index 6a02d93..c7056e6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,21 +1,6 @@
# ---> Ansible
*.retry
-# ---> Linux
-*~
-
-# temporary files which can be created if a process still has a handle open of a deleted file
-.fuse_hidden*
-
-# KDE directory preferences
-.directory
-
-# Linux trash folder which might appear on any partition or disk
-.Trash-*
-
-# .nfs files are created when an open file is removed but is still being accessed
-.nfs*
-
# ---> Windows
# Windows thumbnail cache files
Thumbs.db
@@ -69,24 +54,20 @@ Network Trash Folder
Temporary Items
.apdisk
-# ---> Vim
-# Swap
-[._]*.s[a-v][a-z]
-[._]*.sw[a-p]
-[._]s[a-rt-v][a-z]
-[._]ss[a-gi-z]
-[._]sw[a-p]
-
-# Session
-Session.vim
-
-# Temporary
-.netrwhist
+# ---> Linux
*~
-# Auto-generated tag files
-tags
-# Persistent undo
-[._]*.un~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
# ---> VisualStudio
## Ignore Visual Studio temporary files, build results, and
diff --git a/README.md b/README.md
index c78cafa..3ccecb1 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,38 @@
-# ensure_clamav
+Role Name
+=========
+Ensures clamav is running
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+LGPL-3.0-or-later
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..616a3ab
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for ensure_clamav
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..82af745
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# handlers file for ensure_clamav
+- name: 'ensure_clamav.package_facts'
+ ansible.builtin.package_facts:
+- name: 'ensure_clamav.service_facts'
+ ansible.builtin.service_facts:
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..3701fd0
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,53 @@
+galaxy_info:
+ author: Jason Rothstein
+ description: Ensures clamav is installed, running, and functional
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: LGPL-3.0-or-later
+
+ min_ansible_version: 2.9
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..8615f73
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,91 @@
+---
+# tasks file for ensure_clamav
+- name: 'include variables'
+ when:
+ - ansible_system == 'Linux'
+ include_vars:
+ file: '{{ lookup("first_found", findme ) }}'
+ name: 'ensure_clamav'
+ vars:
+ findme:
+ files:
+ - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml'
+ - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-default.yml'
+ - '{{ ansible_distribution }}-default.yml'
+ - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml'
+ - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-default.yml'
+ - '{{ ansible_os_family }}-default.yml'
+ - 'default.yml'
+ paths:
+ - '../vars/'
+ errors: 'ignore'
+- name: 'package discovery'
+ when:
+ - ansible_system == 'Linux'
+ - packages is not defined
+ ansible.builtin.package_facts:
+- name: 'service discovery'
+ when:
+ - ansible_system == 'Linux'
+ - services is not defined
+ ansible.builtin.service_facts:
+- name: 'ensure packages'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_clamav is defined
+ - ensure_clamav.package_list is defined
+ - ensure_clamav.package_list is iterable
+ - packages[item.name] is not defined
+ ansible.builtin.package:
+ name: '{{ item.name }}'
+ state: '{{ item.state }}'
+ loop: '{{ ensure_clamav.package_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.state }}'
+ notify:
+ - 'ensure_clamav.package_facts'
+ - 'ensure_clamav.service_facts'
+- name: 'ensure services'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_clamav is defined
+ - ensure_clamav.service_list is defined
+ - ensure_clamav.service_list is iterable
+ ansible.builtin.service:
+ enabled: '{{ item.enabled }}'
+ name: '{{ item.name }}'
+ state: '{{ item.state }}'
+ loop: '{{ ensure_clamav.service_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.state }}'
+ notify:
+ - 'ensure_clamav.package_facts'
+ - 'ensure_clamav.service_facts'
+- name: 'flush handlers'
+ meta: 'flush_handlers'
+- name: 'ensure configurations'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_clamav is defined
+ - ensure_clamav.template_list is defined
+ - ensure_clamav.template_list is iterable
+ ansible.builtin.template:
+ backup: 'no'
+ dest: '{{ item.dest }}'
+ group: '{{ item.group | default(omit) }}'
+ mode: '{{ item.mode | default(omit) }}'
+ owner: '{{ item.owner | default(omit) }}'
+ selevel: '{{ iteml.selevel | default(omit) }}'
+ serole: '{{ item.serole | default(omit) }}'
+ setype: '{{ item.setype | default(omit) }}'
+ seuser: '{{ item.seuser | default(omit) }}'
+ src: '{{ item.src }}'
+ loop: '{{ ensure_clamav.template_list }}'
+ loop_control:
+ label: '{{ item.dest }} will be ensured'
+ notify:
+ - 'ensure_clamav.package_facts'
+ - 'ensure_clamav.service_facts'
+- name: 'flush handlers'
+ meta: 'flush_handlers'
+
diff --git a/templates/Fedora/34/etc/freshclam.conf b/templates/Fedora/34/etc/freshclam.conf
new file mode 100644
index 0000000..fde5974
--- /dev/null
+++ b/templates/Fedora/34/etc/freshclam.conf
@@ -0,0 +1,204 @@
+##
+## Example config file for freshclam
+## Please read the freshclam.conf(5) manual before editing this file.
+##
+
+
+# Comment or remove the line below.
+#Example
+
+# Path to the database directory.
+# WARNING: It must match clamd.conf's directive!
+# Default: hardcoded (depends on installation options)
+#DatabaseDirectory /var/lib/clamav
+
+# Path to the log file (make sure it has proper permissions)
+# Default: disabled
+#UpdateLogFile /var/log/freshclam.log
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
+# log rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+#LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+#LogTime yes
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Use system logger (can work together with UpdateLogFile).
+# Default: no
+#LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# This option allows you to save the process identifier of the daemon
+# This file will be owned by root, as long as freshclam was started by root.
+# It is recommended that the directory where this file is stored is
+# also owned by root to keep other users from tampering with it.
+# Default: disabled
+#PidFile /var/run/freshclam.pid
+
+# By default when started freshclam drops privileges and switches to the
+# "clamav" user. This directive allows you to change the database owner.
+# Default: clamav (may depend on installation options)
+#DatabaseOwner clamupdate
+
+# Use DNS to verify virus database version. FreshClam uses DNS TXT records
+# to verify database and software versions. With this directive you can change
+# the database verification domain.
+# WARNING: Do not touch it unless you're configuring freshclam to use your
+# own database verification domain.
+# Default: current.cvd.clamav.net
+#DNSDatabaseInfo current.cvd.clamav.net
+
+# database.clamav.net is now the primary domain name to be used world-wide.
+# Now that CloudFlare is being used as our Content Delivery Network (CDN),
+# this one domain name works world-wide to direct freshclam to the closest
+# geographic endpoint.
+# If the old db.XY.clamav.net domains are set, freshclam will automatically
+# use database.clamav.net instead.
+DatabaseMirror database.clamav.net
+
+# How many attempts to make before giving up.
+# Default: 3 (per mirror)
+#MaxAttempts 5
+
+# With this option you can control scripted updates. It's highly recommended
+# to keep it enabled.
+# Default: yes
+#ScriptedUpdates yes
+
+# By default freshclam will keep the local databases (.cld) uncompressed to
+# make their handling faster. With this option you can enable the compression;
+# the change will take effect with the next database update.
+# Default: no
+#CompressLocalDatabase no
+
+# With this option you can provide custom sources for database files.
+# This option can be used multiple times. Support for:
+# http(s)://, ftp(s)://, or file://
+# Default: no custom URLs
+#DatabaseCustomURL http://myserver.example.com/mysigs.ndb
+#DatabaseCustomURL https://myserver.example.com/mysigs.ndb
+#DatabaseCustomURL https://myserver.example.com:4567/whitelist.wdb
+#DatabaseCustomURL ftp://myserver.example.com/example.ldb
+#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
+#DatabaseCustomURL file:///mnt/nfs/local.hdb
+
+# This option allows you to easily point freshclam to private mirrors.
+# If PrivateMirror is set, freshclam does not attempt to use DNS
+# to determine whether its databases are out-of-date, instead it will
+# use the If-Modified-Since request or directly check the headers of the
+# remote database files. For each database, freshclam first attempts
+# to download the CLD file. If that fails, it tries to download the
+# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
+# and ScriptedUpdates. It can be used multiple times to provide
+# fall-back mirrors.
+# Default: disabled
+#PrivateMirror mirror1.example.com
+#PrivateMirror mirror2.example.com
+
+# Number of database checks per day.
+# Default: 12 (every two hours)
+#Checks 24
+
+# Proxy settings
+# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
+# of proxy is used.
+# http:// HTTP Proxy. Default when no scheme or proxy type is specified.
+# https:// HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
+# socks4:// SOCKS4 Proxy.
+# socks4a:// SOCKS4a Proxy. Proxy resolves URL hostname.
+# socks5:// SOCKS5 Proxy.
+# socks5h:// SOCKS5 Proxy. Proxy resolves URL hostname.
+# Default: disabled
+#HTTPProxyServer https://proxy.example.com
+#HTTPProxyPort 1234
+#HTTPProxyUsername myusername
+#HTTPProxyPassword mypass
+
+# If your servers are behind a firewall/proxy which applies User-Agent
+# filtering you can use this option to force the use of a different
+# User-Agent header.
+# As of ClamAV 0.103.3, this setting may not be used when updating from the
+# clamav.net CDN and can only be used when updating from a private mirror.
+# Default: clamav/version_number (OS: ..., ARCH: ..., CPU: ..., UUID: ...)
+#HTTPUserAgent SomeUserAgentIdString
+
+# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
+# multi-homed systems.
+# Default: Use OS'es default outgoing IP address.
+#LocalIPAddress aaa.bbb.ccc.ddd
+
+# Send the RELOAD command to clamd.
+# Default: no
+#NotifyClamd /path/to/clamd.conf
+
+# Run command after successful database update.
+# Use EXIT_1 to return 1 after successful database update.
+# Default: disabled
+#OnUpdateExecute command
+
+# Run command when database update process fails.
+# Default: disabled
+#OnErrorExecute command
+
+# Run command when freshclam reports outdated version.
+# In the command string %v will be replaced by the new version number.
+# Default: disabled
+#OnOutdatedExecute command
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Timeout in seconds when connecting to database server.
+# Default: 30
+#ConnectTimeout 60
+
+# Maximum time in seconds for each download operation. 0 means no timeout.
+# Default: 0
+#ReceiveTimeout 1800
+
+# With this option enabled, freshclam will attempt to load new databases into
+# memory to make sure they are properly handled by libclamav before replacing
+# the old ones.
+# Tip: This feature uses a lot of RAM. If your system has limited RAM and you
+# are actively running ClamD or ClamScan during the update, then you may need
+# to set `TestDatabases no`.
+# Default: yes
+#TestDatabases no
+
+# This option enables downloading of bytecode.cvd, which includes additional
+# detection mechanisms and improvements to the ClamAV engine.
+# Default: yes
+#Bytecode no
+
+# Include an optional signature databases (opt-in).
+# This option can be used multiple times.
+#ExtraDatabase dbname1
+#ExtraDatabase dbname2
+
+# Exclude a standard signature database (opt-out).
+# This option can be used multiple times.
+#ExcludeDatabase dbname1
+#ExcludeDatabase dbname2
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..f5c9d6a
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - ensure_clamav
\ No newline at end of file
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
new file mode 100644
index 0000000..f7e03bd
--- /dev/null
+++ b/vars/Fedora-34-default.yml
@@ -0,0 +1,24 @@
+---
+# vars file for ensure_clamav
+package_list:
+ - name: 'clamav'
+ state: 'present'
+ - name: 'clamav-data'
+ state: 'present'
+ - name: 'clamav-filesystem'
+ state: 'present'
+ - name: 'clamav-lib'
+ state: 'present'
+ - name: 'clamav-update'
+ state: 'present'
+service_list:
+ - name: 'clamav-freshclam.service'
+ state: 'started'
+ enabled: 'yes'
+template_list:
+ - dest: '/etc/freshclam.conf'
+ group: 'root'
+ mode: '0600'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/freshclam.conf'
+
diff --git a/vars/default.yml b/vars/default.yml
new file mode 100644
index 0000000..5862be5
--- /dev/null
+++ b/vars/default.yml
@@ -0,0 +1,2 @@
+---
+# vars file for ensure_clamav
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..b51b1f8
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for ensure_clamav
From 29043741f754d18cf389f3a69f84dba6775676c6 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 02:30:41 +0000
Subject: [PATCH 03/34] Enable clamd with OnAccess scanning
---
templates/Fedora/34/etc/clamd.d/scan.conf | 796 ++++++++++++++++++++++
vars/Fedora-34-default.yml | 13 +
2 files changed, 809 insertions(+)
create mode 100644 templates/Fedora/34/etc/clamd.d/scan.conf
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
new file mode 100644
index 0000000..1d61a20
--- /dev/null
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -0,0 +1,796 @@
+##
+## Example config file for the Clam AV daemon
+## Please read the clamd.conf(5) manual before editing this file.
+##
+
+
+# Comment or remove the line below.
+#Example
+
+# Uncomment this option to enable logging.
+# LogFile must be writable for the user running daemon.
+# A full path is required.
+# Default: disabled
+#LogFile /var/log/clamd.scan
+
+# By default the log file is locked for writing - the lock protects against
+# running clamd multiple times (if want to run another clamd, please
+# copy the configuration file, change the LogFile variable, and run
+# the daemon with --config-file option).
+# This option disables log file locking.
+# Default: no
+#LogFileUnlock yes
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
+# rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+#LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+#LogTime yes
+
+# Also log clean files. Useful in debugging but drastically increases the
+# log size.
+# Default: no
+#LogClean yes
+
+# Use system logger (can work together with LogFile).
+# Default: no
+LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# Enable Prelude output.
+# Default: no
+#PreludeEnable yes
+#
+# Set the name of the analyzer used by prelude-admin.
+# Default: ClamAV
+#PreludeAnalyzerName ClamAV
+
+# Log additional information about the infected file, such as its
+# size and hash, together with the virus name.
+#ExtendedDetectionInfo yes
+
+# This option allows you to save a process identifier of the listening
+# daemon (main thread).
+# This file will be owned by root, as long as clamd was started by root.
+# It is recommended that the directory where this file is stored is
+# also owned by root to keep other users from tampering with it.
+# Default: disabled
+#PidFile /run/clamd.scan/clamd.pid
+
+# Optional path to the global temporary directory.
+# Default: system specific (usually /tmp or /var/tmp).
+#TemporaryDirectory /var/tmp
+
+# Path to the database directory.
+# Default: hardcoded (depends on installation options)
+#DatabaseDirectory /var/lib/clamav
+
+# Only load the official signatures published by the ClamAV project.
+# Default: no
+#OfficialDatabaseOnly no
+
+# The daemon can work in local mode, network mode or both.
+# Due to security reasons we recommend the local mode.
+
+# Path to a local socket file the daemon will listen on.
+# Default: disabled (must be specified by a user)
+#LocalSocket /run/clamd.scan/clamd.sock
+LocalSocket /run/clamd.scan/clamd.sock
+
+# Sets the group ownership on the unix socket.
+# Default: disabled (the primary group of the user running clamd)
+#LocalSocketGroup virusgroup
+
+# Sets the permissions on the unix socket to the specified mode.
+# Default: disabled (socket is world accessible)
+#LocalSocketMode 660
+
+# Remove stale socket after unclean shutdown.
+# Default: yes
+#FixStaleSocket yes
+
+# TCP port address.
+# Default: no
+#TCPSocket 3310
+
+# TCP address.
+# By default we bind to INADDR_ANY, probably not wise.
+# Enable the following to provide some degree of protection
+# from the outside world. This option can be specified multiple
+# times if you want to listen on multiple IPs. IPv6 is now supported.
+# Default: no
+#TCPAddr 127.0.0.1
+
+# Maximum length the queue of pending connections may grow to.
+# Default: 200
+#MaxConnectionQueueLength 30
+
+# Clamd uses FTP-like protocol to receive data from remote clients.
+# If you are using clamav-milter to balance load between remote clamd daemons
+# on firewall servers you may need to tune the options below.
+
+# Close the connection when the data size limit is exceeded.
+# The value should match your MTA's limit for a maximum attachment size.
+# Default: 25M
+#StreamMaxLength 10M
+
+# Limit port range.
+# Default: 1024
+#StreamMinPort 30000
+# Default: 2048
+#StreamMaxPort 32000
+
+# Maximum number of threads running at the same time.
+# Default: 10
+#MaxThreads 20
+
+# Waiting for data from a client socket will timeout after this time (seconds).
+# Default: 120
+#ReadTimeout 300
+
+# This option specifies the time (in seconds) after which clamd should
+# timeout if a client doesn't provide any initial command after connecting.
+# Default: 30
+#CommandReadTimeout 30
+
+# This option specifies how long to wait (in milliseconds) if the send buffer
+# is full.
+# Keep this value low to prevent clamd hanging.
+#
+# Default: 500
+#SendBufTimeout 200
+
+# Maximum number of queued items (including those being processed by
+# MaxThreads threads).
+# It is recommended to have this value at least twice MaxThreads if possible.
+# WARNING: you shouldn't increase this too much to avoid running out of file
+# descriptors, the following condition should hold:
+# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
+# max is 1024).
+#
+# Default: 100
+#MaxQueue 200
+
+# Waiting for a new job will timeout after this time (seconds).
+# Default: 30
+#IdleTimeout 60
+
+# Don't scan files and directories matching regex
+# This directive can be used multiple times
+# Default: scan all
+#ExcludePath ^/proc/
+#ExcludePath ^/sys/
+
+# Maximum depth directories are scanned at.
+# Default: 15
+#MaxDirectoryRecursion 20
+
+# Follow directory symlinks.
+# Default: no
+#FollowDirectorySymlinks yes
+
+# Follow regular file symlinks.
+# Default: no
+#FollowFileSymlinks yes
+
+# Scan files and directories on other filesystems.
+# Default: yes
+#CrossFilesystems yes
+
+# Perform a database check.
+# Default: 600 (10 min)
+#SelfCheck 600
+
+# Enable non-blocking (multi-threaded/concurrent) database reloads.
+# This feature will temporarily load a second scanning engine while scanning
+# continues using the first engine. Once loaded, the new engine takes over.
+# The old engine is removed as soon as all scans using the old engine have
+# completed.
+# This feature requires more RAM, so this option is provided in case users are
+# willing to block scans during reload in exchange for lower RAM requirements.
+# Default: yes
+#ConcurrentDatabaseReload no
+
+# Execute a command when virus is found. In the command string %v will
+# be replaced with the virus name.
+# Default: no
+#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
+
+# Run as another user (clamd must be started by root for this option to work)
+# Default: don't drop privileges
+User clamscan
+
+# Stop daemon when libclamav reports out of memory condition.
+#ExitOnOOM yes
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Do not remove temporary files (for debug purposes).
+# Default: no
+#LeaveTemporaryFiles yes
+
+# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
+# any ALLMATCHSCAN command as invalid.
+# Default: yes
+#AllowAllMatchScan no
+
+# Detect Possibly Unwanted Applications.
+# Default: no
+#DetectPUA yes
+
+# Exclude a specific PUA category. This directive can be used multiple times.
+# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
+# the complete list of PUA categories.
+# Default: Load all categories (if DetectPUA is activated)
+#ExcludePUA NetTool
+#ExcludePUA PWTool
+
+# Only include a specific PUA category. This directive can be used multiple
+# times.
+# Default: Load all categories (if DetectPUA is activated)
+#IncludePUA Spy
+#IncludePUA Scanner
+#IncludePUA RAT
+
+# This option causes memory or nested map scans to dump the content to disk.
+# If you turn on this option, more data is written to disk and is available
+# when the LeaveTemporaryFiles option is enabled.
+#ForceToDisk yes
+
+# This option allows you to disable the caching feature of the engine. By
+# default, the engine will store an MD5 in a cache of any files that are
+# not flagged as virus or that hit limits checks. Disabling the cache will
+# have a negative performance impact on large scans.
+# Default: no
+#DisableCache yes
+
+# In some cases (eg. complex malware, exploits in graphic files, and others),
+# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
+# may be malicious. This option enables alerting on such heuristically
+# detected potential threats.
+# Default: yes
+#HeuristicAlerts yes
+
+# Allow heuristic alerts to take precedence.
+# When enabled, if a heuristic scan (such as phishingScan) detects
+# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
+# scan-time.
+# When disabled, virus/phish detected by heuristic scans will be reported only
+# at the end of a scan. If an archive contains both a heuristically detected
+# virus/phish, and a real malware, the real malware will be reported
+#
+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
+# differently from "real" malware.
+# If a non-heuristically-detected virus (signature-based) is found first,
+# the scan is interrupted immediately, regardless of this config option.
+#
+# Default: no
+#HeuristicScanPrecedence yes
+
+
+##
+## Heuristic Alerts
+##
+
+# With this option clamav will try to detect broken executables (both PE and
+# ELF) and alert on them with the Broken.Executable heuristic signature.
+# Default: no
+#AlertBrokenExecutables yes
+
+# With this option clamav will try to detect broken media file (JPEG,
+# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature.
+# Default: no
+#AlertBrokenMedia yes
+
+# Alert on encrypted archives _and_ documents with heuristic signature
+# (encrypted .zip, .7zip, .rar, .pdf).
+# Default: no
+#AlertEncrypted yes
+
+# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
+# .rar).
+# Default: no
+#AlertEncryptedArchive yes
+
+# Alert on encrypted archives with heuristic signature (encrypted .pdf).
+# Default: no
+#AlertEncryptedDoc yes
+
+# With this option enabled OLE2 files containing VBA macros, which were not
+# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
+# Default: no
+#AlertOLE2Macros yes
+
+# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
+# This can lead to false positives.
+# Default: no
+#AlertPhishingSSLMismatch yes
+
+# Alert on cloaked URLs, even if URL isn't in database.
+# This can lead to false positives.
+# Default: no
+#AlertPhishingCloak yes
+
+# Alert on raw DMG image files containing partition intersections
+# Default: no
+#AlertPartitionIntersection yes
+
+
+##
+## Executable files
+##
+
+# PE stands for Portable Executable - it's an executable file format used
+# in all 32 and 64-bit versions of Windows operating systems. This option
+# allows ClamAV to perform a deeper analysis of executable files and it's also
+# required for decompression of popular executable packers such as UPX, FSG,
+# and Petite. If you turn off this option, the original files will still be
+# scanned, but without additional processing.
+# Default: yes
+#ScanPE yes
+
+# Certain PE files contain an authenticode signature. By default, we check
+# the signature chain in the PE file against a database of trusted and
+# revoked certificates if the file being scanned is marked as a virus.
+# If any certificate in the chain validates against any trusted root, but
+# does not match any revoked certificate, the file is marked as whitelisted.
+# If the file does match a revoked certificate, the file is marked as virus.
+# The following setting completely turns off authenticode verification.
+# Default: no
+#DisableCertCheck yes
+
+# Executable and Linking Format is a standard format for UN*X executables.
+# This option allows you to control the scanning of ELF files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanELF yes
+
+
+##
+## Documents
+##
+
+# This option enables scanning of OLE2 files, such as Microsoft Office
+# documents and .msi files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanOLE2 yes
+
+# This option enables scanning within PDF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanPDF yes
+
+# This option enables scanning within SWF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanSWF yes
+
+# This option enables scanning xml-based document files supported by libclamav.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanXMLDOCS yes
+
+# This option enables scanning of HWP3 files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanHWP3 yes
+
+
+##
+## Mail files
+##
+
+# Enable internal e-mail scanner.
+# If you turn off this option, the original files will still be scanned, but
+# without parsing individual messages/attachments.
+# Default: yes
+#ScanMail yes
+
+# Scan RFC1341 messages split over many emails.
+# You will need to periodically clean up $TemporaryDirectory/clamav-partial
+# directory.
+# WARNING: This option may open your system to a DoS attack.
+# Never use it on loaded servers.
+# Default: no
+#ScanPartialMessages yes
+
+# With this option enabled ClamAV will try to detect phishing attempts by using
+# HTML.Phishing and Email.Phishing NDB signatures.
+# Default: yes
+#PhishingSignatures no
+
+# With this option enabled ClamAV will try to detect phishing attempts by
+# analyzing URLs found in emails using WDB and PDB signature databases.
+# Default: yes
+#PhishingScanURLs no
+
+
+##
+## Data Loss Prevention (DLP)
+##
+
+# Enable the DLP module
+# Default: No
+#StructuredDataDetection yes
+
+# This option sets the lowest number of Credit Card numbers found in a file
+# to generate a detect.
+# Default: 3
+#StructuredMinCreditCardCount 5
+
+# With this option enabled the DLP module will search for valid Credit Card
+# numbers only. Debit and Private Label cards will not be searched.
+# Default: no
+#StructuredCCOnly yes
+
+# This option sets the lowest number of Social Security Numbers found
+# in a file to generate a detect.
+# Default: 3
+#StructuredMinSSNCount 5
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxx-yy-zzzz
+# Default: yes
+#StructuredSSNFormatNormal yes
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxxyyzzzz
+# Default: no
+#StructuredSSNFormatStripped yes
+
+
+##
+## HTML
+##
+
+# Perform HTML normalisation and decryption of MS Script Encoder code.
+# Default: yes
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+#ScanHTML yes
+
+
+##
+## Archives
+##
+
+# ClamAV can scan within archives and compressed files.
+# If you turn off this option, the original files will still be scanned, but
+# without unpacking and additional processing.
+# Default: yes
+#ScanArchive yes
+
+
+##
+## Limits
+##
+
+# The options below protect your system against Denial of Service attacks
+# using archive bombs.
+
+# This option sets the maximum amount of time to a scan may take.
+# In this version, this field only affects the scan time of ZIP archives.
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result allow scanning
+# of certain files to lock up the scanning process/threads resulting in a
+# Denial of Service.
+# Time is in milliseconds.
+# Default: 120000
+#MaxScanTime 300000
+
+# This option sets the maximum amount of data to be scanned for each input
+# file. Archives and other containers are recursively extracted and scanned
+# up to this value.
+# Value of 0 disables the limit
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 100M
+#MaxScanSize 150M
+
+# Files larger than this limit won't be scanned. Affects the input file itself
+# as well as files contained inside it (when the input file is an archive, a
+# document or some other kind of container).
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Technical design limitations prevent ClamAV from scanning files greater than
+# 2 GB at this time.
+# Default: 25M
+#MaxFileSize 30M
+
+# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
+# file, all files within it will also be scanned. This options specifies how
+# deeply the process should be continued.
+# Note: setting this limit too high may result in severe damage to the system.
+# Default: 16
+#MaxRecursion 10
+
+# Number of files to be scanned within an archive, a document, or any other
+# container file.
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10000
+#MaxFiles 15000
+
+# Maximum size of a file to check for embedded PE. Files larger than this value
+# will skip the additional analysis step.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10M
+#MaxEmbeddedPE 10M
+
+# Maximum size of a HTML file to normalize. HTML files larger than this value
+# will not be normalized or scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10M
+#MaxHTMLNormalize 10M
+
+# Maximum size of a normalized HTML file to scan. HTML files larger than this
+# value after normalization will not be scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 2M
+#MaxHTMLNoTags 2M
+
+# Maximum size of a script file to normalize. Script content larger than this
+# value will not be normalized or scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 5M
+#MaxScriptNormalize 5M
+
+# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
+# than this value will skip the step to potentially reanalyze as PE.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 1M
+#MaxZipTypeRcg 1M
+
+# This option sets the maximum number of partitions of a raw disk image to be
+# scanned.
+# Raw disk images with more partitions than this value will have up to
+# the value number partitions scanned. Negative values are not allowed.
+# Note: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 50
+#MaxPartitions 128
+
+# This option sets the maximum number of icons within a PE to be scanned.
+# PE files with more icons than this value will have up to the value number
+# icons scanned.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 100
+#MaxIconsPE 200
+
+# This option sets the maximum recursive calls for HWP3 parsing during
+# scanning. HWP3 files using more than this limit will be terminated and
+# alert the user.
+# Scans will be unable to scan any HWP3 attachments if the recursive limit
+# is reached.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may result in severe damage or impact
+# performance.
+# Default: 16
+#MaxRecHWP3 16
+
+# This option sets the maximum calls to the PCRE match function during
+# an instance of regex matching.
+# Instances using more than this limit will be terminated and alert the user
+# but the scan will continue.
+# For more information on match_limit, see the PCRE documentation.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may severely impact performance.
+# Default: 100000
+#PCREMatchLimit 20000
+
+# This option sets the maximum recursive calls to the PCRE match function
+# during an instance of regex matching.
+# Instances using more than this limit will be terminated and alert the user
+# but the scan will continue.
+# For more information on match_limit_recursion, see the PCRE documentation.
+# Negative values are not allowed and values > PCREMatchLimit are superfluous.
+# WARNING: setting this limit too high may severely impact performance.
+# Default: 2000
+#PCRERecMatchLimit 10000
+
+# This option sets the maximum filesize for which PCRE subsigs will be
+# executed. Files exceeding this limit will not have PCRE subsigs executed
+# unless a subsig is encompassed to a smaller buffer.
+# Negative values are not allowed.
+# Setting this value to zero disables the limit.
+# WARNING: setting this limit too high or disabling it may severely impact
+# performance.
+# Default: 25M
+#PCREMaxFileSize 100M
+
+# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
+# MaxRecursion limit will be flagged with the virus
+# "Heuristics.Limits.Exceeded".
+# Default: no
+#AlertExceedsMax yes
+
+##
+## On-access Scan Settings
+##
+
+# Don't scan files larger than OnAccessMaxFileSize
+# Value of 0 disables the limit.
+# Default: 5M
+#OnAccessMaxFileSize 10M
+
+# Max number of scanning threads to allocate to the OnAccess thread pool at
+# startup. These threads are the ones responsible for creating a connection
+# with the daemon and kicking off scanning after an event has been processed.
+# To prevent clamonacc from consuming all clamd's resources keep this lower
+# than clamd's max threads.
+# Default: 5
+#OnAccessMaxThreads 10
+
+# Max amount of time (in milliseconds) that the OnAccess client should spend
+# for every connect, send, and recieve attempt when communicating with clamd
+# via curl.
+# Default: 5000 (5 seconds)
+# OnAccessCurlTimeout 10000
+
+# Toggles dynamic directory determination. Allows for recursively watching
+# include paths.
+# Default: no
+#OnAccessDisableDDD yes
+
+# Set the include paths (all files inside them will be scanned). You can have
+# multiple OnAccessIncludePath directives but each directory must be added
+# in a separate line.
+# Default: disabled
+#OnAccessIncludePath /home
+#OnAccessIncludePath /students
+
+# Set the exclude paths. All subdirectories are also excluded.
+# Default: disabled
+#OnAccessExcludePath /home/user
+
+# Modifies fanotify blocking behaviour when handling permission events.
+# If off, fanotify will only notify if the file scanned is a virus,
+# and not perform any blocking.
+# Default: no
+#OnAccessPrevention yes
+
+# When using prevention, if this option is turned on, any errors that occur
+# during scanning will result in the event attempt being denied. This could
+# potentially lead to unwanted system behaviour with certain configurations,
+# so the client defaults this to off and prefers allowing access events in
+# case of scan or connection error.
+# Default: no
+#OnAccessDenyOnError yes
+
+# Toggles extra scanning and notifications when a file or directory is
+# created or moved.
+# Requires the DDD system to kick-off extra scans.
+# Default: no
+#OnAccessExtraScanning yes
+
+# Set the mount point to be scanned. The mount point specified, or the mount
+# point containing the specified directory will be watched. If any directories
+# are specified, this option will preempt (disable and ignore all options
+# related to) the DDD system. This option will result in verdicts only.
+# Note that prevention is explicitly disallowed to prevent common, fatal
+# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
+# made on vital system directories)
+# It can be used multiple times.
+# Default: disabled
+#OnAccessMountPath /
+#OnAccessMountPath /home/user
+
+# With this option you can whitelist the root UID (0). Processes run under
+# root with be able to access all files without triggering scans or
+# permission denied events.
+# Note that if clamd cannot check the uid of the process that generated an
+# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
+# the process already exited), clamd will perform a scan. Thus, setting
+# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
+# root user from triggering a scan (unless OnAccessPrevention is enabled).
+# Default: no
+#OnAccessExcludeRootUID no
+
+# With this option you can whitelist specific UIDs. Processes with these UIDs
+# will be able to access all files without triggering scans or permission
+# denied events.
+# This option can be used multiple times (one per line).
+# Using a value of 0 on any line will disable this option entirely.
+# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
+# option.
+# Also note that if clamd cannot check the uid of the process that generated an
+# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
+# the process already exited), clamd will perform a scan. Thus, setting
+# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
+# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
+# Default: disabled
+#OnAccessExcludeUID -1
+
+# This option allows exclusions via user names when using the on-access
+# scanning client. It can be used multiple times.
+# It has the same potential race condition limitations of the
+# OnAccessExcludeUID option.
+# Default: disabled
+#OnAccessExcludeUname clamav
+OnAccessExcludeUname clamilt
+OnAccessExcludeUname clamscan
+OnAccessExcludeUname clamupdate
+
+# Number of times the OnAccess client will retry a failed scan due to
+# connection problems (or other issues).
+# Default: 0
+#OnAccessRetryAttempts 3
+
+##
+## Bytecode
+##
+
+# With this option enabled ClamAV will load bytecode from the database.
+# It is highly recommended you keep this option on, otherwise you'll miss
+# detections for many new viruses.
+# Default: yes
+#Bytecode yes
+
+# Set bytecode security level.
+# Possible values:
+# None - No security at all, meant for debugging.
+# DO NOT USE THIS ON PRODUCTION SYSTEMS.
+# This value is only available if clamav was built
+# with --enable-debug!
+# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
+# runtime safety checks for bytecode loaded from other sources.
+# Paranoid - Don't trust any bytecode, insert runtime checks for all.
+# Recommended: TrustSigned, because bytecode in .cvd files already has these
+# checks.
+# Note that by default only signed bytecode is loaded, currently you can only
+# load unsigned bytecode in --enable-debug mode.
+#
+# Default: TrustSigned
+#BytecodeSecurity TrustSigned
+
+# Allow loading bytecode from outside digitally signed .c[lv]d files.
+# **Caution**: You should NEVER run bytecode signatures from untrusted sources.
+# Doing so may result in arbitrary code execution.
+# Default: no
+#BytecodeUnsigned yes
+
+# Set bytecode timeout in milliseconds.
+#
+# Default: 5000
+# BytecodeTimeout 1000
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
index f7e03bd..32f45df 100644
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@@ -11,11 +11,24 @@ package_list:
state: 'present'
- name: 'clamav-update'
state: 'present'
+ - name: 'clamd'
+ state: 'present'
service_list:
+ - name: 'clamav-clamonacc.service'
+ state: 'started'
+ enabled: 'yes'
- name: 'clamav-freshclam.service'
state: 'started'
enabled: 'yes'
+ - name: 'clamd@scan.service'
+ state: 'started'
+ enabled: 'yes'
template_list:
+ - dest: '/etc/clamd.d/scan.conf'
+ group: 'root'
+ mode: '0644'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/clamd.d/scan.conf'
- dest: '/etc/freshclam.conf'
group: 'root'
mode: '0600'
From 782376fc8c0e42fa1df67adc1dbc44e1e13aed71 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 02:35:57 +0000
Subject: [PATCH 04/34] Deploy configuration before starting service
---
tasks/main.yml | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 8615f73..b3cbba7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -45,24 +45,6 @@
notify:
- 'ensure_clamav.package_facts'
- 'ensure_clamav.service_facts'
-- name: 'ensure services'
- when:
- - ansible_system == 'Linux'
- - ensure_clamav is defined
- - ensure_clamav.service_list is defined
- - ensure_clamav.service_list is iterable
- ansible.builtin.service:
- enabled: '{{ item.enabled }}'
- name: '{{ item.name }}'
- state: '{{ item.state }}'
- loop: '{{ ensure_clamav.service_list }}'
- loop_control:
- label: '{{ item.name }} will be {{ item.state }}'
- notify:
- - 'ensure_clamav.package_facts'
- - 'ensure_clamav.service_facts'
-- name: 'flush handlers'
- meta: 'flush_handlers'
- name: 'ensure configurations'
when:
- ansible_system == 'Linux'
@@ -88,4 +70,22 @@
- 'ensure_clamav.service_facts'
- name: 'flush handlers'
meta: 'flush_handlers'
+- name: 'ensure services'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_clamav is defined
+ - ensure_clamav.service_list is defined
+ - ensure_clamav.service_list is iterable
+ ansible.builtin.service:
+ enabled: '{{ item.enabled }}'
+ name: '{{ item.name }}'
+ state: '{{ item.state }}'
+ loop: '{{ ensure_clamav.service_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.state }}'
+ notify:
+ - 'ensure_clamav.package_facts'
+ - 'ensure_clamav.service_facts'
+- name: 'flush handlers'
+ meta: 'flush_handlers'
From 3ee1b7a1e22b249a9c0b676ea1960efcd0b1df87 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 02:43:52 +0000
Subject: [PATCH 05/34] Enable OnAccess scanner for /home
---
templates/Fedora/34/etc/clamd.d/scan.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index 1d61a20..ed7796f 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -679,6 +679,7 @@ User clamscan
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
+OnAccessIncludePath /home
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
From c366e47026ed2210eef74f1e5d4e1a90f2481fa2 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 03:02:30 +0000
Subject: [PATCH 06/34] If changed configs, restart service
---
handlers/main.yml | 15 +++++++++++++++
tasks/main.yml | 1 +
2 files changed, 16 insertions(+)
diff --git a/handlers/main.yml b/handlers/main.yml
index 82af745..b9a04f1 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -4,3 +4,18 @@
ansible.builtin.package_facts:
- name: 'ensure_clamav.service_facts'
ansible.builtin.service_facts:
+- name: 'ensure_clamav.services'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_clamav is defined
+ - ensure_clamav.service_list is defined
+ - ensure_clamav.service_list is iterable
+ - item.enabled == 'started'
+ ansible.builtin.service:
+ enabled: '{{ item.enabled }}'
+ name: '{{ item.name }}'
+ state: 'restarted'
+ loop: '{{ ensure_clamav.service_list }}'
+ loop_control:
+ label: '{{ item.name }} will be restarted'
+
diff --git a/tasks/main.yml b/tasks/main.yml
index b3cbba7..2336549 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -68,6 +68,7 @@
notify:
- 'ensure_clamav.package_facts'
- 'ensure_clamav.service_facts'
+ - 'ensure_clamav.services'
- name: 'flush handlers'
meta: 'flush_handlers'
- name: 'ensure services'
From a8ea1690a649823cd8d99ae9356aef2a621ef685 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 03:04:23 +0000
Subject: [PATCH 07/34] state not enable parameter should be tested
---
handlers/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index b9a04f1..d5d2fad 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -10,7 +10,7 @@
- ensure_clamav is defined
- ensure_clamav.service_list is defined
- ensure_clamav.service_list is iterable
- - item.enabled == 'started'
+ - item.state == 'started'
ansible.builtin.service:
enabled: '{{ item.enabled }}'
name: '{{ item.name }}'
From dbc28d1230b54db7cbd0f25f274959e45f38011d Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 03:15:56 +0000
Subject: [PATCH 08/34] OnAccess scan the / mount, not just /home
---
templates/Fedora/34/etc/clamd.d/scan.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index ed7796f..470803a 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -679,7 +679,6 @@ User clamscan
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
-OnAccessIncludePath /home
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
@@ -716,6 +715,7 @@ OnAccessIncludePath /home
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
+OnAccessMountPath /
# With this option you can whitelist the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
From 887bef0b443793304fecad60d9af4af18cbc4124 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 03:26:42 +0000
Subject: [PATCH 09/34] Fix service order and add SELinux support
---
tasks/main.yml | 13 +++++++++++++
vars/Fedora-34-default.yml | 11 ++++++++---
2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 2336549..ce45222 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -45,6 +45,19 @@
notify:
- 'ensure_clamav.package_facts'
- 'ensure_clamav.service_facts'
+- name: 'ensure seboolean'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_clamav is defined
+ - ensure_clamav.seboolean_list is defined
+ - ensure_clamav.seboolean_list is iterable
+ ansible.posix.seboolean:
+ name: '{{ item.name }}'
+ presistent: '{{ item.persistent }}'
+ state: '{{ item.state }}'
+ loop: '{{ ensure_clamav.seboolean_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.state }}'
- name: 'ensure configurations'
when:
- ansible_system == 'Linux'
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
index 32f45df..e167034 100644
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@@ -13,16 +13,21 @@ package_list:
state: 'present'
- name: 'clamd'
state: 'present'
+seboolean_list:
+ - name: 'antivirus_can_scan_system'
+ persistent: 'yes'
+ state: 'yes'
service_list:
+# NOTE: Order is important
+ - name: 'clamd@scan.service'
+ state: 'started'
+ enabled: 'yes'
- name: 'clamav-clamonacc.service'
state: 'started'
enabled: 'yes'
- name: 'clamav-freshclam.service'
state: 'started'
enabled: 'yes'
- - name: 'clamd@scan.service'
- state: 'started'
- enabled: 'yes'
template_list:
- dest: '/etc/clamd.d/scan.conf'
group: 'root'
From b6679a3545c5e3ea592c78c4e7864bccda3ebec8 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 03:28:47 +0000
Subject: [PATCH 10/34] Spelling
---
tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index ce45222..9f11cd2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -53,7 +53,7 @@
- ensure_clamav.seboolean_list is iterable
ansible.posix.seboolean:
name: '{{ item.name }}'
- presistent: '{{ item.persistent }}'
+ persistent: '{{ item.persistent }}'
state: '{{ item.state }}'
loop: '{{ ensure_clamav.seboolean_list }}'
loop_control:
From 7c890e3b823aa0d143fb007852dbabfc2b7d2161 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 20:39:44 -0500
Subject: [PATCH 11/34] Template the mount points to scan
---
templates/Fedora/34/etc/clamd.d/scan.conf | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index 470803a..9da6fd2 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -689,6 +689,7 @@ User clamscan
# and not perform any blocking.
# Default: no
#OnAccessPrevention yes
+OnAccessPrevention yes
# When using prevention, if this option is turned on, any errors that occur
# during scanning will result in the event attempt being denied. This could
@@ -715,7 +716,9 @@ User clamscan
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
-OnAccessMountPath /
+{% for item in ansible_mounts %}
+OnAccessMountPath {% item.mount %}
+{% endfor %}
# With this option you can whitelist the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
@@ -757,6 +760,7 @@ OnAccessExcludeUname clamupdate
# connection problems (or other issues).
# Default: 0
#OnAccessRetryAttempts 3
+OnAccessRetryAttempts 3
##
## Bytecode
From c4470f8b3c7fc13a940a34421def19b7ffd716f6 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 20:49:21 -0500
Subject: [PATCH 12/34] Template syntax error
---
templates/Fedora/34/etc/clamd.d/scan.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index 9da6fd2..464e117 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -717,7 +717,7 @@ OnAccessPrevention yes
#OnAccessMountPath /
#OnAccessMountPath /home/user
{% for item in ansible_mounts %}
-OnAccessMountPath {% item.mount %}
+OnAccessMountPath {{ item.mount }}
{% endfor %}
# With this option you can whitelist the root UID (0). Processes run under
From b9f60734e0024667d1ca05daa98101c20e6d0cb8 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 22:56:10 -0500
Subject: [PATCH 13/34] Run clamd as root so clamonacc works
---
templates/Fedora/34/etc/clamd.d/scan.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index 464e117..36c5826 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -217,7 +217,7 @@ LocalSocket /run/clamd.scan/clamd.sock
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
-User clamscan
+# User clamscan
# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes
From b1031c462fc6e130322ba9f53a31836bcb607c3e Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 6 Jul 2021 23:06:47 -0500
Subject: [PATCH 14/34] Add TCP Connectivity
---
templates/Fedora/34/etc/clamd.d/scan.conf | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index 36c5826..0b28a1e 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -111,6 +111,7 @@ LocalSocket /run/clamd.scan/clamd.sock
# TCP port address.
# Default: no
#TCPSocket 3310
+TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
@@ -119,6 +120,7 @@ LocalSocket /run/clamd.scan/clamd.sock
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr 127.0.0.1
+TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default: 200
@@ -301,30 +303,36 @@ LocalSocket /run/clamd.scan/clamd.sock
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes
+AlertBrokenExecutables yes
# With this option clamav will try to detect broken media file (JPEG,
# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature.
# Default: no
#AlertBrokenMedia yes
+AlertBrokenMedia yes
# Alert on encrypted archives _and_ documents with heuristic signature
# (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes
+AlertEncrypted yes
# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
# .rar).
# Default: no
#AlertEncryptedArchive yes
+AlertEncryptedArchive yes
# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes
+AlertEncryptedDoc yes
# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes
+AlertOLE2Macros yes
# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
@@ -339,6 +347,7 @@ LocalSocket /run/clamd.scan/clamd.sock
# Alert on raw DMG image files containing partition intersections
# Default: no
#AlertPartitionIntersection yes
+AlertPartitionIntersection yes
##
From 9c20653f157663ba1da5b2f51108d4524325c8f9 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Mon, 12 Jul 2021 04:00:57 +0000
Subject: [PATCH 15/34] Increase inotify capacity to prevent Clam OnAccess
Scanner from failing
---
tasks/main.yml | 13 +++++++++++++
templates/Fedora/34/etc/clamd.d/scan.conf | 7 ++++---
vars/Fedora-34-default.yml | 5 +++++
3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 9f11cd2..8ce89fe 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -29,6 +29,19 @@
- ansible_system == 'Linux'
- services is not defined
ansible.builtin.service_facts:
+- name: 'ensure sysctl'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_clamav is defined
+ - ensure_clamav.sysctl_list is defined
+ - ensure_clamav.sysctl_list is iterable
+ ansible.posix.sysctl:
+ name: '{{ item.name }}'
+ reload: '{{ item.reload | default(omit) }}'
+ state: '{{ item.state }}'
+ sysctl_file: '{{ item.sysctl_file | default(omit) }}'
+ sysctl_set: '{{ item.sysctl_set | default(omit) }}'
+ value: '{{ item.value | default(omit) }}'
- name: 'ensure packages'
when:
- ansible_system == 'Linux'
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index 0b28a1e..d0ff41c 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -739,6 +739,7 @@ OnAccessMountPath {{ item.mount }}
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no
+OnAccessExcludeRootUID yes
# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
@@ -761,9 +762,9 @@ OnAccessMountPath {{ item.mount }}
# OnAccessExcludeUID option.
# Default: disabled
#OnAccessExcludeUname clamav
-OnAccessExcludeUname clamilt
-OnAccessExcludeUname clamscan
-OnAccessExcludeUname clamupdate
+# XXX OnAccessExcludeUname clamilt
+# XXX OnAccessExcludeUname clamscan
+# XXX OnAccessExcludeUname clamupdate
# Number of times the OnAccess client will retry a failed scan due to
# connection problems (or other issues).
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
index e167034..85d2efc 100644
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@@ -28,6 +28,11 @@ service_list:
- name: 'clamav-freshclam.service'
state: 'started'
enabled: 'yes'
+sysctl_list:
+ - name: 'fs.inotify.max_user_watches'
+ state: 'present'
+ sysctl_file: '/etc/sysctl.d/99-clamav.conf'
+ value: '524288'
template_list:
- dest: '/etc/clamd.d/scan.conf'
group: 'root'
From b269fbf31c67fce7d5bd411f8695f2d975894b3a Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Mon, 12 Jul 2021 04:05:17 +0000
Subject: [PATCH 16/34] Add the missing loop
---
tasks/main.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tasks/main.yml b/tasks/main.yml
index 8ce89fe..7ff35ee 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -42,6 +42,9 @@
sysctl_file: '{{ item.sysctl_file | default(omit) }}'
sysctl_set: '{{ item.sysctl_set | default(omit) }}'
value: '{{ item.value | default(omit) }}'
+ loop: '{{ ensure_clamav.sysctl_list }}'
+ loop_control:
+ label: '{{ item.name }} will be {{ item.value }}'
- name: 'ensure packages'
when:
- ansible_system == 'Linux'
From ab73b6088af884e88d7e7e7447272d3c4d604d77 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 13 Jul 2021 04:08:12 +0000
Subject: [PATCH 17/34] Enable quarantine and priv sep
---
handlers/main.yml | 13 +++++++++++++
tasks/main.yml | 1 +
templates/Fedora/34/etc/clamd.d/scan.conf | 8 ++++----
.../lib/systemd/system/clamav-clamonacc.service | 15 +++++++++++++++
vars/Fedora-34-default.yml | 5 +++++
5 files changed, 38 insertions(+), 4 deletions(-)
create mode 100644 templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
diff --git a/handlers/main.yml b/handlers/main.yml
index d5d2fad..88a5ca4 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -4,6 +4,19 @@
ansible.builtin.package_facts:
- name: 'ensure_clamav.service_facts'
ansible.builtin.service_facts:
+- name: 'ensure_clamav.service_reload'
+ when:
+ - ansible_system == 'Linux'
+ - ansible_service_mgr == 'systemd'
+ - ensure_clamav is defined
+ - ensure_clamav.service_list is defined
+ - ensure_clamav.service_list is iterable
+ ansible.builtin.systemd:
+ daemon_reload: 'yes'
+ name: '{{ item.name }}'
+ loop: '{{ ensure_clamav.service_list }}'
+ loop_control:
+ label: '{{ item.name }} will be reloaded'
- name: 'ensure_clamav.services'
when:
- ansible_system == 'Linux'
diff --git a/tasks/main.yml b/tasks/main.yml
index 7ff35ee..a174aba 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -97,6 +97,7 @@
notify:
- 'ensure_clamav.package_facts'
- 'ensure_clamav.service_facts'
+ - 'ensure_clamav.service_reload'
- 'ensure_clamav.services'
- name: 'flush handlers'
meta: 'flush_handlers'
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index d0ff41c..b90033e 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -220,6 +220,7 @@ TCPAddr 127.0.0.1
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
# User clamscan
+User clamscan
# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes
@@ -739,7 +740,6 @@ OnAccessMountPath {{ item.mount }}
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no
-OnAccessExcludeRootUID yes
# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
@@ -762,9 +762,9 @@ OnAccessExcludeRootUID yes
# OnAccessExcludeUID option.
# Default: disabled
#OnAccessExcludeUname clamav
-# XXX OnAccessExcludeUname clamilt
-# XXX OnAccessExcludeUname clamscan
-# XXX OnAccessExcludeUname clamupdate
+OnAccessExcludeUname clamilt
+OnAccessExcludeUname clamscan
+OnAccessExcludeUname clamupdate
# Number of times the OnAccess client will retry a failed scan due to
# connection problems (or other issues).
diff --git a/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service b/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
new file mode 100644
index 0000000..fd6ee6b
--- /dev/null
+++ b/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
@@ -0,0 +1,15 @@
+# clamonacc systemd service file primarily the work of ChadDevOps & Aaron Brighton
+# See: https://medium.com/@aaronbrighton/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41#a340
+
+[Unit]
+Description=ClamAV On-Access Scanner
+Documentation=man:clamonacc(8) man:clamd.conf(5) https://www.clamav.net/documents
+After=clamd@scan.service syslog.target network.target
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf --move=/root/quarantine/ --fdpass
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
index 85d2efc..58c72ab 100644
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@@ -44,4 +44,9 @@ template_list:
mode: '0600'
owner: 'root'
src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/freshclam.conf'
+ - dest: '/usr/lib/systemd/system/clamav-clamonacc.service'
+ group: 'root'
+ mode: '0644'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/clamav-clamonacc.service
From 7a1ca73b9d1d24385eb0ccdaffb8d801b6bd42e1 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 13 Jul 2021 04:09:53 +0000
Subject: [PATCH 18/34] Quotes
---
vars/Fedora-34-default.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
index 58c72ab..21d6962 100644
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@@ -48,5 +48,5 @@ template_list:
group: 'root'
mode: '0644'
owner: 'root'
- src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/clamav-clamonacc.service
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/clamav-clamonacc.service'
From d6c465ee559d19ac825bb042ea962401580e458b Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 13 Jul 2021 04:41:51 +0000
Subject: [PATCH 19/34] If templates changed, reload systemd always
---
handlers/main.yml | 6 ------
1 file changed, 6 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index 88a5ca4..d24275a 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -9,14 +9,8 @@
- ansible_system == 'Linux'
- ansible_service_mgr == 'systemd'
- ensure_clamav is defined
- - ensure_clamav.service_list is defined
- - ensure_clamav.service_list is iterable
ansible.builtin.systemd:
daemon_reload: 'yes'
- name: '{{ item.name }}'
- loop: '{{ ensure_clamav.service_list }}'
- loop_control:
- label: '{{ item.name }} will be reloaded'
- name: 'ensure_clamav.services'
when:
- ansible_system == 'Linux'
From 599d2c922bdb4824ac9291e0bc766f51dc5bd4af Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 13 Jul 2021 04:51:17 +0000
Subject: [PATCH 20/34] Remove tcp connectivity
---
templates/Fedora/34/etc/clamd.d/scan.conf | 2 --
1 file changed, 2 deletions(-)
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index b90033e..64ed222 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -111,7 +111,6 @@ LocalSocket /run/clamd.scan/clamd.sock
# TCP port address.
# Default: no
#TCPSocket 3310
-TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
@@ -120,7 +119,6 @@ TCPSocket 3310
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr 127.0.0.1
-TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default: 200
From 33f99de4fe5ad469cdb128e99c1949a5b46d7580 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 13 Jul 2021 05:03:40 +0000
Subject: [PATCH 21/34] Ensure the quarantine directory exists
---
defaults/main.yml | 2 ++
tasks/main.yml | 8 ++++++++
.../34/usr/lib/systemd/system/clamav-clamonacc.service | 2 +-
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 616a3ab..b70c441 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,4 @@
---
# defaults file for ensure_clamav
+quarantine_directory: '/root/quarantine'
+
diff --git a/tasks/main.yml b/tasks/main.yml
index a174aba..0920776 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -74,6 +74,14 @@
loop: '{{ ensure_clamav.seboolean_list }}'
loop_control:
label: '{{ item.name }} will be {{ item.state }}'
+- name: 'ensure quarantine directory'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_clamav is defined
+ - quarantine_directory is defined
+ ansible.builtin.file:
+ path: '{{ quarantine_directory }}'
+ state: 'directory'
- name: 'ensure configurations'
when:
- ansible_system == 'Linux'
diff --git a/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service b/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
index fd6ee6b..7b98ccd 100644
--- a/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
+++ b/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
@@ -9,7 +9,7 @@ After=clamd@scan.service syslog.target network.target
[Service]
Type=simple
User=root
-ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf --move=/root/quarantine/ --fdpass
+ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf --move={{ quarantine_directory }} --fdpass
[Install]
WantedBy=multi-user.target
From 1559e309fe888449ec4ecbdb1e4a7ce146a7ff84 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Thu, 15 Jul 2021 00:51:34 +0000
Subject: [PATCH 22/34] Ensure that clamonacc restarts when it fails
---
templates/Fedora/34/etc/clamd.d/scan.conf | 10 +++-------
.../34/usr/lib/systemd/system/clamav-clamonacc.service | 1 +
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index 64ed222..3dafd6a 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -302,36 +302,30 @@ User clamscan
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes
-AlertBrokenExecutables yes
# With this option clamav will try to detect broken media file (JPEG,
# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature.
# Default: no
#AlertBrokenMedia yes
-AlertBrokenMedia yes
# Alert on encrypted archives _and_ documents with heuristic signature
# (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes
-AlertEncrypted yes
# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
# .rar).
# Default: no
#AlertEncryptedArchive yes
-AlertEncryptedArchive yes
# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes
-AlertEncryptedDoc yes
# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes
-AlertOLE2Macros yes
# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
@@ -346,7 +340,6 @@ AlertOLE2Macros yes
# Alert on raw DMG image files containing partition intersections
# Default: no
#AlertPartitionIntersection yes
-AlertPartitionIntersection yes
##
@@ -691,6 +684,9 @@ AlertPartitionIntersection yes
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#OnAccessExcludePath /home/user
+{% if quarantine_directory is defined %}
+OnAccessExcludePath {{ quarantine_directory }}
+{% endif %}
# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
diff --git a/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service b/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
index 7b98ccd..d43ae19 100644
--- a/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
+++ b/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
@@ -10,6 +10,7 @@ After=clamd@scan.service syslog.target network.target
Type=simple
User=root
ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf --move={{ quarantine_directory }} --fdpass
+Restart=on-failure
[Install]
WantedBy=multi-user.target
From 201c52ed03e4c1455738bb7c741c0f273409b591 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Sun, 18 Jul 2021 03:41:24 +0000
Subject: [PATCH 23/34] All systemd units now restart on failure
---
.../lib/systemd/system/clamav-freshclam.service | 14 ++++++++++++++
.../34/usr/lib/systemd/system/clamd@.service | 15 +++++++++++++++
vars/Fedora-34-default.yml | 10 ++++++++++
3 files changed, 39 insertions(+)
create mode 100644 templates/Fedora/34/usr/lib/systemd/system/clamav-freshclam.service
create mode 100644 templates/Fedora/34/usr/lib/systemd/system/clamd@.service
diff --git a/templates/Fedora/34/usr/lib/systemd/system/clamav-freshclam.service b/templates/Fedora/34/usr/lib/systemd/system/clamav-freshclam.service
new file mode 100644
index 0000000..896c29d
--- /dev/null
+++ b/templates/Fedora/34/usr/lib/systemd/system/clamav-freshclam.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=ClamAV virus database updater
+Documentation=man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents
+# If user wants it run from cron, don't start the daemon.
+ConditionPathExists=!/etc/cron.d/clamav-update
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+ExecStart=/usr/bin/freshclam -d --foreground=true
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/Fedora/34/usr/lib/systemd/system/clamd@.service b/templates/Fedora/34/usr/lib/systemd/system/clamd@.service
new file mode 100644
index 0000000..2e3011b
--- /dev/null
+++ b/templates/Fedora/34/usr/lib/systemd/system/clamd@.service
@@ -0,0 +1,15 @@
+[Unit]
+Description = clamd scanner (%i) daemon
+Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/
+After = syslog.target nss-lookup.target network.target
+
+[Service]
+Type = forking
+ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf
+# Reload the database
+ExecReload=/bin/kill -USR2 $MAINPID
+Restart = on-failure
+TimeoutStartSec=420
+
+[Install]
+WantedBy = multi-user.target
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
index 21d6962..a25edb5 100644
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@@ -49,4 +49,14 @@ template_list:
mode: '0644'
owner: 'root'
src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/clamav-clamonacc.service'
+ - dest: '/usr/lib/systemd/system/clamav-freshclam.service'
+ group: 'root'
+ mode: '0644'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/clamav-freshclam.service'
+ - dest: '/usr/lib/systemd/system/clamd@.service'
+ group: 'root'
+ mode: '0644'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/clamd@.service'
From a171d60c44948800743dea510cd731742440a1e1 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Sun, 18 Jul 2021 03:47:40 +0000
Subject: [PATCH 24/34] Add remaining configuration files
---
templates/Fedora/34/etc/logrotate.d/clamav-update | 8 ++++++++
vars/Fedora-34-default.yml | 5 +++++
2 files changed, 13 insertions(+)
create mode 100644 templates/Fedora/34/etc/logrotate.d/clamav-update
diff --git a/templates/Fedora/34/etc/logrotate.d/clamav-update b/templates/Fedora/34/etc/logrotate.d/clamav-update
new file mode 100644
index 0000000..3cd28f0
--- /dev/null
+++ b/templates/Fedora/34/etc/logrotate.d/clamav-update
@@ -0,0 +1,8 @@
+/var/log/freshclam.log {
+ monthly
+ notifempty
+ missingok
+ postrotate
+ systemctl try-restart clamav-freshclam.service
+ endscript
+}
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
index a25edb5..392ce63 100644
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@@ -44,6 +44,11 @@ template_list:
mode: '0600'
owner: 'root'
src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/freshclam.conf'
+ - dest: '/etc/logrotate.d/clamav-update'
+ group: 'root'
+ mode: '0644'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/logrotate.d/clamav-update'
- dest: '/usr/lib/systemd/system/clamav-clamonacc.service'
group: 'root'
mode: '0644'
From d8213d2c366633b54cfccfa9a4855f31bd10db57 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 20 Jul 2021 00:37:04 +0000
Subject: [PATCH 25/34] Sort the mounts so they are idempotent
---
templates/Fedora/34/etc/clamd.d/scan.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index 3dafd6a..caa610b 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -720,8 +720,8 @@ OnAccessPrevention yes
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
-{% for item in ansible_mounts %}
-OnAccessMountPath {{ item.mount }}
+{% for item in ansible_mounts|map('mount')|sort %}
+OnAccessMountPath {{ item }}
{% endfor %}
# With this option you can whitelist the root UID (0). Processes run under
From f8bddf54c141f1daa75149f896dd9b6a644e7035 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Tue, 20 Jul 2021 00:47:57 +0000
Subject: [PATCH 26/34] pulling the value of a single element didn't work...
---
templates/Fedora/34/etc/clamd.d/scan.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index caa610b..3dafd6a 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -720,8 +720,8 @@ OnAccessPrevention yes
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
-{% for item in ansible_mounts|map('mount')|sort %}
-OnAccessMountPath {{ item }}
+{% for item in ansible_mounts %}
+OnAccessMountPath {{ item.mount }}
{% endfor %}
# With this option you can whitelist the root UID (0). Processes run under
From fc741d1dca075edbcecb36161d606b657d07f60c Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Wed, 21 Jul 2021 01:40:00 +0000
Subject: [PATCH 27/34] Don't scan root activity
---
templates/Fedora/34/etc/clamd.d/scan.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index 3dafd6a..869f6f2 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -734,6 +734,7 @@ OnAccessMountPath {{ item.mount }}
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no
+OnAccessExcludeRootUID yes
# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
From 9bf43ff9042adb4abef55da8fd1b763dedec7bf8 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Wed, 21 Jul 2021 03:04:50 +0000
Subject: [PATCH 28/34] Flush handlers after the package install
---
tasks/main.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tasks/main.yml b/tasks/main.yml
index 0920776..c2460a0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -61,6 +61,8 @@
notify:
- 'ensure_clamav.package_facts'
- 'ensure_clamav.service_facts'
+- name: 'flush handlers'
+ meta: 'flush_handlers'
- name: 'ensure seboolean'
when:
- ansible_system == 'Linux'
From 880822fa20159fc8cc520347c1a5f52363804d08 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Thu, 22 Jul 2021 03:18:25 +0000
Subject: [PATCH 29/34] Attempt to prevent disk full on freshclam failure
---
.../Fedora/34/usr/lib/systemd/system/clamav-freshclam.service | 1 -
1 file changed, 1 deletion(-)
diff --git a/templates/Fedora/34/usr/lib/systemd/system/clamav-freshclam.service b/templates/Fedora/34/usr/lib/systemd/system/clamav-freshclam.service
index 896c29d..2012214 100644
--- a/templates/Fedora/34/usr/lib/systemd/system/clamav-freshclam.service
+++ b/templates/Fedora/34/usr/lib/systemd/system/clamav-freshclam.service
@@ -8,7 +8,6 @@ After=network-online.target
[Service]
ExecStart=/usr/bin/freshclam -d --foreground=true
-Restart=on-failure
[Install]
WantedBy=multi-user.target
From 6af460770963c4d2726c5d6dd1bc74b0a3c75f66 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Sun, 25 Jul 2021 03:48:19 +0000
Subject: [PATCH 30/34] Remove handler flush triggering multiple service
restarts
---
tasks/main.yml | 4 ----
1 file changed, 4 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index c2460a0..d289a20 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -61,8 +61,6 @@
notify:
- 'ensure_clamav.package_facts'
- 'ensure_clamav.service_facts'
-- name: 'flush handlers'
- meta: 'flush_handlers'
- name: 'ensure seboolean'
when:
- ansible_system == 'Linux'
@@ -109,8 +107,6 @@
- 'ensure_clamav.service_facts'
- 'ensure_clamav.service_reload'
- 'ensure_clamav.services'
-- name: 'flush handlers'
- meta: 'flush_handlers'
- name: 'ensure services'
when:
- ansible_system == 'Linux'
From 0d65e8e5622d6df8d4f9427dd7fd05a5c8cccb3f Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Mon, 26 Jul 2021 04:00:06 +0000
Subject: [PATCH 31/34] Delete failed freshclam updates >= 1 day old...
---
defaults/main.yml | 2 +-
tasks/main.yml | 29 +++++++++++++++++++++++++++++
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index b70c441..516410f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,4 +1,4 @@
---
# defaults file for ensure_clamav
quarantine_directory: '/root/quarantine'
-
+freshclam_retention: '1d'
diff --git a/tasks/main.yml b/tasks/main.yml
index d289a20..6ed1769 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -123,6 +123,35 @@
notify:
- 'ensure_clamav.package_facts'
- 'ensure_clamav.service_facts'
+- name: 'find failed freshclam updates...'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_clamav is defined
+ - freshclam_retention is defined
+ - freshclam_retention is regex('^[0-9]*[smhdw]$')
+ ansible.builtin.find:
+ age: '{{ freshclam_retention }}'
+ file_type: 'directory'
+ follow: 'no'
+ paths:
+ - '/var/lib/clamav/'
+ patterns:
+ - '^tmp.([0-9]|[a-f}){10}$'
+ recurse: 'yes'
+ register: 'results'
+- name: 'And drop them'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_clamav is defined
+ - freshclam_retention is defined
+ - freshclam_retention is regex('^[0-9]*[smhdw]$')
+ - item.path is regex('^/var/lib/clamav/tmp\.([0-9]|[a-f])*$')
+ ansible.builtin.file:
+ path: '{{ item.path }}'
+ state: 'absent'
+ loop: '{{ results.files }}'
+ loop_control:
+ label: '{{ item.path }} to be removed'
- name: 'flush handlers'
meta: 'flush_handlers'
From e450b114fcc08bac5bd90af4f6bee0cee6452614 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Mon, 26 Jul 2021 04:13:16 +0000
Subject: [PATCH 32/34] Search via regex instead of shell glob
---
tasks/main.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 6ed1769..8a7e68d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -135,9 +135,9 @@
follow: 'no'
paths:
- '/var/lib/clamav/'
- patterns:
- '^tmp.([0-9]|[a-f}){10}$'
recurse: 'yes'
+ use_regex: 'yes'
register: 'results'
- name: 'And drop them'
when:
@@ -145,7 +145,9 @@
- ensure_clamav is defined
- freshclam_retention is defined
- freshclam_retention is regex('^[0-9]*[smhdw]$')
- - item.path is regex('^/var/lib/clamav/tmp\.([0-9]|[a-f])*$')
+ - results is defined
+ - results.files is defined
+ - results.files is iterable
ansible.builtin.file:
path: '{{ item.path }}'
state: 'absent'
From 656ac2e40f7c1c4519bd4e008769cc335245037d Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Sun, 5 Jun 2022 16:47:30 -0500
Subject: [PATCH 33/34] Update tasks
---
tasks/main.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 8a7e68d..e4f7201 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -51,7 +51,6 @@
- ensure_clamav is defined
- ensure_clamav.package_list is defined
- ensure_clamav.package_list is iterable
- - packages[item.name] is not defined
ansible.builtin.package:
name: '{{ item.name }}'
state: '{{ item.state }}'
From ecbc5660d2ed91914a76aa36934ef8096d1985f8 Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Sun, 25 May 2025 20:05:09 -0500
Subject: [PATCH 34/34] Handler improvements
---
handlers/main.yml | 3 ++-
tasks/main.yml | 15 ++++++++++++++-
templates/Fedora/34/etc/clamd.d/scan.conf | 1 +
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index d24275a..4d6b510 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -11,7 +11,7 @@
- ensure_clamav is defined
ansible.builtin.systemd:
daemon_reload: 'yes'
-- name: 'ensure_clamav.services'
+- name: 'ensure_clamav.service_restart'
when:
- ansible_system == 'Linux'
- ensure_clamav is defined
@@ -25,4 +25,5 @@
loop: '{{ ensure_clamav.service_list }}'
loop_control:
label: '{{ item.name }} will be restarted'
+...
diff --git a/tasks/main.yml b/tasks/main.yml
index e4f7201..1ed3559 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -45,6 +45,11 @@
loop: '{{ ensure_clamav.sysctl_list }}'
loop_control:
label: '{{ item.name }} will be {{ item.value }}'
+ notify:
+ - 'ensure_clamav.package_facts'
+ - 'ensure_clamav.service_facts'
+ - 'ensure_clamav.service_reload'
+ - 'ensure_clamav.service_restart'
- name: 'ensure packages'
when:
- ansible_system == 'Linux'
@@ -60,6 +65,8 @@
notify:
- 'ensure_clamav.package_facts'
- 'ensure_clamav.service_facts'
+ - 'ensure_clamav.service_reload'
+ - 'ensure_clamav.service_restart'
- name: 'ensure seboolean'
when:
- ansible_system == 'Linux'
@@ -73,6 +80,11 @@
loop: '{{ ensure_clamav.seboolean_list }}'
loop_control:
label: '{{ item.name }} will be {{ item.state }}'
+ notify:
+ - 'ensure_clamav.package_facts'
+ - 'ensure_clamav.service_facts'
+ - 'ensure_clamav.service_reload'
+ - 'ensure_clamav.service_restart'
- name: 'ensure quarantine directory'
when:
- ansible_system == 'Linux'
@@ -105,7 +117,7 @@
- 'ensure_clamav.package_facts'
- 'ensure_clamav.service_facts'
- 'ensure_clamav.service_reload'
- - 'ensure_clamav.services'
+ - 'ensure_clamav.service_restart'
- name: 'ensure services'
when:
- ansible_system == 'Linux'
@@ -155,4 +167,5 @@
label: '{{ item.path }} to be removed'
- name: 'flush handlers'
meta: 'flush_handlers'
+...
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index 869f6f2..ec1b9d0 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -684,6 +684,7 @@ User clamscan
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#OnAccessExcludePath /home/user
+OnAccessExcludePath /etc/selinux
{% if quarantine_directory is defined %}
OnAccessExcludePath {{ quarantine_directory }}
{% endif %}