Increase inotify capacity to prevent Clam OnAccess Scanner from failing

tasks/main.yml

@@ -29,6 +29,19 @@
     - ansible_system == 'Linux'
     - services is not defined
   ansible.builtin.service_facts:
+- name: 'ensure sysctl'
+  when:
+    - ansible_system == 'Linux'
+    - ensure_clamav is defined
+    - ensure_clamav.sysctl_list is defined
+    - ensure_clamav.sysctl_list is iterable
+  ansible.posix.sysctl:
+    name: '{{ item.name }}'
+    reload: '{{ item.reload | default(omit) }}'
+    state: '{{ item.state }}'
+    sysctl_file: '{{ item.sysctl_file | default(omit) }}'
+    sysctl_set: '{{ item.sysctl_set | default(omit) }}'
+    value: '{{ item.value | default(omit) }}'
 - name: 'ensure packages'
   when:
     - ansible_system == 'Linux'

templates/Fedora/34/etc/clamd.d/scan.conf

@@ -739,6 +739,7 @@ OnAccessMountPath {{ item.mount }}
 # root user from triggering a scan (unless OnAccessPrevention is enabled).
 # Default: no
 #OnAccessExcludeRootUID no
+OnAccessExcludeRootUID yes
 
 # With this option you can whitelist specific UIDs. Processes with these UIDs
 # will be able to access all files without triggering scans or permission
@@ -761,9 +762,9 @@ OnAccessMountPath {{ item.mount }}
 # OnAccessExcludeUID option.
 # Default: disabled
 #OnAccessExcludeUname clamav
-OnAccessExcludeUname clamilt
+# XXX OnAccessExcludeUname clamilt
-OnAccessExcludeUname clamscan
+# XXX OnAccessExcludeUname clamscan
-OnAccessExcludeUname clamupdate
+# XXX OnAccessExcludeUname clamupdate
 
 # Number of times the OnAccess client will retry a failed scan due to
 # connection problems (or other issues).

vars/Fedora-34-default.yml

@@ -28,6 +28,11 @@ service_list:
   - name: 'clamav-freshclam.service'
     state: 'started'
     enabled: 'yes'
+sysctl_list:
+  - name: 'fs.inotify.max_user_watches'
+    state: 'present'
+    sysctl_file: '/etc/sysctl.d/99-clamav.conf'
+    value: '524288'
 template_list:
   - dest: '/etc/clamd.d/scan.conf'
     group: 'root'