diff --git a/handlers/main.yml b/handlers/main.yml
index d5d2fad..88a5ca4 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -4,6 +4,19 @@
 ansible.builtin.package_facts:
 - name: 'ensure_clamav.service_facts'
 ansible.builtin.service_facts:
+- name: 'ensure_clamav.service_reload'
+ when:
+ - ansible_system == 'Linux'
+ - ansible_service_mgr == 'systemd'
+ - ensure_clamav is defined
+ - ensure_clamav.service_list is defined
+ - ensure_clamav.service_list is iterable
+ ansible.builtin.systemd:
+ daemon_reload: 'yes'
+ name: '{{ item.name }}'
+ loop: '{{ ensure_clamav.service_list }}'
+ loop_control:
+ label: '{{ item.name }} will be reloaded'
 - name: 'ensure_clamav.services'
 when:
 - ansible_system == 'Linux'
diff --git a/tasks/main.yml b/tasks/main.yml
index 7ff35ee..a174aba 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -97,6 +97,7 @@
 notify:
 - 'ensure_clamav.package_facts'
 - 'ensure_clamav.service_facts'
+ - 'ensure_clamav.service_reload'
 - 'ensure_clamav.services'
 - name: 'flush handlers'
 meta: 'flush_handlers'
diff --git a/templates/Fedora/34/etc/clamd.d/scan.conf b/templates/Fedora/34/etc/clamd.d/scan.conf
index d0ff41c..b90033e 100644
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -220,6 +220,7 @@ TCPAddr 127.0.0.1
 # Run as another user (clamd must be started by root for this option to work)
 # Default: don't drop privileges
 # User clamscan
+User clamscan
 # Stop daemon when libclamav reports out of memory condition.
 #ExitOnOOM yes
@@ -739,7 +740,6 @@ OnAccessMountPath {{ item.mount }}
 # root user from triggering a scan (unless OnAccessPrevention is enabled).
 # Default: no
 #OnAccessExcludeRootUID no
-OnAccessExcludeRootUID yes
 # With this option you can whitelist specific UIDs. Processes with these UIDs
 # will be able to access all files without triggering scans or permission
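Review bot: In handlers/main.yml, the new `ensure_clamav.service_reload` handler runs `daemon_reload` once per entry of `ensure_clamav.service_list`, although a systemd daemon-reload is manager-wide and a single run picks up the newly templated unit file. The `loop`, `loop_control` and `name: '{{ item.name }}'` keys can be dropped so the module call is just `daemon_reload: true`; the quoted `'yes'` is a string that Ansible has to coerce, and a real boolean is clearer. If the loop stays, note that `is iterable` is also true for a plain string, so adding `- ensure_clamav.service_list is not string` to the `when` list would keep a mis-typed variable from being iterated character by character.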
@@ -762,9 +762,9 @@ OnAccessExcludeRootUID yes
 # OnAccessExcludeUID option.
 # Default: disabled
 #OnAccessExcludeUname clamav
-# XXX OnAccessExcludeUname clamilt
-# XXX OnAccessExcludeUname clamscan
-# XXX OnAccessExcludeUname clamupdate
+OnAccessExcludeUname clamilt
+OnAccessExcludeUname clamscan
+OnAccessExcludeUname clamupdate
 # Number of times the OnAccess client will retry a failed scan due to
 # connection problems (or other issues).
diff --git a/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service b/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
new file mode 100644
index 0000000..fd6ee6b
--- /dev/null
+++ b/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
@@ -0,0 +1,15 @@
+# clamonacc systemd service file primarily the work of ChadDevOps & Aaron Brighton
+# See: https://medium.com/@aaronbrighton/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41#a340
+
+[Unit]
+Description=ClamAV On-Access Scanner
+Documentation=man:clamonacc(8) man:clamd.conf(5) https://www.clamav.net/documents
+After=clamd@scan.service syslog.target network.target
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf --move=/root/quarantine/ --fdpass
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
index 85d2efc..58c72ab 100644
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@@ -44,4 +44,9 @@ template_list:
 mode: '0600'
 owner: 'root'
 src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/freshclam.conf'
+ - dest: '/usr/lib/systemd/system/clamav-clamonacc.service'
+ group: 'root'
+ mode: '0644'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/clamav-clamonacc.service
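Review bot: Enabling `OnAccessExcludeUname clamilt` and `OnAccessExcludeUname clamupdate` in the third scan.conf hunk exempts every process running as those accounts from on-access scanning, which is wider than the scan-loop problem needs. Only the account clamd runs as (`User clamscan`, enabled earlier in this same file) has to be excluded so that clamd's own reads do not re-trigger scans; `clamupdate` presumably belongs to the signature updater, which writes network-fetched data to disk. Unless there is a demonstrated need for the other two, I would keep just `OnAccessExcludeUname clamscan` and put a comment above it such as `# exclude only the clamd user, to avoid scan loops`.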
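Review bot: The new clamav-clamonacc.service unit orders itself with `After=clamd@scan.service` but declares no dependency on clamd and no restart policy, so if clamd is not running or clamonacc exits, on-access scanning stops and systemd will not bring it back. Adding `Requires=clamd@scan.service` under `[Unit]` and `Restart=on-failure` under `[Service]` would close that gap. `ExecStart` also passes `--move=/root/quarantine/`, and nothing visible in this commit creates that directory; the role should create it owned by `root` with mode `0700` so quarantined files are not readable by other users, and it should sit outside any configured `OnAccessMountPath`.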