Enable quarantine and priv sep

2021-07-13 04:08:12 +00:00
parent b269fbf31c
commit ab73b6088a
5 changed files with 38 additions and 4 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -4,6 +4,19 @@
  ansible.builtin.package_facts:
 - name: 'ensure_clamav.service_facts'
  ansible.builtin.service_facts:
 - name: 'ensure_clamav.service_reload'
  when:
    - ansible_system == 'Linux'
    - ansible_service_mgr == 'systemd'
    - ensure_clamav is defined
    - ensure_clamav.service_list is defined
    - ensure_clamav.service_list is iterable
  ansible.builtin.systemd:
    daemon_reload: 'yes'
    name: '{{ item.name }}'
  loop: '{{ ensure_clamav.service_list }}'
  loop_control:
    label: '{{ item.name }} will be reloaded'
 - name: 'ensure_clamav.services'
  when:
    - ansible_system == 'Linux'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -97,6 +97,7 @@
  notify:
    - 'ensure_clamav.package_facts'
    - 'ensure_clamav.service_facts'
    - 'ensure_clamav.service_reload'
    - 'ensure_clamav.services'
 - name: 'flush handlers'
  meta: 'flush_handlers'
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@@ -220,6 +220,7 @@ TCPAddr 127.0.0.1
 # Run as another user (clamd must be started by root for this option to work)
 # Default: don't drop privileges
 # User clamscan
 User clamscan
 # Stop daemon when libclamav reports out of memory condition.
 #ExitOnOOM yes
@@ -739,7 +740,6 @@ OnAccessMountPath {{ item.mount }}
 # root user from triggering a scan (unless OnAccessPrevention is enabled).
 # Default: no
 #OnAccessExcludeRootUID no
 OnAccessExcludeRootUID yes
 # With this option you can whitelist specific UIDs. Processes with these UIDs
 # will be able to access all files without triggering scans or permission
@@ -762,9 +762,9 @@ OnAccessExcludeRootUID yes
 # OnAccessExcludeUID option.
 # Default: disabled
 #OnAccessExcludeUname clamav
-# XXX OnAccessExcludeUname clamilt
+OnAccessExcludeUname clamilt
-# XXX OnAccessExcludeUname clamscan
+OnAccessExcludeUname clamscan
-# XXX OnAccessExcludeUname clamupdate
+OnAccessExcludeUname clamupdate
 # Number of times the OnAccess client will retry a failed scan due to
 # connection problems (or other issues).
--- a/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
+++ b/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
@@ -0,0 +1,15 @@
 # clamonacc systemd service file primarily the work of ChadDevOps & Aaron Brighton
 # See: https://medium.com/@aaronbrighton/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41#a340
 [Unit]
 Description=ClamAV On-Access Scanner
 Documentation=man:clamonacc(8) man:clamd.conf(5) https://www.clamav.net/documents
 After=clamd@scan.service syslog.target network.target
 [Service]
 Type=simple
 User=root
 ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf --move=/root/quarantine/ --fdpass
 [Install]
 WantedBy=multi-user.target
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@@ -44,4 +44,9 @@ template_list:
    mode: '0600'
    owner: 'root'
    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/freshclam.conf'
  - dest: '/usr/lib/systemd/system/clamav-clamonacc.service'
    group: 'root'
    mode: '0644'
    owner: 'root'
    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/clamav-clamonacc.service