Enable quarantine and priv sep

handlers/main.yml

@@ -4,6 +4,19 @@
   ansible.builtin.package_facts:
 - name: 'ensure_clamav.service_facts'
   ansible.builtin.service_facts:
+- name: 'ensure_clamav.service_reload'
+  when:
+    - ansible_system == 'Linux'
+    - ansible_service_mgr == 'systemd'
+    - ensure_clamav is defined
+    - ensure_clamav.service_list is defined
+    - ensure_clamav.service_list is iterable
+  ansible.builtin.systemd:
+    daemon_reload: 'yes'
+    name: '{{ item.name }}'
+  loop: '{{ ensure_clamav.service_list }}'
+  loop_control:
+    label: '{{ item.name }} will be reloaded'
 - name: 'ensure_clamav.services'
   when:
     - ansible_system == 'Linux'

tasks/main.yml

@@ -97,6 +97,7 @@
   notify:
     - 'ensure_clamav.package_facts'
     - 'ensure_clamav.service_facts'
+    - 'ensure_clamav.service_reload'
     - 'ensure_clamav.services'
 - name: 'flush handlers'
   meta: 'flush_handlers'

templates/Fedora/34/etc/clamd.d/scan.conf

@@ -220,6 +220,7 @@ TCPAddr 127.0.0.1
 # Run as another user (clamd must be started by root for this option to work)
 # Default: don't drop privileges
 # User clamscan
+User clamscan
 
 # Stop daemon when libclamav reports out of memory condition.
 #ExitOnOOM yes
@@ -739,7 +740,6 @@ OnAccessMountPath {{ item.mount }}
 # root user from triggering a scan (unless OnAccessPrevention is enabled).
 # Default: no
 #OnAccessExcludeRootUID no
-OnAccessExcludeRootUID yes
 
 # With this option you can whitelist specific UIDs. Processes with these UIDs
 # will be able to access all files without triggering scans or permission
@@ -762,9 +762,9 @@ OnAccessExcludeRootUID yes
 # OnAccessExcludeUID option.
 # Default: disabled
 #OnAccessExcludeUname clamav
-# XXX OnAccessExcludeUname clamilt
+OnAccessExcludeUname clamilt
-# XXX OnAccessExcludeUname clamscan
+OnAccessExcludeUname clamscan
-# XXX OnAccessExcludeUname clamupdate
+OnAccessExcludeUname clamupdate
 
 # Number of times the OnAccess client will retry a failed scan due to
 # connection problems (or other issues).

templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service

@@ -0,0 +1,15 @@
+# clamonacc systemd service file primarily the work of ChadDevOps & Aaron Brighton
+# See: https://medium.com/@aaronbrighton/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41#a340
+
+[Unit]
+Description=ClamAV On-Access Scanner
+Documentation=man:clamonacc(8) man:clamd.conf(5) https://www.clamav.net/documents
+After=clamd@scan.service syslog.target network.target
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf --move=/root/quarantine/ --fdpass
+
+[Install]
+WantedBy=multi-user.target

vars/Fedora-34-default.yml

@@ -44,4 +44,9 @@ template_list:
     mode: '0600'
     owner: 'root'
     src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/freshclam.conf'
+  - dest: '/usr/lib/systemd/system/clamav-clamonacc.service'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/clamav-clamonacc.service