Enable quarantine and priv sep

2021-07-13 04:08:12 +00:00 · 2021-07-13 04:08:12 +00:00 · ab73b6088a
commit ab73b6088a
parent b269fbf31c
5 changed files with 38 additions and 4 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -4,6 +4,19 @@
  ansible.builtin.package_facts:
 - name: 'ensure_clamav.service_facts'
  ansible.builtin.service_facts:
+- name: 'ensure_clamav.service_reload'
+  when:
+    - ansible_system == 'Linux'
+    - ansible_service_mgr == 'systemd'
+    - ensure_clamav is defined
+    - ensure_clamav.service_list is defined
+    - ensure_clamav.service_list is iterable
+  ansible.builtin.systemd:
+    daemon_reload: 'yes'
+    name: '{{ item.name }}'
+  loop: '{{ ensure_clamav.service_list }}'
+  loop_control:
+    label: '{{ item.name }} will be reloaded'
 - name: 'ensure_clamav.services'
  when:
    - ansible_system == 'Linux'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -97,6 +97,7 @@
  notify:
    - 'ensure_clamav.package_facts'
    - 'ensure_clamav.service_facts'
+    - 'ensure_clamav.service_reload'
    - 'ensure_clamav.services'
 - name: 'flush handlers'
  meta: 'flush_handlers'
--- a/templates/Fedora/34/etc/clamd.d/scan.conf
+++ b/templates/Fedora/34/etc/clamd.d/scan.conf
@ -220,6 +220,7 @@ TCPAddr 127.0.0.1
 # Run as another user (clamd must be started by root for this option to work)
 # Default: don't drop privileges
 # User clamscan
+User clamscan

 # Stop daemon when libclamav reports out of memory condition.
 #ExitOnOOM yes
@ -739,7 +740,6 @@ OnAccessMountPath {{ item.mount }}
 # root user from triggering a scan (unless OnAccessPrevention is enabled).
 # Default: no
 #OnAccessExcludeRootUID no
-OnAccessExcludeRootUID yes

 # With this option you can whitelist specific UIDs. Processes with these UIDs
 # will be able to access all files without triggering scans or permission
@ -762,9 +762,9 @@ OnAccessExcludeRootUID yes
 # OnAccessExcludeUID option.
 # Default: disabled
 #OnAccessExcludeUname clamav
-# XXX OnAccessExcludeUname clamilt
-# XXX OnAccessExcludeUname clamscan
-# XXX OnAccessExcludeUname clamupdate
+OnAccessExcludeUname clamilt
+OnAccessExcludeUname clamscan
+OnAccessExcludeUname clamupdate

 # Number of times the OnAccess client will retry a failed scan due to
 # connection problems (or other issues).
--- a/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
+++ b/templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service
@ -0,0 +1,15 @@
+# clamonacc systemd service file primarily the work of ChadDevOps & Aaron Brighton
+# See: https://medium.com/@aaronbrighton/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41#a340
+
+[Unit]
+Description=ClamAV On-Access Scanner
+Documentation=man:clamonacc(8) man:clamd.conf(5) https://www.clamav.net/documents
+After=clamd@scan.service syslog.target network.target
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf --move=/root/quarantine/ --fdpass
+
+[Install]
+WantedBy=multi-user.target
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@ -44,4 +44,9 @@ template_list:
    mode: '0600'
    owner: 'root'
    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/freshclam.conf'
+  - dest: '/usr/lib/systemd/system/clamav-clamonacc.service'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/usr/lib/systemd/system/clamav-clamonacc.service