| author | Micah <micah@leap.se> | 2015-09-22 15:04:33 -0400 | 
|---|---|---|
| committer | Micah <micah@leap.se> | 2015-10-13 10:01:39 -0400 | 
| commit | d6b521372243b79105a1513d4559572dfab6db54 (patch) | |
| tree | c54d7433278c2a5b89ea5e2b47e5332efa79d912 | |
| parent | b748aeffbdd72d50a7665b9c21c96a9750a840c0 (diff) | |
add clamav filtering, with sanesecurity signature updating and provider whitelisting (#3625)
Change-Id: I15985ca00ee95bc62855f098a78e364ebbc32616
| -rw-r--r-- | provider_base/services/mx.json | 3 | ||||
| -rw-r--r-- | puppet/modules/clamav/files/01-leap.conf | 58 | ||||
| -rw-r--r-- | puppet/modules/clamav/files/clamav-daemon_default | 8 | ||||
| -rw-r--r-- | puppet/modules/clamav/files/clamav-milter_default | 14 | ||||
| -rw-r--r-- | puppet/modules/clamav/manifests/daemon.pp | 86 | ||||
| -rw-r--r-- | puppet/modules/clamav/manifests/freshclam.pp | 21 | ||||
| -rw-r--r-- | puppet/modules/clamav/manifests/init.pp | 8 | ||||
| -rw-r--r-- | puppet/modules/clamav/manifests/milter.pp | 48 | ||||
| -rw-r--r-- | puppet/modules/clamav/manifests/unofficial_sigs.pp | 22 | ||||
| -rw-r--r-- | puppet/modules/clamav/templates/clamav-milter.conf.erb | 28 | ||||
| -rw-r--r-- | puppet/modules/clamav/templates/local.pdb.erb | 1 | ||||
| -rw-r--r-- | puppet/modules/clamav/templates/whitelisted_addresses.erb | 5 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 5 | 
13 files changed, 307 insertions, 0 deletions
|
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index d6e9fff9..70acf5cb 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -24,6 +24,9 @@
   },
   "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq",
   "rbls": ["zen.spamhaus.org"],
+  "clamav": {
+    "whitelisted_addresses": []
+  },
   "x509": {
     "use": true,
     "use_commercial": true,
diff --git a/puppet/modules/clamav/files/01-leap.conf b/puppet/modules/clamav/files/01-leap.conf
new file mode 100644
index 00000000..abeeb302
--- /dev/null
+++ b/puppet/modules/clamav/files/01-leap.conf
@@ -0,0 +1,58 @@
+# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and
+# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module
+# are installed on the system, and you want to report whether clamd
+# is running or not, uncomment the "clamd_socket" variable below (you
+# will be warned if neither socat nor IO::Socket::UNIX are found, but
+# the script will still run).  You will also need to set the correct
+# path to your clamd socket file (if unsure of the path, check the
+# "LocalSocket" setting in your clamd.conf file for socket location).
+clamd_socket="/run/clamav/clamd.ctl"
+
+# If you would like to attempt to restart ClamD if detected not running,
+# uncomment the next 2 lines.  Confirm the path to the "clamd_lock" file
+# (usually can be found in the clamd init script) and also enter the clamd
+# start command for your particular distro for the "start_clamd" variable
+# (the sample start command shown below should work for most linux distros).
+# NOTE: these 2 variables are dependant on the "clamd_socket" variable
+# shown above - if not enabled, then the following 2 variables will be
+# ignored, whether enabled or not.
+clamd_lock="/run/clamav/clamd.pid"
+start_clamd="service clamav-daemon start"
+
+ss_dbs="
+   junk.ndb
+   phish.ndb
+   rogue.hdb
+   sanesecurity.ftm
+   scam.ndb
+   sigwhitelist.ign2
+   spamattach.hdb
+   spamimg.hdb
+   winnow.attachments.hdb
+   winnow_bad_cw.hdb
+   winnow_extended_malware.hdb
+   winnow_malware.hdb
+   winnow_malware_links.ndb
+   malwarehash.hsb
+   doppelstern.hdb
+   bofhland_cracked_URL.ndb
+   bofhland_malware_attach.hdb
+   bofhland_malware_URL.ndb
+   bofhland_phishing_URL.ndb
+   crdfam.clamav.hdb
+   phishtank.ndb
+   porcupine.ndb
+   spear.ndb
+   spearl.ndb
+"
+
+# ========================
+# SecuriteInfo Database(s)
+# ========================
+# Add or remove database file names between quote marks as needed.  To
+# disable any SecuriteInfo database downloads, remove the appropriate
+# lines below.  To disable all SecuriteInfo database file downloads,
+# comment all of the following lines.
+si_dbs=""
+
+mbl_dbs=""
\ No newline at end of file
diff --git a/puppet/modules/clamav/files/clamav-daemon_default b/puppet/modules/clamav/files/clamav-daemon_default
new file mode 100644
index 00000000..b4cd6a4f
--- /dev/null
+++ b/puppet/modules/clamav/files/clamav-daemon_default
@@ -0,0 +1,8 @@
+# This is a file designed only t0 set special environment variables
+# eg TMP or TMPDIR.  It is sourced from a shell script, so anything
+# put in here must be in variable=value format, suitable for sourcing
+# from a shell script.
+# Examples:
+# export TMPDIR=/dev/shm
+export TMP=/var/tmp
+export TMPDIR=/var/tmp
diff --git a/puppet/modules/clamav/files/clamav-milter_default b/puppet/modules/clamav/files/clamav-milter_default
new file mode 100644
index 00000000..5e33e822
--- /dev/null
+++ b/puppet/modules/clamav/files/clamav-milter_default
@@ -0,0 +1,14 @@
+#
+# clamav-milter init options
+#
+
+## SOCKET_RWGROUP
+# by default, the socket created by the milter has permissions
+# clamav:clamav:755. SOCKET_RWGROUP changes the group and changes the
+# permissions to 775 to give read-write access to that group.
+#
+# If you are using postfix to speak to the milter, you have to give permission
+# to the postfix group to write
+#
+SOCKET_RWGROUP=postfix
+export TMPDIR=/var/tmp
diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp
new file mode 100644
index 00000000..9aebf9b0
--- /dev/null
+++ b/puppet/modules/clamav/manifests/daemon.pp
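Review bot: The socket and pid paths here (`clamd_socket="/run/clamav/clamd.ctl"`, `clamd_lock="/run/clamav/clamd.pid"`) spell the directory as `/run/clamav`, while daemon.pp in this commit manages it as `/var/run/clamav` and the milter template points at `unix:/var/run/clamav/clamd.ctl`. On the Debian releases this targets the two are the same directory through a symlink, so it works, but the module should settle on one spelling so the next reader does not need to know that; `/var/run/clamav` would match the Puppet resource that actually creates the directory. The `ss_dbs` selection also deserves a short comment on the criteria used, since the milter template sets `OnInfected Reject` and any false positive from these third-party sets becomes a rejected message. The missing trailing newline flagged by `\ No newline at end of file` is worth fixing as well, given the file is presumably sourced by the clamav-unofficial-sigs script.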
@@ -0,0 +1,86 @@
+class clamav::daemon {
+
+  $domain_hash           = hiera('domain')
+  $domain                = $domain_hash['full_suffix']
+
+  package { [ 'clamav-daemon', 'arj' ]:
+    ensure => installed;
+  }
+
+  service {
+    'clamav-daemon':
+      ensure     => running,
+      name       => clamav-daemon,
+      pattern    => '/usr/sbin/clamd',
+      enable     => true,
+      hasrestart => true,
+      subscribe  => File['/etc/default/clamav-daemon'];
+  }
+
+  file {
+    '/var/run/clamav':
+      ensure => directory,
+      mode   => '0750',
+      owner  => clamav,
+      group  => postfix;
+
+    '/var/lib/clamav':
+      mode  => '0755',
+      owner => clamav,
+      group => clamav;
+
+    '/etc/default/clamav-daemon':
+      source => 'puppet:///modules/clamav/clamav-daemon_default',
+      mode   => '0644',
+      owner  => root,
+      group  => root;
+
+    # this file contains additional domains that we want the clamav
+    # phishing process to look for (our domain)
+    '/var/lib/clamav/local.pdb':
+      content => template('clamav/local.pdb.erb'),
+      mode    => '0644',
+      owner   => clamav,
+      group   => clamav;
+  }
+
+  file_line {
+    'clamav_daemon_tmp':
+      path    => '/etc/clamav/clamd.conf',
+      line    => 'TemporaryDirectory /var/tmp',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+     'enable_phishscanurls':
+      path    => '/etc/clamav/clamd.conf',
+      match   => 'PhishingScanURLs no',
+      line    => 'PhishingScanURLs yes',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+    'clamav_LogSyslog_true':
+      path    => '/etc/clamav/clamd.conf',
+      match   => '^LogSyslog false',
+      line    => 'LogSyslog true',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+    'clamav_MaxThreads':
+      path    => '/etc/clamav/clamd.conf',
+      match   => 'MaxThreads 20',
+      line    => 'MaxThreads 100',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+  }
+
+  # remove LogFile line
+  file_line {
+    'clamav_LogFile':
+      path    => '/etc/clamav/clamd.conf',
+      match   => '^LogFile .*',
+      line    => '',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp
new file mode 100644
index 00000000..b9827ede
--- /dev/null
+++ b/puppet/modules/clamav/manifests/freshclam.pp
@@ -0,0 +1,21 @@
+class clamav::freshclam {
+
+  package { 'clamav-freshclam': ensure => installed }
+
+  service {
+    'freshclam':
+      ensure     => running,
+      enable     => true,
+      name       => clamav-freshclam,
+      pattern    => '/usr/bin/freshclam',
+      hasrestart => true;
+  }
+
+  file_line {
+    'freshclam_notify':
+      path   => '/etc/clamav/freshclam.conf',
+      line   => 'NotifyClamd /etc/clamav/clamd.conf',
+      notify => Service[freshclam];
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp
new file mode 100644
index 00000000..fa7b553c
--- /dev/null
+++ b/puppet/modules/clamav/manifests/init.pp
@@ -0,0 +1,8 @@
+class clamav {
+
+  include clamav::daemon
+  include clamav::milter
+  include clamav::sanesecurity
+  include clamav::freshclam
+
+}
diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp
new file mode 100644
index 00000000..52ddaef1
--- /dev/null
+++ b/puppet/modules/clamav/manifests/milter.pp
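Review bot: The `match` patterns on the clamd.conf `file_line` resources are unanchored and tied to one specific packaged value (`'PhishingScanURLs no'`, `'MaxThreads 20'`), and `clamav_daemon_tmp` has no `match` at all; as far as I remember stdlib's file_line, a non-matching `match` falls back to appending `line`, so a clamd.conf shipped with a different value ends up with two copies of the directive. Anchoring on the directive name makes each edit a replacement whatever the current value is: `match => '^TemporaryDirectory '`, `match => '^PhishingScanURLs '`, `match => '^MaxThreads '`. The `clamav_LogFile` resource blanks the matched line rather than removing it, which works but reads like a mistake; a comment such as `# blanked rather than removed: this stdlib has no match_for_absence` (or `ensure => absent` with `match_for_absence => true`, if the stdlib in use supports it) would make the intent explicit. Minor style point: `'enable_phishscanurls':` is indented five spaces where its siblings use four.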
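Review bot: `file_line { 'freshclam_notify': ... }` edits `/etc/clamav/freshclam.conf` without a `require => Package['clamav-freshclam']`, unlike every `file_line` in daemon.pp; on a fresh node Puppet may schedule the edit before the package has created the file, and file_line fails on a path that does not exist. It also has no `match`, so a packaged freshclam.conf that already carries a `NotifyClamd` line with a different path gets a second one appended rather than replaced. I would add `require => Package['clamav-freshclam'],` and `match   => '^NotifyClamd ',` alongside the existing attributes.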
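Review bot: `include clamav::sanesecurity` names a class this commit does not define; the module adds `clamav::unofficial_sigs` (see the unofficial_sigs.pp hunk) and the diffstat lists no sanesecurity.pp, so catalog compilation would fail with a missing-class error unless that class exists elsewhere in the repository. Presumably the line should read `include clamav::unofficial_sigs`. A one-line class comment naming what each include provides (scanner daemon, postfix milter, third-party signatures, signature updater) would also help, since `clamav` is pulled in from site_postfix::mx with no other context.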
@@ -0,0 +1,48 @@
+class clamav::milter {
+
+  $clamav                = hiera('clamav')
+  $whitelisted_addresses = $clamav['whitelisted_addresses']
+  $domain_hash           = hiera('domain')
+  $domain                = $domain_hash['full_suffix']
+
+  package { 'clamav-milter': ensure => installed }
+
+  service {
+    'clamav-milter':
+      ensure     => running,
+      enable     => true,
+      name       => clamav-milter,
+      pattern    => '/usr/sbin/clamav-milter',
+      hasrestart => true,
+      subscribe  => File['/etc/default/clamav-milter'];
+  }
+
+  file {
+    '/run/clamav/milter.ctl':
+      mode    => '0666',
+      owner   => clamav,
+      group   => postfix,
+      require => Class['clamav::daemon'];
+
+    '/etc/clamav/clamav-milter.conf':
+      content   => template('clamav/clamav-milter.conf.erb'),
+      mode      => '0644',
+      owner     => root,
+      group     => root,
+      subscribe => Service['clamav-milter'];
+
+    '/etc/default/clamav-milter':
+      source => 'puppet:///modules/clamav/clamav-milter_default',
+      mode   => '0644',
+      owner  => root,
+      group  => root;
+
+    '/etc/clamav/whitelisted_addresses':
+      content => template('clamav/whitelisted_addresses.erb'),
+      mode    => '0644',
+      owner   => root,
+      group   => root;
+
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/unofficial_sigs.pp b/puppet/modules/clamav/manifests/unofficial_sigs.pp
new file mode 100644
index 00000000..316154d3
--- /dev/null
+++ b/puppet/modules/clamav/manifests/unofficial_sigs.pp
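Review bot: The `/etc/clamav/clamav-milter.conf` resource has `subscribe => Service['clamav-milter']`, which is the relationship backwards: it orders the file after the service, so a change to the rendered template never restarts the milter and a new policy or domain only takes effect at the next unrelated restart; `/etc/clamav/whitelisted_addresses` has no relationship to the service at all. Both should carry `notify => Service['clamav-milter']` instead, the way the service already subscribes to `/etc/default/clamav-milter`. Separately, `/run/clamav/milter.ctl` is given `mode => '0666'`; what actually limits access is the 0750 clamav:postfix parent directory from daemon.pp, and the `/etc/default/clamav-milter` in this commit already gives the postfix group read-write via SOCKET_RWGROUP, so `mode => '0660'` with `group => postfix` grants what Postfix needs and nothing more — the same applies to `MilterSocketMode 666` in the clamav-milter.conf.erb hunk. Managing a socket path with a plain `file` resource and no `ensure` is also fragile when Puppet runs before the milter has created it; worth checking what the first run does there.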
@@ -0,0 +1,22 @@
+class clamav::unofficial_sigs {
+
+  package { [ 'clamav-unofficial-sigs', 'wget', 'gnupg',
+              'socat', 'rsync', 'curl' ]:
+    ensure => installed
+  }
+
+  file {
+    '/var/log/clamav-unofficial-sigs.log':
+      ensure  => file,
+      owner   => clamav,
+      group   => clamav,
+      require => Package['clamav-unofficial-sigs'];
+
+    '/etc/clamav-unofficial-sigs.conf.d/01-leap.conf':
+      source  => 'puppet:///modules/clamav/01-leap.conf',
+      mode    => '0755',
+      owner   => root,
+      group   => root,
+      require => Package['clamav-unofficial-sigs'];
+    }
+}
diff --git a/puppet/modules/clamav/templates/clamav-milter.conf.erb b/puppet/modules/clamav/templates/clamav-milter.conf.erb
new file mode 100644
index 00000000..9bf7099e
--- /dev/null
+++ b/puppet/modules/clamav/templates/clamav-milter.conf.erb
@@ -0,0 +1,28 @@
+# THIS FILE MANAGED BY PUPPET
+MilterSocket /var/run/clamav/milter.ctl
+FixStaleSocket true
+User clamav
+MilterSocketGroup clamav
+MilterSocketMode 666
+AllowSupplementaryGroups true
+ReadTimeout 120
+Foreground false
+PidFile /var/run/clamav/clamav-milter.pid
+ClamdSocket unix:/var/run/clamav/clamd.ctl
+OnClean Accept
+OnInfected Reject
+OnFail Defer
+AddHeader Replace
+LogSyslog true
+LogFacility LOG_LOCAL6
+LogVerbose yes
+LogInfected Basic
+LogTime true
+LogFileUnlock false
+LogClean Off
+LogRotate true
+SupportMultipleRecipients false
+MaxFileSize 10M
+TemporaryDirectory /var/tmp
+RejectMsg "Message refused due to content violation: %v - contact https://<%= @domain %>/tickets/new if this is in error"
+Whitelist /etc/clamav/whitelisted_addresses
diff --git a/puppet/modules/clamav/templates/local.pdb.erb b/puppet/modules/clamav/templates/local.pdb.erb
new file mode 100644
index 00000000..9ea0584a
--- /dev/null
+++ b/puppet/modules/clamav/templates/local.pdb.erb
@@ -0,0 +1 @@
+H:<%= @domain %>
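Review bot: `/etc/clamav-unofficial-sigs.conf.d/01-leap.conf` is deployed with `mode => '0755'`, but it is a configuration fragment of shell variable assignments, not an executable; every other config file in this module uses `'0644'`, and an executable bit on a file that a root cron script reads only invites confusion about what it is. I would change it to `mode    => '0644',`. Minor style point: the closing `}` of the `file` block is indented four spaces where daemon.pp and milter.pp use two.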
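Review bot: `MaxFileSize 10M` deserves a comment, because per clamav-milter's own configuration documentation messages larger than this limit are skipped rather than rejected, so anything above 10M passes the filter unscanned; I would add `# Messages above this size are passed through unscanned; keep <= StreamMaxLength in clamd.conf` above it (confirm the skip-means-accept behaviour for the clamav version deployed). `MilterSocketGroup clamav` also disagrees with `SOCKET_RWGROUP=postfix` in `/etc/default/clamav-milter` and `group => postfix` in milter.pp; by the default file's own comment the init script regroups the socket afterwards, so the directive is dead and misleading and should read `MilterSocketGroup postfix`. `ClamdSocket unix:/var/run/clamav/clamd.ctl` and `MilterSocket /var/run/clamav/milter.ctl` are yet another spelling of the socket directory next to `/run/clamav/...` in 01-leap.conf, milter.pp and mx.pp.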
diff --git a/puppet/modules/clamav/templates/whitelisted_addresses.erb b/puppet/modules/clamav/templates/whitelisted_addresses.erb
new file mode 100644
index 00000000..9e068ec5
--- /dev/null
+++ b/puppet/modules/clamav/templates/whitelisted_addresses.erb
@@ -0,0 +1,5 @@
+<%- if @whitelisted_addresses then -%>
+<%   @whitelisted_addresses.each do |name| -%>
+From::<%= name %>
+<%   end -%>
+<% end -%>
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 42313d1a..f0a2554a 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -49,6 +49,10 @@ class site_postfix::mx {
     # alias map
     'local_recipient_maps':
       value => '$alias_maps';
+    'smtpd_milters':
+      value => 'unix:/run/clamav/milter.ctl';
+    'milter_default_action':
+      value => 'accept';
   }
   include site_postfix::mx::smtpd_checks
@@ -57,6 +61,7 @@ class site_postfix::mx {
   include site_postfix::mx::smtpd_tls
   include site_postfix::mx::static_aliases
   include site_postfix::mx::rewrite_openpgp_header
+  include clamav
   # greater verbosity for debugging, take out for production
   #include site_postfix::debug |
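Review bot: Each address is interpolated into the milter whitelist verbatim (`From::<%= name %>`); as far as I recall, clamav-milter treats whitelist lines as regular expressions, in which case `user@example.org` also matches `user@exampleXorg` and a stray metacharacter in a provider-supplied value matches far more than intended. If that is right, `From::<%= Regexp.escape(name) %>` keeps the match literal, with no new dependency since ERB already has Ruby in scope. Independently, this file is a sender-based bypass of virus scanning and the sender is chosen by whoever sends the mail, so every whitelisted address is also a forgeable one; a header comment such as `# Mail whose sender matches an entry below is not scanned; senders can be forged, so keep this list short` would give operators that context before they populate `clamav.whitelisted_addresses` in mx.json. The `then` in `if @whitelisted_addresses then` is unidiomatic Ruby and can be dropped.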
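Review bot: `'milter_default_action': value => 'accept'` makes the milter fail open: if clamav-milter is down or its socket is missing (for example on a first run, since nothing orders `include clamav` before Postfix is reconfigured), Postfix delivers the mail unscanned and the only trace is a warning in the mail log. That may well be the intended availability trade-off for a provider MX, but it should be stated next to the setting, e.g. `# fail open: mail is delivered unscanned if the milter is unreachable`, and the milter service should be monitored so a silent bypass is noticed. Only `smtpd_milters` is set, so mail injected locally through sendmail/pickup never reaches the milter; if that path matters here, `non_smtpd_milters` needs the same value. The `include clamav` in the second hunk is what pulls the whole module in; a short comment there pointing at this milter configuration would tie the two together.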
