Merge branch 'develop' of ssh://leap.se/leap_platform into develop

21 files changed, 358 insertions, 8 deletions

diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index d6e9fff9..70acf5cb 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -24,6 +24,9 @@
   },
   "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq",
   "rbls": ["zen.spamhaus.org"],
+  "clamav": {
+    "whitelisted_addresses": []
+  },
   "x509": {
     "use": true,
     "use_commercial": true,
diff --git a/puppet/modules/clamav/files/01-leap.conf b/puppet/modules/clamav/files/01-leap.conf
new file mode 100644
index 00000000..abeeb302
--- /dev/null
+++ b/puppet/modules/clamav/files/01-leap.conf
@@ -0,0 +1,58 @@
+# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and
+# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module
+# are installed on the system, and you want to report whether clamd
+# is running or not, uncomment the "clamd_socket" variable below (you
+# will be warned if neither socat nor IO::Socket::UNIX are found, but
+# the script will still run).  You will also need to set the correct
+# path to your clamd socket file (if unsure of the path, check the
+# "LocalSocket" setting in your clamd.conf file for socket location).
+clamd_socket="/run/clamav/clamd.ctl"
+
+# If you would like to attempt to restart ClamD if detected not running,
+# uncomment the next 2 lines.  Confirm the path to the "clamd_lock" file
+# (usually can be found in the clamd init script) and also enter the clamd
+# start command for your particular distro for the "start_clamd" variable
+# (the sample start command shown below should work for most linux distros).
+# NOTE: these 2 variables are dependant on the "clamd_socket" variable
+# shown above - if not enabled, then the following 2 variables will be
+# ignored, whether enabled or not.
+clamd_lock="/run/clamav/clamd.pid"
+start_clamd="service clamav-daemon start"
+
+ss_dbs="
+   junk.ndb
+   phish.ndb
+   rogue.hdb
+   sanesecurity.ftm
+   scam.ndb
+   sigwhitelist.ign2
+   spamattach.hdb
+   spamimg.hdb
+   winnow.attachments.hdb
+   winnow_bad_cw.hdb
+   winnow_extended_malware.hdb
+   winnow_malware.hdb
+   winnow_malware_links.ndb
+   malwarehash.hsb
+   doppelstern.hdb
+   bofhland_cracked_URL.ndb
+   bofhland_malware_attach.hdb
+   bofhland_malware_URL.ndb
+   bofhland_phishing_URL.ndb
+   crdfam.clamav.hdb
+   phishtank.ndb
+   porcupine.ndb
+   spear.ndb
+   spearl.ndb
+"
+
+# ========================
+# SecuriteInfo Database(s)
+# ========================
+# Add or remove database file names between quote marks as needed.  To
+# disable any SecuriteInfo database downloads, remove the appropriate
+# lines below.  To disable all SecuriteInfo database file downloads,
+# comment all of the following lines.
+si_dbs=""
+
+mbl_dbs=""
\ No newline at end of file
diff --git a/puppet/modules/clamav/files/clamav-daemon_default b/puppet/modules/clamav/files/clamav-daemon_default
new file mode 100644
index 00000000..b4cd6a4f
--- /dev/null
+++ b/puppet/modules/clamav/files/clamav-daemon_default
@@ -0,0 +1,8 @@
+# This is a file designed only t0 set special environment variables
+# eg TMP or TMPDIR.  It is sourced from a shell script, so anything
+# put in here must be in variable=value format, suitable for sourcing
+# from a shell script.
+# Examples:
+# export TMPDIR=/dev/shm
+export TMP=/var/tmp
+export TMPDIR=/var/tmp
diff --git a/puppet/modules/clamav/files/clamav-milter_default b/puppet/modules/clamav/files/clamav-milter_default
new file mode 100644
index 00000000..5e33e822
--- /dev/null
+++ b/puppet/modules/clamav/files/clamav-milter_default
@@ -0,0 +1,14 @@
+#
+# clamav-milter init options
+#
+
+## SOCKET_RWGROUP
+# by default, the socket created by the milter has permissions
+# clamav:clamav:755. SOCKET_RWGROUP changes the group and changes the
+# permissions to 775 to give read-write access to that group.
+#
+# If you are using postfix to speak to the milter, you have to give permission
+# to the postfix group to write
+#
+SOCKET_RWGROUP=postfix
+export TMPDIR=/var/tmp
diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp
new file mode 100644
index 00000000..bf232e2c
--- /dev/null
+++ b/puppet/modules/clamav/manifests/daemon.pp
@@ -0,0 +1,90 @@
+class clamav::daemon {
+
+  $domain_hash           = hiera('domain')
+  $domain                = $domain_hash['full_suffix']
+
+  package { [ 'clamav-daemon', 'arj' ]:
+    ensure => installed;
+  }
+
+  service {
+    'clamav-daemon':
+      ensure     => running,
+      name       => clamav-daemon,
+      pattern    => '/usr/sbin/clamd',
+      enable     => true,
+      hasrestart => true,
+      subscribe  => File['/etc/default/clamav-daemon'],
+      require    => Package['clamav-daemon'];
+  }
+
+  file {
+    '/var/run/clamav':
+      ensure  => directory,
+      mode    => '0750',
+      owner   => clamav,
+      group   => postfix,
+      require => [Package['postfix'], Package['clamav-daemon']];
+
+    '/var/lib/clamav':
+      mode    => '0755',
+      owner   => clamav,
+      group   => clamav,
+      require => Package['clamav-daemon'];
+
+    '/etc/default/clamav-daemon':
+      source => 'puppet:///modules/clamav/clamav-daemon_default',
+      mode   => '0644',
+      owner  => root,
+      group  => root;
+
+    # this file contains additional domains that we want the clamav
+    # phishing process to look for (our domain)
+    '/var/lib/clamav/local.pdb':
+      content => template('clamav/local.pdb.erb'),
+      mode    => '0644',
+      owner   => clamav,
+      group   => clamav,
+      require => Package['clamav-daemon'];
+  }
+
+  file_line {
+    'clamav_daemon_tmp':
+      path    => '/etc/clamav/clamd.conf',
+      line    => 'TemporaryDirectory /var/tmp',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+     'enable_phishscanurls':
+      path    => '/etc/clamav/clamd.conf',
+      match   => 'PhishingScanURLs no',
+      line    => 'PhishingScanURLs yes',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+    'clamav_LogSyslog_true':
+      path    => '/etc/clamav/clamd.conf',
+      match   => '^LogSyslog false',
+      line    => 'LogSyslog true',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+    'clamav_MaxThreads':
+      path    => '/etc/clamav/clamd.conf',
+      match   => 'MaxThreads 20',
+      line    => 'MaxThreads 100',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+  }
+
+  # remove LogFile line
+  file_line {
+    'clamav_LogFile':
+      path    => '/etc/clamav/clamd.conf',
+      match   => '^LogFile .*',
+      line    => '',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp
new file mode 100644
index 00000000..80c822a4
--- /dev/null
+++ b/puppet/modules/clamav/manifests/freshclam.pp
@@ -0,0 +1,23 @@
+class clamav::freshclam {
+
+  package { 'clamav-freshclam': ensure => installed }
+
+  service {
+    'freshclam':
+      ensure     => running,
+      enable     => true,
+      name       => clamav-freshclam,
+      pattern    => '/usr/bin/freshclam',
+      hasrestart => true,
+      require    => Package['clamav-freshclam'];
+  }
+
+  file_line {
+    'freshclam_notify':
+      path    => '/etc/clamav/freshclam.conf',
+      line    => 'NotifyClamd /etc/clamav/clamd.conf',
+      require => Package['clamav-freshclam'],
+      notify  => Service['freshclam'];
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp
new file mode 100644
index 00000000..de8fb4dc
--- /dev/null
+++ b/puppet/modules/clamav/manifests/init.pp
@@ -0,0 +1,8 @@
+class clamav {
+
+  include clamav::daemon
+  include clamav::milter
+  include clamav::unofficial_sigs
+  include clamav::freshclam
+
+}
diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp
new file mode 100644
index 00000000..e8a85e3f
--- /dev/null
+++ b/puppet/modules/clamav/manifests/milter.pp
@@ -0,0 +1,50 @@
+class clamav::milter {
+
+  $clamav                = hiera('clamav')
+  $whitelisted_addresses = $clamav['whitelisted_addresses']
+  $domain_hash           = hiera('domain')
+  $domain                = $domain_hash['full_suffix']
+
+  package { 'clamav-milter': ensure => installed }
+
+  service {
+    'clamav-milter':
+      ensure     => running,
+      enable     => true,
+      name       => clamav-milter,
+      pattern    => '/usr/sbin/clamav-milter',
+      hasrestart => true,
+      require    => Package['clamav-milter'],
+      subscribe  => File['/etc/default/clamav-milter'];
+  }
+
+  file {
+    '/run/clamav/milter.ctl':
+      mode    => '0666',
+      owner   => clamav,
+      group   => postfix,
+      require => Class['clamav::daemon'];
+
+    '/etc/clamav/clamav-milter.conf':
+      content   => template('clamav/clamav-milter.conf.erb'),
+      mode      => '0644',
+      owner     => root,
+      group     => root,
+      require   => Package['clamav-milter'],
+      subscribe => Service['clamav-milter'];
+
+    '/etc/default/clamav-milter':
+      source => 'puppet:///modules/clamav/clamav-milter_default',
+      mode   => '0644',
+      owner  => root,
+      group  => root;
+
+    '/etc/clamav/whitelisted_addresses':
+      content => template('clamav/whitelisted_addresses.erb'),
+      mode    => '0644',
+      owner   => root,
+      group   => root,
+      require => Package['clamav-milter'];
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/unofficial_sigs.pp b/puppet/modules/clamav/manifests/unofficial_sigs.pp
new file mode 100644
index 00000000..316154d3
--- /dev/null
+++ b/puppet/modules/clamav/manifests/unofficial_sigs.pp
@@ -0,0 +1,22 @@
+class clamav::unofficial_sigs {
+
+  package { [ 'clamav-unofficial-sigs', 'wget', 'gnupg',
+              'socat', 'rsync', 'curl' ]:
+    ensure => installed
+  }
+
+  file {
+    '/var/log/clamav-unofficial-sigs.log':
+      ensure  => file,
+      owner   => clamav,
+      group   => clamav,
+      require => Package['clamav-unofficial-sigs'];
+
+    '/etc/clamav-unofficial-sigs.conf.d/01-leap.conf':
+      source  => 'puppet:///modules/clamav/01-leap.conf',
+      mode    => '0755',
+      owner   => root,
+      group   => root,
+      require => Package['clamav-unofficial-sigs'];
+    }
+}
diff --git a/puppet/modules/clamav/templates/clamav-milter.conf.erb b/puppet/modules/clamav/templates/clamav-milter.conf.erb
new file mode 100644
index 00000000..9bf7099e
--- /dev/null
+++ b/puppet/modules/clamav/templates/clamav-milter.conf.erb
@@ -0,0 +1,28 @@
+# THIS FILE MANAGED BY PUPPET
+MilterSocket /var/run/clamav/milter.ctl
+FixStaleSocket true
+User clamav
+MilterSocketGroup clamav
+MilterSocketMode 666
+AllowSupplementaryGroups true
+ReadTimeout 120
+Foreground false
+PidFile /var/run/clamav/clamav-milter.pid
+ClamdSocket unix:/var/run/clamav/clamd.ctl
+OnClean Accept
+OnInfected Reject
+OnFail Defer
+AddHeader Replace
+LogSyslog true
+LogFacility LOG_LOCAL6
+LogVerbose yes
+LogInfected Basic
+LogTime true
+LogFileUnlock false
+LogClean Off
+LogRotate true
+SupportMultipleRecipients false
+MaxFileSize 10M
+TemporaryDirectory /var/tmp
+RejectMsg "Message refused due to content violation: %v - contact https://<%= @domain %>/tickets/new if this is in error"
+Whitelist /etc/clamav/whitelisted_addresses
diff --git a/puppet/modules/clamav/templates/local.pdb.erb b/puppet/modules/clamav/templates/local.pdb.erb
new file mode 100644
index 00000000..9ea0584a
--- /dev/null
+++ b/puppet/modules/clamav/templates/local.pdb.erb
@@ -0,0 +1 @@
+H:<%= @domain %>
diff --git a/puppet/modules/clamav/templates/whitelisted_addresses.erb b/puppet/modules/clamav/templates/whitelisted_addresses.erb
new file mode 100644
index 00000000..9e068ec5
--- /dev/null
+++ b/puppet/modules/clamav/templates/whitelisted_addresses.erb
@@ -0,0 +1,5 @@
+<%- if @whitelisted_addresses then -%>
+<%   @whitelisted_addresses.each do |name| -%>
+From::<%= name %>
+<%   end -%>
+<% end -%>
diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb
-Subproject 1f583d9c9157390850a7737630f60832ced8237
+Subproject ae53b180783016faa4331094a52769ddd57463f
diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp
index 00502c0a..b1ad1a2b 100644
--- a/puppet/modules/site_config/manifests/remove.pp
+++ b/puppet/modules/site_config/manifests/remove.pp
@@ -1,5 +1,4 @@
 # remove leftovers from previous deploys
 class site_config::remove {
   include site_config::remove::files
-  include site_config::remove::tapicero
 }
diff --git a/puppet/modules/site_config/manifests/remove/monitoring.pp b/puppet/modules/site_config/manifests/remove/monitoring.pp
new file mode 100644
index 00000000..d7095597
--- /dev/null
+++ b/puppet/modules/site_config/manifests/remove/monitoring.pp
@@ -0,0 +1,10 @@
+# remove leftovers on monitoring nodes
+class site_config::remove::monitoring {
+
+  tidy {
+    'checkmk_logwatch_spool':
+      path    => '/var/lib/check_mk/logwatch',
+      recurse => true,
+      matches => '*tapicero.log'
+  }
+}
diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp
index edb4e393..4ce972d0 100644
--- a/puppet/modules/site_config/manifests/remove/tapicero.pp
+++ b/puppet/modules/site_config/manifests/remove/tapicero.pp
@@ -1,6 +1,23 @@
-# remove tapicero leftovers from previous deploys
+# remove tapicero leftovers from previous deploys on couchdb nodes
 class site_config::remove::tapicero {
 
+  # remove tapicero couchdb user
+  $couchdb_config = hiera('couch')
+  $couchdb_mode   = $couchdb_config['mode']
+
+  if $couchdb_mode == 'multimaster'
+  {
+    $port = 5986
+  } else {
+    $port = 5984
+  }
+
+  exec { 'remove_couchdb_user':
+    onlyif  => "/usr/bin/curl -s 127.0.0.1:${port}/_users/org.couchdb.user:tapicero | grep -qv 'not_found'",
+    command => "/usr/local/bin/couch-doc-update --host 127.0.0.1:${port} --db _users --id org.couchdb.user:tapicero --delete"
+  }
+
+
   exec { 'kill_tapicero':
     onlyif  => '/usr/bin/test -s /var/run/tapicero.pid',
     command => '/usr/bin/pkill --pidfile /var/run/tapicero.pid'
@@ -33,11 +50,6 @@ class site_config::remove::tapicero {
       matches => 'tapicero*',
       require   => [ Exec['kill_tapicero'] ];
     '/etc/check_mk/logwatch.d/tapicero.cfg':;
-    'checkmk_logwatch_spool':
-      path    => '/var/lib/check_mk/logwatch',
-      recurse => true,
-      matches => '*tapicero.log',
-      require => Exec['kill_tapicero'],
   }
 
   # remove local nagios plugin checks via mrpe
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 1ec15f00..61aa887e 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -62,4 +62,7 @@ class site_couchdb {
 
   include site_check_mk::agent::couchdb
 
+  # remove tapicero leftovers on couchdb nodes
+  include site_config::remove::tapicero
+
 }
diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
index 0d729b8c..981dc12a 100644
--- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
+++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
@@ -70,7 +70,7 @@ precached_object_file=/var/lib/nagios3/objects.precache
 # defined as macros in this file and restrictive permissions (600)
 # can be placed on this file.
 
-resource_file=/etc/nagios3/private/resource.cfg
+resource_file=/etc/nagios3/resource.cfg
 
 
 
diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp
index eb08cdcb..40ae4b86 100644
--- a/puppet/modules/site_nagios/manifests/init.pp
+++ b/puppet/modules/site_nagios/manifests/init.pp
@@ -1,6 +1,10 @@
+# setup nagios on monitoring node
 class site_nagios  {
   tag 'leap_service'
   Class['site_config::default'] -> Class['site_nagios']
 
   include site_nagios::server
+
+  # remove leftovers on monitoring nodes
+  include site_config::remove::monitoring
 }
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e2a3124e..ede35a9e 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -229,6 +229,13 @@ class site_openvpn {
   }
 
   leap::logfile { 'openvpn': }
+
+  # Because we currently do not support ipv6 and instead block it (so no leaks
+  # happen), we get a large number of these messages, so we ignore them (#6540)
+  rsyslog::snippet { '01-ignore_icmpv6_send':
+    content => ':msg, contains, "icmpv6_send: no reply to icmp error" ~'
+  }
+
   include site_check_mk::agent::openvpn
 
 }
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 42313d1a..f0a2554a 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -49,6 +49,10 @@ class site_postfix::mx {
     # alias map
     'local_recipient_maps':
       value => '$alias_maps';
+    'smtpd_milters':
+      value => 'unix:/run/clamav/milter.ctl';
+    'milter_default_action':
+      value => 'accept';
   }
 
   include site_postfix::mx::smtpd_checks
@@ -57,6 +61,7 @@ class site_postfix::mx {
   include site_postfix::mx::smtpd_tls
   include site_postfix::mx::static_aliases
   include site_postfix::mx::rewrite_openpgp_header
+  include clamav
 
   # greater verbosity for debugging, take out for production
   #include site_postfix::debug