add clamav filtering, with sanesecurity signature updating and provider whitelisting (#3625)

Change-Id: I15985ca00ee95bc62855f098a78e364ebbc32616

5 files changed, 185 insertions, 0 deletions

diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp
new file mode 100644
index 00000000..9aebf9b0
--- /dev/null
+++ b/puppet/modules/clamav/manifests/daemon.pp
@@ -0,0 +1,86 @@
+class clamav::daemon {
+
+  $domain_hash           = hiera('domain')
+  $domain                = $domain_hash['full_suffix']
+
+  package { [ 'clamav-daemon', 'arj' ]:
+    ensure => installed;
+  }
+
+  service {
+    'clamav-daemon':
+      ensure     => running,
+      name       => clamav-daemon,
+      pattern    => '/usr/sbin/clamd',
+      enable     => true,
+      hasrestart => true,
+      subscribe  => File['/etc/default/clamav-daemon'];
+  }
+
+  file {
+    '/var/run/clamav':
+      ensure => directory,
+      mode   => '0750',
+      owner  => clamav,
+      group  => postfix;
+
+    '/var/lib/clamav':
+      mode  => '0755',
+      owner => clamav,
+      group => clamav;
+
+    '/etc/default/clamav-daemon':
+      source => 'puppet:///modules/clamav/clamav-daemon_default',
+      mode   => '0644',
+      owner  => root,
+      group  => root;
+
+    # this file contains additional domains that we want the clamav
+    # phishing process to look for (our domain)
+    '/var/lib/clamav/local.pdb':
+      content => template('clamav/local.pdb.erb'),
+      mode    => '0644',
+      owner   => clamav,
+      group   => clamav;
+  }
+
+  file_line {
+    'clamav_daemon_tmp':
+      path    => '/etc/clamav/clamd.conf',
+      line    => 'TemporaryDirectory /var/tmp',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+     'enable_phishscanurls':
+      path    => '/etc/clamav/clamd.conf',
+      match   => 'PhishingScanURLs no',
+      line    => 'PhishingScanURLs yes',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+    'clamav_LogSyslog_true':
+      path    => '/etc/clamav/clamd.conf',
+      match   => '^LogSyslog false',
+      line    => 'LogSyslog true',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+
+    'clamav_MaxThreads':
+      path    => '/etc/clamav/clamd.conf',
+      match   => 'MaxThreads 20',
+      line    => 'MaxThreads 100',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+  }
+
+  # remove LogFile line
+  file_line {
+    'clamav_LogFile':
+      path    => '/etc/clamav/clamd.conf',
+      match   => '^LogFile .*',
+      line    => '',
+      require => Package['clamav-daemon'],
+      notify  => Service['clamav-daemon'];
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp
new file mode 100644
index 00000000..b9827ede
--- /dev/null
+++ b/puppet/modules/clamav/manifests/freshclam.pp
@@ -0,0 +1,21 @@
+class clamav::freshclam {
+
+  package { 'clamav-freshclam': ensure => installed }
+
+  service {
+    'freshclam':
+      ensure     => running,
+      enable     => true,
+      name       => clamav-freshclam,
+      pattern    => '/usr/bin/freshclam',
+      hasrestart => true;
+  }
+
+  file_line {
+    'freshclam_notify':
+      path   => '/etc/clamav/freshclam.conf',
+      line   => 'NotifyClamd /etc/clamav/clamd.conf',
+      notify => Service[freshclam];
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp
new file mode 100644
index 00000000..fa7b553c
--- /dev/null
+++ b/puppet/modules/clamav/manifests/init.pp
@@ -0,0 +1,8 @@
+class clamav {
+
+  include clamav::daemon
+  include clamav::milter
+  include clamav::sanesecurity
+  include clamav::freshclam
+
+}
diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp
new file mode 100644
index 00000000..52ddaef1
--- /dev/null
+++ b/puppet/modules/clamav/manifests/milter.pp
@@ -0,0 +1,48 @@
+class clamav::milter {
+
+  $clamav                = hiera('clamav')
+  $whitelisted_addresses = $clamav['whitelisted_addresses']
+  $domain_hash           = hiera('domain')
+  $domain                = $domain_hash['full_suffix']
+
+  package { 'clamav-milter': ensure => installed }
+
+  service {
+    'clamav-milter':
+      ensure     => running,
+      enable     => true,
+      name       => clamav-milter,
+      pattern    => '/usr/sbin/clamav-milter',
+      hasrestart => true,
+      subscribe  => File['/etc/default/clamav-milter'];
+  }
+
+  file {
+    '/run/clamav/milter.ctl':
+      mode    => '0666',
+      owner   => clamav,
+      group   => postfix,
+      require => Class['clamav::daemon'];
+
+    '/etc/clamav/clamav-milter.conf':
+      content   => template('clamav/clamav-milter.conf.erb'),
+      mode      => '0644',
+      owner     => root,
+      group     => root,
+      subscribe => Service['clamav-milter'];
+
+    '/etc/default/clamav-milter':
+      source => 'puppet:///modules/clamav/clamav-milter_default',
+      mode   => '0644',
+      owner  => root,
+      group  => root;
+
+    '/etc/clamav/whitelisted_addresses':
+      content => template('clamav/whitelisted_addresses.erb'),
+      mode    => '0644',
+      owner   => root,
+      group   => root;
+
+  }
+
+}
diff --git a/puppet/modules/clamav/manifests/unofficial_sigs.pp b/puppet/modules/clamav/manifests/unofficial_sigs.pp
new file mode 100644
index 00000000..316154d3
--- /dev/null
+++ b/puppet/modules/clamav/manifests/unofficial_sigs.pp
@@ -0,0 +1,22 @@
+class clamav::unofficial_sigs {
+
+  package { [ 'clamav-unofficial-sigs', 'wget', 'gnupg',
+              'socat', 'rsync', 'curl' ]:
+    ensure => installed
+  }
+
+  file {
+    '/var/log/clamav-unofficial-sigs.log':
+      ensure  => file,
+      owner   => clamav,
+      group   => clamav,
+      require => Package['clamav-unofficial-sigs'];
+
+    '/etc/clamav-unofficial-sigs.conf.d/01-leap.conf':
+      source  => 'puppet:///modules/clamav/01-leap.conf',
+      mode    => '0755',
+      owner   => root,
+      group   => root,
+      require => Package['clamav-unofficial-sigs'];
+    }
+}