From 19e5d23e3fe34199265117e033acfabc3cff9109 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 12 Oct 2015 16:30:58 +0200 Subject: [feat] Remove tapicero couchdb user - Resolves: #7514 --- puppet/modules/site_config/manifests/remove.pp | 1 - .../site_config/manifests/remove/monitoring.pp | 10 +++++++++ .../site_config/manifests/remove/tapicero.pp | 24 ++++++++++++++++------ puppet/modules/site_couchdb/manifests/init.pp | 3 +++ puppet/modules/site_nagios/manifests/init.pp | 4 ++++ 5 files changed, 35 insertions(+), 7 deletions(-) create mode 100644 puppet/modules/site_config/manifests/remove/monitoring.pp diff --git a/puppet/modules/site_config/manifests/remove.pp b/puppet/modules/site_config/manifests/remove.pp index 00502c0a..b1ad1a2b 100644 --- a/puppet/modules/site_config/manifests/remove.pp +++ b/puppet/modules/site_config/manifests/remove.pp @@ -1,5 +1,4 @@ # remove leftovers from previous deploys class site_config::remove { include site_config::remove::files - include site_config::remove::tapicero } diff --git a/puppet/modules/site_config/manifests/remove/monitoring.pp b/puppet/modules/site_config/manifests/remove/monitoring.pp new file mode 100644 index 00000000..d7095597 --- /dev/null +++ b/puppet/modules/site_config/manifests/remove/monitoring.pp @@ -0,0 +1,10 @@ +# remove leftovers on monitoring nodes +class site_config::remove::monitoring { + + tidy { + 'checkmk_logwatch_spool': + path => '/var/lib/check_mk/logwatch', + recurse => true, + matches => '*tapicero.log' + } +} diff --git a/puppet/modules/site_config/manifests/remove/tapicero.pp b/puppet/modules/site_config/manifests/remove/tapicero.pp index edb4e393..4ce972d0 100644 --- a/puppet/modules/site_config/manifests/remove/tapicero.pp +++ b/puppet/modules/site_config/manifests/remove/tapicero.pp @@ -1,6 +1,23 @@ -# remove tapicero leftovers from previous deploys +# remove tapicero leftovers from previous deploys on couchdb nodes class site_config::remove::tapicero { + # remove tapicero couchdb user + $couchdb_config = hiera('couch') + $couchdb_mode = $couchdb_config['mode'] + + if $couchdb_mode == 'multimaster' + { + $port = 5986 + } else { + $port = 5984 + } + + exec { 'remove_couchdb_user': + onlyif => "/usr/bin/curl -s 127.0.0.1:${port}/_users/org.couchdb.user:tapicero | grep -qv 'not_found'", + command => "/usr/local/bin/couch-doc-update --host 127.0.0.1:${port} --db _users --id org.couchdb.user:tapicero --delete" + } + + exec { 'kill_tapicero': onlyif => '/usr/bin/test -s /var/run/tapicero.pid', command => '/usr/bin/pkill --pidfile /var/run/tapicero.pid' @@ -33,11 +50,6 @@ class site_config::remove::tapicero { matches => 'tapicero*', require => [ Exec['kill_tapicero'] ]; '/etc/check_mk/logwatch.d/tapicero.cfg':; - 'checkmk_logwatch_spool': - path => '/var/lib/check_mk/logwatch', - recurse => true, - matches => '*tapicero.log', - require => Exec['kill_tapicero'], } # remove local nagios plugin checks via mrpe diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 1ec15f00..61aa887e 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -62,4 +62,7 @@ class site_couchdb { include site_check_mk::agent::couchdb + # remove tapicero leftovers on couchdb nodes + include site_config::remove::tapicero + } diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp index eb08cdcb..40ae4b86 100644 --- a/puppet/modules/site_nagios/manifests/init.pp +++ b/puppet/modules/site_nagios/manifests/init.pp @@ -1,6 +1,10 @@ +# setup nagios on monitoring node class site_nagios { tag 'leap_service' Class['site_config::default'] -> Class['site_nagios'] include site_nagios::server + + # remove leftovers on monitoring nodes + include site_config::remove::monitoring } -- cgit v1.2.3 From d6b521372243b79105a1513d4559572dfab6db54 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 22 Sep 2015 15:04:33 -0400 Subject: add clamav filtering, with sanesecurity signature updating and provider whitelisting (#3625) Change-Id: I15985ca00ee95bc62855f098a78e364ebbc32616 --- provider_base/services/mx.json | 3 + puppet/modules/clamav/files/01-leap.conf | 58 +++++++++++++++ puppet/modules/clamav/files/clamav-daemon_default | 8 ++ puppet/modules/clamav/files/clamav-milter_default | 14 ++++ puppet/modules/clamav/manifests/daemon.pp | 86 ++++++++++++++++++++++ puppet/modules/clamav/manifests/freshclam.pp | 21 ++++++ puppet/modules/clamav/manifests/init.pp | 8 ++ puppet/modules/clamav/manifests/milter.pp | 48 ++++++++++++ puppet/modules/clamav/manifests/unofficial_sigs.pp | 22 ++++++ .../clamav/templates/clamav-milter.conf.erb | 28 +++++++ puppet/modules/clamav/templates/local.pdb.erb | 1 + .../clamav/templates/whitelisted_addresses.erb | 5 ++ puppet/modules/site_postfix/manifests/mx.pp | 5 ++ 13 files changed, 307 insertions(+) create mode 100644 puppet/modules/clamav/files/01-leap.conf create mode 100644 puppet/modules/clamav/files/clamav-daemon_default create mode 100644 puppet/modules/clamav/files/clamav-milter_default create mode 100644 puppet/modules/clamav/manifests/daemon.pp create mode 100644 puppet/modules/clamav/manifests/freshclam.pp create mode 100644 puppet/modules/clamav/manifests/init.pp create mode 100644 puppet/modules/clamav/manifests/milter.pp create mode 100644 puppet/modules/clamav/manifests/unofficial_sigs.pp create mode 100644 puppet/modules/clamav/templates/clamav-milter.conf.erb create mode 100644 puppet/modules/clamav/templates/local.pdb.erb create mode 100644 puppet/modules/clamav/templates/whitelisted_addresses.erb diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index d6e9fff9..70acf5cb 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -24,6 +24,9 @@ }, "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq", "rbls": ["zen.spamhaus.org"], + "clamav": { + "whitelisted_addresses": [] + }, "x509": { "use": true, "use_commercial": true, diff --git a/puppet/modules/clamav/files/01-leap.conf b/puppet/modules/clamav/files/01-leap.conf new file mode 100644 index 00000000..abeeb302 --- /dev/null +++ b/puppet/modules/clamav/files/01-leap.conf @@ -0,0 +1,58 @@ +# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and +# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module +# are installed on the system, and you want to report whether clamd +# is running or not, uncomment the "clamd_socket" variable below (you +# will be warned if neither socat nor IO::Socket::UNIX are found, but +# the script will still run). You will also need to set the correct +# path to your clamd socket file (if unsure of the path, check the +# "LocalSocket" setting in your clamd.conf file for socket location). +clamd_socket="/run/clamav/clamd.ctl" + +# If you would like to attempt to restart ClamD if detected not running, +# uncomment the next 2 lines. Confirm the path to the "clamd_lock" file +# (usually can be found in the clamd init script) and also enter the clamd +# start command for your particular distro for the "start_clamd" variable +# (the sample start command shown below should work for most linux distros). +# NOTE: these 2 variables are dependant on the "clamd_socket" variable +# shown above - if not enabled, then the following 2 variables will be +# ignored, whether enabled or not. +clamd_lock="/run/clamav/clamd.pid" +start_clamd="service clamav-daemon start" + +ss_dbs=" + junk.ndb + phish.ndb + rogue.hdb + sanesecurity.ftm + scam.ndb + sigwhitelist.ign2 + spamattach.hdb + spamimg.hdb + winnow.attachments.hdb + winnow_bad_cw.hdb + winnow_extended_malware.hdb + winnow_malware.hdb + winnow_malware_links.ndb + malwarehash.hsb + doppelstern.hdb + bofhland_cracked_URL.ndb + bofhland_malware_attach.hdb + bofhland_malware_URL.ndb + bofhland_phishing_URL.ndb + crdfam.clamav.hdb + phishtank.ndb + porcupine.ndb + spear.ndb + spearl.ndb +" + +# ======================== +# SecuriteInfo Database(s) +# ======================== +# Add or remove database file names between quote marks as needed. To +# disable any SecuriteInfo database downloads, remove the appropriate +# lines below. To disable all SecuriteInfo database file downloads, +# comment all of the following lines. +si_dbs="" + +mbl_dbs="" \ No newline at end of file diff --git a/puppet/modules/clamav/files/clamav-daemon_default b/puppet/modules/clamav/files/clamav-daemon_default new file mode 100644 index 00000000..b4cd6a4f --- /dev/null +++ b/puppet/modules/clamav/files/clamav-daemon_default @@ -0,0 +1,8 @@ +# This is a file designed only t0 set special environment variables +# eg TMP or TMPDIR. It is sourced from a shell script, so anything +# put in here must be in variable=value format, suitable for sourcing +# from a shell script. +# Examples: +# export TMPDIR=/dev/shm +export TMP=/var/tmp +export TMPDIR=/var/tmp diff --git a/puppet/modules/clamav/files/clamav-milter_default b/puppet/modules/clamav/files/clamav-milter_default new file mode 100644 index 00000000..5e33e822 --- /dev/null +++ b/puppet/modules/clamav/files/clamav-milter_default @@ -0,0 +1,14 @@ +# +# clamav-milter init options +# + +## SOCKET_RWGROUP +# by default, the socket created by the milter has permissions +# clamav:clamav:755. SOCKET_RWGROUP changes the group and changes the +# permissions to 775 to give read-write access to that group. +# +# If you are using postfix to speak to the milter, you have to give permission +# to the postfix group to write +# +SOCKET_RWGROUP=postfix +export TMPDIR=/var/tmp diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp new file mode 100644 index 00000000..9aebf9b0 --- /dev/null +++ b/puppet/modules/clamav/manifests/daemon.pp @@ -0,0 +1,86 @@ +class clamav::daemon { + + $domain_hash = hiera('domain') + $domain = $domain_hash['full_suffix'] + + package { [ 'clamav-daemon', 'arj' ]: + ensure => installed; + } + + service { + 'clamav-daemon': + ensure => running, + name => clamav-daemon, + pattern => '/usr/sbin/clamd', + enable => true, + hasrestart => true, + subscribe => File['/etc/default/clamav-daemon']; + } + + file { + '/var/run/clamav': + ensure => directory, + mode => '0750', + owner => clamav, + group => postfix; + + '/var/lib/clamav': + mode => '0755', + owner => clamav, + group => clamav; + + '/etc/default/clamav-daemon': + source => 'puppet:///modules/clamav/clamav-daemon_default', + mode => '0644', + owner => root, + group => root; + + # this file contains additional domains that we want the clamav + # phishing process to look for (our domain) + '/var/lib/clamav/local.pdb': + content => template('clamav/local.pdb.erb'), + mode => '0644', + owner => clamav, + group => clamav; + } + + file_line { + 'clamav_daemon_tmp': + path => '/etc/clamav/clamd.conf', + line => 'TemporaryDirectory /var/tmp', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'enable_phishscanurls': + path => '/etc/clamav/clamd.conf', + match => 'PhishingScanURLs no', + line => 'PhishingScanURLs yes', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'clamav_LogSyslog_true': + path => '/etc/clamav/clamd.conf', + match => '^LogSyslog false', + line => 'LogSyslog true', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'clamav_MaxThreads': + path => '/etc/clamav/clamd.conf', + match => 'MaxThreads 20', + line => 'MaxThreads 100', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + } + + # remove LogFile line + file_line { + 'clamav_LogFile': + path => '/etc/clamav/clamd.conf', + match => '^LogFile .*', + line => '', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + } + +} diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp new file mode 100644 index 00000000..b9827ede --- /dev/null +++ b/puppet/modules/clamav/manifests/freshclam.pp @@ -0,0 +1,21 @@ +class clamav::freshclam { + + package { 'clamav-freshclam': ensure => installed } + + service { + 'freshclam': + ensure => running, + enable => true, + name => clamav-freshclam, + pattern => '/usr/bin/freshclam', + hasrestart => true; + } + + file_line { + 'freshclam_notify': + path => '/etc/clamav/freshclam.conf', + line => 'NotifyClamd /etc/clamav/clamd.conf', + notify => Service[freshclam]; + } + +} diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp new file mode 100644 index 00000000..fa7b553c --- /dev/null +++ b/puppet/modules/clamav/manifests/init.pp @@ -0,0 +1,8 @@ +class clamav { + + include clamav::daemon + include clamav::milter + include clamav::sanesecurity + include clamav::freshclam + +} diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp new file mode 100644 index 00000000..52ddaef1 --- /dev/null +++ b/puppet/modules/clamav/manifests/milter.pp @@ -0,0 +1,48 @@ +class clamav::milter { + + $clamav = hiera('clamav') + $whitelisted_addresses = $clamav['whitelisted_addresses'] + $domain_hash = hiera('domain') + $domain = $domain_hash['full_suffix'] + + package { 'clamav-milter': ensure => installed } + + service { + 'clamav-milter': + ensure => running, + enable => true, + name => clamav-milter, + pattern => '/usr/sbin/clamav-milter', + hasrestart => true, + subscribe => File['/etc/default/clamav-milter']; + } + + file { + '/run/clamav/milter.ctl': + mode => '0666', + owner => clamav, + group => postfix, + require => Class['clamav::daemon']; + + '/etc/clamav/clamav-milter.conf': + content => template('clamav/clamav-milter.conf.erb'), + mode => '0644', + owner => root, + group => root, + subscribe => Service['clamav-milter']; + + '/etc/default/clamav-milter': + source => 'puppet:///modules/clamav/clamav-milter_default', + mode => '0644', + owner => root, + group => root; + + '/etc/clamav/whitelisted_addresses': + content => template('clamav/whitelisted_addresses.erb'), + mode => '0644', + owner => root, + group => root; + + } + +} diff --git a/puppet/modules/clamav/manifests/unofficial_sigs.pp b/puppet/modules/clamav/manifests/unofficial_sigs.pp new file mode 100644 index 00000000..316154d3 --- /dev/null +++ b/puppet/modules/clamav/manifests/unofficial_sigs.pp @@ -0,0 +1,22 @@ +class clamav::unofficial_sigs { + + package { [ 'clamav-unofficial-sigs', 'wget', 'gnupg', + 'socat', 'rsync', 'curl' ]: + ensure => installed + } + + file { + '/var/log/clamav-unofficial-sigs.log': + ensure => file, + owner => clamav, + group => clamav, + require => Package['clamav-unofficial-sigs']; + + '/etc/clamav-unofficial-sigs.conf.d/01-leap.conf': + source => 'puppet:///modules/clamav/01-leap.conf', + mode => '0755', + owner => root, + group => root, + require => Package['clamav-unofficial-sigs']; + } +} diff --git a/puppet/modules/clamav/templates/clamav-milter.conf.erb b/puppet/modules/clamav/templates/clamav-milter.conf.erb new file mode 100644 index 00000000..9bf7099e --- /dev/null +++ b/puppet/modules/clamav/templates/clamav-milter.conf.erb @@ -0,0 +1,28 @@ +# THIS FILE MANAGED BY PUPPET +MilterSocket /var/run/clamav/milter.ctl +FixStaleSocket true +User clamav +MilterSocketGroup clamav +MilterSocketMode 666 +AllowSupplementaryGroups true +ReadTimeout 120 +Foreground false +PidFile /var/run/clamav/clamav-milter.pid +ClamdSocket unix:/var/run/clamav/clamd.ctl +OnClean Accept +OnInfected Reject +OnFail Defer +AddHeader Replace +LogSyslog true +LogFacility LOG_LOCAL6 +LogVerbose yes +LogInfected Basic +LogTime true +LogFileUnlock false +LogClean Off +LogRotate true +SupportMultipleRecipients false +MaxFileSize 10M +TemporaryDirectory /var/tmp +RejectMsg "Message refused due to content violation: %v - contact https://<%= @domain %>/tickets/new if this is in error" +Whitelist /etc/clamav/whitelisted_addresses diff --git a/puppet/modules/clamav/templates/local.pdb.erb b/puppet/modules/clamav/templates/local.pdb.erb new file mode 100644 index 00000000..9ea0584a --- /dev/null +++ b/puppet/modules/clamav/templates/local.pdb.erb @@ -0,0 +1 @@ +H:<%= @domain %> diff --git a/puppet/modules/clamav/templates/whitelisted_addresses.erb b/puppet/modules/clamav/templates/whitelisted_addresses.erb new file mode 100644 index 00000000..9e068ec5 --- /dev/null +++ b/puppet/modules/clamav/templates/whitelisted_addresses.erb @@ -0,0 +1,5 @@ +<%- if @whitelisted_addresses then -%> +<% @whitelisted_addresses.each do |name| -%> +From::<%= name %> +<% end -%> +<% end -%> diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 42313d1a..f0a2554a 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -49,6 +49,10 @@ class site_postfix::mx { # alias map 'local_recipient_maps': value => '$alias_maps'; + 'smtpd_milters': + value => 'unix:/run/clamav/milter.ctl'; + 'milter_default_action': + value => 'accept'; } include site_postfix::mx::smtpd_checks @@ -57,6 +61,7 @@ class site_postfix::mx { include site_postfix::mx::smtpd_tls include site_postfix::mx::static_aliases include site_postfix::mx::rewrite_openpgp_header + include clamav # greater verbosity for debugging, take out for production #include site_postfix::debug -- cgit v1.2.3 From eda35dc4f8a9bb5dab84d917c7a9e9a058ba8d2f Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 13 Oct 2015 11:49:20 -0400 Subject: Update resource_file to not include /private/ as this is not used anymore by the nagios module, and our config template has drifted. Fixes: #7527 Change-Id: I56c3492056fcb95c499cf78b893249adcf0ae67f --- puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg index 0d729b8c..981dc12a 100644 --- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg +++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg @@ -70,7 +70,7 @@ precached_object_file=/var/lib/nagios3/objects.precache # defined as macros in this file and restrictive permissions (600) # can be placed on this file. -resource_file=/etc/nagios3/private/resource.cfg +resource_file=/etc/nagios3/resource.cfg -- cgit v1.2.3 From 717bd0f1061cbc4cd22a22f87b9b00ddf469f2fc Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 13 Oct 2015 12:01:53 -0400 Subject: Make syslog stop logging the icmpv6_send: no reply to icmp error messages, these are spamming provider's logs and will continue to do so until we have ipv6 working for the VPN (#6540) Change-Id: I80673bb64d8239e478bc042794929640f7a7cc39 --- puppet/modules/site_openvpn/manifests/init.pp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index e2a3124e..ede35a9e 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -229,6 +229,13 @@ class site_openvpn { } leap::logfile { 'openvpn': } + + # Because we currently do not support ipv6 and instead block it (so no leaks + # happen), we get a large number of these messages, so we ignore them (#6540) + rsyslog::snippet { '01-ignore_icmpv6_send': + content => ':msg, contains, "icmpv6_send: no reply to icmp error" ~' + } + include site_check_mk::agent::openvpn } -- cgit v1.2.3 From 1c5e9e2afad7e9225ff5eaa8350268654078cf21 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 13 Oct 2015 18:13:05 +0200 Subject: updated submodule couchdb --- puppet/modules/couchdb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb index 1f583d9c..ae53b180 160000 --- a/puppet/modules/couchdb +++ b/puppet/modules/couchdb @@ -1 +1 @@ -Subproject commit 1f583d9c9157390850a7737630f60832ced82374 +Subproject commit ae53b180783016faa4331094a52769ddd57463f8 -- cgit v1.2.3 From 2c8de729a2a4213b8cb312bcb481695ae44f9a62 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 13 Oct 2015 14:01:48 -0400 Subject: Class was renamed, but not properly cared for in the rest of the manifest Change-Id: Ic9f022dcbb9f2096b933c898ae43023e0bf278c6 --- puppet/modules/clamav/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp index fa7b553c..de8fb4dc 100644 --- a/puppet/modules/clamav/manifests/init.pp +++ b/puppet/modules/clamav/manifests/init.pp @@ -2,7 +2,7 @@ class clamav { include clamav::daemon include clamav::milter - include clamav::sanesecurity + include clamav::unofficial_sigs include clamav::freshclam } -- cgit v1.2.3 From 43595b105a21aaccb41c4d9199d87b3dc2d48ab5 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 13 Oct 2015 15:58:12 -0400 Subject: Fix ordering of clamav resources, by requiring the package installation as a pre-requisite Change-Id: Ic9c8cc6ccfb31ce5e56937a2d95de7974707c368 --- puppet/modules/clamav/manifests/daemon.pp | 22 +++++++++++++--------- puppet/modules/clamav/manifests/freshclam.pp | 10 ++++++---- puppet/modules/clamav/manifests/milter.pp | 6 ++++-- 3 files changed, 23 insertions(+), 15 deletions(-) diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp index 9aebf9b0..bf232e2c 100644 --- a/puppet/modules/clamav/manifests/daemon.pp +++ b/puppet/modules/clamav/manifests/daemon.pp @@ -14,20 +14,23 @@ class clamav::daemon { pattern => '/usr/sbin/clamd', enable => true, hasrestart => true, - subscribe => File['/etc/default/clamav-daemon']; + subscribe => File['/etc/default/clamav-daemon'], + require => Package['clamav-daemon']; } file { '/var/run/clamav': - ensure => directory, - mode => '0750', - owner => clamav, - group => postfix; + ensure => directory, + mode => '0750', + owner => clamav, + group => postfix, + require => [Package['postfix'], Package['clamav-daemon']]; '/var/lib/clamav': - mode => '0755', - owner => clamav, - group => clamav; + mode => '0755', + owner => clamav, + group => clamav, + require => Package['clamav-daemon']; '/etc/default/clamav-daemon': source => 'puppet:///modules/clamav/clamav-daemon_default', @@ -41,7 +44,8 @@ class clamav::daemon { content => template('clamav/local.pdb.erb'), mode => '0644', owner => clamav, - group => clamav; + group => clamav, + require => Package['clamav-daemon']; } file_line { diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp index b9827ede..80c822a4 100644 --- a/puppet/modules/clamav/manifests/freshclam.pp +++ b/puppet/modules/clamav/manifests/freshclam.pp @@ -8,14 +8,16 @@ class clamav::freshclam { enable => true, name => clamav-freshclam, pattern => '/usr/bin/freshclam', - hasrestart => true; + hasrestart => true, + require => Package['clamav-freshclam']; } file_line { 'freshclam_notify': - path => '/etc/clamav/freshclam.conf', - line => 'NotifyClamd /etc/clamav/clamd.conf', - notify => Service[freshclam]; + path => '/etc/clamav/freshclam.conf', + line => 'NotifyClamd /etc/clamav/clamd.conf', + require => Package['clamav-freshclam'], + notify => Service['freshclam']; } } diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp index 52ddaef1..e8a85e3f 100644 --- a/puppet/modules/clamav/manifests/milter.pp +++ b/puppet/modules/clamav/manifests/milter.pp @@ -14,6 +14,7 @@ class clamav::milter { name => clamav-milter, pattern => '/usr/sbin/clamav-milter', hasrestart => true, + require => Package['clamav-milter'], subscribe => File['/etc/default/clamav-milter']; } @@ -29,6 +30,7 @@ class clamav::milter { mode => '0644', owner => root, group => root, + require => Package['clamav-milter'], subscribe => Service['clamav-milter']; '/etc/default/clamav-milter': @@ -41,8 +43,8 @@ class clamav::milter { content => template('clamav/whitelisted_addresses.erb'), mode => '0644', owner => root, - group => root; - + group => root, + require => Package['clamav-milter']; } } -- cgit v1.2.3