From d6b521372243b79105a1513d4559572dfab6db54 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 22 Sep 2015 15:04:33 -0400 Subject: add clamav filtering, with sanesecurity signature updating and provider whitelisting (#3625) Change-Id: I15985ca00ee95bc62855f098a78e364ebbc32616 --- puppet/modules/clamav/manifests/daemon.pp | 86 ++++++++++++++++++++++ puppet/modules/clamav/manifests/freshclam.pp | 21 ++++++ puppet/modules/clamav/manifests/init.pp | 8 ++ puppet/modules/clamav/manifests/milter.pp | 48 ++++++++++++ puppet/modules/clamav/manifests/unofficial_sigs.pp | 22 ++++++ 5 files changed, 185 insertions(+) create mode 100644 puppet/modules/clamav/manifests/daemon.pp create mode 100644 puppet/modules/clamav/manifests/freshclam.pp create mode 100644 puppet/modules/clamav/manifests/init.pp create mode 100644 puppet/modules/clamav/manifests/milter.pp create mode 100644 puppet/modules/clamav/manifests/unofficial_sigs.pp (limited to 'puppet/modules/clamav/manifests') diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp new file mode 100644 index 00000000..9aebf9b0 --- /dev/null +++ b/puppet/modules/clamav/manifests/daemon.pp @@ -0,0 +1,86 @@ +class clamav::daemon { + + $domain_hash = hiera('domain') + $domain = $domain_hash['full_suffix'] + + package { [ 'clamav-daemon', 'arj' ]: + ensure => installed; + } + + service { + 'clamav-daemon': + ensure => running, + name => clamav-daemon, + pattern => '/usr/sbin/clamd', + enable => true, + hasrestart => true, + subscribe => File['/etc/default/clamav-daemon']; + } + + file { + '/var/run/clamav': + ensure => directory, + mode => '0750', + owner => clamav, + group => postfix; + + '/var/lib/clamav': + mode => '0755', + owner => clamav, + group => clamav; + + '/etc/default/clamav-daemon': + source => 'puppet:///modules/clamav/clamav-daemon_default', + mode => '0644', + owner => root, + group => root; + + # this file contains additional domains that we want the clamav + # phishing process to look for (our domain) + '/var/lib/clamav/local.pdb': + content => template('clamav/local.pdb.erb'), + mode => '0644', + owner => clamav, + group => clamav; + } + + file_line { + 'clamav_daemon_tmp': + path => '/etc/clamav/clamd.conf', + line => 'TemporaryDirectory /var/tmp', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'enable_phishscanurls': + path => '/etc/clamav/clamd.conf', + match => 'PhishingScanURLs no', + line => 'PhishingScanURLs yes', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'clamav_LogSyslog_true': + path => '/etc/clamav/clamd.conf', + match => '^LogSyslog false', + line => 'LogSyslog true', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'clamav_MaxThreads': + path => '/etc/clamav/clamd.conf', + match => 'MaxThreads 20', + line => 'MaxThreads 100', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + } + + # remove LogFile line + file_line { + 'clamav_LogFile': + path => '/etc/clamav/clamd.conf', + match => '^LogFile .*', + line => '', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + } + +} diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp new file mode 100644 index 00000000..b9827ede --- /dev/null +++ b/puppet/modules/clamav/manifests/freshclam.pp @@ -0,0 +1,21 @@ +class clamav::freshclam { + + package { 'clamav-freshclam': ensure => installed } + + service { + 'freshclam': + ensure => running, + enable => true, + name => clamav-freshclam, + pattern => '/usr/bin/freshclam', + hasrestart => true; + } + + file_line { + 'freshclam_notify': + path => '/etc/clamav/freshclam.conf', + line => 'NotifyClamd /etc/clamav/clamd.conf', + notify => Service[freshclam]; + } + +} diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp new file mode 100644 index 00000000..fa7b553c --- /dev/null +++ b/puppet/modules/clamav/manifests/init.pp @@ -0,0 +1,8 @@ +class clamav { + + include clamav::daemon + include clamav::milter + include clamav::sanesecurity + include clamav::freshclam + +} diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp new file mode 100644 index 00000000..52ddaef1 --- /dev/null +++ b/puppet/modules/clamav/manifests/milter.pp @@ -0,0 +1,48 @@ +class clamav::milter { + + $clamav = hiera('clamav') + $whitelisted_addresses = $clamav['whitelisted_addresses'] + $domain_hash = hiera('domain') + $domain = $domain_hash['full_suffix'] + + package { 'clamav-milter': ensure => installed } + + service { + 'clamav-milter': + ensure => running, + enable => true, + name => clamav-milter, + pattern => '/usr/sbin/clamav-milter', + hasrestart => true, + subscribe => File['/etc/default/clamav-milter']; + } + + file { + '/run/clamav/milter.ctl': + mode => '0666', + owner => clamav, + group => postfix, + require => Class['clamav::daemon']; + + '/etc/clamav/clamav-milter.conf': + content => template('clamav/clamav-milter.conf.erb'), + mode => '0644', + owner => root, + group => root, + subscribe => Service['clamav-milter']; + + '/etc/default/clamav-milter': + source => 'puppet:///modules/clamav/clamav-milter_default', + mode => '0644', + owner => root, + group => root; + + '/etc/clamav/whitelisted_addresses': + content => template('clamav/whitelisted_addresses.erb'), + mode => '0644', + owner => root, + group => root; + + } + +} diff --git a/puppet/modules/clamav/manifests/unofficial_sigs.pp b/puppet/modules/clamav/manifests/unofficial_sigs.pp new file mode 100644 index 00000000..316154d3 --- /dev/null +++ b/puppet/modules/clamav/manifests/unofficial_sigs.pp @@ -0,0 +1,22 @@ +class clamav::unofficial_sigs { + + package { [ 'clamav-unofficial-sigs', 'wget', 'gnupg', + 'socat', 'rsync', 'curl' ]: + ensure => installed + } + + file { + '/var/log/clamav-unofficial-sigs.log': + ensure => file, + owner => clamav, + group => clamav, + require => Package['clamav-unofficial-sigs']; + + '/etc/clamav-unofficial-sigs.conf.d/01-leap.conf': + source => 'puppet:///modules/clamav/01-leap.conf', + mode => '0755', + owner => root, + group => root, + require => Package['clamav-unofficial-sigs']; + } +} -- cgit v1.2.3 From 2c8de729a2a4213b8cb312bcb481695ae44f9a62 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 13 Oct 2015 14:01:48 -0400 Subject: Class was renamed, but not properly cared for in the rest of the manifest Change-Id: Ic9f022dcbb9f2096b933c898ae43023e0bf278c6 --- puppet/modules/clamav/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/clamav/manifests') diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp index fa7b553c..de8fb4dc 100644 --- a/puppet/modules/clamav/manifests/init.pp +++ b/puppet/modules/clamav/manifests/init.pp @@ -2,7 +2,7 @@ class clamav { include clamav::daemon include clamav::milter - include clamav::sanesecurity + include clamav::unofficial_sigs include clamav::freshclam } -- cgit v1.2.3 From 43595b105a21aaccb41c4d9199d87b3dc2d48ab5 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 13 Oct 2015 15:58:12 -0400 Subject: Fix ordering of clamav resources, by requiring the package installation as a pre-requisite Change-Id: Ic9c8cc6ccfb31ce5e56937a2d95de7974707c368 --- puppet/modules/clamav/manifests/daemon.pp | 22 +++++++++++++--------- puppet/modules/clamav/manifests/freshclam.pp | 10 ++++++---- puppet/modules/clamav/manifests/milter.pp | 6 ++++-- 3 files changed, 23 insertions(+), 15 deletions(-) (limited to 'puppet/modules/clamav/manifests') diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp index 9aebf9b0..bf232e2c 100644 --- a/puppet/modules/clamav/manifests/daemon.pp +++ b/puppet/modules/clamav/manifests/daemon.pp @@ -14,20 +14,23 @@ class clamav::daemon { pattern => '/usr/sbin/clamd', enable => true, hasrestart => true, - subscribe => File['/etc/default/clamav-daemon']; + subscribe => File['/etc/default/clamav-daemon'], + require => Package['clamav-daemon']; } file { '/var/run/clamav': - ensure => directory, - mode => '0750', - owner => clamav, - group => postfix; + ensure => directory, + mode => '0750', + owner => clamav, + group => postfix, + require => [Package['postfix'], Package['clamav-daemon']]; '/var/lib/clamav': - mode => '0755', - owner => clamav, - group => clamav; + mode => '0755', + owner => clamav, + group => clamav, + require => Package['clamav-daemon']; '/etc/default/clamav-daemon': source => 'puppet:///modules/clamav/clamav-daemon_default', @@ -41,7 +44,8 @@ class clamav::daemon { content => template('clamav/local.pdb.erb'), mode => '0644', owner => clamav, - group => clamav; + group => clamav, + require => Package['clamav-daemon']; } file_line { diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp index b9827ede..80c822a4 100644 --- a/puppet/modules/clamav/manifests/freshclam.pp +++ b/puppet/modules/clamav/manifests/freshclam.pp @@ -8,14 +8,16 @@ class clamav::freshclam { enable => true, name => clamav-freshclam, pattern => '/usr/bin/freshclam', - hasrestart => true; + hasrestart => true, + require => Package['clamav-freshclam']; } file_line { 'freshclam_notify': - path => '/etc/clamav/freshclam.conf', - line => 'NotifyClamd /etc/clamav/clamd.conf', - notify => Service[freshclam]; + path => '/etc/clamav/freshclam.conf', + line => 'NotifyClamd /etc/clamav/clamd.conf', + require => Package['clamav-freshclam'], + notify => Service['freshclam']; } } diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp index 52ddaef1..e8a85e3f 100644 --- a/puppet/modules/clamav/manifests/milter.pp +++ b/puppet/modules/clamav/manifests/milter.pp @@ -14,6 +14,7 @@ class clamav::milter { name => clamav-milter, pattern => '/usr/sbin/clamav-milter', hasrestart => true, + require => Package['clamav-milter'], subscribe => File['/etc/default/clamav-milter']; } @@ -29,6 +30,7 @@ class clamav::milter { mode => '0644', owner => root, group => root, + require => Package['clamav-milter'], subscribe => Service['clamav-milter']; '/etc/default/clamav-milter': @@ -41,8 +43,8 @@ class clamav::milter { content => template('clamav/whitelisted_addresses.erb'), mode => '0644', owner => root, - group => root; - + group => root, + require => Package['clamav-milter']; } } -- cgit v1.2.3