From d6b521372243b79105a1513d4559572dfab6db54 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 22 Sep 2015 15:04:33 -0400 Subject: add clamav filtering, with sanesecurity signature updating and provider whitelisting (#3625) Change-Id: I15985ca00ee95bc62855f098a78e364ebbc32616 --- puppet/modules/clamav/files/01-leap.conf | 58 +++++++++++++++ puppet/modules/clamav/files/clamav-daemon_default | 8 ++ puppet/modules/clamav/files/clamav-milter_default | 14 ++++ puppet/modules/clamav/manifests/daemon.pp | 86 ++++++++++++++++++++++ puppet/modules/clamav/manifests/freshclam.pp | 21 ++++++ puppet/modules/clamav/manifests/init.pp | 8 ++ puppet/modules/clamav/manifests/milter.pp | 48 ++++++++++++ puppet/modules/clamav/manifests/unofficial_sigs.pp | 22 ++++++ .../clamav/templates/clamav-milter.conf.erb | 28 +++++++ puppet/modules/clamav/templates/local.pdb.erb | 1 + .../clamav/templates/whitelisted_addresses.erb | 5 ++ 11 files changed, 299 insertions(+) create mode 100644 puppet/modules/clamav/files/01-leap.conf create mode 100644 puppet/modules/clamav/files/clamav-daemon_default create mode 100644 puppet/modules/clamav/files/clamav-milter_default create mode 100644 puppet/modules/clamav/manifests/daemon.pp create mode 100644 puppet/modules/clamav/manifests/freshclam.pp create mode 100644 puppet/modules/clamav/manifests/init.pp create mode 100644 puppet/modules/clamav/manifests/milter.pp create mode 100644 puppet/modules/clamav/manifests/unofficial_sigs.pp create mode 100644 puppet/modules/clamav/templates/clamav-milter.conf.erb create mode 100644 puppet/modules/clamav/templates/local.pdb.erb create mode 100644 puppet/modules/clamav/templates/whitelisted_addresses.erb (limited to 'puppet/modules/clamav') diff --git a/puppet/modules/clamav/files/01-leap.conf b/puppet/modules/clamav/files/01-leap.conf new file mode 100644 index 00000000..abeeb302 --- /dev/null +++ b/puppet/modules/clamav/files/01-leap.conf 
@@ -0,0 +1,58 @@
+# If running clamd in "LocalSocket" mode (*NOT* in TCP/IP mode), and
+# either "SOcket Cat" (socat) or the "IO::Socket::UNIX" perl module
+# are installed on the system, and you want to report whether clamd
+# is running or not, uncomment the "clamd_socket" variable below (you
+# will be warned if neither socat nor IO::Socket::UNIX are found, but
+# the script will still run). You will also need to set the correct
+# path to your clamd socket file (if unsure of the path, check the
+# "LocalSocket" setting in your clamd.conf file for socket location).
+clamd_socket="/run/clamav/clamd.ctl"
+
+# If you would like to attempt to restart ClamD if detected not running,
+# uncomment the next 2 lines. Confirm the path to the "clamd_lock" file
+# (usually can be found in the clamd init script) and also enter the clamd
+# start command for your particular distro for the "start_clamd" variable
+# (the sample start command shown below should work for most linux distros).
+# NOTE: these 2 variables are dependant on the "clamd_socket" variable
+# shown above - if not enabled, then the following 2 variables will be
+# ignored, whether enabled or not.
+clamd_lock="/run/clamav/clamd.pid"
+start_clamd="service clamav-daemon start"
+
+ss_dbs="
+ junk.ndb
+ phish.ndb
+ rogue.hdb
+ sanesecurity.ftm
+ scam.ndb
+ sigwhitelist.ign2
+ spamattach.hdb
+ spamimg.hdb
+ winnow.attachments.hdb
+ winnow_bad_cw.hdb
+ winnow_extended_malware.hdb
+ winnow_malware.hdb
+ winnow_malware_links.ndb
+ malwarehash.hsb
+ doppelstern.hdb
+ bofhland_cracked_URL.ndb
+ bofhland_malware_attach.hdb
+ bofhland_malware_URL.ndb
+ bofhland_phishing_URL.ndb
+ crdfam.clamav.hdb
+ phishtank.ndb
+ porcupine.ndb
+ spear.ndb
+ spearl.ndb
+"
+
+# ========================
+# SecuriteInfo Database(s)
+# ========================
+# Add or remove database file names between quote marks as needed. To
+# disable any SecuriteInfo database downloads, remove the appropriate
+# lines below. 
To disable all SecuriteInfo database file downloads,
+# comment all of the following lines.
+si_dbs=""
+
+mbl_dbs=""
\ No newline at end of file
diff --git a/puppet/modules/clamav/files/clamav-daemon_default b/puppet/modules/clamav/files/clamav-daemon_default
new file mode 100644
index 00000000..b4cd6a4f
--- /dev/null
+++ b/puppet/modules/clamav/files/clamav-daemon_default
@@ -0,0 +1,8 @@
+# This is a file designed only t0 set special environment variables
+# eg TMP or TMPDIR. It is sourced from a shell script, so anything
+# put in here must be in variable=value format, suitable for sourcing
+# from a shell script.
+# Examples:
+# export TMPDIR=/dev/shm
+export TMP=/var/tmp
+export TMPDIR=/var/tmp
diff --git a/puppet/modules/clamav/files/clamav-milter_default b/puppet/modules/clamav/files/clamav-milter_default
new file mode 100644
index 00000000..5e33e822
--- /dev/null
+++ b/puppet/modules/clamav/files/clamav-milter_default
@@ -0,0 +1,14 @@
+#
+# clamav-milter init options
+#
+
+## SOCKET_RWGROUP
+# by default, the socket created by the milter has permissions
+# clamav:clamav:755. SOCKET_RWGROUP changes the group and changes the
+# permissions to 775 to give read-write access to that group.
+#
+# If you are using postfix to speak to the milter, you have to give permission
+# to the postfix group to write
+#
+SOCKET_RWGROUP=postfix
+export TMPDIR=/var/tmp
diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp
new file mode 100644
index 00000000..9aebf9b0
--- /dev/null
+++ b/puppet/modules/clamav/manifests/daemon.pp
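Review bot: The `ss_dbs` list turns on two dozen third-party signature feeds, and the milter template added in this same commit rejects on any hit (`OnInfected Reject`), so one bad signature in an unofficial feed bounces legitimate mail with no quarantine to recover from. I would record why each feed was chosen in a comment above the list, and either keep only the feeds the project has vetted for false positives or run the new feeds in a log-only mode for a while before letting them drive rejects. The `clamd_socket`/`clamd_lock`/`start_clamd` block also deserves a one-line note that the updater runs this file from the clamav user's cron, so anything it starts runs unprivileged.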
@@ -0,0 +1,86 @@ +class clamav::daemon { + + $domain_hash = hiera('domain') + $domain = $domain_hash['full_suffix'] + + package { [ 'clamav-daemon', 'arj' ]: + ensure => installed; + } + + service { + 'clamav-daemon': + ensure => running, + name => clamav-daemon, + pattern => '/usr/sbin/clamd', + enable => true, + hasrestart => true, + subscribe => File['/etc/default/clamav-daemon']; + } + + file { + '/var/run/clamav': + ensure => directory, + mode => '0750', + owner => clamav, + group => postfix; + + '/var/lib/clamav': + mode => '0755', + owner => clamav, + group => clamav; + + '/etc/default/clamav-daemon': + source => 'puppet:///modules/clamav/clamav-daemon_default', + mode => '0644', + owner => root, + group => root; + + # this file contains additional domains that we want the clamav + # phishing process to look for (our domain) + '/var/lib/clamav/local.pdb': + content => template('clamav/local.pdb.erb'), + mode => '0644', + owner => clamav, + group => clamav; + } + + file_line { + 'clamav_daemon_tmp': + path => '/etc/clamav/clamd.conf', + line => 'TemporaryDirectory /var/tmp', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'enable_phishscanurls': + path => '/etc/clamav/clamd.conf', + match => 'PhishingScanURLs no', + line => 'PhishingScanURLs yes', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'clamav_LogSyslog_true': + path => '/etc/clamav/clamd.conf', + match => '^LogSyslog false', + line => 'LogSyslog true', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + + 'clamav_MaxThreads': + path => '/etc/clamav/clamd.conf', + match => 'MaxThreads 20', + line => 'MaxThreads 100', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + } + + # remove LogFile line + file_line { + 'clamav_LogFile': + path => '/etc/clamav/clamd.conf', + match => '^LogFile .*', + line => '', + require => Package['clamav-daemon'], + notify => Service['clamav-daemon']; + } 
+
+}
diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp
new file mode 100644
index 00000000..b9827ede
--- /dev/null
+++ b/puppet/modules/clamav/manifests/freshclam.pp
@@ -0,0 +1,21 @@
+class clamav::freshclam {
+
+ package { 'clamav-freshclam': ensure => installed }
+
+ service {
+ 'freshclam':
+ ensure => running,
+ enable => true,
+ name => clamav-freshclam,
+ pattern => '/usr/bin/freshclam',
+ hasrestart => true;
+ }
+
+ file_line {
+ 'freshclam_notify':
+ path => '/etc/clamav/freshclam.conf',
+ line => 'NotifyClamd /etc/clamav/clamd.conf',
+ notify => Service[freshclam];
+ }
+
+}
diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp
new file mode 100644
index 00000000..fa7b553c
--- /dev/null
+++ b/puppet/modules/clamav/manifests/init.pp
@@ -0,0 +1,8 @@
+class clamav {
+
+ include clamav::daemon
+ include clamav::milter
+ include clamav::sanesecurity
+ include clamav::freshclam
+
+}
diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp
new file mode 100644
index 00000000..52ddaef1
--- /dev/null
+++ b/puppet/modules/clamav/manifests/milter.pp
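Review bot: The `file_line` edits to clamd.conf use unanchored substring `match` patterns such as `'MaxThreads 20'` and `'PhishingScanURLs no'`; `file_line` appends `line` when nothing matches, so if a package update ships a different default (say `MaxThreads 12`) or the directive is commented out, clamd.conf ends up with two conflicting directives instead of one replaced line. Anchor the patterns to the directive, e.g. `match => '^MaxThreads\s'` and `match => '^PhishingScanURLs\s'`, so the existing line is always the one rewritten. The `'clamav_LogFile'` resource has the same shape and replaces the matched line with an empty string; a comment such as `# drop the file logger: syslog (LogSyslog true above) is the only intended log sink` would make the intent clear to the next reader.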
@@ -0,0 +1,48 @@ +class clamav::milter { + + $clamav = hiera('clamav') + $whitelisted_addresses = $clamav['whitelisted_addresses'] + $domain_hash = hiera('domain') + $domain = $domain_hash['full_suffix'] + + package { 'clamav-milter': ensure => installed } + + service { + 'clamav-milter': + ensure => running, + enable => true, + name => clamav-milter, + pattern => '/usr/sbin/clamav-milter', + hasrestart => true, + subscribe => File['/etc/default/clamav-milter']; + } + + file { + '/run/clamav/milter.ctl': + mode => '0666', + owner => clamav, + group => postfix, + require => Class['clamav::daemon']; + + '/etc/clamav/clamav-milter.conf': + content => template('clamav/clamav-milter.conf.erb'), + mode => '0644', + owner => root, + group => root, + subscribe => Service['clamav-milter']; + + '/etc/default/clamav-milter': + source => 'puppet:///modules/clamav/clamav-milter_default', + mode => '0644', + owner => root, + group => root; + + '/etc/clamav/whitelisted_addresses': + content => template('clamav/whitelisted_addresses.erb'), + mode => '0644', + owner => root, + group => root; + + } + +} diff --git a/puppet/modules/clamav/manifests/unofficial_sigs.pp b/puppet/modules/clamav/manifests/unofficial_sigs.pp new file mode 100644 index 00000000..316154d3 --- /dev/null +++ b/puppet/modules/clamav/manifests/unofficial_sigs.pp @@ -0,0 +1,22 @@ +class clamav::unofficial_sigs { + + package { [ 'clamav-unofficial-sigs', 'wget', 'gnupg', + 'socat', 'rsync', 'curl' ]: + ensure => installed + } + + file { + '/var/log/clamav-unofficial-sigs.log': + ensure => file, + owner => clamav, + group => clamav, + require => Package['clamav-unofficial-sigs']; + + '/etc/clamav-unofficial-sigs.conf.d/01-leap.conf': + source => 'puppet:///modules/clamav/01-leap.conf', + mode => '0755', + owner => root, + group => root, + require => Package['clamav-unofficial-sigs']; + } +} 
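Review bot: `'/etc/clamav/clamav-milter.conf'` declares `subscribe => Service['clamav-milter']`, which points the wrong way: the file would be refreshed by the service, and nothing restarts the milter when the rendered template changes, so a new `RejectMsg` or whitelist only takes effect after a manual restart. Change it to `notify => Service['clamav-milter'],`, matching how `/etc/default/clamav-milter` reaches the service through its `subscribe`. Separately, managing `/run/clamav/milter.ctl` as a `file` with `mode => '0666'` makes the milter socket writable by every local user and defeats the `SOCKET_RWGROUP=postfix` restriction set in the defaults file; `mode => '0660'` with `group => postfix` is all Postfix needs. Because that resource has no `ensure`, Puppet will also create a plain file at the socket path when the socket is absent, which I would expect to interfere with the milter binding there; either drop the resource and let the milter's own socket options set ownership, or add `# NOTE(review): confirm clamav-milter tolerates a pre-existing regular file at this path` until that is verified.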
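Review bot: `/etc/clamav-unofficial-sigs.conf.d/01-leap.conf` is installed with `mode => '0755'`, but it is a configuration fragment sourced by the updater script, not an executable; `mode => '0644'` is sufficient and avoids leaving an executable root-owned file in a config directory. `/var/log/clamav-unofficial-sigs.log` is created without a `mode`, so its permissions depend on the agent's umask; `mode => '0640'` pins them. A short class comment noting that this class drives the fetch of the third-party feeds listed in `01-leap.conf`, which is why `rsync`, `curl`, `wget` and `gnupg` are pulled in, would help the next reader.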
diff --git a/puppet/modules/clamav/templates/clamav-milter.conf.erb b/puppet/modules/clamav/templates/clamav-milter.conf.erb
new file mode 100644
index 00000000..9bf7099e
--- /dev/null
+++ b/puppet/modules/clamav/templates/clamav-milter.conf.erb
@@ -0,0 +1,28 @@
+# THIS FILE MANAGED BY PUPPET
+MilterSocket /var/run/clamav/milter.ctl
+FixStaleSocket true
+User clamav
+MilterSocketGroup clamav
+MilterSocketMode 666
+AllowSupplementaryGroups true
+ReadTimeout 120
+Foreground false
+PidFile /var/run/clamav/clamav-milter.pid
+ClamdSocket unix:/var/run/clamav/clamd.ctl
+OnClean Accept
+OnInfected Reject
+OnFail Defer
+AddHeader Replace
+LogSyslog true
+LogFacility LOG_LOCAL6
+LogVerbose yes
+LogInfected Basic
+LogTime true
+LogFileUnlock false
+LogClean Off
+LogRotate true
+SupportMultipleRecipients false
+MaxFileSize 10M
+TemporaryDirectory /var/tmp
+RejectMsg "Message refused due to content violation: %v - contact https://<%= @domain %>/tickets/new if this is in error"
+Whitelist /etc/clamav/whitelisted_addresses
diff --git a/puppet/modules/clamav/templates/local.pdb.erb b/puppet/modules/clamav/templates/local.pdb.erb
new file mode 100644
index 00000000..9ea0584a
--- /dev/null
+++ b/puppet/modules/clamav/templates/local.pdb.erb
@@ -0,0 +1 @@
+H:<%= @domain %>
diff --git a/puppet/modules/clamav/templates/whitelisted_addresses.erb b/puppet/modules/clamav/templates/whitelisted_addresses.erb
new file mode 100644
index 00000000..9e068ec5
--- /dev/null
+++ b/puppet/modules/clamav/templates/whitelisted_addresses.erb
@@ -0,0 +1,5 @@
+<%- if @whitelisted_addresses then -%>
+<% @whitelisted_addresses.each do |name| -%>
+From::<%= name %>
+<% end -%>
+<% end -%>
-- cgit v1.2.3
From 2c8de729a2a4213b8cb312bcb481695ae44f9a62 Mon Sep 17 00:00:00 2001
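Review bot: `MilterSocketMode 666` together with `MilterSocketGroup clamav` makes the milter socket writable by every local user, while the defaults file in this same commit tries to restrict it to the `postfix` group via `SOCKET_RWGROUP`; `MilterSocketGroup postfix` and `MilterSocketMode 660` keep the two consistent and let only Postfix reach the milter. If I read the clamav-milter documentation correctly, messages above `MaxFileSize 10M` are passed through without being scanned, so a comment next to it stating that this is a deliberate trade-off and must not exceed clamd's own size limits belongs here. `RejectMsg` embeds `@domain` in an SMTP reply; that is fine for operator-controlled hiera data, but a `# @domain comes from hiera, never from message content` note would keep someone from templating untrusted values into it later.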
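Review bot: The whitelist entries are emitted as `From::<name>` straight from hiera with no anchoring or escaping, and a sender-based exemption is only as strong as the sender field, which the remote party controls unless something upstream authenticates it; anyone who can place a whitelisted address in the matched field bypasses scanning for that message. If the milter treats these lines as regular expressions, as the clamav-milter documentation describes, an unescaped `.` in a domain and the missing end anchor also match more than the intended address, so render them as `From::^<%= Regexp.escape(name) %>$` or document that the hiera values are expected to be pre-escaped patterns. A header comment in the template stating which field `From::` is matched against (envelope sender versus the `From:` header) and warning that a whitelisted sender is trivially spoofable would remove the ambiguity for operators adding entries.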
From: Micah Date: Tue, 13 Oct 2015 14:01:48 -0400 Subject: Class was renamed, but not properly cared for in the rest of the manifest Change-Id: Ic9f022dcbb9f2096b933c898ae43023e0bf278c6 --- puppet/modules/clamav/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/clamav') diff --git a/puppet/modules/clamav/manifests/init.pp b/puppet/modules/clamav/manifests/init.pp index fa7b553c..de8fb4dc 100644 --- a/puppet/modules/clamav/manifests/init.pp +++ b/puppet/modules/clamav/manifests/init.pp @@ -2,7 +2,7 @@ class clamav { include clamav::daemon include clamav::milter - include clamav::sanesecurity + include clamav::unofficial_sigs include clamav::freshclam } -- cgit v1.2.3 From 43595b105a21aaccb41c4d9199d87b3dc2d48ab5 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 13 Oct 2015 15:58:12 -0400 Subject: Fix ordering of clamav resources, by requiring the package installation as a pre-requisite Change-Id: Ic9c8cc6ccfb31ce5e56937a2d95de7974707c368 --- puppet/modules/clamav/manifests/daemon.pp | 22 +++++++++++++--------- puppet/modules/clamav/manifests/freshclam.pp | 10 ++++++---- puppet/modules/clamav/manifests/milter.pp | 6 ++++-- 3 files changed, 23 insertions(+), 15 deletions(-) (limited to 'puppet/modules/clamav') diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp index 9aebf9b0..bf232e2c 100644 --- a/puppet/modules/clamav/manifests/daemon.pp +++ b/puppet/modules/clamav/manifests/daemon.pp 
@@ -14,20 +14,23 @@ class clamav::daemon { pattern => '/usr/sbin/clamd', enable => true, hasrestart => true, - subscribe => File['/etc/default/clamav-daemon']; + subscribe => File['/etc/default/clamav-daemon'], + require => Package['clamav-daemon']; } file { '/var/run/clamav': - ensure => directory, - mode => '0750', - owner => clamav, - group => postfix; + ensure => directory, + mode => '0750', + owner => clamav, + group => postfix, + require => [Package['postfix'], Package['clamav-daemon']]; '/var/lib/clamav': - mode => '0755', - owner => clamav, - group => clamav; + mode => '0755', + owner => clamav, + group => clamav, + require => Package['clamav-daemon']; '/etc/default/clamav-daemon': source => 'puppet:///modules/clamav/clamav-daemon_default', @@ -41,7 +44,8 @@ class clamav::daemon { content => template('clamav/local.pdb.erb'), mode => '0644', owner => clamav, - group => clamav; + group => clamav, + require => Package['clamav-daemon']; } file_line { diff --git a/puppet/modules/clamav/manifests/freshclam.pp b/puppet/modules/clamav/manifests/freshclam.pp index b9827ede..80c822a4 100644 --- a/puppet/modules/clamav/manifests/freshclam.pp +++ b/puppet/modules/clamav/manifests/freshclam.pp @@ -8,14 +8,16 @@ class clamav::freshclam { enable => true, name => clamav-freshclam, pattern => '/usr/bin/freshclam', - hasrestart => true; + hasrestart => true, + require => Package['clamav-freshclam']; } file_line { 'freshclam_notify': - path => '/etc/clamav/freshclam.conf', - line => 'NotifyClamd /etc/clamav/clamd.conf', - notify => Service[freshclam]; + path => '/etc/clamav/freshclam.conf', + line => 'NotifyClamd /etc/clamav/clamd.conf', + require => Package['clamav-freshclam'], + notify => Service['freshclam']; } } diff --git a/puppet/modules/clamav/manifests/milter.pp b/puppet/modules/clamav/manifests/milter.pp index 52ddaef1..e8a85e3f 100644 --- a/puppet/modules/clamav/manifests/milter.pp +++ b/puppet/modules/clamav/manifests/milter.pp 
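Review bot: The new `require => [Package['postfix'], Package['clamav-daemon']]` on `/var/run/clamav` adds a hard dependency on a resource this module never declares, so catalog compilation fails on any node that includes `clamav` without a class that also declares `Package['postfix']`. The ordering is needed only because `group => postfix` requires that group to exist; expressing that as a dependency on the class that provides Postfix, or at least documenting it with `# needs the postfix group: Package['postfix'] is expected from the postfix module` above the resource, is safer than reaching into another module's package resource. The `clamav::daemon` class continues past the end of this hunk.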
@@ -14,6 +14,7 @@ class clamav::milter { name => clamav-milter, pattern => '/usr/sbin/clamav-milter', hasrestart => true, + require => Package['clamav-milter'], subscribe => File['/etc/default/clamav-milter']; } @@ -29,6 +30,7 @@ class clamav::milter { mode => '0644', owner => root, group => root, + require => Package['clamav-milter'], subscribe => Service['clamav-milter']; '/etc/default/clamav-milter': @@ -41,8 +43,8 @@ class clamav::milter { content => template('clamav/whitelisted_addresses.erb'), mode => '0644', owner => root, - group => root; - + group => root, + require => Package['clamav-milter']; } } -- cgit v1.2.3 From 2443311119a618e544f0f701c4a596690a3fcd05 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 15 Oct 2015 17:12:48 -0400 Subject: switch to ensure_packages to avoid puppet duplicate package definitions (#7530) Change-Id: I398b929fc96cf64e46075266ace0d8d1145b3aac --- puppet/modules/clamav/manifests/unofficial_sigs.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet/modules/clamav') diff --git a/puppet/modules/clamav/manifests/unofficial_sigs.pp b/puppet/modules/clamav/manifests/unofficial_sigs.pp index 316154d3..2d849585 100644 --- a/puppet/modules/clamav/manifests/unofficial_sigs.pp +++ b/puppet/modules/clamav/manifests/unofficial_sigs.pp @@ -1,10 +1,11 @@ class clamav::unofficial_sigs { - package { [ 'clamav-unofficial-sigs', 'wget', 'gnupg', - 'socat', 'rsync', 'curl' ]: + package { 'clamav-unofficial-sigs': ensure => installed } + ensure_packages(['wget', 'gnupg', 'socat', 'rsync', 'curl']) + file { '/var/log/clamav-unofficial-sigs.log': ensure => file, -- cgit v1.2.3 From 8370875d608ebddae09fcd05741bb77e0e31c122 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Apr 2016 18:28:29 +0200 Subject: [style] more manual linting for custom manifests --- puppet/modules/clamav/manifests/daemon.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/clamav') 
diff --git a/puppet/modules/clamav/manifests/daemon.pp b/puppet/modules/clamav/manifests/daemon.pp index bf232e2c..2e13a8fb 100644 --- a/puppet/modules/clamav/manifests/daemon.pp +++ b/puppet/modules/clamav/manifests/daemon.pp @@ -1,3 +1,4 @@ +# deploy clamav daemon class clamav::daemon { $domain_hash = hiera('domain') @@ -55,7 +56,7 @@ class clamav::daemon { require => Package['clamav-daemon'], notify => Service['clamav-daemon']; - 'enable_phishscanurls': + 'enable_phishscanurls': path => '/etc/clamav/clamd.conf', match => 'PhishingScanURLs no', line => 'PhishingScanURLs yes', -- cgit v1.2.3 From 2c5d27327bc1a90f5813e55a40d0acac644a13eb Mon Sep 17 00:00:00 2001 From: Micah Date: Mon, 18 Apr 2016 21:58:06 -0400 Subject: Fix clamd start configuration (#8048) If clamd is not running, the helpful cronjob tries to start it again, but the way it is being started can only be run as root, and the cronjob is run as the clamav user, so you get an error on each cron run. This fixes that problem Change-Id: I4cdb29dc651bee8a2eef1655ad4748d885afae0f --- puppet/modules/clamav/files/01-leap.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/clamav') diff --git a/puppet/modules/clamav/files/01-leap.conf b/puppet/modules/clamav/files/01-leap.conf index abeeb302..a7e49d17 100644 --- a/puppet/modules/clamav/files/01-leap.conf +++ b/puppet/modules/clamav/files/01-leap.conf @@ -17,7 +17,7 @@ clamd_socket="/run/clamav/clamd.ctl" # shown above - if not enabled, then the following 2 variables will be # ignored, whether enabled or not. clamd_lock="/run/clamav/clamd.pid" -start_clamd="service clamav-daemon start" +start_clamd="clamdscan --reload" ss_dbs=" junk.ndb -- cgit v1.2.3
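Review bot: `clamdscan --reload` does not start a stopped daemon; it asks an already-running clamd to reload its databases, so the restart path now does nothing useful when clamd is down and, as far as I can tell, still fails on each cron run because there is no socket to connect to. If the goal is only to silence the cron error, leaving `start_clamd` unset is the honest fix, since the comment block above says the script then ignores it; if a restart from the clamav user is genuinely wanted, it needs a narrowly scoped sudoers entry for that single command and `start_clamd="sudo service clamav-daemon start"`. Either way the comment above the variable still describes a start command, so it should be updated to say what the value now does.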