
clamav-chef's Introduction

clamav Cookbook


A cookbook for installing and configuring ClamAV.

Requirements

This cookbook requires a RHEL/CentOS/Scientific, Debian/Ubuntu, or compatible OS.

As of v2.0, it requires Chef 12.5+ or Chef 12.x and the compat_resource cookbook.

Usage

Either add the default recipe to your run list, or use the included custom resources in a recipe of your own.

Recipes

default

Performs an attribute-driven (see below) installation and configuration of ClamAV.

Attributes

default

A recipe-based install offers several attributes that can be overridden and passed into the various resources.

You can choose to install a specific version of ClamAV instead of the latest.

default['clamav']['version'] = nil

The development libraries can be installed as well, but are not by default.

default['clamav']['dev'] = false

A configuration hash can be provided for the clamd.conf and freshclam.conf that will be generated.

default['clamav']['clamd']['config'] = nil
default['clamav']['freshclam']['config'] = nil

Configuration attributes are set with ClamAV property names in camel-case format, for example:

default['clamav']['clamd']['log_file'] = '/var/log/clamav/clamd.log'
default['clamav']['clamd']['scan_p_e'] = false

See the ClamAV documentation for other valid settings.

The two ClamAV daemons are disabled by default.

default['clamav']['clamd']['enabled'] = false
default['clamav']['freshclam']['enabled'] = false

Resources

clamav

A parent resource that wraps both installation and configuration.

Syntax:

clamav 'default' do
  enable_clamd false
  enable_freshclam false
  clamd_config({})      # parentheses required: a bare {} parses as a block
  freshclam_config({})
  version '0.9.8'
  dev true
  action :create
end

Actions:

| Action  | Description                  |
|---------|------------------------------|
| :create | Install and configure ClamAV |
| :remove | Uninstall ClamAV             |

Properties:

| Property         | Default | Description                             |
|------------------|---------|-----------------------------------------|
| enable_clamd     | false   | Whether to enable the clamd daemon      |
| enable_freshclam | false   | Whether to enable the freshclam daemon  |
| clamd_config     | {}      | A camel-cased clamd.conf config         |
| freshclam_config | {}      | A camel-cased freshclam.conf config     |
| version          | nil     | A specific version of ClamAV to install |
| dev              | false   | Whether to install the dev libraries    |
| action           | :create | Action(s) to perform                    |

clamav_app

A resource for managing installation of the ClamAV packages.

Syntax:

clamav_app 'default' do
  version '0.9.8'
  dev true
  action :install
end

Actions:

| Action   | Description                   |
|----------|-------------------------------|
| :install | Install the ClamAV packages   |
| :upgrade | Upgrade the ClamAV packages   |
| :remove  | Uninstall the ClamAV packages |

Properties:

| Property | Default  | Description                             |
|----------|----------|-----------------------------------------|
| version  | nil      | A specific version of ClamAV to install |
| dev      | false    | Whether to install the dev libraries    |
| action   | :install | Action(s) to perform                    |

clamav_config

A resource for managing the clamd.conf and freshclam.conf files.

Syntax:

clamav_config 'clamd' do
  path '/etc/clamav/clamd.conf'
  config({})  # parentheses required: a bare {} parses as a block
  action :create
end

Actions:

| Action  | Description            |
|---------|------------------------|
| :create | Render the config file |
| :remove | Delete the config file |

Properties:

| Property | Default | Description                        |
|----------|---------|------------------------------------|
| path     | nil     | A custom path to store the file at |
| config   | {}      | A camel-cased clamd.conf config    |
| action   | :create | Action(s) to perform               |

clamav_service

A resource for managing the clamd and freshclam daemons.

Syntax:

clamav_service 'clamd' do
  action %i(enable start)
end

Actions:

| Action   | Description                          |
|----------|--------------------------------------|
| :enable  | Set the service to start on boot     |
| :disable | Set the service to not start on boot |
| :start   | Start the service                    |
| :stop    | Stop the service                     |
| :restart | Restart the service                  |

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Add tests for the new feature; ensure they pass (rake)
  4. Commit your changes (git commit -am 'Add some feature')
  5. Push to the branch (git push origin my-new-feature)
  6. Create a new Pull Request

License & Authors

Copyright 2012-2016, Jonathan Hartman

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

clamav-chef's People

Contributors

av1nashs1ngh, bknowles, computerlyrik, d-ross, daxtens, hartmantis, mikeputnam, stromp


clamav-chef's Issues

Syntax Error while uploading cookbook

Hi,

When I try to upload the cookbook, I get the following error. I have Ruby version 1.8.7.

knife cookbook upload clamav
Uploading clamav [1.0.2]
FATAL: Cookbook file recipes/services.rb has a ruby syntax error:
FATAL:/chef-repo/cookbooks/clamav/recipes/services.rb:35: syntax error, unexpected ':', expecting kEND
FATAL: supports status: true, restart: true
FATAL: ^
FATAL: /chef-repo/cookbooks/clamav/recipes/services.rb:35: Can't assign to true
FATAL: supports status: true, restart: true
FATAL: ^
FATAL: /chef-repo/cookbooks/clamav/recipes/services.rb:35: syntax error, unexpected ':', expecting '='
FATAL: supports status: true, restart: true
FATAL: ^
FATAL: /chef-repo/cookbooks/clamav/recipes/services.rb:42: syntax error, unexpected ':', expecting kEND
FATAL: supports status: true, restart: true
FATAL: ^
FATAL: /chef-repo/cookbooks/clamav/recipes/services.rb:42: Can't assign to true
FATAL: supports status: true, restart: true
FATAL: ^
FATAL:/chef-repo/cookbooks/clamav/recipes/services.rb:42: syntax error, unexpected ':', expecting '='
FATAL: supports status: true, restart: true
FATAL:

Thanks,
Anoop

Cookbook disables root account

There are specific cases where clamd needs to run as root. Setting default['clamav']['user'] = 'root' to get the desired results ends up locking out the root account because of this code in recipes/users.rb:

user node['clamav']['user'] do
  comment 'Clam Anti Virus Checker'
  system true
  shell '/sbin/nologin'
end

Please at least consider a guard of not_if { node['clamav']['user'] == 'root' }

Run Freshclam on as few runs as possible

  • Nodes with packages missing any main.cvd (Ubuntu) need to update before they can do anything
  • Nodes that run the freshclam service but start without a main.cvd (above) can't download one fast enough to keep a start of the clamd service from failing
  • That first freshclam run takes a LOOOONG time

Reminder: Don't overthink this too much, since #14 will fix it for 2.0.0

Deprecated Config Options

From the build log with the latest ClamAV version:

WARNING: Ignoring deprecated option ClamukoScanOnAccess at line 448

Something to be said for going back to a default version attribute.

Or one more thing switching to a common set of Omnibus packages could fix.

Add CentOS 7 support

CentOS 7 has a different set of package names. Among other things, it has separate server packages for sysvinit and systemd.

Use custom packages instead of OS ones

Among many issues with the vendor packages:

  • Each distro updates its packages on a different timeline
  • Pinned package versions would be preferable if they weren't such a pain (see #5 and #13).
  • CentOS packages come with a main.cvd, making for faster freshclam runs. Ubuntu has no main.cvd and is slow as &#&@.
  • CentOS and Ubuntu use different paths for their config files

Possible use case for either (Omnibus + Bintray) or, less preferably, OBS.

Windows support?

ClamAV for Windows exists. Adding support for it could be interesting.

Remove ubuntu-clamav PPA

It apparently ceased to exist sometime over the weekend.

Err http://ppa.launchpad.net trusty/main amd64 Packages
      404  Not Found
    STDERR: W: Failed to fetch http://ppa.launchpad.net/ubuntu-clamav/ppa/ubuntu/dists/trusty/main/binary-amd64/Packages  404  Not Found

    E: Some index files failed to download. They have been ignored, or old ones used instead.
    ---- End output of apt-get update ----

WIP: Rewrite, rewrite, rewrite

This whole thing got way too complex. Everything needs to be resource-ified and generally brought up to current cookbook standards.

Why are RHEL platforms no longer supported?

Hi,

We've been using this cookbook for some time in production on RHEL family Linux servers and now see you've removed support for them.

What was the reason for this? Is there anything we can assist with to restore support for the previously supported OSes?

Recipe is incorrectly setting acronym options as camel case

When overriding the config for [clamd].[config].[tcp_socket] it will update the clamd.conf file with:

Below are the values I'm overriding along with a null value for local_socket to remove that option in the config.

       - update content in file /etc/clamav/clamd.conf
         ##############################################
         StreamMaxPort XXXXX
         StreamMinPort XXXXX
        +TcpSocket XXXX

This property is then not recognised when starting up the clamav service. I assume this would be the case for any acronym that should be upper case in the config file.
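The mismatch reported in this issue can be caught before the file is rendered. The following is an added example, not code from the cookbook: it assumes the conversion simply capitalises each underscore-separated segment (consistent with the README's `scan_p_e` example), and the option list and sample values are constructed.

```ruby
# Added example, not the cookbook's code. Assumption: each snake_case key is
# rendered by capitalising every underscore-separated segment.

# Constructed subset of real clamd.conf option names; extend it from the
# clamd.conf man page of the ClamAV version you deploy.
KNOWN_CLAMD_OPTIONS = %w[
  LogFile LocalSocket TCPSocket TCPAddr StreamMinPort StreamMaxPort
  ScanPE ScanELF ScanOLE2 ScanPDF ScanHTML DatabaseDirectory PidFile
].freeze

# Naive conversion: 'tcp_socket' => 'TcpSocket', 'scan_p_e' => 'ScanPE'.
def camelize(key)
  key.to_s.split('_').map(&:capitalize).join
end

# The key that camelize turns into exactly `option`:
# 'TCPSocket' => 't_c_p_socket'.
def key_for(option)
  option.scan(/[A-Z][a-z0-9]*/).map(&:downcase).join('_')
end

# Lint a config hash before it is rendered. nil values are skipped because
# the issue uses nil to drop an option. Each problem names the rendered
# option, the option it was probably meant to be, and a key that renders to it.
def lint_clamd_config(config)
  by_downcase = {}
  KNOWN_CLAMD_OPTIONS.each { |o| by_downcase[o.downcase] = o }
  config.each_with_object([]) do |(key, value), problems|
    next if value.nil?
    rendered = camelize(key)
    next if KNOWN_CLAMD_OPTIONS.include?(rendered)
    expected = by_downcase[rendered.downcase]
    problems << { key: key.to_s, rendered: rendered, expected: expected,
                  use_key: expected && key_for(expected) }
  end
end

# Constructed sample mirroring the override in the issue (values are made up).
SAMPLE_CONFIG = {
  'tcp_socket' => 3310,
  'stream_min_port' => 1024,
  'stream_max_port' => 2048,
  'local_socket' => nil,
  'scan_p_e' => false
}.freeze

if __FILE__ == $PROGRAM_NAME
  lint_clamd_config(SAMPLE_CONFIG).each do |p|
    hint = p[:expected] ? "did you mean #{p[:expected]} (key '#{p[:use_key]}')?" : 'unknown option'
    puts "#{p[:key]} renders as #{p[:rendered]}: #{hint}"
  end
end
```

Running a check like this in a wrapper cookbook's unit tests turns a clamd start-up failure into a failed build.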

Update version of apt dependency

The package apt dependency is apt ~> 2.1. The current version of apt in the chef supermarket is 4.0.1. A fresh install of chef with the newest version of both packages fails to upload the clamav package due to the missing apt package. This is due to the pessimistic constraint on the apt version number.

Planned Release?

Any chance you're planning a release in the near future? I noticed today I was bumping up against the issue resolved in this commit 145d4cf, however that doesn't appear to be included in the latest released version. I can certainly work around this in my wrapper cookbook, but if you've got a release coming, I'd rather just use that.

Thanks (PS nice job on this cookbook, saving me a bunch of time).

Fix service ordering

include_recipe 'clamav::services' in recipes that send service notifications makes them runnable on their own, but causes the service actions to try and fail before the packages containing the init scripts are installed.

Converge fails when freshclam is enabled

I am trying to test out the clamav cookbook and when I have the following attributes enabled:

default["clamav"]["freshclam"]["enabled"] = true
default["clamav"]["clamd"]["enabled"] = true

The cookbook fails to converge with the following error:

[2017-03-07T15:53:41+00:00] INFO: template[/etc/clamav/freshclam.conf] mode changed to 644

       - change mode from '0444' to '0644'
       - change group from 'adm' to 'clamav'
   [2017-03-07T15:53:41+00:00] INFO: template[/etc/clamav/freshclam.conf] not queuing delayed action restart on service[clamav-freshclam] (delayed), as it's already been queued
     * execute[freshclam] action run[2017-03-07T15:53:41+00:00] INFO: Processing execute[freshclam] action run (clamav::freshclam line 55)

       [execute] ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
          ERROR: /var/log/clamav/freshclam.log is locked by another process

       ================================================================================
       Error executing action `run` on resource 'execute[freshclam]'
       ================================================================================

       Mixlib::ShellOut::ShellCommandFailed
       ------------------------------------
       Expected process to exit with [0], but received '62'
       ---- Begin output of freshclam ----
       STDOUT: ERROR: /var/log/clamav/freshclam.log is locked by another process
       STDERR: ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
       ---- End output of freshclam ----
       Ran freshclam returned 62

       Resource Declaration:
       ---------------------
       # In /tmp/kitchen/cache/cookbooks/clamav/recipes/freshclam.rb

        55: execute 'freshclam' do
        56:   command 'freshclam'
        57:   creates ::File.join(node['clamav']['database_directory'], 'daily.cvd')
        58:   not_if { node['clamav']['freshclam']['skip_initial_run'] }
        59: end

       Compiled Resource:
       ------------------
       # Declared in /tmp/kitchen/cache/cookbooks/clamav/recipes/freshclam.rb:55:in `from_file'

       execute("freshclam") do
         action [:run]
         retries 0
         retry_delay 2
         default_guard_interpreter :execute
         command "freshclam"
         backup 5
         creates "/var/lib/clamav/daily.cvd"
         returns 0
         user nil
         declared_type :execute
         cookbook_name "clamav"
         recipe_name "freshclam"
         not_if { #code block }
       end

       Platform:
       ---------
       x86_64-linux


kitchen converge failing on CentOS

When running

kitchen converge all-options-enabled-centos-67

The chef client fails:

 Recipe: clamav::services
         * service[clamd] action enable
           - enable service service[clamd]
         * service[clamd] action start

           ================================================================================
           Error executing action `start` on resource 'service[clamd]'
           ================================================================================

           Mixlib::ShellOut::ShellCommandFailed
           ------------------------------------
           Expected process to exit with [0], but received '1'
           ---- Begin output of /sbin/service clamd start ----
           STDOUT: Starting clamd: Closing the main socket.
[FAILED]   [FAILED]
           STDERR: LibClamAV Warning: **************************************************
           LibClamAV Warning: ***  The virus database is older than 7 days!  ***
           LibClamAV Warning: ***   Please update it as soon as possible.    ***
           LibClamAV Warning: **************************************************
           LibClamAV Error: Can't load /var/lib/clamav/main.cvd: Can't verify database integrity
           LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/main.cvd
           ERROR: Can't verify database integrity
           ---- End output of /sbin/service clamd start ----
           Ran /sbin/service clamd start returned 1

The second time the command is executed, the chef client run finishes successfully.

Same thing happens on all CentOS all-options-enabled platforms, Ubuntu works fine though.

Version of clamav-freshclam package should be managed

I just ran into an issue when bumping my attribute-specified version of clamav where I had clamav at 0.98.4 but freshclam was still at 0.98.1 after the chef run. I was running into an issue with freshclam after the run. Manually upgrading clamav-freshclam to 0.98.4 mostly* fixed my issue. I would think these should default to being in sync.

  • As a side note there is a bug in the sysvinit init script which ships with 0.98.4 of clamav-freshclam on ubuntu 12.04 causing the clamav-freshclam daemon to fail starting. I just confirmed it with a clamav dev this morning and a fix is in the works.

Create cron job or daemon to run clamdscan?

One thing I noticed about this cookbook is that it installs and configures clamd and freshclam, but it doesn't actually set up any regular scans by clamscan or clamdscan. Is this an intentional choice? If so, what is the recommended method for doing something like this on a site-local basis?

Cookbook generates CHEF-3694 warnings

Running the cookbook generates CHEF-3694 warnings.

I'm not quite sure what causes them or how to fix them, and they aren't causing any problems for me yet, but I understand them to indicate the use of deprecated behaviours.

[2013-12-28T17:28:12+00:00] WARN: Cloning resource attributes for service[freshclam] from prior resource (CHEF-3694)
[2013-12-28T17:28:12+00:00] WARN: Previous service[freshclam]: /tmp/vagrant-chef-1/chef-solo-1/cookbooks/clamav/recipes/install_rpm.rb:23:in `from_file'
[2013-12-28T17:28:12+00:00] WARN: Current  service[freshclam]: /tmp/vagrant-chef-1/chef-solo-1/cookbooks/clamav/recipes/freshclam.rb:20:in `from_file'
[2013-12-28T17:28:12+00:00] WARN: Cloning resource attributes for service[clamd] from prior resource (CHEF-3694)
[2013-12-28T17:28:12+00:00] WARN: Previous service[clamd]: /tmp/vagrant-chef-1/chef-solo-1/cookbooks/clamav/recipes/install_rpm.rb:22:in `from_file'
[2013-12-28T17:28:12+00:00] WARN: Current  service[clamd]: /tmp/vagrant-chef-1/chef-solo-1/cookbooks/clamav/recipes/clamd.rb:20:in `from_file'
[2013-12-28T17:28:12+00:00] WARN: Cloning resource attributes for service[freshclam] from prior resource (CHEF-3694)
[2013-12-28T17:28:12+00:00] WARN: Previous service[freshclam]: /tmp/vagrant-chef-1/chef-solo-1/cookbooks/clamav/recipes/freshclam.rb:20:in `from_file'
[2013-12-28T17:28:12+00:00] WARN: Current  service[freshclam]: /tmp/vagrant-chef-1/chef-solo-1/cookbooks/clamav/recipes/freshclam_service.rb:27:in `from_file'
[2013-12-28T17:28:12+00:00] WARN: Cloning resource attributes for directory[/var/run/clamav] from prior resource (CHEF-3694)
[2013-12-28T17:28:12+00:00] WARN: Previous directory[/var/run/clamav]: /tmp/vagrant-chef-1/chef-solo-1/cookbooks/clamav/recipes/freshclam_service.rb:20:in `from_file'
[2013-12-28T17:28:12+00:00] WARN: Current  directory[/var/run/clamav]: /tmp/vagrant-chef-1/chef-solo-1/cookbooks/clamav/recipes/clamd_service.rb:20:in `from_file'
[2013-12-28T17:28:12+00:00] WARN: Cloning resource attributes for service[clamd] from prior resource (CHEF-3694)
[2013-12-28T17:28:12+00:00] WARN: Previous service[clamd]: /tmp/vagrant-chef-1/chef-solo-1/cookbooks/clamav/recipes/clamd.rb:20:in `from_file'
[2013-12-28T17:28:12+00:00] WARN: Current  service[clamd]: /tmp/vagrant-chef-1/chef-solo-1/cookbooks/clamav/recipes/clamd_service.rb:27:in `from_file'

Make freshclam execution optional via attribute (even on debian/ubuntu)

It is currently possible to use freshclam as a service via the attribute node['clamav']['freshclam']['enabled'], which is great.

But if you are running a VM with platform_family == 'debian', a freshclam execution is forced.

  if !node['clamav']['freshclam']['enabled'] || platform_family == 'debian'
    notifies :run, 'execute[freshclam]', :immediately
  end

Is there a reason why this is not 100% customizable via the attribute? (Something like default is true but if you are running debian the default is false.) That way we can choose to force a freshclam refresh during the chef_run or not.

Make Repo Setup Disable-able(?)

Some use cases, for security or out of paranoia or in order to host their own internal repos, might want the ability to disable the setup of EPEL/Ubuntu's ClamAV repo.

Proxy settings should not be set in /etc/freshclam.conf when node attributes are nil or empty

https://github.com/RoboticCheese/clamav-chef/blob/master/templates/default/freshclam.conf.erb#L110-L113

These lines should also check for #empty? and not enable proxy settings. We have a separate process that tries to determine proxy settings based on a node's location in the network. In particular, we have nodes that need outbound http proxy settings for other things, but not to get to clamav db mirrors. However, we can override node['clamav']['freshclam']['http_proxy_server'] and node['clamav']['freshclam']['http_proxy_port'] with empty String values in our roles and environment settings. Doing so results in a rendered /etc/freshclam.conf that has these settings enabled but with empty values. This causes a failure when the freshclam command is executed:

# freshclam
ERROR: Missing argument for option at line 106
ERROR: Can't open/parse the config file /etc/freshclam.conf
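The failure described in this issue, reproduced as an added example that is not the cookbook's code: the two templates are hypothetical stand-ins for the linked lines (which the page does not show), the proxy host and the surrounding config lines are constructed, and the lint function is an assumed pre-flight check rather than anything freshclam provides.

```ruby
require 'erb'

# Hypothetical stand-in for the template's proxy lines: guards on nil only.
WEAK_TEMPLATE = <<~TEMPLATE
  <% unless server.nil? -%>
  HTTPProxyServer <%= server %>
  <% end -%>
  <% unless port.nil? -%>
  HTTPProxyPort <%= port %>
  <% end -%>
TEMPLATE

# Corrected form: nil, '' and whitespace-only values all leave the option out.
HARDENED_TEMPLATE = <<~TEMPLATE
  <% unless server.to_s.strip.empty? -%>
  HTTPProxyServer <%= server %>
  <% end -%>
  <% unless port.to_s.strip.empty? -%>
  HTTPProxyPort <%= port %>
  <% end -%>
TEMPLATE

# Constructed lines standing in for the rest of freshclam.conf.
CONF_HEAD = "# constructed sample\nDatabaseMirror database.clamav.net\n".freeze

def freshclam_conf(template, server, port)
  body = ERB.new(template, trim_mode: '-')
            .result_with_hash(server: server, port: port)
  CONF_HEAD + body
end

# Pre-flight lint: [line_number, option] for every option line that carries
# no argument, the condition reported as "Missing argument for option".
def options_missing_argument(conf_text)
  conf_text.each_line.with_index(1).each_with_object([]) do |(line, n), out|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    name, value = stripped.split(/\s+/, 2)
    out << [n, name] if value.nil? || value.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Empty-string overrides, as set in the reporter's roles and environments.
  weak = freshclam_conf(WEAK_TEMPLATE, '', '')
  options_missing_argument(weak).each do |n, name|
    puts "line #{n}: #{name} has no argument"
  end
  puts freshclam_conf(HARDENED_TEMPLATE, 'proxy.example.internal', 3128)
end
```

Linting the rendered file in the same converge, before the service is notified, keeps a bad override from leaving a node without signature updates.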

clamav-scan.sh refers to incorrect clamscan binary on Ubuntu 14.04 - possibly other distros

On line 8 of the included clamav-scan.sh shell script the clamscan binary is hard-coded as /usr/bin/clamdscan - on my Ubuntu 14.04 version this should be /usr/bin/clamscan - I've also noticed the script is using CLI options which are not valid (--fdpass).

root@ubuntu-14-04-test:/usr/local/bin# ./clamav-scan.sh
./clamav-scan.sh: 20: ./clamav-scan.sh: /usr/bin/clamdscan: not found
root@ubuntu-14-04-test:/usr/local/bin# which clamscan
/usr/bin/clamscan

I plan to submit a pull request fixing the shell script - maybe building it from a template to make it more distro portable? We'll see how it goes. I'm putting lots of work into getting clamav going across multiple AWS environments so I'd be happy to help with updating this cookbook.
