Commit 5cbacdcd authored by Jörg Sachse's avatar Jörg Sachse

feat: add installation tasks for ClamAV on RedHat

parent 1b4ea3f9
---
# based on https://www.golinuxcloud.com/steps-install-configure-clamav-antivirus-centos-linux/
- name: include vars clamav
include_vars: "clamav.yml"
tags: [apt]
- name: install clamav packages (Debian)
apt:
name: "clamav-daemon"
......@@ -13,8 +17,15 @@
- name: install clamav packages (RedHat)
yum:
name: [
'clamav-server',
'clamav',
'clamav-scanner-systemd',
'clamav-server-systemd',
#'clamav-data', # pulled in by dependency
#'clamav-update', # pulled in by dependency
#'clamav-filesystem', # pulled in by dependency
#'clamav-lib', # pulled in by dependency
"clamd",
"clamav"
]
state: present
when: ansible_os_family == "RedHat"
......@@ -71,13 +82,67 @@
DatabaseMirror database.clamav.net
OnUpdateExecute "/usr/local/bin/refresh_rkhunter.sh"
#- name: patch Freshclam service
# lineinfile:
# path: "/usr/lib/systemd/system/clamav-freshclam.service"
# regexp: "ExecStart="
# # original line ad installed by distro:
# # ExecStart=/usr/bin/freshclam -d --foreground=true
# line: "ExecStart=/usr/bin/freshclam"
# when: ansible_os_family == "RedHat"
- name: install Freshclam timer
copy:
src: "etc/systemd/system/clamav-freshclam.timer"
dest: "/etc/systemd/system/clamav-freshclam.timer"
when: ansible_os_family == "RedHat"
- name: start and enable Freshclam timer
systemd:
service: "clamav-freshclam.timer"
enabled: true
state: started
when: ansible_os_family == "RedHat"
- name: configure ClamD
blockinfile:
name: "{{ clamav_cfg_path }}/{{ 'clamd' if ansible_os_family == 'Debian' else ansible_hostname }}.conf"
mode: "0444"
owner: "{{ 'clamav' if ansible_os_family == 'Debian' else 'clamscan' }}"
group: "adm"
create: true
insertafter: EOF
marker: "# {mark} ANSIBLE MANAGED BLOCK - CLAMD SCAN SETTINGS"
block: |
LogFileMaxSize 0
LogTime yes
LogVerbose yes
TemporaryDirectory /var/tmp
DatabaseDirectory /var/lib/clamav
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 200
StreamMaxLength 4000K
# AllowSupplementaryGroups yes # DEPRECATED
ScanPE yes
ScanELF yes
# DetectBrokenExecutables yes # DEPRECATED
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveBlockEncrypted no
notify: restart clamd
- name: configure ClamD exclude paths
blockinfile:
name: "{{ clamav_cfg_path }}/clamd.conf"
name: "{{ clamav_cfg_path }}/{{ 'clamd' if ansible_os_family == 'Debian' else ansible_hostname }}.conf"
mode: "0444"
owner: "{{ 'clamav' if ansible_os_family == 'Debian' else 'clamscan' }}"
group: "adm"
create: "yes"
create: true
insertafter: EOF
marker: "### {mark} ANSIBLE MANAGED BLOCK - CLAMD FILE WHITELIST"
block: |
......@@ -103,3 +168,17 @@
if [ -x /usr/bin/rkhunter ]; then
/usr/bin/rkhunter --propupd --nolog
fi
- name: copy systemd service
copy:
src: "/usr/lib/systemd/system/clamd@.service"
dest: "/etc/systemd/system/"
remote_src: true
when: ansible_os_family == "RedHat"
- name: enable ClamD systemd service
systemd:
service: "clamd@{{ ansible_hostname }}.service"
enabled: true
state: "started"
when: ansible_os_family == "RedHat"
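Review bot: The two `copy` tasks that install systemd units (`clamav-freshclam.timer`, and `clamd@.service` into `/etc/systemd/system/`) set no `owner`, `group` or `mode`, so the permissions of unit files that systemd loads as root are left to defaults; pin them with `owner: root`, `group: root`, `mode: "0644"`. Neither of the `systemd` tasks that follow sets `daemon_reload: true`, so a freshly written unit may not be picked up before `state: started` is applied. The full copy of `clamd@.service` also shadows the packaged unit, so later package changes to that unit would no longer take effect; no local edits to the copy are visible here, so a drop-in directory or enabling the packaged template directly would avoid that. Separately, in the "configure ClamD" block, `TCPSocket 3310` on `127.0.0.1` leaves clamd's unauthenticated command interface open to every local user; if no consumer of this role needs TCP (not visible from this page), `LocalSocket` with `LocalSocketGroup` and `LocalSocketMode` would restrict access by file permissions.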