diff --git a/tasks/install-clamav.yml b/tasks/install-clamav.yml index a26115569d455779ae32f06dd6717793a8bbcfb4..6508cf5905a76e8beb91f6d4e953443220eaa17b 100644 --- a/tasks/install-clamav.yml +++ b/tasks/install-clamav.yml @@ -1,8 +1,12 @@ --- +# based on https://www.golinuxcloud.com/steps-install-configure-clamav-antivirus-centos-linux/ + - name: include vars clamav include_vars: "clamav.yml" tags: [apt] + + - name: install clamav packages (Debian) apt: name: "clamav-daemon" @@ -13,8 +17,15 @@ - name: install clamav packages (RedHat) yum: name: [ + 'clamav-server', + 'clamav', + 'clamav-scanner-systemd', + 'clamav-server-systemd', + #'clamav-data', # pulled in by dependency + #'clamav-update', # pulled in by dependency + #'clamav-filesystem', # pulled in by dependency + #'clamav-lib', # pulled in by dependency "clamd", - "clamav" ] state: present when: ansible_os_family == "RedHat" 
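Review bot: The RedHat package list leaves `clamav-update` commented out as "pulled in by dependency", although the Freshclam timer installed later in this commit presumably relies on the freshclam binary and service unit from that package. If the dependency is ever resolved another way, the timer would have nothing to run and signature updates would stop, so listing `'clamav-update',` explicitly makes the requirement visible. The list now mixes `'single'` and `"double"` quoted entries and carries commented-out items inside a flow sequence; a block sequence with one quoting style would be easier to read. It is also worth confirming that both `clamd` and `clamav-server` are wanted on the target release, since the new list keeps both.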
@@ -71,13 +82,67 @@ DatabaseMirror database.clamav.net OnUpdateExecute "/usr/local/bin/refresh_rkhunter.sh" +#- name: patch Freshclam service +# lineinfile: +# path: "/usr/lib/systemd/system/clamav-freshclam.service" +# regexp: "ExecStart=" +# # original line ad installed by distro: +# # ExecStart=/usr/bin/freshclam -d --foreground=true +# line: "ExecStart=/usr/bin/freshclam" +# when: ansible_os_family == "RedHat" + +- name: install Freshclam timer + copy: + src: "etc/systemd/system/clamav-freshclam.timer" + dest: "/etc/systemd/system/clamav-freshclam.timer" + when: ansible_os_family == "RedHat" + +- name: start and enable Freshclam timer + systemd: + service: "clamav-freshclam.timer" + enabled: true + state: started + when: ansible_os_family == "RedHat" + + + +- name: configure ClamD + blockinfile: + name: "{{ clamav_cfg_path }}/{{ 'clamd' if ansible_os_family == 'Debian' else ansible_hostname }}.conf" + mode: "0444" + owner: "{{ 'clamav' if ansible_os_family == 'Debian' else 'clamscan' }}" + group: "adm" + create: true + insertafter: EOF + marker: "# {mark} ANSIBLE MANAGED BLOCK - CLAMD SCAN SETTINGS" + block: | + LogFileMaxSize 0 + LogTime yes + LogVerbose yes + TemporaryDirectory /var/tmp + DatabaseDirectory /var/lib/clamav + FixStaleSocket yes + TCPSocket 3310 + TCPAddr 127.0.0.1 + MaxConnectionQueueLength 200 + StreamMaxLength 4000K + # AllowSupplementaryGroups yes # DEPRECATED + ScanPE yes + ScanELF yes + # DetectBrokenExecutables yes # DEPRECATED + ScanOLE2 yes + ScanMail yes + ScanArchive yes + ArchiveBlockEncrypted no + notify: restart clamd + - name: configure ClamD exclude paths blockinfile: - name: "{{ clamav_cfg_path }}/clamd.conf" + name: "{{ clamav_cfg_path }}/{{ 'clamd' if ansible_os_family == 'Debian' else ansible_hostname }}.conf" mode: "0444" owner: "{{ 'clamav' if ansible_os_family == 'Debian' else 'clamscan' }}" group: "adm" - create: "yes" + create: true insertafter: EOF marker: "### {mark} ANSIBLE MANAGED BLOCK - CLAMD FILE WHITELIST" block: 
| @@ -103,3 +168,17 @@ if [ -x /usr/bin/rkhunter ]; then /usr/bin/rkhunter --propupd --nolog fi + +- name: copy systemd service + copy: + src: "/usr/lib/systemd/system/clamd@.service" + dest: "/etc/systemd/system/" + remote_src: true + when: ansible_os_family == "RedHat" + +- name: enable ClamD systemd service + systemd: + service: "clamd@{{ ansible_hostname }}.service" + enabled: true + state: "started" + when: ansible_os_family == "RedHat"
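Review bot: In the new `configure ClamD` task the block opens `TCPSocket 3310` on `TCPAddr 127.0.0.1`, and clamd's TCP interface has no authentication, so any local account or process can send scan and control commands to the daemon. For a host-local scanner a Unix socket with restricted permissions is the usual choice, e.g. `LocalSocket <socket path>` with `LocalSocketGroup` and `LocalSocketMode 660` instead of the two TCP lines. The block also sets no `User`, and on RedHat the target is `{{ ansible_hostname }}.conf` created with `create: true`, so unless a task outside this hunk adds it, clamd may keep root privileges while parsing untrusted files. A `User clamscan` line in the RedHat file would match the `owner:` already set there. `ArchiveBlockEncrypted no` lets encrypted archives pass unflagged, which deserves a short comment if it is intentional.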
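Review bot: The `copy systemd service` task duplicates the vendor unit `/usr/lib/systemd/system/clamd@.service` unchanged into `/etc/systemd/system/`, where it shadows the packaged file, so later package updates to that unit (including any hardening changes) no longer take effect. Enabling `clamd@{{ ansible_hostname }}.service` should work against the vendor template directly, so the copy can likely be dropped. If overrides are intended, a drop-in under `/etc/systemd/system/clamd@.service.d/` keeps them separate from the vendor unit. If the copy stays, give it explicit `owner: root`, `group: root` and `mode: "0644"`, and add `daemon_reload: true` to the following `systemd` task so the new unit file is picked up. The Freshclam timer tasks in the previous hunk have the same gap.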