feat: resolves GitLab issue 2368...

feat: resolves GitLab issue 2368 (https://git.slub-dresden.de/import-jira-projekte/referat_2.3/-/issues/2368) by making sure that all ClamAV components are uninstalled

feat: resolves GitLab issue 2368...
d2e3217f · Jörg Sachse · 94c6e77c · d2e3217f · d2e3217f · 94c6e77c
Commit d2e3217f authored 10 months ago by Jörg Sachse
--- a/molecule/virtualbox/molecule.yml
+++ b/molecule/virtualbox/molecule.yml
@@ -12,7 +12,7 @@ platforms:
  # Check out the documentation at
  # https://github.com/ansible-community/molecule-vagrant#documentation
  # for more platform parameters.
-  - name: vm-runner
+  - name: vm-harden-mol-deb
    box: debian/bookworm64
    memory: 3072
    # List of raw Vagrant `config` options.

--- a/molecule/virtualbox_rocky8/molecule.yml
+++ b/molecule/virtualbox_rocky8/molecule.yml
@@ -8,7 +8,7 @@ platforms:
  # Check out the documentation at
  # https://github.com/ansible-community/molecule-vagrant#documentation
  # for more platform parameters.
-  - name: vm-harden-mol
+  - name: vm-harden-mol-rocky8
    box: rockylinux/8
    memory: 3072
    # List of raw Vagrant `config` options.

--- a/tasks/install_clamav.yml
+++ b/tasks/install_clamav.yml
---
-# based on https://www.golinuxcloud.com/steps-install-configure-clamav-antivirus-centos-linux/
- name: include vars clamav
-  ansible.builtin.include_vars: "clamav.yml"
-  tags: [apt]
- name: install clamav packages (Debian)
-  ansible.builtin.apt:
-    name: "clamav-daemon"
-    state: present
-  when: ansible_os_family == "Debian"
-  tags: [apt]
- name: install clamav packages (RedHat)
-  ansible.builtin.dnf:
-    name: [
-      'clamav-server',
-      'clamav',
-      'clamav-scanner-systemd',
-      'clamav-server-systemd',
-      'clamav-update',
-      # 'clamav-data',           # pulled in by dependency
-      # 'clamav-filesystem',     # pulled in by dependency
-      # 'clamav-lib',            # pulled in by dependency
-      "clamd",
-    ]
-    state: present
-    update_cache: true
-  when: ansible_os_family == "RedHat"
-  tags: [yum]
- name: create ClamAV log directory
-  ansible.builtin.file:
-    path: "/var/log/clamav/"
-    state: directory
-    mode: "0755"
-    owner: "{{ 'clamav' if ansible_os_family == 'Debian' else 'clamupdate' }}"
-    group: "adm"
-# clamav-freshclam.service und clamav-daemon.service laufen nach der Installation sofort los
- name: configure freshclam
-  ansible.builtin.blockinfile:
-    name: "{{ clamav_cfg_path }}/freshclam.conf"
-    mode: "0444"
-    owner: "{{ 'clamav' if ansible_os_family == 'Debian' else 'clamupdate' }}"
-    group: "adm"
-    create: true
-    block: |
-      # Automatically created by the clamav-freshclam postinst
-      # Comments will get lost when you reconfigure the clamav-freshclam package
-      DatabaseOwner {{ 'clamav' if ansible_os_family == 'Debian' else 'clamupdate' }}
-      UpdateLogFile /var/log/clamav/freshclam.log
-      LogVerbose false
-      LogSyslog false
-      LogFacility LOG_LOCAL6
-      LogFileMaxSize 50M
-      LogRotate true
-      LogTime true
-      Foreground false
-      Debug false
-      MaxAttempts 5
-      DatabaseDirectory /var/lib/clamav
-      DNSDatabaseInfo current.cvd.clamav.net
-      ConnectTimeout 30
-      ReceiveTimeout 30
-      TestDatabases yes
-      ScriptedUpdates yes
-      CompressLocalDatabase no
-      # SafeBrowsing false      # DEPRECATED
-      Bytecode true
-      NotifyClamd /etc/clamav/clamd.conf
-      # Check for new database 24 times a day
-      Checks 24
-      # Default: DatabaseMirror db.local.clamav.net
-      DatabaseMirror db.de.clamav.net
-      DatabaseMirror database.clamav.net
-      OnUpdateExecute "/usr/local/bin/refresh_rkhunter.sh"
-  notify: restart freshclam
- name: remove legacy config
-  ansible.builtin.file:
-    path: "{{ clamav_cfg_path }}/{{ ansible_hostname }}.conf"
-    state: absent
-# Config paths according to manpage/systemd-unit:
-#   - Debian: "/etc/clamav/clamd.conf"
-#   - RedHat: "/etc/clamd.d/scan.conf"
- name: configure ClamD
-  ansible.builtin.blockinfile:
-    name: "{{ clamav_cfg_path }}/{{ 'clamd' if ansible_os_family == 'Debian' else 'scan' }}.conf"
-    mode: "0444"
-    owner: "{{ 'clamav' if ansible_os_family == 'Debian' else 'clamscan' }}"
-    group: "adm"
-    create: true
-    insertafter: EOF
-    marker: "{{ item.marker }}"
-    block: "{{ item.block }}"
-  loop:
-    # configure general settings
-    - marker: "# {mark} ANSIBLE MANAGED BLOCK - CLAMD SCAN SETTINGS"
-      block: |
-        LogFileMaxSize 0
-        LogTime yes
-        LogVerbose yes
-        TemporaryDirectory /var/tmp
-        DatabaseDirectory /var/lib/clamav
-        FixStaleSocket yes
-        TCPSocket 3310
-        TCPAddr 127.0.0.1
-        MaxConnectionQueueLength 200
-        StreamMaxLength 4000M
-        # AllowSupplementaryGroups yes            # DEPRECATED
-        ScanPE yes
-        ScanELF yes
-        # DetectBrokenExecutables yes             # DEPRECATED
-        ScanOLE2 yes
-        ScanMail yes
-        ScanArchive yes
-        ArchiveBlockEncrypted no
-        OnAccessExcludeUname root
-        OnAccessIncludePath /
-    # configure ClamD exclude paths
-    - marker: "### {mark} ANSIBLE MANAGED BLOCK - CLAMD FILE WHITELIST"
-      block: |
-        # Exclude paths from being checked. Use 'man regex' to get more information about REGEX format (clamav uses the regex.c library).
-        # Default: ExcludePath REGEX
-        ExcludePath "/mnt/*"
-        # Default: disabled
-        OnAccessExcludePath "/mnt/*"
-  notify:
-    - restart clamav-daemon service
-    - restart clamd service
- name: configure ClamD to refresh rkhunter after DB updates
-  ansible.builtin.blockinfile:
-    name: "/usr/local/bin/refresh_rkhunter.sh"
-    mode: "0755"
-    owner: "{{ 'clamav' if ansible_os_family == 'Debian' else 'clamupdate' }}"
-    group: "adm"
-    create: true
-    insertafter: EOF
-    block: |
-      #!/usr/bin/env bash
-      set -e
-      if [ -x /usr/bin/rkhunter ]; then
-          /usr/bin/rkhunter --propupd --nolog
-      fi
- name: enable Freshclam systemd service now to make sure we have signature databases on the system 
-  ansible.builtin.systemd:
-    service: "clamav-freshclam.service"
-    enabled: true
-    state: "started"
-  when: ansible_os_family == "RedHat"
- name: wait for signature file to appear
-  ansible.builtin.wait_for:
-    path: "/var/lib/clamav/{{ item }}"
-    timeout: 600   # Maximum number of seconds to wait for
-  loop:
-    - "bytecode.cvd"    # compiled bytecode signatures evaluated by the
-                        # bytecode interpreter engine
-    # - "daily.cld"     # signatures for the latest threats (updated daily)
-                        # We don't wait for these, because they might not exist
-                        # on a fresh installation.
-    - "main.cvd"        # signatures previously in daily.cvd that have shown to
-                        # have a low false-positive risk.
-  when: ansible_os_family == "RedHat"
- name: find out if unnecessary systemd service exists
-  ansible.builtin.stat:
-    path: "/etc/systemd/system/multi-user.target.wants/clamd@{{ ansible_hostname }}.service"
-  register: clamd_unit
- name: remove unnecessary systemd services
-  ansible.builtin.systemd:
-    service: "clamd@{{ ansible_hostname }}.service"
-    state: stopped
-    enabled: false
-  loop:
-    - "clamd@{{ ansible_hostname }}.service"
-    - "clamd@.service"
-  when: 
-    - ( ansible_os_family == "RedHat" )
-    - ( clamd_unit.stat.exists )
- name: remove custom clamd service
-  ansible.builtin.file:
-    path: "/etc/systemd/system/clamd@.service"
-    state: absent
-  when: 
-    - ( ansible_os_family == "RedHat" )
-    - ( clamd_unit.stat.exists )
- name: enable ClamD systemd service
-  ansible.builtin.systemd:
-    service: "clamd@scan.service"
-    enabled: true
-    state: "started"
-  when: ansible_os_family == "RedHat"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -52,8 +52,8 @@
  ansible.builtin.import_tasks: "install_rkhunter.yml"
  tags: [rkhunter]
- name: include ClamAV install task
+- name: include ClamAV uninstall task
-  ansible.builtin.import_tasks: "install_clamav.yml"
+  ansible.builtin.import_tasks: "uninstall_clamav.yml"
  tags: [clamav]
 - name: include auditd install task

--- a/tasks/uninstall_clamav.yml
+++ b/tasks/uninstall_clamav.yml
+---
+# based on https://www.golinuxcloud.com/steps-install-configure-clamav-antivirus-centos-linux/
+- name: include vars clamav
+  ansible.builtin.include_vars: "clamav.yml"
+  tags: [apt]
+- name: uninstall clamav packages (Debian)
+  ansible.builtin.apt:
+    name: "clamav-daemon"
+    state: absent
+  when: ansible_os_family == "Debian"
+  tags: [apt]
+- name: uninstall clamav packages (RedHat)
+  ansible.builtin.dnf:
+    name: [
+      'clamav-server',
+      'clamav',
+      'clamav-scanner-systemd',
+      'clamav-server-systemd',
+      'clamav-update',
+      # 'clamav-data',           # pulled in by dependency
+      # 'clamav-filesystem',     # pulled in by dependency
+      # 'clamav-lib',            # pulled in by dependency
+      "clamd",
+    ]
+    state: absent
+  when: ansible_os_family == "RedHat"
+  tags: [yum]
+- name: purge ClamAV files (configs, logs)
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/var/log/clamav"    # Logdir
+    - "{{ clamav_cfg_path }}/freshclam.conf"    # Freshclam config
+    - "{{ clamav_cfg_path }}/{{ 'clamd' if ansible_os_family == 'Debian' else 'scan' }}.conf"    # ClamAV config
+    - "{{ clamav_cfg_path }}/{{ ansible_hostname }}.conf"    # Legacy config
+    - "/usr/local/bin/refresh_rkhunter.sh"    # RKhunter
+- name: find out if Freshclam/ClamAV services exist    # noqa command-instead-of-module
+  ansible.builtin.command:
+    cmd: "systemctl is-active {{ item }}"
+  loop:
+    - "clamav-freshclam.service"
+    - "clamd@scan.service"
+  when: ansible_os_family == "RedHat"
+  changed_when: false
+  failed_when: false
+  register: services
+- name: disable Freshclam and Clamd systemd service
+  ansible.builtin.systemd:
+    service: "{{ item.item }}"
+    enabled: false
+    state: "stopped"
+  when:
+    - ansible_os_family == "RedHat"
+    - '"inactive" != item.stdout'
+  loop: "{{ services.results }}"
+- name: find out if unnecessary systemd service exists
+  ansible.builtin.stat:
+    path: "/etc/systemd/system/multi-user.target.wants/clamd@{{ ansible_hostname }}.service"
+  register: clamd_unit
+- name: remove unnecessary systemd services
+  ansible.builtin.systemd:
+    service: "clamd@{{ ansible_hostname }}.service"
+    state: stopped
+    enabled: false
+  loop:
+    - "clamd@{{ ansible_hostname }}.service"
+    - "clamd@.service"
+  when: 
+    - ( ansible_os_family == "RedHat" )
+    - ( clamd_unit.stat.exists )
+- name: remove custom clamd service
+  ansible.builtin.file:
+    path: "/etc/systemd/system/clamd@.service"
+    state: absent
+  when: 
+    - ( ansible_os_family == "RedHat" )
+    - ( clamd_unit.stat.exists )