From 219686f57a3f4f50e188fb5a543ce85f5dbc70b6 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 23 Dec 2020 18:08:37 +0100
Subject: [PATCH] Support for the urlhaus signatures.

---
 defaults/main.yml | 6 ++--
 tasks/main.yml | 53 ++++++++++++++++++++++++++++++-
 templates/urlhaus-signatures.j2 | 56 +++++++++++++++++++++++++++++++++
 vars/main.yml | 5 ++-
 4 files changed, 114 insertions(+), 6 deletions(-)
 create mode 100644 templates/urlhaus-signatures.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index cc7fb62..583d83e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,6 +6,8 @@ clamav_install: True
 clamav_milter_install: False
 clamav_clamd_spamassassin_service: False
 clamav_unofficial_sigs_install: '{{ clamav_install }}'
+# See https://urlhaus.abuse.ch/api/#clamav
+clamav_urlhaus_signatures_install: '{{ clamav_install }}'
 
 clamav_rh_pkgs:
   - clamd
@@ -22,14 +24,10 @@ clamav_unofficial_sigs_rh_pkgs:
   - clamav-unofficial-sigs
   - perl
 
-clamav_signatures_db_dir: '/var/lib/clamav'
 clamav_signatures_dbs_to_wipe: []
 # - 'scamnailer.ndb'
 clamav_signatures_whitelist_file: 'local_whitelist.ign2'
 clamav_signatures_whitelist: []
-clamav_clamd_user: clamscan
-clamav_clamd_conf_dir: '/etc/clamd.d'
-clamav_clamd_conf_file: '{{ clamav_clamd_conf_dir }}/scan.conf'
 
 # Main service (clamd@scan)
 clamav_clamd_verbose_logging: 'yes'
diff --git a/tasks/main.yml b/tasks/main.yml
index b31d787..69410bb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
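Review bot: Removing `clamav_signatures_db_dir`, `clamav_clamd_user`, `clamav_clamd_conf_dir` and `clamav_clamd_conf_file` from defaults/main.yml in the second hunk and re-adding them in vars/main.yml (the last hunk of this patch) raises them from role defaults to role vars, so inventory, group_vars and host_vars can no longer override the clamd user or the signature directory. If the goal is only to make these values available to the new urlhaus script and cron job, they are already visible to templates and tasks from defaults/main.yml and can stay there. If the move is deliberate, a comment above them in vars/main.yml should say so, e.g. `# Role-internal values; not meant to be overridden per host (role vars beat inventory vars)`.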
@@ -78,7 +78,58 @@
   when: clamav_unofficial_sigs_install | bool
   tags: [ 'clamav', 'clamav_clamd', 'clamav_config', 'clamav_unofficial_sigs' ]
 
-- name: Configure clamav milter
+- name: Manage the clamav urlhaus signatures
+  block:
+    - name: Install the procmail package on RH based systems
+      yum: pkg=procmail state=present
+      when: ansible_distribution_file_variety == "RedHat"
+
+    - name: Install the clamav urlhaus script
+      template: src=urlhaus-signatures.j2 dest=/usr/local/bin/clamav-urlhaus-signatures owner=root group=root mode='0755'
+
+    - name: Install a cron job that downloads the urlhaus signatures
+      cron:
+        cron_file: clamav-urlhaus
+        minute: '*'
+        hour: '*'
+        day: '*'
+        weekday: '*'
+        month: '*'
+        disabled: no
+        job: "/usr/local/bin/clamav-urlhaus-signatures >/dev/null 2>& 1"
+        user: "{{ clamav_clamd_user }}"
+        name: 'manage-urlhaus-signatures'
+        state: present
+
+  when: clamav_urlhaus_signatures_install
+  tags: [ 'clamav', 'clamav_urlhaus' ]
+
+- name: Manage the clamav urlhaus signatures
+  block:
+    - name: Install the clamav urlhaus script
+      file: dest=/usr/local/bin/clamav-urlhaus-signatures state=absent
+
+    - name: Install the clamav urlhaus script
+      file: dest={{ clamav_signatures_db_dir }}/urlhaus.ndb state=absent
+
+    - name: Remove the cron job that downloads the urlhaus signatures
+      cron:
+        cron_file: clamav-urlhaus
+        minute: '*'
+        hour: '*'
+        day: '*'
+        weekday: '*'
+        month: '*'
+        disabled: no
+        job: "/usr/local/bin/clamav-urlhaus-signatures >/dev/null 2>& 1"
+        user: "{{ clamav_clamd_user }}"
+        name: 'manage-urlhaus-signatures'
+        state: absent
+
+  when: not clamav_urlhaus_signatures_install
+  tags: [ 'clamav', 'clamav_urlhaus' ]
+
+- name: Configure the clamav milter
   block:
     - name: Install the clamav milter configuration
       template: src=clamav-milter.conf.j2 dest=/etc/mail/clamav-milter.conf owner=root group=root mode=0444
diff --git a/templates/urlhaus-signatures.j2 b/templates/urlhaus-signatures.j2
new file mode 100644
index 0000000..0a21b34
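Review bot: The two new block conditions `when: clamav_urlhaus_signatures_install` and `when: not clamav_urlhaus_signatures_install` test the raw variable, while the sibling task at the top of the hunk uses `when: clamav_unofficial_sigs_install | bool`; since the default added in defaults/main.yml is the templated string `'{{ clamav_install }}'`, the new conditions should apply the same filter, `when: clamav_urlhaus_signatures_install | bool` and `when: not (clamav_urlhaus_signatures_install | bool)`, so a string value cannot be treated as truthy. The removal block reuses the name `Manage the clamav urlhaus signatures`, and its two `file: ... state=absent` tasks are both named `Install the clamav urlhaus script`, so play output reads as an install when files are being deleted; `Remove the clamav urlhaus script` and `Remove the urlhaus signature database` would describe them. `disabled: no` in both cron tasks is a YAML 1.1 truthy spelling; `disabled: false` matches the `true`/`false` convention, and the `minute`/`hour`/`day`/`weekday`/`month` keys are not needed on the `state: absent` cron task, which only needs `cron_file`, `name` and `user` to remove the entry. The task list continues past the end of the hunk.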
--- /dev/null
+++ b/templates/urlhaus-signatures.j2
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# This script updates Clamav definitions with data from URLhaus (https://urlhaus.abuse.ch/api/#clamav)
+#
+# The original script lives at https://github.com/abusech/urlhaus/blob/master/clamav.sh
+#
+
+CLAMDIR="{{ clamav_signatures_db_dir }}"
+CLAMUSER="{{ clamav_clamd_user }}"
+CLAMGROUP="{{ clamav_clamd_user }}"
+
+tmpdir=/var/tmp
+tmp_urlhaus="$tmpdir/urlhaus"
+
+current_user=$( id -u -n )
+if [ "$current_user" != "$CLAMUSER" ] ; then
+  logger "urlhaus-signatures: must run as user $CLAMUSER"
+  echo "Must run as user $CLAMUSER"
+  exit 1
+fi
+
+RELOAD=0
+
+lockfile -r 0 /tmp/local.the.lock 2>/dev/null || exit 1
+
+rm -rf $tmp_urlhaus
+mkdir $tmp_urlhaus
+
+curl -s https://urlhaus.abuse.ch/downloads/urlhaus.ndb -o $tmp_urlhaus/urlhaus.ndb
+
+if [ $? -eq 0 ]; then
+  clamscan --quiet -d $tmp_urlhaus $tmp_urlhaus 2>&1 >/dev/null
+  if [ $? -eq 0 ]; then
+    if [ -f "$CLAMDIR"/urlhaus.ndb ]; then
+      MD5old=`md5sum "$CLAMDIR"/urlhaus.ndb`
+      MD5new=`md5sum $tmp_urlhaus/urlhaus.ndb`
+      if ! [ "$MD5old" = "$MD5new" ]; then
+        # Updated file
+        cp $tmp_urlhaus/urlhaus.ndb $CLAMDIR
+        RELOAD=1
+      fi
+    else
+      # Looks like it's the first run
+      cp $tmp_urlhaus/urlhaus.ndb $CLAMDIR
+      chown $CLAMUSER.$CLAMGROUP "$CLAMDIR"/urlhaus.ndb
+      RELOAD=1
+    fi
+  fi
+fi
+
+if [ $RELOAD -eq 1 ]; then
+  clamdscan --reload
+fi
+
+rm -rf $tmp_urlhaus
+rm -f /tmp/local.the.lock
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
index 3808477..b6e19d9 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,2 +1,5 @@
 ---
-# vars file for ansible-role-template
\ No newline at end of file
+clamav_clamd_user: clamscan
+clamav_clamd_conf_dir: '/etc/clamd.d'
+clamav_clamd_conf_file: '{{ clamav_clamd_conf_dir }}/scan.conf'
+clamav_signatures_db_dir: '/var/lib/clamav'
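Review bot: The change detection in the new script never fires as intended: `md5sum` prints the digest followed by the file path, and the two paths (`$CLAMDIR/urlhaus.ndb` versus `$tmp_urlhaus/urlhaus.ndb`) always differ, so `MD5old` and `MD5new` are never equal, every run takes the `# Updated file` branch, copies the database and runs `clamdscan --reload`, and with the cron entry in tasks/main.yml firing every minute that is a signature reload per minute. Compare the digest alone: `MD5old=$(md5sum "$CLAMDIR"/urlhaus.ndb | cut -d ' ' -f 1)` and `MD5new=$(md5sum "$tmp_urlhaus"/urlhaus.ndb | cut -d ' ' -f 1)`. The fixed paths `/var/tmp/urlhaus` and `/tmp/local.the.lock` sit in world-writable directories and the `mkdir $tmp_urlhaus` result is not checked, so a pre-existing entry of that name owned by another local user either stops updates silently or has the download written into a directory the script does not own; `tmp_urlhaus=$(mktemp -d)` for the work directory and a lock file under `$CLAMDIR` or another directory owned by `$CLAMUSER` remove both dependencies on shared temp space. `curl -s` without `-f` exits 0 on an HTTP error and stores the error body as `urlhaus.ndb`, leaving the `clamscan` check as the only guard; `curl -sf` fails early instead, and `chown $CLAMUSER.$CLAMGROUP` should use the `$CLAMUSER:$CLAMGROUP` form since the dot separator is deprecated.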