Import the old role.

Andrea Dell'Amico 2020-06-08 17:01:51 +02:00
parent ccc4741ae0
commit 35ee3e0804
10 changed files with 1496 additions and 68 deletions


@ -1,31 +1,22 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
A role that installs and configures clamav and its milter conterpart eventually.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
The most important variables are listed below:
``` yaml
clamav_install: True
clamav_milter_install: False
```
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
None
License
-------
@ -35,4 +26,4 @@ EUPL-1.2
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>


@ -1,2 +1,98 @@
---
# defaults file for ansible-role-template
#
# clamd wants a lot of RAM at startup time. Ensure to have at least 4GB of available memory
#
clamav_install: True
clamav_milter_install: False
clamav_unofficial_sigs_install: '{{ clamav_install }}'
clamav_rh_pkgs:
- clamd
- clamav-filesystem
- clamav
- clamav-data
- clamav-lib
- clamav-update
clamav_milter_rh_pkgs:
- clamav-milter
clamav_unofficial_sigs_rh_pkgs:
- clamav-unofficial-sigs
- perl
clamav_signatures_db_dir: '/var/lib/clamav'
clamav_signatures_dbs_to_wipe:
- 'scamnailer.ndb'
clamav_clamd_user: clamscan
clamav_clamd_conf_file: '/etc/clamd.d/scan.conf'
clamav_clamd_verbose_logging: 'yes'
clamav_clamd_extended_info: 'yes'
clamav_clamd_pidfile: '/run/clamd.scan/clamd.pid'
clamav_clamd_tmp: '/var/tmp'
clamav_clamd_official_db_only: 'no'
clamav_clamd_alert_exceeding_max: 'no'
clamav_clamd_use_local_socket: True
clamav_clamd_local_socket: '/run/clamd.scan/clamd.sock'
clamav_clamd_use_net_socket: False
clamav_clamd_net_socket_port: 3310
clamav_clamd_net_main_socket_addr: '127.0.0.1'
clamav_clamd_net_socket_addrs:
- '{{ clamav_clamd_net_main_socket_addr }}'
# Set this to your MTA max message size. Expressed in MB (M)
clamav_clamd_stream_max_lenght: 25
clamav_clamd_detect_pua: True
clamav_clamd_heuristic_alert: 'yes'
clamav_clamd_heuristic_has_precedence: 'no'
clamav_clamd_additional_doc_scanning: True
clamav_clamd_email_scan: 'yes'
clamav_clamd_html_scan: 'yes'
clamav_clamd_archives_scan: 'yes'
clamav_clamd_max_scan_time: 120000
# Options: None, TrustSigned, Paranoid. Stick to the default
clamav_clamd_bytecode_security: 'TrustSigned'
clamav_additional_signatures_use_proxy: False
clamav_additional_signatures_use_proxy_auth: False
clamav_additional_signatures_proxy_host: ''
clamav_additional_signatures_proxy_port: 3128
clamav_additional_signatures_proxy_user: ''
clamav_additional_signatures_proxy_pwd: ''
clamav_additional_signatures_db_dir: '/var/lib/clamav-unofficial-sigs'
clamav_additional_signatures_dbs_to_wipe:
- 'dbs-ss/scamnailer.ndb'
# Freshclam
clamav_freshclam_check_frequency: 12
clamav_freshclam_use_proxy: False
clamav_freshclam_use_proxy_auth: False
clamav_freshclam_proxy_host: ''
clamav_freshclam_proxy_port: 3128
clamav_freshclam_proxy_user: ''
clamav_freshclam_proxy_pwd: ''
clamav_freshclam_reload_clamd: True
clamav_freshclam_enable_safebrowsing: 'no'
clamav_freshclam_enable_bytecode: 'yes'
#clamav_freshclam_additional_databases:
# - ''
# - ''
# tcp example: inet:7357@127.0.0.1
clamav_milter_socket: 'local:/run/clamav-milter/clamav-milter.socket'
clamav_milter_use_whitelist_file: False
clamav_milter_whitelist_file: '/etc/mail/clamav-whitelist'
clamav_milter_use_skip_authenticated_file: False
clamav_milter_skip_authenticated_file: '/etc/mail/clamav-skip-authenticated'
clamav_milter_onclean_action: 'Accept'
clamav_milter_oninfected_action: 'Reject'
clamav_milter_onfail_action: 'Defer'
clamav_milter_send_reject_msg: True
clamav_milter_reject_msg: 'Virus %v present, email rejected!'
clamav_milter_add_header: True
clamav_milter_add_header_action: 'Add'
clamav_milter_report_hostname: '{{ ansible_fqdn }}'
clamav_milter_clamd_net_socket_addrs:
- { addr: '{{ clamav_clamd_net_main_socket_addr }}', port: '{{ clamav_clamd_net_socket_port }}' }
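Review bot: The two proxy password defaults, `clamav_additional_signatures_proxy_pwd` and `clamav_freshclam_proxy_pwd`, give no hint about where a real value should be kept, and the tasks file in this commit installs the unofficial-sigs configuration with `mode=0444`. If `user.conf.j2` (not visible here) renders the proxy credentials, they end up world-readable on the host; freshclam.conf is installed with `mode=0400`, which is the safer pattern. I would add a comment above each password such as `# Provide the real value from an Ansible Vault-encrypted vars file` and tighten the mode on the unofficial-sigs files to what the updater account actually needs.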


@ -1,2 +1,9 @@
---
# handlers file for ansible-role-template
- name: Reload clamd
service: name=clamd@scan state=reloaded enabled=yes
- name: Restart clamd
service: name=clamd@scan state=restarted enabled=yes
- name: Restart clamav-milter
service: name=clamav-milter state=restarted enabled=yes


@ -1,61 +1,23 @@
galaxy_info:
author: your name
description: your description
author: Andrea Dell'Amico
description: Systems Architect
company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL-1.2
license: EUPL 1.2+
min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
platforms:
- name: EL
versions:
- 7
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
galaxy_tags:
- users
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
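Review bot: `min_ansible_version: 2.8` is an unquoted float, so a later bump to 2.10 would be read as 2.1; write it as `min_ansible_version: '2.8'`. `description: Systems Architect` and the `users` entry under `galaxy_tags` look like leftovers from another role rather than a description of a ClamAV role; the README line in this commit ("A role that installs and configures clamav and its milter ...") would fit as the description, with tags that match what the role installs.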


@ -1,2 +1,78 @@
---
# tasks file for ansible-role-template
- name: Install the clamav packages
block:
- name: Install the clamav packages on RH based systems
yum: pkg={{ clamav_rh_pkgs }} state=present
when: clamav_install | bool
- name: Install the clamav unofficial signature packages on RH based systems
yum: pkg={{ clamav_unofficial_sigs_rh_pkgs }} state=present
when: clamav_unofficial_sigs_install | bool
- name: Install the clamav milter packages on RH based systems
yum: pkg={{ clamav_milter_rh_pkgs}} state=present
when: clamav_milter_install | bool
when: ansible_distribution_file_variety == "RedHat"
tags: [ 'clamav', 'clamav_clamd' ]
- name: Configure freshclam and clamd
block:
- name: Install the clamd configuration
template: src=scan.conf.j2 dest={{ clamav_clamd_conf_file }} owner=root group=root mode=0444
notify: Restart clamd
- name: Install the freshclam configuration
template: src=freshclam.conf.j2 dest=/etc/freshclam.conf owner=root group=root mode=0400
- name: Change the /var/lib/clamav permissions so that freshclam can write into it
file: dest=/var/lib/clamav state=directory owner=clamscan group=clamupdate mode='u=rwx,g=rwsx,o=rx'
- name: Add the clamupdate user to the clamscan group so that it can update the signatures
user: name=clamupdate groups=clamscan append=yes
- name: Ensure that the clamd service is running and enabled
service: name=clamd@scan state=started enabled=yes
- name: Remove some signature files that are broken.
file: dest={{ clamav_signatures_db_dir }}/{{ item }} state=absent
with_items: '{{ clamav_signatures_dbs_to_wipe }}'
tags: [ 'clamav', 'clamav_clamd', 'clamav_config', 'clamav_signatures' ]
- name: Install a cron job that wipes the wrong signature files, just in case they reappear after an update
cron: name="Wipe some clamav signature dbs that are broken" user=root special_time=hourly job="{% for db in clamav_signatures_dbs_to_wipe %}/bin/rm -f {{ clamav_signatures_db_dir }}/{{ db }}{% if not loop.last %}; {% endif %}{% endfor %}"
tags: [ 'clamav', 'clamav_clamd', 'clamav_config', 'clamav_signatures' ]
when: clamav_install | bool
tags: [ 'clamav', 'clamav_clamd', 'clamav_config' ]
- name: Configure clamav unofficial sigs
block:
- name: Install the unofficial sigs configuration files
template: src={{ item }}.j2 dest=/etc/clamav-unofficial-sigs/{{ item }} owner=root group=root mode=0444
with_items:
- os.conf
- user.conf
- name: Wipe some unofficial signature files that are broken. Disabling them seems not enough
copy: content="" dest={{ clamav_additional_signatures_db_dir }}/{{ item }} force=yes
with_items: '{{ clamav_additional_signatures_dbs_to_wipe }}'
notify: Restart clamd
- name: Install a cron job that wipes the wrong unofficial signature files, just in case they reappear after an update
cron: name="Wipe some unofficial clamav signature dbs that are broken" user=root special_time=hourly job="{% for db in clamav_additional_signatures_dbs_to_wipe %}echo '' > {{ clamav_additional_signatures_db_dir }}/{{ db }}{% if not loop.last %}; {% endif %}{% endfor %}"
when: clamav_unofficial_sigs_install | bool
tags: [ 'clamav', 'clamav_clamd', 'clamav_config', 'clamav_unofficial_sigs' ]
- name: Configure clamav milter
block:
- name: Install the clamav milter configuration
template: src=clamav-milter.conf.j2 dest=/etc/mail/clamav-milter.conf owner=root group=root mode=0444
notify: Restart clamav-milter
- name: Ensure that clamav milter is running and enabled
service: name=clamav-milter state=started enabled=yes
when: clamav_milter_install | bool
tags: [ 'clamav', 'clamav_clamd', 'clamav_config' ]
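Review bot: The cron task named "Wipe some unofficial clamav signature dbs that are broken" makes root run `echo '' > {{ clamav_additional_signatures_db_dir }}/{{ db }}` every hour, and a shell redirect writes through whatever the path resolves to. os.conf.j2 in this commit sets `clam_user` to `{{ clamav_clamd_user }}`, so if that account can write to the directory (its ownership is not set anywhere on this page), an account belonging to a daemon that parses untrusted mail decides where a root write lands. Running the job as the directory's owner, `user={{ clamav_clamd_user }}` together with a matching `owner=` on the preceding `copy` task, closes that privilege gap; the `/bin/rm -f` job in the clamd block is less exposed but would benefit from the same treatment. Both jobs also interpolate the path variables unquoted into the shell line, so each path should be wrapped in single quotes, e.g. `/bin/rm -f '{{ clamav_signatures_db_dir }}/{{ db }}'`.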


@ -0,0 +1,302 @@
##
## Example config file for clamav-milter
##
##
## Main options
##
# Define the interface through which we communicate with sendmail
# This option is mandatory! Possible formats are:
# [[unix|local]:]/path/to/file - to specify a unix domain socket
# inet:port@[hostname|ip-address] - to specify an ipv4 socket
# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
#
# Default: no default
#MilterSocket local:/run/clamav-milter/clamav-milter.socket
MilterSocket {{ clamav_milter_socket }}
# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup virusgroup
# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
MilterSocketMode 660
# Remove stale socket after unclean shutdown.
#
# Default: yes
FixStaleSocket yes
# Run as another user (clamav-milter must be started by root for this option
# to work)
#
# Default: unset (don't drop privileges)
User clamilt
# Waiting for data from clamd will timeout after this time (seconds).
# Value of 0 disables the timeout.
#
# Default: 120
#ReadTimeout 300
# Don't fork into background.
#
# Default: no
#Foreground yes
# Chroot to the specified directory.
# Chrooting is performed just after reading the config file and before
# dropping privileges.
#
# Default: unset (don't chroot)
#Chroot /newroot
# This option allows you to save a process identifier of the listening
# daemon (main thread).
#
# Default: disabled
PidFile /run/clamav-milter/clamav-milter.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#
TemporaryDirectory /var/tmp
##
## Clamd options
##
# Define the clamd socket to connect to for scanning.
# This option is mandatory! Syntax:
# ClamdSocket unix:path
# ClamdSocket tcp:host:port
# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
# ClamdSocket unix:/var/run/clamd/clamd.socket
# The second syntax specifies a tcp local or remote tcp socket: the
# host can be a hostname or an ip address; the ":port" field is only required
# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
# ClamdSocket tcp:192.168.0.1
#
# This option can be repeated several times with different sockets or even
# with the same socket: clamd servers will be selected in a round-robin
# fashion.
#
# Default: no default
{% if clamav_clamd_use_local_socket %}
ClamdSocket unix:{{ clamav_clamd_local_socket }}
{% elif clamav_clamd_use_net_socket %}
{% for clamsock in clamav_milter_clamd_net_socket_addrs %}
ClamdSocket tcp:{{ clamsock.addr }}:{{ clamsock.port }}
{% endfor %}
{% endif %}
##
## Exclusions
##
# Messages originating from these hosts/networks will not be scanned
# This option takes a host(name)/mask pair in CIRD notation and can be
# repeated several times. If "/mask" is omitted, a host is assumed.
# To specify a locally originated, non-smtp, email use the keyword "local"
#
# Default: unset (scan everything regardless of the origin)
#LocalNet local
#LocalNet 192.168.0.0/24
#LocalNet 1111:2222:3333::/48
# This option specifies a file which contains a list of basic POSIX regular
# expressions. Addresses (sent to or from - see below) matching these regexes
# will not be scanned. Optionally each line can start with the string "From:"
# or "To:" (note: no whitespace after the colon) indicating if it is,
# respectively, the sender or recipient that is to be whitelisted.
# If the field is missing, "To:" is assumed.
# Lines starting with #, : or ! are ignored.
#
# Default unset (no exclusion applied)
#Whitelist /etc/whitelisted_addresses
{% if clamav_milter_use_whitelist_file %}
Whitelist {{ clamav_milter_whitelist_file }}
{% endif %}
# Messages from authenticated SMTP users matching this extended POSIX
# regular expression (egrep-like) will not be scanned.
# As an alternative, a file containing a plain (not regex) list of names (one
# per line) can be specified using the prefix "file:".
# e.g. SkipAuthenticated file:/etc/good_guys
#
# Note: this is the AUTH login name!
#
# Default: unset (no whitelisting based on SMTP auth)
{% if clamav_milter_use_skip_authenticated_file %}
SkipAuthenticated file:{{ clamav_milter_skip_authenticated_file }}
{% endif %}
# Messages larger than this value won't be scanned.
# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
#
# Default: 25M
MaxFileSize {{ clamav_clamd_stream_max_lenght }}M
##
## Actions
##
# The following group of options controls the delivery process under
# different circumstances.
# The following actions are available:
# - Accept
# The message is accepted for delivery
# - Reject
# Immediately refuse delivery (a 5xx error is returned to the peer)
# - Defer
# Return a temporary failure message (4xx) to the peer
# - Blackhole (not available for OnFail)
# Like Accept but the message is sent to oblivion
# - Quarantine (not available for OnFail)
# Like Accept but message is quarantined instead of being delivered
#
# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
# For Postfix this causes the message to be placed on hold
#
# Action to be performed on clean messages (mostly useful for testing)
# Default: Accept
OnClean {{ clamav_milter_onclean_action }}
# Action to be performed on infected messages
# Default: Quarantine
#OnInfected Quarantine
OnInfected {{ clamav_milter_oninfected_action }}
# Action to be performed on error conditions (this includes failure to
# allocate data structures, no scanners available, network timeouts,
# unknown scanner replies and the like)
# Default: Defer
OnFail {{ clamav_milter_onfail_action }}
# This option allows to set a specific rejection reason for infected messages
# and it's therefore only useful together with "OnInfected Reject"
# The string "%v", if present, will be replaced with the virus name.
# Default: MTA specific
{% if clamav_milter_send_reject_msg %}
RejectMsg "{{ clamav_milter_reject_msg }}"
{% endif %}
{% if clamav_milter_add_header %}
# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
# "X-Virus-Status" headers will be attached to each processed message, possibly
# replacing existing headers.
# If it is set to Add, the X-Virus headers are added possibly on top of the
# existing ones.
# Note that while "Replace" can potentially break DKIM signatures, "Add" may
# confuse procmail and similar filters.
# Default: no
AddHeader {{ clamav_milter_add_header_action }}
# When AddHeader is in use, this option allows to arbitrary set the reported
# hostname. This may be desirable in order to avoid leaking internal names.
# If unset the real machine name is used.
# Default: disabled
ReportHostname {{ clamav_milter_report_hostname }}
{% endif %}
# Execute a command (possibly searching PATH) when an infected message is
# found.
# The following parameters are passed to the invoked program in this order:
# virus name, queue id, sender, destination, subject, message id, message date.
# Note #1: this requires MTA macroes to be available (see LogInfected below)
# Note #2: the process is invoked in the context of clamav-milter
# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
# avoid unnecessary delays in email delivery
# Default: disabled
#VirusAction /usr/local/bin/my_infected_message_handler
##
## Logging options
##
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
#
# Default: disabled
#LogFile /var/log/clamav-milter.log
# By default the log file is locked for writing - the lock protects against
# running clamav-milter multiple times.
# This option disables log file locking.
#
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
#
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
#
# Default: no
#LogTime yes
# Use system logger (can work together with LogFile).
#
# Default: no
LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
#
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
#
# Default: no
LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows to tune what is logged when a message is infected.
# Possible values are Off (the default - nothing is logged),
# Basic (minimal info logged), Full (verbose info logged)
# Note:
# For this to work properly in sendmail, make sure the msg_id, mail_addr,
# rcpt_addr and i macroes are available in eom. In other words add a line like:
# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
# to your .cf file. Alternatively use the macro:
# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
# Postfix should be working fine with the default settings.
#
# Default: disabled
LogInfected Basic
# This option allows to tune what is logged when no threat is found in
# a scanned message.
# See LogInfected for possible values and caveats.
# Useful in debugging but drastically increases the log size.
# Default: disabled
LogClean Basic
# This option affects the behaviour of LogInfected, LogClean and VirusAction
# when a message with multiple recipients is scanned:
# If SupportMultipleRecipients is off (the default)
# then one single log entry is generated for the message and, in case the
# message is determined to be malicious, the command indicated by VirusAction
# is executed just once. In both cases only the last recipient is reported.
# If SupportMultipleRecipients is on:
# then one line is logged for each recipient and the command indicated
# by VirusAction is also executed once for each recipient.
#
# Note: although it's probably a good idea to enable this option, the default
# value
# is currently set to off for legacy reasons.
# Default: no
SupportMultipleRecipients no
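Review bot: `MaxFileSize {{ clamav_clamd_stream_max_lenght }}M` follows the role variable, but in scan.conf.j2 the matching `StreamMaxLength {{ clamav_clamd_stream_max_lenght }}M` line sits inside the `{% if clamav_clamd_use_net_socket %}` block, so with the default local socket clamd keeps its built-in 25M. Raising the variable then breaks the "lower or equal than StreamMaxLength" rule stated in the comment just above: messages between the two limits would presumably fail in clamd and fall to `OnFail`, while anything above `MaxFileSize` is not scanned at all. `StreamMaxLength` should be rendered outside the net-socket conditional, and the comment in the defaults should state that the MTA's own message size limit must not exceed this value. Separately, the `{% if %}`/`{% elif %}` pair around `ClamdSocket` emits nothing when both socket switches are false, although the directive is documented as mandatory.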

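--- a/templates/freshclam.conf.j2
+++ b/templates/freshclam.conf.j2
@@ -0,0 +1,193 @@
+# Path to the database directory.
+# WARNING: It must match clamd.conf's directive!
+# Default: hardcoded (depends on installation options)
+DatabaseDirectory /var/lib/clamav
+# Path to the log file (make sure it has proper permissions)
+# Default: disabled
+#UpdateLogFile /var/log/freshclam.log
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
+# log rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+#LogFileMaxSize 2M
+# Log time with each message.
+# Default: no
+#LogTime yes
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+# Use system logger (can work together with UpdateLogFile).
+# Default: no
+LogSyslog yes
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+# This option allows you to save the process identifier of the daemon
+# Default: disabled
+#PidFile /var/run/freshclam.pid
+# By default when started freshclam drops privileges and switches to the
+# "clamav" user. This directive allows you to change the database owner.
+# Default: clamav (may depend on installation options)
+#DatabaseOwner clamupdate
+# Use DNS to verify virus database version. Freshclam uses DNS TXT records
+# to verify database and software versions. With this directive you can change
+# the database verification domain.
+# WARNING: Do not touch it unless you're configuring freshclam to use your
+# own database verification domain.
+# Default: current.cvd.clamav.net
+#DNSDatabaseInfo current.cvd.clamav.net
+# database.clamav.net is now the primary domain name to be used world-wide.
+# Now that CloudFlare is being used as our Content Delivery Network (CDN),
+# this one domain name works world-wide to direct freshclam to the closest
+# geographic endpoint.
+DatabaseMirror database.clamav.net
+# How many attempts to make before giving up.
+# Default: 3 (per mirror)
+#MaxAttempts 5
+# With this option you can control scripted updates. It's highly recommended
+# to keep it enabled.
+# Default: yes
+ScriptedUpdates yes
+# By default freshclam will keep the local databases (.cld) uncompressed to
+# make their handling faster. With this option you can enable the compression;
+# the change will take effect with the next database update.
+# Default: no
+#CompressLocalDatabase no
+# With this option you can provide custom sources (http:// or file://) for
+# database files. This option can be used multiple times.
+# Default: no custom URLs
+#DatabaseCustomURL http://myserver.com/mysigs.ndb
+#DatabaseCustomURL file:///mnt/nfs/local.hdb
+# This option allows you to easily point freshclam to private mirrors.
+# If PrivateMirror is set, freshclam does not attempt to use DNS
+# to determine whether its databases are out-of-date, instead it will
+# use the If-Modified-Since request or directly check the headers of the
+# remote database files. For each database, freshclam first attempts
+# to download the CLD file. If that fails, it tries to download the
+# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
+# and ScriptedUpdates. It can be used multiple times to provide
+# fall-back mirrors.
+# Default: disabled
+#PrivateMirror mirror1.mynetwork.com
+#PrivateMirror mirror2.mynetwork.com
+# Number of database checks per day.
+# Default: 12 (every two hours)
+Checks {{ clamav_freshclam_check_frequency }}
+{% if clamav_freshclam_use_proxy %}
+# Proxy settings
+# Default: disabled
+HTTPProxyServer {{ clamav_freshclam_proxy_host }}
+HTTPProxyPort {{ clamav_freshclam_proxy_port }}
+{% if clamav_freshclam_use_proxy_auth %}
+HTTPProxyUsername {{ clamav_freshclam_proxy_user }}
+HTTPProxyPassword {{ clamav_freshclam_proxy_pwd }}
+{% endif %}
+{% endif %}
+# If your servers are behind a firewall/proxy which applies User-Agent
+# filtering you can use this option to force the use of a different
+# User-Agent header.
+# Default: clamav/version_number
+#HTTPUserAgent SomeUserAgentIdString
+# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
+# multi-homed systems.
+# Default: Use OS'es default outgoing IP address.
+#LocalIPAddress aaa.bbb.ccc.ddd
+{% if clamav_freshclam_reload_clamd %}
+# Send the RELOAD command to clamd.
+# Default: no
+NotifyClamd {{ clamav_clamd_conf_file }}
+{% endif %}
+# Run command after successful database update.
+# Default: disabled
+#OnUpdateExecute command
+# Run command when database update process fails.
+# Default: disabled
+#OnErrorExecute command
+# Run command when freshclam reports outdated version.
+# In the command string %v will be replaced by the new version number.
+# Default: disabled
+#OnOutdatedExecute command
+# Don't fork into background.
+# Default: no
+#Foreground yes
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+# Timeout in seconds when connecting to database server.
+# Default: 30
+#ConnectTimeout 60
+# Timeout in seconds when reading from database server.
+# Default: 30
+#ReceiveTimeout 60
+# With this option enabled, freshclam will attempt to load new
+# databases into memory to make sure they are properly handled
+# by libclamav before replacing the old ones.
+# Default: yes
+#TestDatabases yes
+# This option enables support for Google Safe Browsing. When activated for
+# the first time, freshclam will download a new database file
+# (safebrowsing.cvd) which will be automatically loaded by clamd and
+# clamscan during the next reload, provided that the heuristic phishing
+# detection is turned on. This database includes information about websites
+# that may be phishing sites or possible sources of malware. When using this
+# option, it's mandatory to run freshclam at least every 30 minutes.
+# Freshclam uses the ClamAV's mirror infrastructure to distribute the
+# database and its updates but all the contents are provided under Google's
+# terms of use. See https://www.google.com/transparencyreport/safebrowsing
+# and https://www.clamav.net/documents/safebrowsing
+# for more information.
+# Default: disabled
+SafeBrowsing {{ clamav_freshclam_enable_safebrowsing }}
+# This option enables downloading of bytecode.cvd, which includes additional
+# detection mechanisms and improvements to the ClamAV engine.
+# Default: enabled
+Bytecode {{ clamav_freshclam_enable_bytecode }}
+{% if clamav_freshclam_additional_databases is defined %}
+# Download an additional 3rd party signature database distributed through
+# the ClamAV mirrors.
+# This option can be used multiple times.
+#ExtraDatabase dbname1
+#ExtraDatabase dbname2
+{% for clamdb in clamav_freshclam_additional_databases %}
+ExtraDatabase {{ clamdb }}
+{% endfor %}
+{% endif %}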
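Review bot: `DatabaseDirectory /var/lib/clamav` is hard-coded although the role defines `clamav_signatures_db_dir` and the tasks use that variable when wiping broken signature files, so overriding the variable would leave freshclam writing to one directory while the cleanup looks in another. It should read `DatabaseDirectory {{ clamav_signatures_db_dir }}`. The same literal appears in `clam_dbs` in os.conf.j2, in `DatabaseDirectory` in scan.conf.j2 and in the `file: dest=/var/lib/clamav` permissions task, and all four need to change together for the variable to be meaningful.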

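--- a/templates/os.conf.j2
+++ b/templates/os.conf.j2
@@ -0,0 +1,41 @@
+# This file contains os configuration settings for clamav-unofficial-sigs.sh
+###################
+# This is property of eXtremeSHOK.com
+# You are free to use, modify and distribute, however you may not remove this notice.
+# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
+# License: BSD (Berkeley Software Distribution)
+##################
+#
+# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
+#
+##################
+#
+# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG
+#
+################################################################################
+# SEE MASTER.CONF FOR CONFIG EXPLANATIONS
+################################################################################
+# Rename to os.conf to enable this file
+################################################################################
+# RHEL/CentOS 7, using ClamAV packages from EPEL
+clam_user="{{ clamav_clamd_user }}"
+clam_group="{{ clamav_clamd_user }}"
+clam_dbs="/var/lib/clamav"
+clamd_pid="{{ clamav_clamd_pidfile }}"
+clamd_restart_opt="systemctl try-restart clamd@scan"
+{% if clamav_clamd_use_local_socket %}
+clamd_socket="{{ clamav_clamd_local_socket }}"
+{% endif %}
+clamd_reload_opt="clamdscan --config-file={{ clamav_clamd_conf_file }} --reload"
+# By default clamupdate has no permissions to run service restarts
+reload_dbs="no"
+# https://eXtremeSHOK.com ######################################################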
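Review bot: The comment `# By default clamupdate has no permissions to run service restarts` does not match the settings above it, which set `clam_user` to `{{ clamav_clamd_user }}` (clamscan in the role defaults), and it does not say how clamd picks up newly downloaded unofficial signatures once `reload_dbs="no"` is in effect. I would reword it to name the configured account, for example `# {{ clamav_clamd_user }} is not allowed to restart or reload clamd, so the script's own reload is disabled`, and document in the README which mechanism is expected to trigger the reload. `clam_group` is also set from the user variable, which only works while the account's group has the same name as the account.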

688
templates/scan.conf.j2 Normal file

@ -0,0 +1,688 @@
# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
LogVerbose {{ clamav_clamd_verbose_logging }}
# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
ExtendedDetectionInfo {{ clamav_clamd_extended_info }}
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile {{ clamav_clamd_pidfile }}
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory {{ clamav_clamd_tmp }}
# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav
# Only load the official signatures published by the ClamAV project.
# Default: no
OfficialDatabaseOnly {{ clamav_clamd_official_db_only }}
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
{% if clamav_clamd_use_local_socket %}
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket {{ clamav_clamd_local_socket }}
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
LocalSocketGroup virusgroup
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
LocalSocketMode 660
# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes
{% endif %}
{% if clamav_clamd_use_net_socket %}
# TCP port address.
# Default: no
TCPSocket {{ clamav_clamd_net_socket_port }}
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
{% for ip in clamav_clamd_net_socket_addrs %}
TCPAddr {{ ip }}
{% endfor %}
# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
StreamMaxLength {{ clamav_clamd_stream_max_lenght }}M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
{% endif %}
# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20
# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 30
#CommandReadTimeout 30
# This option specifies how long to wait (in milliseconds) if the send buffer
# is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by
# MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file
# descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
# max is 1024)
#
# Default: 100
#MaxQueue 200
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
ExcludePath ^/proc/
ExcludePath ^/sys/
# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes
# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User {{ clamav_clamd_user }}
# Stop daemon when libclamav reports out of memory condition.
ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
# any ALLMATCHSCAN command as invalid.
# Default: yes
AllowAllMatchScan yes
{% if clamav_clamd_detect_pua %}
# Detect Possibly Unwanted Applications.
# Default: no
DetectPUA yes
# Exclude a specific PUA category. This directive can be used multiple times.
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
# the complete list of PUA categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
IncludePUA Spy
IncludePUA Scanner
IncludePUA RAT
{% endif %}
# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
#ForceToDisk yes
# This option allows you to disable the caching feature of the engine. By
# default, the engine will store an MD5 in a cache of any files that are
# not flagged as virus or that hit limits checks. Disabling the cache will
# have a negative performance impact on large scans.
# Default: no
DisableCache no
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
# may be malicious. This option enables alerting on such heuristically
# detected potential threats.
# Default: yes
HeuristicAlerts {{ clamav_clamd_heuristic_alert }}
# Allow heuristic alerts to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
HeuristicScanPrecedence {{ clamav_clamd_heuristic_has_precedence }}
##
## Heuristic Alerts
##
# With this option clamav will try to detect broken executables (both PE and
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes
# Alert on encrypted archives _and_ documents with heuristic signature (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes
# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip, .rar).
# Default: no
#AlertEncryptedArchive yes
# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes
# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes
# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#AlertPhishingSSLMismatch yes
# Alert on cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#AlertPhishingCloak yes
# Alert on raw DMG image files containing partition intersections
# Default: no
#AlertPartitionIntersection yes
##
## Executable files
##
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option
# allows ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
#ScanPE yes
# Certain PE files contain an authenticode signature. By default, we check
# the signature chain in the PE file against a database of trusted and
# revoked certificates if the file being scanned is marked as a virus.
# If any certificate in the chain validates against any trusted root, but
# does not match any revoked certificate, the file is marked as whitelisted.
# If the file does match a revoked certificate, the file is marked as virus.
# The following setting completely turns off authenticode verification.
# Default: no
#DisableCertCheck yes
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanELF yes
{% if clamav_clamd_additional_doc_scanning %}
##
## Documents
##
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanOLE2 yes
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
ScanPDF yes
# This option enables scanning within SWF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
ScanSWF yes
# This option enables scanning xml-based document files supported by libclamav.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanXMLDOCS yes
# This option enables scanning of HWP3 files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
ScanHWP3 yes
{% endif %}
##
## Mail files
##
# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
ScanMail {{ clamav_clamd_email_scan }}
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial
# directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
PhishingSignatures yes
# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
PhishingScanURLs yes
##
## Data Loss Prevention (DLP)
##
# Enable the DLP module
# Default: No
#StructuredDataDetection yes
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
ScanHTML {{ clamav_clamd_html_scan }}
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
ScanArchive {{ clamav_clamd_archives_scan }}
##
## Limits
##
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# This option sets the maximum amount of time to a scan may take.
# In this version, this field only affects the scan time of ZIP archives.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result allow scanning
# of certain files to lock up the scanning process/threads resulting in a Denial
# of Service.
# Time is in milliseconds.
# Default: 120000
MaxScanTime {{ clamav_clamd_max_scan_time }}
# This option sets the maximum amount of data to be scanned for each input
# file.
# Archives and other containers are recursively extracted and scanned up to
# this value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
MaxScanSize {{ clamav_clamd_stream_max_lenght }}M
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
MaxFileSize {{ clamav_clamd_stream_max_lenght }}M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
MaxRecursion 10
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000
# Maximum size of a file to check for embedded PE. Files larger than this value
# will skip the additional analysis step.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxEmbeddedPE 10M
# Maximum size of a HTML file to normalize. HTML files larger than this value
# will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxHTMLNormalize 10M
# Maximum size of a normalized HTML file to scan. HTML files larger than this
# value after normalization will not be scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 2M
#MaxHTMLNoTags 2M
# Maximum size of a script file to normalize. Script content larger than this
# value will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 5M
#MaxScriptNormalize 5M
# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M
# This option sets the maximum number of partitions of a raw disk image to be
# scanned.
# Raw disk images with more partitions than this value will have up to
# the value number partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact
# performance.
# Default: 50
#MaxPartitions 128
# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number
# icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 100
#MaxIconsPE 200
# This option sets the maximum recursive calls for HWP3 parsing during
# scanning. HWP3 files using more than this limit will be terminated and
# alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit
# is reached.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 16
#MaxRecHWP3 16
# This option sets the maximum calls to the PCRE match function during
# an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit, see the PCRE documentation.
# Negative values are not allowed.
# WARNING: setting this limit too high may severely impact performance.
# Default: 100000
#PCREMatchLimit 20000
# This option sets the maximum recursive calls to the PCRE match function
# during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit_recursion, see the PCRE documentation.
# Negative values are not allowed and values > PCREMatchLimit are superfluous.
# WARNING: setting this limit too high may severely impact performance.
# Default: 2000
#PCRERecMatchLimit 10000
# This option sets the maximum filesize for which PCRE subsigs will be
# executed. Files exceeding this limit will not have PCRE subsigs executed
# unless a subsig is encompassed to a smaller buffer.
# Negative values are not allowed.
# Setting this value to zero disables the limit.
# WARNING: setting this limit too high or disabling it may severely impact
# performance.
# Default: 25M
#PCREMaxFileSize 100M
# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# MaxRecursion limit will be flagged with the virus
# "Heuristics.Limits.Exceeded".
# Default: no
AlertExceedsMax {{ clamav_clamd_alert_exceeding_max }}
##
## On-access Scan Settings
##
# Enable on-access scanning. Currently, this is supported via fanotify.
# Clamuko/Dazuko support has been deprecated.
# Default: no
#ScanOnAccess yes
# Set the mount point to be scanned. The mount point specified, or the mount
# point containing the specified directory will be watched. If any directories
# are specified, this option will preempt the DDD system. This will notify
# only. It can be used multiple times.
# (On-access scan only)
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#OnAccessMaxFileSize 10M
# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line. (On-access scan only)
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
# Set the exclude paths. All subdirectories are also excluded.
# (On-access scan only)
# Default: disabled
#OnAccessExcludePath /home/bofh
# With this option you can whitelist the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no
# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
# denied events.
# This option can be used multiple times (one per line).
# Using a value of 0 on any line will disable this option entirely.
# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
# option.
# Also note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
# Default: disabled
#OnAccessExcludeUID -1
# Toggles dynamic directory determination. Allows for recursively watching
# include paths.
# (On-access scan only)
# Default: no
#OnAccessDisableDDD yes
# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
# and not perform any blocking.
# (On-access scan only)
# Default: no
#OnAccessPrevention yes
# Toggles extra scanning and notifications when a file or directory is
# created or moved.
# Requires the DDD system to kick-off extra scans.
# NOTE: This feature is disabled until a thread resource leak bug
# in the OnAccessExtraScanning code can be resolved.
# (On-access scan only)
# Default: no
#OnAccessExtraScanning yes
##
## Bytecode
##
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss
# detections for many new viruses.
# Default: yes
Bytecode yes
# Set bytecode security level.
# Possible values:
# None - No security at all, meant for debugging.
# DO NOT USE THIS ON PRODUCTION SYSTEMS.
# This value is only available if clamav was built
# with --enable-debug!
# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
# runtime safety checks for bytecode loaded from other sources.
# Paranoid - Don't trust any bytecode, insert runtime checks for all.
# Recommended: TrustSigned, because bytecode in .cvd files already has these
# checks.
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
BytecodeSecurity {{ clamav_clamd_bytecode_security }}
# Set bytecode timeout in milliseconds.
#
# Default: 5000
# BytecodeTimeout 1000
##
## Statistics gathering and submitting
##

72
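--- a/templates/user.conf.j2
+++ b/templates/user.conf.j2
@@ -0,0 +1,72 @@
+# This file contains user configuration settings for clamav-unofficial-sigs.sh
+###################
+# This is property of eXtremeSHOK.com
+# You are free to use, modify and distribute, however you may not remove this notice.
+# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
+# License: BSD (Berkeley Software Distribution)
+##################
+#
+# Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
+#
+##################
+#
+# NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG
+#
+################################################################################
+# SEE MASTER.CONF FOR CONFIG EXPLANATIONS
+################################################################################
+# Values in this file will always override those in the master.conf and os.conf files.
+# This is useful to specify your authorisation/receipt codes and to always force certain options.
+# Please note, it is your responsibility to manage the contents of this file.
+# Values provided here are just examples, feel free to use any values from the main config file.
+#malwarepatrol_receipt_code="YOUR-RECEIPT-NUMBER"
+#malwarepatrol_product_code="8"
+#malwarepatrol_list="clamav_basic" # clamav_basic or clamav_ext
+#malwarepatrol_free="yes"
+#securiteinfo_authorisation_signature="YOUR-SIGNATURE-NUMBER"
+# Default dbs rating (Default: MEDIUM)
+# valid rating: LOW, MEDIUM, HIGH
+default_dbs_rating="LOW"
+# Per Database
+# These ratings will override the global rating for the specific database
+# valid rating: LOW, MEDIUM, HIGH, DISABLE
+#sanesecurity_dbs_rating="HIGH"
+#securiteinfo_dbs_rating="HIGH"
+#linuxmalwaredetect_dbs_rating="HIGH"
+#yararulesproject_dbs_rating="HIGH"
+# =========================
+# Additional signature databases
+# =========================
+#declare -a additional_dbs=(
+# ftp://ftp.example.net/pub/sigs.ndb
+# http://www.example.org/sigs.ldb
+#) #END ADDITIONAL DATABASES
+# master.conf single signatures overrides.
+scamnailer.ndb|DISABLE
+# Uncomment the following line to enable the script
+user_configuration_complete="yes"
+{% if clamav_additional_signatures_use_proxy %}
+# Proxy Support
+# If necessary to proxy database downloads, define the rsync, curl, wget, dig, hosr proxy settings here.
+#rsync_proxy="username:password@proxy_host:proxy_port"
+{% if clamav_additional_signatures_use_proxy_auth %}
+curl_proxy="--proxy http://{{ clamav_additional_signatures_proxy_user }}:{{ clamav_additional_signatures_proxy_pwd }}@{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }}"
+wget_proxy="-e http_proxy=http://{{ clamav_additional_signatures_proxy_user }}:{{ clamav_additional_signatures_proxy_pwd }}@{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }} -e https_proxy=https://{{ clamav_additional_signatures_proxy_user }}:{{ clamav_additional_signatures_proxy_pwd }}@{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }}"
+{% else %}
+curl_proxy="--proxy http://{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }}"
+wget_proxy="-e http_proxy=http://{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }} -e https_proxy=https://{{ clamav_additional_signatures_proxy_host }}:{{ clamav_additional_signatures_proxy_port }}"
+{% endif %}
+#dig_proxy="@proxy_host -p proxy_host:proxy_port"
+#host_proxy="@proxy_host" #does not support port
+{% endif %}
+# https://eXtremeSHOK.com ######################################################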
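Review bot: The authenticated branch of the proxy block writes `clamav_additional_signatures_proxy_user` and `clamav_additional_signatures_proxy_pwd` raw into the double-quoted `curl_proxy` and `wget_proxy` values, so a password containing `"`, `$`, a backtick, `@` or `:` either breaks the proxy URL or changes what the shell reads when clamav-unofficial-sigs.sh loads this file (presumably by evaluating it as shell, as the `declare -a` example suggests). Percent-encoding both fields avoids that, e.g. `{{ clamav_additional_signatures_proxy_pwd | urlencode }}` and the same filter on the user. The rendered file also holds the proxy password in clear text, so the task that deploys it (not visible in this section) should make it readable only by the account that runs the script, and the variable is better kept in a vault than in plain defaults. Separately, the bare `scamnailer.ndb|DISABLE` line is neither a comment nor an assignment; if the file is evaluated as shell it would be run as a pipeline, so it likely belongs inside a database array as in master.conf or should be commented out.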