164 lines
7.0 KiB
YAML
164 lines
7.0 KiB
YAML
---
|
|
- name: Install the clamav packages
|
|
block:
|
|
- name: Install the clamav packages on RH based systems
|
|
yum: pkg={{ clamav_rh_pkgs }} state=present
|
|
when: clamav_install | bool
|
|
|
|
- name: Install the clamav unofficial signature packages on RH based systems
|
|
yum: pkg={{ clamav_unofficial_sigs_rh_pkgs }} state=present
|
|
when: clamav_unofficial_sigs_install | bool
|
|
|
|
- name: Install the clamav milter packages on RH based systems
|
|
yum: pkg={{ clamav_milter_rh_pkgs}} state=present
|
|
when: clamav_milter_install | bool
|
|
|
|
when: ansible_distribution_file_variety == "RedHat"
|
|
tags: [ 'clamav', 'clamav_clamd' ]
|
|
|
|
- name: Configure freshclam and clamd
|
|
block:
|
|
- name: Install the clamd configuration
|
|
template: src=scan.conf.j2 dest={{ clamav_clamd_conf_file }} owner=root group=root mode=0444
|
|
notify: Restart clamd
|
|
|
|
- name: Install the freshclam configuration
|
|
template: src=freshclam.conf.j2 dest=/etc/freshclam.conf owner=root group=root mode=0400
|
|
|
|
- name: Change the /var/lib/clamav permissions so that freshclam can write into it
|
|
file: dest=/var/lib/clamav state=directory owner=clamscan group=clamupdate mode='u=rwx,g=rwsx,o=rx'
|
|
|
|
- name: Add the clamupdate user to the clamscan group so that it can update the signatures
|
|
user: name=clamupdate groups=clamscan append=yes
|
|
|
|
- name: Ensure that the clamd service is running and enabled
|
|
service: name=clamd@scan state=started enabled=yes
|
|
|
|
- name: Remove some signature files that are broken.
|
|
file: dest={{ clamav_signatures_db_dir }}/{{ item }} state=absent
|
|
with_items: '{{ clamav_signatures_dbs_to_wipe }}'
|
|
notify: Restart clamd
|
|
tags: [ 'clamav', 'clamav_clamd', 'clamav_config', 'clamav_signatures' ]
|
|
|
|
- name: Install the local whitelist file
|
|
template: src=local_whitelist.ign2.j2 dest={{ clamav_signatures_db_dir }}/{{ clamav_signatures_whitelist_file }} owner=clamscan group=clamscan mode='0444'
|
|
notify: Restart clamd
|
|
when: clamav_signatures_whitelist != []
|
|
tags: [ 'clamav', 'clamav_clamd', 'clamav_config', 'clamav_signatures', 'clamav_whitelist' ]
|
|
|
|
- name: Remove the local whitelist file if it's empty
|
|
file: dest={{ clamav_signatures_db_dir }}/{{ clamav_signatures_whitelist_file }} state=absent
|
|
notify: Restart clamd
|
|
when: clamav_signatures_whitelist == []
|
|
tags: [ 'clamav', 'clamav_clamd', 'clamav_config', 'clamav_signatures', 'clamav_whitelist' ]
|
|
|
|
- name: Install a cron job that wipes the wrong signature files, just in case they reappear after an update
|
|
cron: name="Wipe some clamav signature dbs that are broken" user=root special_time=hourly job="{% for db in clamav_signatures_dbs_to_wipe %}/bin/rm -f {{ clamav_signatures_db_dir }}/{{ db }}{% if not loop.last %}; {% endif %}{% endfor %}"
|
|
tags: [ 'clamav', 'clamav_clamd', 'clamav_config', 'clamav_signatures' ]
|
|
|
|
when: clamav_install | bool
|
|
tags: [ 'clamav', 'clamav_clamd', 'clamav_config' ]
|
|
|
|
- name: Configure clamav unofficial sigs
|
|
block:
|
|
- name: Install the unofficial sigs configuration files
|
|
template: src={{ item }}.j2 dest=/etc/clamav-unofficial-sigs/{{ item }} owner=root group=root mode=0444
|
|
with_items:
|
|
- os.conf
|
|
- user.conf
|
|
|
|
- name: Wipe some unofficial signature files that are broken. Disabling them seems not enough
|
|
copy: content="" dest={{ clamav_additional_signatures_db_dir }}/{{ item }} force=yes
|
|
with_items: '{{ clamav_additional_signatures_dbs_to_wipe }}'
|
|
notify: Restart clamd
|
|
|
|
- name: Install a cron job that wipes the wrong unofficial signature files, just in case they reappear after an update
|
|
cron: name="Wipe some unofficial clamav signature dbs that are broken" user=root special_time=hourly job="{% for db in clamav_additional_signatures_dbs_to_wipe %}echo '' > {{ clamav_additional_signatures_db_dir }}/{{ db }}{% if not loop.last %}; {% endif %}{% endfor %}"
|
|
|
|
when: clamav_unofficial_sigs_install | bool
|
|
tags: [ 'clamav', 'clamav_clamd', 'clamav_config', 'clamav_unofficial_sigs' ]
|
|
|
|
- name: Manage the clamav urlhaus signatures
|
|
block:
|
|
- name: Install the procmail package on RH based systems
|
|
yum: pkg=procmail state=present
|
|
when: ansible_distribution_file_variety == "RedHat"
|
|
|
|
- name: Install the clamav urlhaus script
|
|
template: src=urlhaus-signatures.j2 dest=/usr/local/bin/clamav-urlhaus-signatures owner=root group=root mode='0755'
|
|
|
|
- name: Install a cron job that downloads the urlhaus signatures
|
|
cron:
|
|
cron_file: clamav-urlhaus
|
|
minute: '*'
|
|
hour: '*'
|
|
day: '*'
|
|
weekday: '*'
|
|
month: '*'
|
|
disabled: no
|
|
job: "/usr/local/bin/clamav-urlhaus-signatures >/dev/null 2>& 1"
|
|
user: "{{ clamav_clamd_user }}"
|
|
name: 'manage-urlhaus-signatures'
|
|
state: present
|
|
|
|
when: clamav_urlhaus_signatures_install
|
|
tags: [ 'clamav', 'clamav_urlhaus' ]
|
|
|
|
- name: Manage the clamav urlhaus signatures
|
|
block:
|
|
- name: Install the clamav urlhaus script
|
|
file: dest=/usr/local/bin/clamav-urlhaus-signatures state=absent
|
|
|
|
- name: Install the clamav urlhaus script
|
|
file: dest={{ clamav_signatures_db_dir }}/urlhaus.ndb state=absent
|
|
|
|
- name: Remove the cron job that downloads the urlhaus signatures
|
|
cron:
|
|
cron_file: clamav-urlhaus
|
|
minute: '*'
|
|
hour: '*'
|
|
day: '*'
|
|
weekday: '*'
|
|
month: '*'
|
|
disabled: no
|
|
job: "/usr/local/bin/clamav-urlhaus-signatures >/dev/null 2>& 1"
|
|
user: "{{ clamav_clamd_user }}"
|
|
name: 'manage-urlhaus-signatures'
|
|
state: absent
|
|
|
|
when: not clamav_urlhaus_signatures_install
|
|
tags: [ 'clamav', 'clamav_urlhaus' ]
|
|
|
|
- name: Configure the clamav milter
|
|
block:
|
|
- name: Install the clamav milter configuration
|
|
template: src=clamav-milter.conf.j2 dest=/etc/mail/clamav-milter.conf owner=root group=root mode=0444
|
|
notify: Restart clamav-milter
|
|
|
|
- name: Ensure that clamav milter is running and enabled
|
|
service: name=clamav-milter state=started enabled=yes
|
|
|
|
when: clamav_milter_install | bool
|
|
tags: [ 'clamav', 'clamav_clamd', 'clamav_config' ]
|
|
|
|
- name: Configure the clamd service used by spamassassin
|
|
block:
|
|
- name: Install the clamd configuration for the spamassassin service
|
|
template: src=spamassassin-scan.conf.j2 dest={{ clamav_clamd_conf_dir }}/spamassassin.conf owner=root group=root mode=0444
|
|
notify: Restart clamd spamassassin
|
|
|
|
- name: Install the tmpfile configuration for clamd spamassassin
|
|
copy: content="d /run/clamd.spamassassin 0710 clamscan virusgroup" dest=/usr/lib/tmpfiles.d/clamd.spamassassin.conf owner=root group=root mode='0755'
|
|
|
|
- name: Create the runtime directory for the clamd spamassassin service
|
|
file: dest="/run/clamd.spamassassin" state=directory mode='0710' owner=clamscan group=virusgroup
|
|
|
|
- name: Add the spamassassin user to the virusgroup group so that it can access the clamd socket
|
|
user: name=spamassassin groups=virusgroup append=yes
|
|
|
|
- name: Ensure that the clamd service is running and enabled
|
|
service: name=clamd@spamassassin state=started enabled=yes
|
|
|
|
when: clamav_clamd_spamassassin_service
|
|
tags: [ 'clamav', 'clamav_spamassassin', 'clamav_config' ]
|