geerlingguy / ansible-role-clamav
Ansible Role - ClamAV.
Home Page: https://galaxy.ansible.com/geerlingguy/clamav/
License: MIT License
amazon-ebs: failed: [default] (item=[u'clamav', u'clamav-update', u'clamav-scanner-systemd']) => {
amazon-ebs:     "changed": false,
amazon-ebs:     "invocation": {
amazon-ebs:         "module_args": {
amazon-ebs:             "allow_downgrade": false,
amazon-ebs:             "bugfix": false,
amazon-ebs:             "conf_file": null,
amazon-ebs:             "disable_gpg_check": false,
amazon-ebs:             "disable_plugin": [],
amazon-ebs:             "disablerepo": null,
amazon-ebs:             "enable_plugin": [],
amazon-ebs:             "enablerepo": null,
amazon-ebs:             "exclude": null,
amazon-ebs:             "install_repoquery": true,
amazon-ebs:             "installroot": "/",
amazon-ebs:             "list": null,
amazon-ebs:             "name": [
amazon-ebs:                 "clamav",
amazon-ebs:                 "clamav-update",
amazon-ebs:                 "clamav-scanner-systemd"
amazon-ebs:             ],
amazon-ebs:             "security": false,
amazon-ebs:             "skip_broken": false,
amazon-ebs:             "state": "latest",
amazon-ebs:             "update_cache": false,
amazon-ebs:             "update_only": false,
amazon-ebs:             "validate_certs": true
amazon-ebs:         }
amazon-ebs:     },
amazon-ebs:     "item": [
amazon-ebs:         "clamav",
amazon-ebs:         "clamav-update",
amazon-ebs:         "clamav-scanner-systemd"
amazon-ebs:     ],
amazon-ebs:     "msg": "No package matching 'clamav' found available, installed or updated",
amazon-ebs:     "rc": 126,
amazon-ebs:     "results": [
amazon-ebs:         "No package matching 'clamav' found available, installed or updated"
amazon-ebs:     ]
amazon-ebs: }
amazon-ebs: to retry, use: --limit @/opt/mirs/mirs-ansible/base.retry
amazon-ebs:
amazon-ebs: PLAY RECAP *********************************************************************
amazon-ebs: default : ok=21 changed=12 unreachable=0 failed=1
Hello! I recently started testing out this role for ClamAV. So far I'm a fan as it's made the deployment a LOT easier.
I've noticed one thing during the creation / editing of the Configuration file when you use the "clamav_daemon_configuration_changes" variable.
I've noticed that Debian & RedHat flavors use different verbiage for their boolean value for some settings. Example:
CentOS:
...
LogRotate yes
...
Ubuntu:
...
LogRotate true
...
If I set the variables for the role, I'll end up with consistent boolean attributes across both flavors.
---
- hosts: all
  tasks:
    - import_role:
        name: installed_clamav
      vars:
        clamav_daemon_configuration_changes:
          - regexp: '^.*LogRotate .*$'
            line: 'LogRotate yes'
The vars set above will set this conf to "yes" for both flavors, even though Debian flavors will require a "true" value.
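One way to get distribution-appropriate spellings through the role's existing variable, as an added example that is not from the role or from the report above: the boolean token is chosen from ansible_os_family (following the "yes" versus "true" spelling observed above), and because overriding clamav_daemon_configuration_changes replaces the role's default list, the Example removal and LocalSocket change that the role normally applies are repeated here. The LocalSocket paths are assumed distribution defaults.

```yaml
---
# Added example (not part of the geerlingguy.clamav role). The LocalSocket paths
# are the distribution defaults assumed here; adjust them to your installation.
- hosts: all
  become: true
  vars:
    # The report above sees 'yes' on RedHat-family and 'true' on Debian-family hosts.
    clamav_bool_true: "{{ 'true' if ansible_os_family == 'Debian' else 'yes' }}"
    clamav_socket: "{{ '/var/run/clamav/clamd.ctl' if ansible_os_family == 'Debian' else '/var/run/clamd.scan/clamd.sock' }}"
  tasks:
    - import_role:
        name: geerlingguy.clamav
      vars:
        # Setting this variable replaces the role's default list, so the Example
        # removal and LocalSocket change the role normally applies are repeated.
        clamav_daemon_configuration_changes:
          - regexp: '^#?Example$'
            state: absent
          - regexp: '^#?LocalSocket .*$'
            line: 'LocalSocket {{ clamav_socket }}'
          - regexp: '^#?LogRotate .*$'
            line: 'LogRotate {{ clamav_bool_true }}'
```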
If Cron is available, it would be nice to be able to run scans on a cron schedule. See: https://raymii.org/s/tutorials/ClamAV.html
After installing ClamAV on one of my EC2 servers (t2.micro), ClamAV consumes all the EBS burst capacity and severely throttles my server.
Would it be an idea to add something to limit ClamAV resource consumption?
Example System Slice from https://www.scylladb.com/2019/09/25/isolating-workloads-with-systemd-slices/:
[Unit]
Description=Slice used to run companion programs to Scylla. Memory, CPU and IO restricted
Before=slices.target
[Slice]
MemoryAccounting=true
IOAccounting=true
CPUAccounting=true
CPUWeight=10
IOWeight=10
MemoryHigh=4%
MemoryLimit=5%
CPUShares=10
BlockIOWeight=10
I got this error when installing inside a local Vagrant box for testing.
Inside the VM, I noticed:
$ sudo lsof /var/log/clamav/freshclam.log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
freshclam 26230 clamav 3wW REG 252,0 248 528916 /var/log/clamav/freshclam.log
So maybe don't automatically run freshclam
if it's already running? Maybe we can default to not running it, then the user can choose to run it or not.
When I installed on our t3a.small server it became unresponsive (high cpu / memory usage maybe?). After a while I was able to access the server again but the daemon failed.
$ sudo journalctl -u clamav-daemon
-- Logs begin at Fri 2020-03-06 02:11:25 UTC, end at Thu 2021-02-04 21:52:48 UTC. --
Feb 04 21:07:21 influxdb0 systemd[1]: Starting Clam AntiVirus userspace daemon...
Feb 04 21:07:21 influxdb0 systemd[1]: Started Clam AntiVirus userspace daemon.
Feb 04 21:07:34 influxdb0 systemd[1]: Stopping Clam AntiVirus userspace daemon...
Feb 04 21:07:34 influxdb0 systemd[1]: Stopped Clam AntiVirus userspace daemon.
Feb 04 21:07:34 influxdb0 mkdir[8035]: /bin/mkdir: cannot create directory ‘/run/clamav’: File exists
Feb 04 21:07:34 influxdb0 systemd[1]: Starting Clam AntiVirus userspace daemon...
Feb 04 21:07:34 influxdb0 systemd[1]: Started Clam AntiVirus userspace daemon.
Feb 04 21:22:14 influxdb0 systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=9/KILL
Feb 04 21:22:14 influxdb0 systemd[1]: clamav-daemon.service: Failed with result 'signal'.
$ sudo cat /var/log/clamav/clamav.log
Thu Feb 4 21:07:21 2021 -> +++ Started at Thu Feb 4 21:07:21 2021
Thu Feb 4 21:07:21 2021 -> Received 0 file descriptor(s) from systemd.
Thu Feb 4 21:07:21 2021 -> clamd daemon 0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Thu Feb 4 21:07:21 2021 -> Running as user clamav (UID 114, GID 119)
Thu Feb 4 21:07:21 2021 -> Log file size limited to 4294967295 bytes.
Thu Feb 4 21:07:21 2021 -> Reading databases from /var/lib/clamav
Thu Feb 4 21:07:21 2021 -> Not loading PUA signatures.
Thu Feb 4 21:07:21 2021 -> Bytecode: Security mode set to "TrustSigned".
Thu Feb 4 21:07:34 2021 -> +++ Started at Thu Feb 4 21:07:34 2021
Thu Feb 4 21:07:34 2021 -> Received 0 file descriptor(s) from systemd.
Thu Feb 4 21:07:34 2021 -> clamd daemon 0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Thu Feb 4 21:07:34 2021 -> Running as user clamav (UID 114, GID 119)
Thu Feb 4 21:07:34 2021 -> Log file size limited to 4294967295 bytes.
Thu Feb 4 21:07:34 2021 -> Reading databases from /var/lib/clamav
Thu Feb 4 21:07:34 2021 -> Not loading PUA signatures.
Thu Feb 4 21:07:34 2021 -> Bytecode: Security mode set to "TrustSigned".
Thu Feb 4 21:07:51 2021 -> Loaded 8681271 signatures.
Is there any chance that clamdscan will be added to this role?
Although clamav-daemon is already provided and additional packages should be treated very carefully in a base role, I would propose adding clamdscan because of its enhanced performance. Let me know if you think that others will also benefit from it.
I am using your geerlingguy/docker-debian10-ansible in Dockerfile and when I run docker build, I am getting:
#10 132.2 TASK [geerlingguy.clamav : include_tasks] **************************************
#10 132.3 included: /tmp/provisioner/roles/geerlingguy.clamav/tasks/setup-vars.yml for localhost
#10 132.3
#10 132.3 TASK [geerlingguy.clamav : Define clamav_daemon.] ******************************
#10 132.3 ok: [localhost]
#10 132.3
#10 132.3 TASK [geerlingguy.clamav : Define clamav_freshclam_daemon.] ********************
#10 132.4 ok: [localhost]
#10 132.4
#10 132.4 TASK [geerlingguy.clamav : Define clamav_packages.] ****************************
#10 132.4 ok: [localhost]
#10 132.4
#10 132.4 TASK [geerlingguy.clamav : Ensure ClamAV packages are installed.] **************
#10 139.8 changed: [localhost] => (item=clamav)
#10 142.1 ok: [localhost] => (item=clamav-base)
#10 146.6 changed: [localhost] => (item=clamav-daemon)
#10 146.6
#10 146.6 TASK [geerlingguy.clamav : Run freshclam after ClamAV packages change.] ********
#10 176.2 changed: [localhost]
#10 176.2
#10 176.2 TASK [geerlingguy.clamav : include_tasks] **************************************
#10 176.2 skipping: [localhost]
#10 176.2
#10 176.2 TASK [geerlingguy.clamav : Change configuration for the ClamAV daemon.] ********
#10 176.6 ok: [localhost] => (item={'regexp': '^.*Example$', 'state': 'absent'})
#10 176.8 ok: [localhost] => (item={'regexp': '^.*LocalSocket .*$', 'line': 'LocalSocket /var/run/clamav/clamd.ctl'})
#10 176.8
#10 176.8 TASK [geerlingguy.clamav : Ensure ClamAV daemon is running (if configured).] ***
#10 177.4 fatal: [localhost]: FAILED! => {"changed": false, "msg": "Service is in unknown state", "status": {}}
#10 177.4
#10 177.4 RUNNING HANDLER [geerlingguy.clamav : restart clamav daemon] *******************
#10 177.4
#10 177.4 PLAY RECAP *********************************************************************
#10 177.4 localhost : ok=13 changed=6 unreachable=0 failed=1 skipped=1 rescued=0 ignored=0
#10 177.4
In the task "Change configuration for the ClamAV daemon", is it possible to add "notify: restart clamav daemon"?
In fact, if the file scan.conf changes, the configuration is not reloaded.
Thanks a lot
The image is being loaded from https://github.com/geerlingguy/ansible-role-clamav/workflows/CI/badge.svg?event=push
Which I imagine will miss the currently broken scheduled builds, which show the actual state of the repository at the moment (due to external changes I guess) and will require changes to work again.
CentOS is complaining that the default /etc/clamd.d/scan.conf file is not parseable, and that's because the Example line that comes preinstalled is still in the file. We should comment the Example line and uncomment LocalSocket by default. I need to see if this file is in a different path on Ubuntu, though.
Fails at "Ensure ClamAV daemon is running (if configured)" under CentOS 7 with SELinux active.
sudo getsebool -a | grep antivirus
Returns:
antivirus_can_scan_system --> off
antivirus_use_jit --> off
Running the following
sudo setsebool -P antivirus_can_scan_system 1
sudo setsebool -P clamd_use_jit 1
before trying again resolved the issue.
I have been able to execute this within a playbook on RHEL 7; however, after reaching the "Ensure ClamAV packages are installed" portion of the playbook it gives me errors stating "No package matching 'clamav' found available".
Really confused on why this role is overwriting the systemd service file that the rpm distributes?
The proper way to customize systemd service files is with a unit file in /etc - one should never touch the file in /lib
So this happens, when it's not supposed to:
RUNNING HANDLER [geerlingguy.clamav : restart clamav daemon] ***********************************************************
changed: [127.0.0.1]
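For the resource-limiting request earlier on this page and for this point about not editing the packaged unit, an added example that is not part of the role: a systemd slice carrying the limits, plus a drop-in under /etc/systemd/system that attaches the ClamAV service to it, so the file under /lib is never touched. The unit name, slice name and percentages are assumptions to tune per host, and the cgroup v2 setting names are used instead of the legacy CPUShares/BlockIOWeight/MemoryLimit ones quoted above.

```yaml
# Added example, not part of the role: limit clamd with a systemd slice and attach
# the service through a drop-in under /etc, leaving the packaged unit in /lib alone.
# Assumptions: cgroup v2 settings; unit name and percentages are placeholders to tune.
- hosts: all
  become: true
  vars:
    clamav_unit: clamav-daemon      # 'clamd@scan' on RHEL/CentOS
  tasks:
    - name: Create a resource-restricted slice for ClamAV
      copy:
        dest: /etc/systemd/system/clamav.slice
        content: |
          [Unit]
          Description=Slice for ClamAV: CPU, memory and IO restricted
          Before=slices.target

          [Slice]
          CPUAccounting=true
          IOAccounting=true
          MemoryAccounting=true
          CPUWeight=10
          IOWeight=10
          # clamd holds the signature database in memory; a MemoryMax below its
          # working set gets it SIGKILLed rather than slowed down, so leave headroom.
          MemoryHigh=40%
          MemoryMax=50%
      notify: reload systemd and restart clamav

    - name: Ensure the drop-in directory exists
      file:
        path: /etc/systemd/system/{{ clamav_unit }}.service.d
        state: directory
        mode: '0755'

    - name: Attach the daemon to the slice via a drop-in (never edit the unit in /lib)
      copy:
        dest: /etc/systemd/system/{{ clamav_unit }}.service.d/10-slice.conf
        content: |
          [Service]
          Slice=clamav.slice
      notify: reload systemd and restart clamav

  handlers:
    - name: reload systemd and restart clamav
      systemd:
        name: "{{ clamav_unit }}"
        state: restarted
        daemon_reload: true
```

Check the result with `systemctl show -p Slice,MemoryMax clamav-daemon` (or the clamd@scan instance) after the play; MemoryHigh throttles, MemoryMax invokes the OOM killer inside the slice.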
Hi,
Because of the loop in the main task that installs the needed packages, clamav pulls clam-data as a dependency (at least on RHEL 8, surely more).
Using the supported list-of-packages syntax resolves the problem.
PR on its way.
Regards,
Clément
I'm using this role in my playbooks and it's working nicely on CentOS 7. However, in my environment I need to set an HttpProxy in /etc/freshclam.conf. Would it be possible to add an extension point to allow this file to be configured in the same way that we can configure the clamav daemon?
Currently I have to do something like the following to get this to work, but it's pretty ugly:
- name: populate service facts
  service_facts:
- name: Use clamav role to do most of setup
  include_role:
    name: geerlingguy.clamav
  vars:
    # Don't change the state of the clamav_daemon - this is done in a later task once freshclam has been configured and run
    clamav_daemon_state: "{{ 'started' if (ansible_facts.services['clamd@scan.service'] is defined) and (ansible_facts.services['clamd@scan.service'].state == 'running') else 'stopped' }}"
- name: Configure proxy for freshclam
  lineinfile:
    path: /etc/freshclam.conf
    regex: "{{ item.regex }}"
    line: "{{ item.line }}"
  with_items:
    - { regex: '^#?Example', line: '#Example' }
    - { regex: '^#?HTTPProxyServer', line: 'HTTPProxyServer {{ http_proxy_host }}' }
    - { regex: '^#?HTTPProxyPort', line: 'HTTPProxyPort {{ http_proxy_port }}' }
  register: freshclam_config
- name: Run freshclam after changing freshclam config.
  command: freshclam
  when: freshclam_config.changed
  notify: restart clamav daemon
- name: Ensure clamav daemon is running
  service:
    name: clamd@scan
    state: started