This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide.
Description
This module provides an interface to the installation and management of ClamAV.
See REFERENCE.md for API documentation.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the simp-simp_options module for details. These catalysts are used by SIMP to allow users to override default behavior of classes that are included by default.
NOTE:
- SIMP's clamav class was removed from the default class list in all SIMP scenarios in SIMP 6.5. Users of SIMP 6.5 or later must manually add clamav to the class list or include it via a manifest.
- Because of the SIMP 6.5 clamav change, SIMP's simp_options::clamav catalyst has been deprecated and will be removed in a future release. In the interim, the catalyst is still used as a wrapper for this module for backwards compatibility. Therefore, you must have simp_options::clamav undefined or set to true for this module to do anything.
- Setting the SIMP catalyst, simp_options::clamav, to false does not uninstall ClamAV; it simply prevents this module from doing anything. See the Using clamav section below for how to remove ClamAV from the system.
Using clamav
This module can be used to add or remove clamav from a system.
To manage ClamAV with this module:
include clamav
By default, this module will install ClamAV and set up a cron job to run a scan.
To remove ClamAV from the system, set the following via Hiera:
---
clamav::enable: false
Enabling updates
Generally, your updates will be provided by an upstream package repository, such as EPEL. However, there are two optional methods for enabling DAT file updates.
freshclam
To enable the freshclam update system, set the following via Hiera:
---
clamav::enable_freshclam: true
NOTE: No additional configuration of freshclam is currently supported. To update the configuration file, you will need to create your own File resource.
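One way to follow the NOTE above, as an added example that is not part of this module: a hypothetical site profile, profile::clamav_freshclam, that manages the freshclam configuration with its own File resource. The class name, the /etc/freshclam.conf path and the directive values are assumptions to adjust for your site.

```puppet
# Added example: hypothetical site profile, not code from the simp-clamav module.
# Assumes Hiera already sets `clamav::enable_freshclam: true` and that the
# freshclam package reads /etc/freshclam.conf (assumed path; verify on your OS).
class profile::clamav_freshclam (
  String[1]     $config_file     = '/etc/freshclam.conf',  # assumed path
  String[1]     $database_dir    = '/var/lib/clamav',      # assumed path
  String[1]     $database_mirror = 'database.clamav.net',
  Integer[1,50] $checks_per_day  = 12,
) {
  # The module installs ClamAV and enables freshclam; this profile only
  # supplies the configuration file that the module does not manage.
  include clamav

  # Interpolated heredoc; the "|" on the end line strips the indentation.
  $content = @("CONF")
    # Managed by Puppet (profile::clamav_freshclam). Local edits are overwritten.
    DatabaseDirectory ${database_dir}
    DatabaseMirror ${database_mirror}
    Checks ${checks_per_day}
    LogSyslog yes
    | CONF

  file { $config_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    # World-readable is acceptable only because the file holds no secrets.
    # Restrict the mode before adding proxy credentials to the content.
    mode    => '0644',
    content => $content,
    # Apply after the clamav class so the package's default file is replaced.
    require => Class['clamav'],
  }
}
```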
rsync
You may choose to enable rsync downloads of the DAT files from a SIMP rsync server. The module defaults are already set to support this configuration.
Client side
Add the following to Hiera to enable rsync downloads:
---
clamav::enable_data_rsync: true
Server side
To add DAT files to the server, you should place them in /var/simp/environments/<environment>/rsync/Global/clamav and ensure that the permissions are set to 409:409.
Limitations
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
Development
Please see the SIMP Contribution Guidelines.
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites
Please refer to the SIMP Beaker Helpers documentation for more information.
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
- BEAKER_debug: show the commands being run on the SUT and their output.
- BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
- BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
- BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.