From a11c9a7c893c9e22771b0264ee25f0e3c9a2ba6f Mon Sep 17 00:00:00 2001
From: Stephane Armanet <stephanearmanet@esss.lu.se>
Date: Wed, 27 Feb 2019 11:31:12 +0100
Subject: [PATCH] add AV scanning
---
 defaults/main.yml | 2 ++
 meta/main.yml | 6 ++----
 molecule/default/molecule.yml | 2 ++
 tasks/main.yml | 38 +++++++++++++++++++++++++++--------
 templates/smb.conf.j2 | 28 ++++++++++++++++----------
 5 files changed, 53 insertions(+), 23 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 56d1eb0..1d190ee 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,3 +4,5 @@ smb_users:
 passwd: 'stephanearmanet_defaultpasswd'
 - username: "testuser1"
 passwd: "tiiiestuser1"
+
+smb_interface: eth0
diff --git a/meta/main.yml b/meta/main.yml
index 245a1f6..a762234 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -9,7 +9,5 @@ galaxy_info:
 - name: CentOS
 versions:
 - 7
-dependencies: []
-# List your role dependencies here, one per line.
-# Be sure to remove the '[]' above if you add dependencies
-# to this list.
+dependencies:
+ - role: ics-ans-role-repository
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 35283de..761637d 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -10,6 +10,8 @@ provisioner:
 inventory:
 group_vars:
 default_group:
+ host_vars:
+ ics-ans-role-samba-default:
 scenario:
 name: default
 verifier:
diff --git a/tasks/main.yml b/tasks/main.yml
index 279d456..0a893b3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,15 +5,27 @@
 state: present
 with_items:
 - samba
+ - clamd
-- name: enable samba services
- service:
- name: "{{ item }}"
- state: started
- enabled: true
+- name: copy clamav initial DB
+ copy:
+ src: "{{ item }}"
+ dest: "/var/lib/clamav/{{ item }}"
+ owner: root
+ group: root
+ mode: 0755
 with_items:
- - smb
- - nmb
+ - bytecode.cvd
+ - daily.cvd
+ - main.cvd
+
+- name: copy clamd config file
+ copy:
+ src: "scan.conf"
+ dest: "/etc/clamd.d/scan.conf"
+ owner: root
+ group: root
+ mode: 0755
 - name: setup smb.conf
 template:
@@ -24,6 +36,16 @@
 mode: 0755
 notify: restart_samba
+- name: enable services
+ service:
+ name: "{{ item }}"
+ state: started
+ enabled: true
+ with_items:
+ - smb
+ - nmb
+ - clamd@scan
+
 - name: create local user
 user:
 name: "{{ item.username }}"
@@ -39,7 +61,7 @@
 - name: create samba user
 shell: "(pdbedit --user={{ item.username }} 2>&1 > /dev/null) || (echo {{ item.passwd }};echo {{ item.passwd }}) | smbpasswd -s -a {{ item.username }}"
 with_items: "{{smb_users}}"
- no_log: false
+ no_log: true
 register: create_user_output
 changed_when: "'Added user' in create_user_output.stdout"
 when: user_created.changed
diff --git a/templates/smb.conf.j2 b/templates/smb.conf.j2
index 2f1d5d9..afa44ba 100644
--- a/templates/smb.conf.j2
+++ b/templates/smb.conf.j2
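Review bot: Both new `copy` tasks in the first tasks/main.yml hunk install plain data and configuration files (the `*.cvd` databases and `/etc/clamd.d/scan.conf`) with `mode: 0755`, which sets execute bits that nothing needs; `mode: '0644'`, quoted as Ansible recommends for octal modes, is the usual choice. The `copy clamd config file` task also carries no `notify`, unlike the `setup smb.conf` task right after it, so a later change to `scan.conf` would not reach a running `clamd@scan`; no handler for it is visible in this patch. Shipping `bytecode.cvd`, `daily.cvd` and `main.cvd` from the role pins the signature set to whatever was committed, and root ownership may prevent an unprivileged updater from replacing them, so it is worth confirming that signature updates are configured elsewhere.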
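Review bot: `no_log: true` in the last tasks/main.yml hunk keeps the password out of Ansible's output, but the `shell` line of `create samba user` still expands `{{ item.passwd }}` and `{{ item.username }}` unquoted into the command string. The password is therefore part of the shell's command line on the managed host while the task runs, and any shell metacharacter in either value changes what is executed. Passing the password on standard input with `stdin: "{{ item.passwd }}\n{{ item.passwd }}"` under `args:`, and writing `{{ item.username | quote }}` in the command, would address both; this is untested against the role. The redirection `2>&1 > /dev/null` on the same line sends stderr to the original stdout instead of discarding it, so `> /dev/null 2>&1` is probably what was meant.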
@@ -4,21 +4,27 @@
 security = user
 passdb backend = tdbsam
+ log level = 3
+ log file = /var/log/samba/samba.log
+ interfaces = {{ smb_interface }}
 printing = bsd
 printcap name = /dev/null
 disable spoolss = yes
 load printers = no
-{% for user in smb_users %}
-[ {{user.username}} ]
- path = /home/{{ user.username }}
- comment = {{ user.username }} Directories
- valid users = {{ user.username }}
- browseable = No
- read only = No
- inherit acls = Yes
-{% endfor %}
-
-
+[homes]
+ comment = Home Directory
+ read only = No
+ browseable = No
+ valid users = %S
+ vfs objects = virusfilter
+ virusfilter:scanner = clamav
+ virusfilter:socket path = /run/clamd.scan/clamd.sock
+ virusfilter:connect timeout = 30000
+ virusfilter:scan on open = yes
+ #virusfilter:scan on close = yes
+ virusfilter:max file size = 1000000000
+ virusfilter:infected file action = quarantine
+ virusfilter:quarantine directory = /var/tmp/quarantine
-- 
GitLab
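Review bot: `virusfilter:quarantine directory = /var/tmp/quarantine` in the new `[homes]` section puts quarantined files under a world-writable parent, and no task in this patch creates that directory, so a local account could create it first with its own ownership and permissions. A dedicated directory created by the role as root with a restrictive mode avoids that, for example `virusfilter:quarantine directory = /var/lib/samba/quarantine` (example path). With `scan on close` commented out, a newly written file is only checked when it is next opened. If I read the module defaults correctly, a scanner failure or timeout also lets the open proceed, so `virusfilter:block access on error = yes` is worth considering. `log level = 3` in the global section, whose header is outside the hunk, is verbose for steady-state use.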