(SIMP-7113) Remove clamav from default class list (#46)

- Updated the README to clarify what simp_options::clamav actually does
  and to note that clamav was removed from the SIMP's default class list
  in SIMP 6.5.
- Set the default for clamav::set_schedule::enable to lookup clamav::enable,
  so that class will remove the clamav schedule if clamav is disabled.

SIMP-7113 #close
SIMP-7161 #close
SIMP-7163 #close

CHANGELOG

@@ -1,3 +1,10 @@
+* Tue Oct 29 2019 Jeanne Greulich <[email protected]> - 6.4.0-0
+- Updated the README to clarify what simp_options::clamav actually does
+  and to note that clamav was removed from the SIMP's default class list
+  in SIMP 6.5.
+- Set the default for clamav::set_schedule::enable to lookup clamav::enable,
+  so that class will remove the clamav schedule if clamav is disabled.
+
 * Tue Sep 24 2019 Trevor Vaughan <[email protected]> - 6.4.0-0
 - Disable rsync pulls by default
 - Update README.md

README.md

@@ -54,18 +54,41 @@ it can be used independently:
 
   * If used independently, all SIMP-managed security subsystems are disabled by
     default and must be explicitly opted into by administrators.  Please review
-    the `simp-simp_options` module for details.
+    the `simp-simp_options` module for details.  These catalysts are used by
+    SIMP to allow users to override default behavior of classes that are
+    included by default.
 
+**NOTE:**
+
+* SIMP's `clamav` class was removed from the default class list in all SIMP
+  scenarios in SIMP 6.5.  Users of SIMP 6.5 or later must manually add `clamav`
+  to the class list or include it via a manifest.
+
+* Because of the SIMP 6.5 clamav change, SIMP's `simp_options::clamav` catalyst
+  has been deprecated and will be removed in a future release.  In the interim,
+  the catalyst is still used as a wrapper for this module for backwards
+  compatibility.  Therefore, you must have `simp_options::clamav` undefined or set
+  to `true` for this module to do anything.
+
+* Setting the SIMP catalyst, `simp_options::clamav`, to `false` does *not* uninstall
+  ClamAV, it simply prevents this module from doing anything.  See the
+  ``Using clamav`` section below for how to remove ClamAV from the system.
 
 ## Using clamav
 
-To configure ClamAV to install and run:
+This module can be used to add or remove clamav from a system.
+
+To manage ClamAV with this module:
 
 ```puppet
 include clamav
 ```
 
-To remove clamav from the system, set the following via Hiera:
+By default this module will install ClamAV and set up a cron
+to do a scan.
+
+
+To remove ClamAV from the system set the following via Hiera:
 
 ```yaml
 ---

manifests/init.pp

@@ -70,7 +70,8 @@
 
   simplib::assert_metadata($module_name)
 
-  # If the catalyst is disabled, don't manage anything
+  # Setting simp_options::clamav to false disables this module and it will do nothing.
+  # It will not remove clamav from a system.  See README for more information.
   if simplib::lookup('simp_options::clamav', { 'default_value' =>  true }) {
 
     if $schedule_scan {

manifests/set_schedule.pp

@@ -42,7 +42,7 @@
 # @author Trevor Vaughan <[email protected]>
 #
 class clamav::set_schedule (
-  Boolean                       $enable            = true,
+  Boolean                       $enable            = simplib::lookup('clamav::enable', { 'default_value' => true}),
   Simplib::Cron::Minute         $minute            = '32',
   Simplib::Cron::Hour           $hour              = '5',
   Simplib::Cron::MonthDay       $monthday          = '*',

spec/acceptance/suites/default/00_default_spec.rb

@@ -68,6 +68,11 @@
         it { is_expected.to be_file }
       }
 
+      it 'should create a crontab entry' do
+        stdout = on(client, 'crontab -l' ).stdout
+        expect(stdout).to include('/usr/bin/clamscan -l /var/log/clamscan.log')
+      end
+
       if on(client, '/usr/sbin/selinuxenabled', :accept_all_exit_codes => true).exit_code == 0
         it 'should have the selinux boolean "antivirus_can_scan_system" set' do
           result = on(client, '/usr/sbin/getsebool antivirus_can_scan_system')
@@ -98,6 +103,11 @@
         it { is_expected.to_not be_file }
       }
 
+      it 'should not create a crontab entry' do
+        stdout = on(client, 'crontab -l' ).stdout
+        expect(stdout).not_to include('/usr/bin/clamscan -l /var/log/clamscan.log')
+      end
+
       if on(client, '/usr/sbin/selinuxenabled', :accept_all_exit_codes => true).exit_code == 0
         it 'should have the selinux boolean "antivirus_can_scan_system" set' do
           result = on(client, '/usr/sbin/getsebool antivirus_can_scan_system')

spec/classes/init_spec.rb

@@ -10,35 +10,38 @@
       let(:environment) {'production'}
 
       context "on #{os}" do
-        it { is_expected.to create_class('clamav') }
-        it { is_expected.to compile.with_all_deps }
+        context 'with default params' do
+          it { is_expected.to create_class('clamav') }
+          it { is_expected.to compile.with_all_deps }
 
-        it { is_expected.to create_group('clam').with_ensure('present') }
-        it { is_expected.to create_user('clam').with({
-          :ensure    => 'present',
-          :allowdupe => false,
-          :uid       => '409',
-          :shell     => '/sbin/nologin',
-          :gid       => 'clam',
-          :home      => '/var/lib/clamav',
-          :require   => 'Group[clam]'
-          })
-        }
-        it { is_expected.to contain_package('clamav').with({
-            :ensure  => 'installed',
-            :require => ['User[clam]', 'Group[clam]']
-          })
-        }
-        it { is_expected.to contain_package('clamav-lib.i386').with({
-            :ensure => 'absent',
-            :notify => 'Package[clamav]'
-          })
-        }
-        it { is_expected.to contain_file('/etc/cron.daily/freshclam').with_ensure('absent') }
-        it { is_expected.not_to contain_rsync('clamav').with({
-          :source => 'clamav_production/'
-          })
-        }
+          it { is_expected.to create_group('clam').with_ensure('present') }
+          it { is_expected.to create_user('clam').with({
+            :ensure    => 'present',
+            :allowdupe => false,
+            :uid       => '409',
+            :shell     => '/sbin/nologin',
+            :gid       => 'clam',
+            :home      => '/var/lib/clamav',
+            :require   => 'Group[clam]'
+            })
+          }
+          it { is_expected.to contain_package('clamav').with({
+              :ensure  => 'installed',
+              :require => ['User[clam]', 'Group[clam]']
+            })
+          }
+          it { is_expected.to contain_package('clamav-lib.i386').with({
+              :ensure => 'absent',
+              :notify => 'Package[clamav]'
+            })
+          }
+          it { is_expected.to contain_file('/etc/cron.daily/freshclam').with_ensure('absent') }
+          it { is_expected.not_to contain_rsync('clamav').with({
+            :source => 'clamav_production/'
+            })
+          }
+          it { is_expected.to contain_class('clamav::set_schedule')}
+        end
 
         context 'with manage_group_and_user => false' do
           let(:params) {{
@@ -98,6 +101,18 @@
           it { is_expected.to contain_file('/etc/cron.daily/freshclam').with_ensure('absent') }
           it { is_expected.not_to contain_rsync('clamav') }
         end
+
+        context 'with enable => false and manage user and group false' do
+          let(:params) {{
+            :enable => false,
+            :schedule_scan => false,
+            :manage_group_and_user => false
+          }}
+          it { is_expected.to contain_package('clamav').with_ensure('absent') }
+          it { is_expected.to contain_file('/etc/cron.daily/freshclam').with_ensure('absent') }
+          it { is_expected.not_to contain_rsync('clamav') }
+          it { is_expected.to_not contain_class('clamav::set_schedule')}
+        end
       end
     end
   end