From 3601ec1064f00c19e18994061e62991f8fe47b09 Mon Sep 17 00:00:00 2001 From: jeannegreulich Date: Thu, 31 Oct 2019 16:59:12 -0400 Subject: [PATCH] (SIMP-7113) Remove clamav from default class list (#46) - Updated the README to clarify what simp_options::clamav actually does and to note that clamav was removed from the SIMP's default class list in SIMP 6.5. - Set the default for clamav::set_schedule::enable to lookup clamav::enable, so that class will remove the clamav schedule if clamav is disabled. SIMP-7113 #close SIMP-7161 #close SIMP-7163 #close
---
 CHANGELOG | 7 ++
 README.md | 29 +++++++-
 manifests/init.pp | 3 +-
 manifests/set_schedule.pp | 2 +-
 .../suites/default/00_default_spec.rb | 10 +++
 spec/classes/init_spec.rb | 71 +++++++++++--------
 6 files changed, 89 insertions(+), 33 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 3599afa..6a31595 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,10 @@
+* Tue Oct 29 2019 Jeanne Greulich - 6.4.0-0
+- Updated the README to clarify what simp_options::clamav actually does and to note that clamav was removed from the SIMP's default class list in SIMP 6.5.
+- Set the default for clamav::set_schedule::enable to lookup clamav::enable, so that class will remove the clamav schedule if clamav is disabled.
+
 * Tue Sep 24 2019 Trevor Vaughan - 6.4.0-0
 - Disable rsync pulls by default
 - Update README.md
diff --git a/README.md b/README.md
index 3a4a80a..4a62fbd 100644
--- a/README.md
+++ b/README.md
@@ -54,18 +54,41 @@ it can be used independently:
 * If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review
- the `simp-simp_options` module for details.
+ the `simp-simp_options` module for details. These catalysts are used by
+ SIMP to allow users to override default behavior of classes that are
+ included by default.
+**NOTE:**
+
+* SIMP's `clamav` class was removed from the default class list in all SIMP scenarios in SIMP 6.5. Users of SIMP 6.5 or later must manually add `clamav` to the class list or include it via a manifest.
+
+* Because of the SIMP 6.5 clamav change, SIMP's `simp_options::clamav` catalyst has been deprecated and will be removed in a future release. In the interim, the catalyst is still used as a wrapper for this module for backwards compatibility. Therefore, you must have `simp_options::clamav` undefined or set to `true` for this module to do anything.
+
+* Setting the SIMP catalyst, `simp_options::clamav`, to `false` does *not* uninstall ClamAV, it simply prevents this module from doing anything. See the ``Using clamav`` section below for how to remove ClamAV from the system.
 ## Using clamav
-To configure ClamAV to install and run:
+This module can be used to add or remove clamav from a system.
+
+To manage ClamAV with this module:
 ```puppet
 include clamav
 ```
-To remove clamav from the system, set the following via Hiera:
+By default this module will install ClamAV and set up a cron
+to do a scan.
+
+
+To remove ClamAV from the system set the following via Hiera:
 ```yaml
 ---
@@ -70,7 +70,8 @@
 simplib::assert_metadata($module_name)
- # If the catalyst is disabled, don't manage anything
+ # Setting simp_options::clamav to false disables this module and it will do nothing.
+ # It will not remove clamav from a system. See README for more information.
 if simplib::lookup('simp_options::clamav', { 'default_value' => true }) {
 if $schedule_scan {
diff --git a/manifests/set_schedule.pp b/manifests/set_schedule.pp
index 3977646..37400d1 100644
--- a/manifests/set_schedule.pp
+++ b/manifests/set_schedule.pp
@@ -42,7 +42,7 @@
 # @author Trevor Vaughan
 #
 class clamav::set_schedule (
- Boolean $enable = true,
+ Boolean $enable = simplib::lookup('clamav::enable', { 'default_value' => true}),
 Simplib::Cron::Minute $minute = '32',
 Simplib::Cron::Hour $hour = '5',
 Simplib::Cron::MonthDay $monthday = '*',
diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/suites/default/00_default_spec.rb
index 988c552..5e7a978 100644
--- a/spec/acceptance/suites/default/00_default_spec.rb
+++ b/spec/acceptance/suites/default/00_default_spec.rb
@@ -68,6 +68,11 @@
 it { is_expected.to be_file }
 }
+ it 'should create a crontab entry' do
+ stdout = on(client, 'crontab -l' ).stdout
+ expect(stdout).to include('/usr/bin/clamscan -l /var/log/clamscan.log')
+ end
+
 if on(client, '/usr/sbin/selinuxenabled', :accept_all_exit_codes => true).exit_code == 0
 it 'should have the selinux boolean "antivirus_can_scan_system" set' do
 result = on(client, '/usr/sbin/getsebool antivirus_can_scan_system')
@@ -98,6 +103,11 @@
 it { is_expected.to_not be_file }
 }
+ it 'should not create a crontab entry' do
+ stdout = on(client, 'crontab -l' ).stdout
+ expect(stdout).not_to include('/usr/bin/clamscan -l /var/log/clamscan.log')
+ end
+
 if on(client, '/usr/sbin/selinuxenabled', :accept_all_exit_codes => true).exit_code == 0
 it 'should have the selinux boolean "antivirus_can_scan_system" set' do
 result = on(client, '/usr/sbin/getsebool antivirus_can_scan_system')
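Review bot: The rewritten comment above the `simplib::lookup('simp_options::clamav', ...)` gate does not mention that the catalyst is deprecated, although the README change in this same commit says so; a maintainer reading init.pp alone gets no cue that the gate is meant to go away. Suggest adding a third comment line, `# NOTE: simp_options::clamav is deprecated (see README); remove this gate when the catalyst is dropped.` The enclosing class body continues outside the hunk.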
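Review bot: The default of `$enable` is now a lookup of `clamav::enable` rather than the literal `true`, but the `@param enable` documentation above the hunk (outside it) is not updated to say so; it should state that the default follows `clamav::enable` and falls back to `true` when that key is unset. As far as I can tell the lookup only picks up a value set through a resource-like declaration of `clamav` if `clamav` has already been evaluated when `clamav::set_schedule` is declared, so if this class is declared on its own the value comes from Hiera or the default; that ordering caveat belongs in the same doc comment. Minor style: `{ 'default_value' => true}` lacks the space before `}` that the same call in init.pp uses, `{ 'default_value' => true }`.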
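Review bot: `on(client, 'crontab -l' ).stdout` has a stray space before the closing parenthesis; `stdout = on(client, 'crontab -l').stdout`. The same line appears in the second hunk of this file. Note also that `crontab -l` lists only the crontab of the user the harness logs in as, so if the scan cron in set_schedule.pp is installed for another user this positive check would miss it; worth confirming against the cron resource.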
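Review bot: In `should not create a crontab entry`, `crontab -l` exits non-zero when the user has no crontab at all, and Beaker's `on` treats a non-zero exit as a failure unless told otherwise, so on a host that never had a crontab this negative check errors instead of passing. Pass the option the `selinuxenabled` call below already uses: `stdout = on(client, 'crontab -l', :accept_all_exit_codes => true).stdout`.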
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 36248c9..553f6f2 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -10,35 +10,38 @@
 let(:environment) {'production'}
 context "on #{os}" do
- it { is_expected.to create_class('clamav') }
- it { is_expected.to compile.with_all_deps }
+ context 'with default params' do
+ it { is_expected.to create_class('clamav') }
+ it { is_expected.to compile.with_all_deps }
- it { is_expected.to create_group('clam').with_ensure('present') }
- it { is_expected.to create_user('clam').with({
- :ensure => 'present',
- :allowdupe => false,
- :uid => '409',
- :shell => '/sbin/nologin',
- :gid => 'clam',
- :home => '/var/lib/clamav',
- :require => 'Group[clam]'
- })
- }
- it { is_expected.to contain_package('clamav').with({
- :ensure => 'installed',
- :require => ['User[clam]', 'Group[clam]']
- })
- }
- it { is_expected.to contain_package('clamav-lib.i386').with({
- :ensure => 'absent',
- :notify => 'Package[clamav]'
- })
- }
- it { is_expected.to contain_file('/etc/cron.daily/freshclam').with_ensure('absent') }
- it { is_expected.not_to contain_rsync('clamav').with({
- :source => 'clamav_production/'
- })
- }
+ it { is_expected.to create_group('clam').with_ensure('present') }
+ it { is_expected.to create_user('clam').with({
+ :ensure => 'present',
+ :allowdupe => false,
+ :uid => '409',
+ :shell => '/sbin/nologin',
+ :gid => 'clam',
+ :home => '/var/lib/clamav',
+ :require => 'Group[clam]'
+ })
+ }
+ it { is_expected.to contain_package('clamav').with({
+ :ensure => 'installed',
+ :require => ['User[clam]', 'Group[clam]']
+ })
+ }
+ it { is_expected.to contain_package('clamav-lib.i386').with({
+ :ensure => 'absent',
+ :notify => 'Package[clamav]'
+ })
+ }
+ it { is_expected.to contain_file('/etc/cron.daily/freshclam').with_ensure('absent') }
+ it { is_expected.not_to contain_rsync('clamav').with({
+ :source => 'clamav_production/'
+ })
+ }
+ it { is_expected.to contain_class('clamav::set_schedule')}
+ end
 context 'with manage_group_and_user => false' do
 let(:params) {{
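Review bot: The new `it { is_expected.to contain_class('clamav::set_schedule')}` only checks that the class is included; it does not exercise the `clamav::enable` lookup that this commit introduces as the class's `$enable` default. Pinning the parameter makes the default observable, `it { is_expected.to contain_class('clamav::set_schedule').with_enable(true) }`, and also fixes the missing space before the closing brace.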
@@ -98,6 +101,18 @@
 it { is_expected.to contain_file('/etc/cron.daily/freshclam').with_ensure('absent') }
 it { is_expected.not_to contain_rsync('clamav') }
 end
+
+ context 'with enable => false and manage user and group false' do
+ let(:params) {{
+ :enable => false,
+ :schedule_scan => false,
+ :manage_group_and_user => false
+ }}
+ it { is_expected.to contain_package('clamav').with_ensure('absent') }
+ it { is_expected.to contain_file('/etc/cron.daily/freshclam').with_ensure('absent') }
+ it { is_expected.not_to contain_rsync('clamav') }
+ it { is_expected.to_not contain_class('clamav::set_schedule')}
+ end
 end
 end
 end
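Review bot: The new context sets `:schedule_scan => false` alongside `:enable => false`, so `to_not contain_class('clamav::set_schedule')` is satisfied by `schedule_scan` alone and never reaches the `clamav::enable` lookup this commit adds as the `$enable` default; the stated goal, removing the schedule when clamav is disabled, has no unit test. A context with `enable => false` and `schedule_scan` left at its default (the default-params context above shows the class is then included) should assert the class is included with `enable => false`, which as far as I can tell requires `clamav` to be evaluated before the lookup runs. The enclosing `describe` blocks close outside the hunk.

```ruby
context 'with enable => false and schedule_scan at its default' do
  let(:params) {{ :enable => false }}
  it { is_expected.to contain_class('clamav::set_schedule').with_enable(false) }
end
```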