diff --git a/.github/workflows/clamav.yml b/.github/workflows/clamav.yml
new file mode 100644
index 0000000000..58c3067cf3
--- /dev/null
+++ b/.github/workflows/clamav.yml
@@ -0,0 +1,46 @@
+name: ClamAV - Install/Upgrade/Remove
+run-name: ClamAV - ${{ inputs.environment }} ClamAV in ${{ inputs.environment }} using ${{ inputs.gitRef }}
+
+on:
+workflow_dispatch:
+inputs:
+environment:
+description: "Environment"
+required: true
+type: environment
+action:
+description: "Action"
+required: true
+type: choice
+options:
+- install
+- upgrade
+- uninstall
+clamavImageTag:
+description: "ClamAV Image Tag"
+required: true
+default: "main"
+gitRef:
+description: "Git Ref"
+required: true
+default: "main"
+
+jobs:
+manageClamav:
+name: ${{ inputs.environment }} ClamAV in ${{ inputs.environment }}
+runs-on: ubuntu-latest
+environment: ${{ inputs.environment }}
+env:
+NAMESPACE: ${{ secrets.OPENSHIFT_ENV_NAMESPACE }}
+steps:
+- name: Checkout Target Branch
+uses: actions/checkout@v4
+with:
+ref: ${{ inputs.gitRef }}
+- name: Log in to OpenShift
+run: |
+oc login --token=${{ secrets.SA_TOKEN }} --server=${{ vars.OPENSHIFT_CLUSTER_URL }}
+- name: Manage ClamAV
+working-directory: "./devops/helm/clamAV/main/"
+run: |
+make ${{ inputs.action }} NAMESPACE=${{ secrets.OPENSHIFT_ENV_NAMESPACE }} IMAGE_TAG=${{ inputs.clamavImageTag }}
diff --git a/.gitignore b/.gitignore
index 80dff693b8..9f0b2998c4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,6 @@
 testing/**/report/
 videos/
 cypress.env.json
+charts/
+template.yaml
+*.secret.yaml
\ No newline at end of file
diff --git a/devops/helm/clamAV/_clamav/.helmignore b/devops/helm/clamAV/_clamav/.helmignore
new file mode 100755
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/devops/helm/clamAV/_clamav/.helmignore
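Review bot: The `Manage ClamAV` step expands the free-text `clamavImageTag` input straight into the shell with `IMAGE_TAG=${{ inputs.clamavImageTag }}`, so whatever a dispatcher types becomes part of the command line rather than an argument, and the same line re-expands `secrets.OPENSHIFT_ENV_NAMESPACE` although the job already exports it as `NAMESPACE`. Passing the inputs through the step's `env:` and quoting them in the script keeps them as data; the same pattern applies to `--token=${{ secrets.SA_TOKEN }}` in the login step, where the token otherwise lands on the `oc` command line. `action` is a `choice` input and `gitRef` only reaches `actions/checkout`, so those two are already constrained. Separately, `run-name` and the job `name` interpolate `inputs.environment` twice; the first occurrence presumably was meant to be `inputs.action`, e.g. `run-name: ClamAV - ${{ inputs.action }} ClamAV in ${{ inputs.environment }} using ${{ inputs.gitRef }}`.
```yaml
# … unchanged: name, run-name, workflow_dispatch inputs, job header, checkout step …
      - name: Log in to OpenShift
        env:
          SA_TOKEN: ${{ secrets.SA_TOKEN }}
          CLUSTER_URL: ${{ vars.OPENSHIFT_CLUSTER_URL }}
        run: |
          oc login --token="$SA_TOKEN" --server="$CLUSTER_URL"
      - name: Manage ClamAV
        working-directory: "./devops/helm/clamAV/main/"
        env:
          ACTION: ${{ inputs.action }}
          IMAGE_TAG: ${{ inputs.clamavImageTag }}
        run: |
          make "$ACTION" NAMESPACE="$NAMESPACE" IMAGE_TAG="$IMAGE_TAG"
```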
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/devops/helm/clamAV/_clamav/Chart.yaml b/devops/helm/clamAV/_clamav/Chart.yaml
new file mode 100755
index 0000000000..34cc931819
--- /dev/null
+++ b/devops/helm/clamAV/_clamav/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: clamav
+description: A Helm chart for ClamAV
+type: application
+version: 0.1.0
+appVersion: "0.1.0"
diff --git a/devops/helm/clamAV/_clamav/README.md b/devops/helm/clamAV/_clamav/README.md
new file mode 100755
index 0000000000..a97985390e
--- /dev/null
+++ b/devops/helm/clamAV/_clamav/README.md
@@ -0,0 +1,15 @@
+# ClamAV
+
+## Test the image locally
+
+```sh
+docker run -it --rm \
+--mount type=bind,source=/path/to/configurations,target=/etc/clamav \
+--env 'CLAMAV_NO_CLAMD=false' \
+--env 'CLAMAV_NO_FRESHCLAMD=false' \
+--env 'CLAMAV_NO_MILTERD=true' \
+--env 'CLAMD_STARTUP_TIMEOUT=1800' \
+--env 'FRESHCLAM_CHECKS=1' \
+-p 3310:3310 \
+ghcr.io/bcgov/clamav-unprivileged:main
+```
diff --git a/devops/helm/clamAV/_clamav/configurations/1.0/clamav-milter.conf b/devops/helm/clamAV/_clamav/configurations/1.0/clamav-milter.conf
new file mode 100755
index 0000000000..94ba1f9640
--- /dev/null
+++ b/devops/helm/clamAV/_clamav/configurations/1.0/clamav-milter.conf
@@ -0,0 +1,292 @@ +## +## Example config file for clamav-milter +## + +## +## Main options +## + +# Define the interface through which we communicate with sendmail +# This option is mandatory! Possible formats are: +# [[unix|local]:]/path/to/file - to specify a unix domain socket +# inet:port@[hostname|ip-address] - to specify an ipv4 socket +# inet6:port@[hostname|ip-address] - to specify an ipv6 socket +# +# Default: no default +#MilterSocket /tmp/clamav-milter.socket +#MilterSocket inet:7357 + +# Define the group ownership for the (unix) milter socket. +# Default: disabled (the primary group of the user running clamd) +#MilterSocketGroup virusgroup + +# Sets the permissions on the (unix) milter socket to the specified mode. +# Default: disabled (obey umask) +#MilterSocketMode 660 + +# Remove stale socket after unclean shutdown. +# +# Default: yes +#FixStaleSocket yes + +# Run as another user (clamav-milter must be started by root for this option +# to work) +# +# Default: unset (don't drop privileges) +#User clamav + +# Waiting for data from clamd will timeout after this time (seconds). +# Value of 0 disables the timeout. +# +# Default: 120 +#ReadTimeout 300 + +# Don't fork into background. +# +# Default: no +#Foreground yes + +# Chroot to the specified directory. +# Chrooting is performed just after reading the config file and before +# dropping privileges. +# +# Default: unset (don't chroot) +#Chroot /newroot + +# This option allows you to save a process identifier of the listening +# daemon. +# This file will be owned by root, as long as clamav-milter was started by +# root. It is recommended that the directory where this file is stored is +# also owned by root to keep other users from tampering with it. +# +# Default: disabled +#PidFile /var/run/clamav-milter.pid + +# Optional path to the global temporary directory. +# Default: system specific (usually /tmp or /var/tmp). 
+# +#TemporaryDirectory /var/tmp + +## +## Clamd options +## + +# Define the clamd socket to connect to for scanning. +# This option is mandatory! Syntax: +# ClamdSocket unix:path +# ClamdSocket tcp:host:port +# The first syntax specifies a local unix socket (needs an absolute path) e.g.: +# ClamdSocket unix:/var/run/clamd/clamd.socket +# The second syntax specifies a tcp local or remote tcp socket: the +# host can be a hostname or an ip address; the ":port" field is only required +# for IPv6 addresses, otherwise it defaults to 3310, e.g.: +# ClamdSocket tcp:192.168.0.1 +# +# This option can be repeated several times with different sockets or even +# with the same socket: clamd servers will be selected in a round-robin +# fashion. +# +# Default: no default +#ClamdSocket tcp:scanner.mydomain:7357 + + +## +## Exclusions +## + +# Messages originating from these hosts/networks will not be scanned +# This option takes a host(name)/mask pair in CIRD notation and can be +# repeated several times. If "/mask" is omitted, a host is assumed. +# To specify a locally originated, non-smtp, email use the keyword "local" +# +# Default: unset (scan everything regardless of the origin) +#LocalNet local +#LocalNet 192.168.0.0/24 +#LocalNet 1111:2222:3333::/48 + +# This option specifies a file which contains a list of basic POSIX regular +# expressions. Addresses (sent to or from - see below) matching these regexes +# will not be scanned. Optionally each line can start with the string "From:" +# or "To:" (note: no whitespace after the colon) indicating if it is, +# respectively, the sender or recipient that is to be allowed. +# If the field is missing, "To:" is assumed. +# Lines starting with #, : or ! are ignored. +# +# Default unset (no exclusion applied) +#AllowList /etc/allowed_addresses + +# Messages from authenticated SMTP users matching this extended POSIX +# regular expression (egrep-like) will not be scanned. 
+# As an alternative, a file containing a plain (not regex) list of names (one +# per line) can be specified using the prefix "file:". +# e.g. SkipAuthenticated file:/etc/good_guys +# +# Note: this is the AUTH login name! +# +# Default: unset (no allowing based on SMTP auth) +#SkipAuthenticated ^(tom|dick|henry)$ + +# Messages larger than this value won't be scanned. +# Make sure this value is lower or equal than StreamMaxLength in clamd.conf +# +# Default: 25M +#MaxFileSize 10M + + +## +## Actions +## + +# The following group of options controls the delivery process under +# different circumstances. +# The following actions are available: +# - Accept +# The message is accepted for delivery +# - Reject +# Immediately refuse delivery (a 5xx error is returned to the peer) +# - Defer +# Return a temporary failure message (4xx) to the peer +# - Blackhole (not available for OnFail) +# Like Accept but the message is sent to oblivion +# - Quarantine (not available for OnFail) +# Like Accept but message is quarantined instead of being delivered +# +# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ +# For Postfix this causes the message to be placed on hold +# +# Action to be performed on clean messages (mostly useful for testing) +# Default: Accept +#OnClean Accept + +# Action to be performed on infected messages +# Default: Quarantine +#OnInfected Quarantine + +# Action to be performed on error conditions (this includes failure to +# allocate data structures, no scanners available, network timeouts, +# unknown scanner replies and the like) +# Default: Defer +#OnFail Defer + +# This option allows to set a specific rejection reason for infected messages +# and it's therefore only useful together with "OnInfected Reject" +# The string "%v", if present, will be replaced with the virus name. 
+# Default: MTA specific +#RejectMsg + +# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an +# "X-Virus-Status" headers will be attached to each processed message, possibly +# replacing existing headers. +# If it is set to Add, the X-Virus headers are added possibly on top of the +# existing ones. +# Note that while "Replace" can potentially break DKIM signatures, "Add" may +# confuse procmail and similar filters. +# Default: no +#AddHeader Replace + +# When AddHeader is in use, this option allows to arbitrary set the reported +# hostname. This may be desirable in order to avoid leaking internal names. +# If unset the real machine name is used. +# Default: disabled +#ReportHostname my.mail.server.name + +# Execute a command (possibly searching PATH) when an infected message is +# found. +# The following parameters are passed to the invoked program in this order: +# virus name, queue id, sender, destination, subject, message id, message date. +# Note #1: this requires MTA macroes to be available (see LogInfected below) +# Note #2: the process is invoked in the context of clamav-milter +# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to +# avoid unnecessary delays in email delivery +# Default: disabled +#VirusAction /usr/local/bin/my_infected_message_handler + +## +## Logging options +## + +# Uncomment this option to enable logging. +# LogFile must be writable for the user running daemon. +# A full path is required. +# +# Default: disabled +#LogFile /tmp/clamav-milter.log + +# By default the log file is locked for writing - the lock protects against +# running clamav-milter multiple times. +# This option disables log file locking. +# +# Default: no +#LogFileUnlock yes + +# Maximum size of the log file. +# Value of 0 disables the limit. +# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) +# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size +# in bytes just don't use modifiers. 
If LogFileMaxSize is enabled, log +# rotation (the LogRotate option) will always be enabled. +# +# Default: 1M +#LogFileMaxSize 2M + +# Log time with each message. +# +# Default: no +#LogTime yes + +# Use system logger (can work together with LogFile). +# +# Default: no +#LogSyslog yes + +# Specify the type of syslog messages - please refer to 'man syslog' +# for facility names. +# +# Default: LOG_LOCAL6 +#LogFacility LOG_MAIL + +# Enable verbose logging. +# +# Default: no +#LogVerbose yes + +# Enable log rotation. Always enabled when LogFileMaxSize is enabled. +# Default: no +#LogRotate yes + +# This option allows to tune what is logged when a message is infected. +# Possible values are Off (the default - nothing is logged), +# Basic (minimal info logged), Full (verbose info logged) +# Note: +# For this to work properly in sendmail, make sure the msg_id, mail_addr, +# rcpt_addr and i macroes are available in eom. In other words add a line like: +# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i +# to your .cf file. Alternatively use the macro: +# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i') +# Postfix should be working fine with the default settings. +# +# Default: disabled +#LogInfected Basic + +# This option allows to tune what is logged when no threat is found in +# a scanned message. +# See LogInfected for possible values and caveats. +# Useful in debugging but drastically increases the log size. +# Default: disabled +#LogClean Basic + +# This option affects the behaviour of LogInfected, LogClean and VirusAction +# when a message with multiple recipients is scanned: +# If SupportMultipleRecipients is off (the default) +# then one single log entry is generated for the message and, in case the +# message is determined to be malicious, the command indicated by VirusAction +# is executed just once. In both cases only the last recipient is reported. 
+# If SupportMultipleRecipients is on: +# then one line is logged for each recipient and the command indicated +# by VirusAction is also executed once for each recipient. +# +# Note: although it's probably a good idea to enable this option, the default +# value +# is currently set to off for legacy reasons. +# Default: no +#SupportMultipleRecipients yes diff --git a/devops/helm/clamAV/_clamav/configurations/1.0/clamd.conf b/devops/helm/clamAV/_clamav/configurations/1.0/clamd.conf new file mode 100755 index 0000000000..68e3b0f2db --- /dev/null +++ b/devops/helm/clamAV/_clamav/configurations/1.0/clamd.conf 
@@ -0,0 +1,813 @@ +## +## Example config file for the Clam AV daemon +## Please read the clamd.conf(5) manual before editing this file. +## + +# Uncomment this option to enable logging. +# LogFile must be writable for the user running daemon. +# A full path is required. +# Default: disabled +LogFile /var/log/clamd.log + +# By default the log file is locked for writing - the lock protects against +# running clamd multiple times (if want to run another clamd, please +# copy the configuration file, change the LogFile variable, and run +# the daemon with --config-file option). +# This option disables log file locking. +# Default: no +LogFileUnlock yes + +# Maximum size of the log file. +# Value of 0 disables the limit. +# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) +# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size +# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log +# rotation (the LogRotate option) will always be enabled. +# Default: 1M +LogFileMaxSize 2M + +# Log time with each message. +# Default: no +LogTime yes + +# Also log clean files. Useful in debugging but drastically increases the +# log size. +# Default: no +LogClean yes + +# Use system logger (can work together with LogFile). +# Default: no +LogSyslog yes + +# Specify the type of syslog messages - please refer to 'man syslog' +# for facility names. +# Default: LOG_LOCAL6 +#LogFacility LOG_MAIL + +# Enable verbose logging. +# Default: no +LogVerbose yes + +# Enable log rotation. Always enabled when LogFileMaxSize is enabled. +# Default: no +LogRotate yes + +# Enable Prelude output. +# Default: no +#PreludeEnable yes +# +# Set the name of the analyzer used by prelude-admin. +# Default: ClamAV +#PreludeAnalyzerName ClamAV + +# Log additional information about the infected file, such as its +# size and hash, together with the virus name. 
+#ExtendedDetectionInfo yes + +# This option allows you to save a process identifier of the listening +# daemon (main thread). +# This file will be owned by root, as long as clamd was started by root. +# It is recommended that the directory where this file is stored is +# also owned by root to keep other users from tampering with it. +# Default: disabled +# PidFile /var/run/clamd.pid + +# Optional path to the global temporary directory. +# Default: system specific (usually /tmp or /var/tmp). +TemporaryDirectory /var/lib/clamav/tmp + +# Path to the database directory. +# Default: hardcoded (depends on installation options) +# Important! +DatabaseDirectory /var/lib/clamav + +# Only load the official signatures published by the ClamAV project. +# Default: no +#OfficialDatabaseOnly no + +# Return with a nonzero error code if the virus database is older than +# the specified number of days. +# Default: -1 +#FailIfCvdOlderThan 7 + +# The daemon can work in local mode, network mode or both. +# Due to security reasons we recommend the local mode. + +# Path to a local socket file the daemon will listen on. +# Default: disabled (must be specified by a user) +# Important! +LocalSocket /tmp/clamd.sock + +# Sets the group ownership on the unix socket. +# Default: disabled (the primary group of the user running clamd) +#LocalSocketGroup virusgroup + +# Sets the permissions on the unix socket to the specified mode. +# Default: disabled (socket is world accessible) +#LocalSocketMode 660 + +# Remove stale socket after unclean shutdown. +# Default: yes +#FixStaleSocket yes + +# TCP port address. +# Default: no +# Important! +TCPSocket 3310 + +# TCP address. +# By default we bind to INADDR_ANY, probably not wise. +# Enable the following to provide some degree of protection +# from the outside world. This option can be specified multiple +# times if you want to listen on multiple IPs. IPv6 is now supported. +# Default: no +# Important! 
'localhost' won't work +TCPAddr 0.0.0.0 + +# Maximum length the queue of pending connections may grow to. +# Default: 200 +MaxConnectionQueueLength 200 + +# Clamd uses FTP-like protocol to receive data from remote clients. +# If you are using clamav-milter to balance load between remote clamd daemons +# on firewall servers you may need to tune the options below. + +# Close the connection when the data size limit is exceeded. +# The value should match your MTA's limit for a maximum attachment size. +# Default: 100M +StreamMaxLength 50M + +# Limit port range. +# Default: 1024 +#StreamMinPort 30000 +# Default: 2048 +#StreamMaxPort 32000 + +# Maximum number of threads running at the same time. +# Default: 10 +MaxThreads 10 + +# Waiting for data from a client socket will timeout after this time (seconds). +# Default: 120 +ReadTimeout 120 + +# This option specifies the time (in seconds) after which clamd should +# timeout if a client doesn't provide any initial command after connecting. +# Default: 30 +#CommandReadTimeout 30 + +# This option specifies how long to wait (in milliseconds) if the send buffer +# is full. +# Keep this value low to prevent clamd hanging. +# +# Default: 500 +SendBufTimeout 500 + +# Maximum number of queued items (including those being processed by +# MaxThreads threads). +# It is recommended to have this value at least twice MaxThreads if possible. +# WARNING: you shouldn't increase this too much to avoid running out of file +# descriptors, the following condition should hold: +# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual +# max is 1024). +# +# Default: 100 +# MaxQueue 200 + +# Waiting for a new job will timeout after this time (seconds). +# Default: 30 +#IdleTimeout 60 + +# Don't scan files and directories matching regex +# This directive can be used multiple times +# Default: scan all +#ExcludePath ^/proc/ +#ExcludePath ^/sys/ + +# Maximum depth directories are scanned at. 
+# Default: 15 +#MaxDirectoryRecursion 20 + +# Follow directory symlinks. +# Default: no +#FollowDirectorySymlinks yes + +# Follow regular file symlinks. +# Default: no +#FollowFileSymlinks yes + +# Scan files and directories on other filesystems. +# Default: yes +#CrossFilesystems yes + +# Perform a database check. +# Default: 600 (10 min) +#SelfCheck 600 + +# Enable non-blocking (multi-threaded/concurrent) database reloads. +# This feature will temporarily load a second scanning engine while scanning +# continues using the first engine. Once loaded, the new engine takes over. +# The old engine is removed as soon as all scans using the old engine have +# completed. +# This feature requires more RAM, so this option is provided in case users are +# willing to block scans during reload in exchange for lower RAM requirements. +# Default: yes +ConcurrentDatabaseReload no + +# Execute a command when virus is found. In the command string %v will +# be replaced with the virus name and %f will be replaced with the file name. +# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME +# and $CLAM_VIRUSEVENT_VIRUSNAME. +# Default: no +#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f" + +# Run as another user (clamd must be started by root for this option to work) +# Default: don't drop privileges +#User clamav + +# Stop daemon when libclamav reports out of memory condition. +#ExitOnOOM yes + +# Don't fork into background. +# Default: no +# Important! +Foreground yes + +# Enable debug messages in libclamav. +# Default: no +#Debug yes + +# Do not remove temporary files (for debug purposes). +# Default: no +#LeaveTemporaryFiles yes + +# Record metadata about the file being scanned. +# Scan metadata is useful for file analysis purposes and for debugging scan behavior. +# The JSON metadata will be printed after the scan is complete if Debug is enabled. 
+# A metadata.json file will be written to the scan temp directory if LeaveTemporaryFiles is enabled. +# Default: no +#GenerateMetadataJson yes + +# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject +# any ALLMATCHSCAN command as invalid. +# Default: yes +#AllowAllMatchScan no + +# Detect Possibly Unwanted Applications. +# Default: no +DetectPUA yes + +# Exclude a specific PUA category. This directive can be used multiple times. +# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for +# the complete list of PUA categories. +# Default: Load all categories (if DetectPUA is activated) +#ExcludePUA NetTool +ExcludePUA PWTool + +# Only include a specific PUA category. This directive can be used multiple +# times. +# Default: Load all categories (if DetectPUA is activated) +#IncludePUA Spy +#IncludePUA Scanner +#IncludePUA RAT + +# This option causes memory or nested map scans to dump the content to disk. +# If you turn on this option, more data is written to disk and is available +# when the LeaveTemporaryFiles option is enabled. +#ForceToDisk yes + +# This option allows you to disable the caching feature of the engine. By +# default, the engine will store an MD5 in a cache of any files that are +# not flagged as virus or that hit limits checks. Disabling the cache will +# have a negative performance impact on large scans. +# Default: no +#DisableCache yes + +# This option allows you to set the number of entries the cache can store. +# The value should be a square number or will be rounded up to the nearest +# square number. +#CacheSize 65536 + +# In some cases (eg. complex malware, exploits in graphic files, and others), +# ClamAV uses special algorithms to detect abnormal patterns and behaviors that +# may be malicious. This option enables alerting on such heuristically +# detected potential threats. +# Default: yes +#HeuristicAlerts yes + +# Allow heuristic alerts to take precedence. 
+# When enabled, if a heuristic scan (such as phishingScan) detects +# a possible virus/phish it will stop scan immediately. Recommended, saves CPU +# scan-time. +# When disabled, virus/phish detected by heuristic scans will be reported only +# at the end of a scan. If an archive contains both a heuristically detected +# virus/phish, and a real malware, the real malware will be reported +# +# Keep this disabled if you intend to handle "Heuristics.*" viruses +# differently from "real" malware. +# If a non-heuristically-detected virus (signature-based) is found first, +# the scan is interrupted immediately, regardless of this config option. +# +# Default: no +#HeuristicScanPrecedence yes + + +## +## Heuristic Alerts +## + +# With this option clamav will try to detect broken executables (both PE and +# ELF) and alert on them with the Broken.Executable heuristic signature. +# Default: no +AlertBrokenExecutables yes + +# With this option clamav will try to detect broken media file (JPEG, +# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature. +# Default: no +#AlertBrokenMedia yes + +# Alert on encrypted archives _and_ documents with heuristic signature +# (encrypted .zip, .7zip, .rar, .pdf). +# Default: no +#AlertEncrypted yes + +# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip, +# .rar). +# Default: no +#AlertEncryptedArchive yes + +# Alert on encrypted archives with heuristic signature (encrypted .pdf). +# Default: no +#AlertEncryptedDoc yes + +# With this option enabled OLE2 files containing VBA macros, which were not +# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros". +# Default: no +#AlertOLE2Macros yes + +# Alert on SSL mismatches in URLs, even if the URL isn't in the database. +# This can lead to false positives. +# Default: no +#AlertPhishingSSLMismatch yes + +# Alert on cloaked URLs, even if URL isn't in database. +# This can lead to false positives. 
+# Default: no +#AlertPhishingCloak yes + +# Alert on raw DMG image files containing partition intersections +# Default: no +#AlertPartitionIntersection yes + + +## +## Executable files +## + +# PE stands for Portable Executable - it's an executable file format used +# in all 32 and 64-bit versions of Windows operating systems. This option +# allows ClamAV to perform a deeper analysis of executable files and it's also +# required for decompression of popular executable packers such as UPX, FSG, +# and Petite. If you turn off this option, the original files will still be +# scanned, but without additional processing. +# Default: yes +ScanPE yes + +# Certain PE files contain an authenticode signature. By default, we check +# the signature chain in the PE file against a database of trusted and +# revoked certificates if the file being scanned is marked as a virus. +# If any certificate in the chain validates against any trusted root, but +# does not match any revoked certificate, the file is marked as trusted. +# If the file does match a revoked certificate, the file is marked as virus. +# The following setting completely turns off authenticode verification. +# Default: no +DisableCertCheck yes + +# Executable and Linking Format is a standard format for UN*X executables. +# This option allows you to control the scanning of ELF files. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +ScanELF yes + + +## +## Documents +## + +# This option enables scanning of OLE2 files, such as Microsoft Office +# documents and .msi files. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +ScanOLE2 yes + +# This option enables scanning within PDF files. +# If you turn off this option, the original files will still be scanned, but +# without decoding and additional processing. 
+# Default: yes +ScanPDF yes + +# This option enables scanning within SWF files. +# If you turn off this option, the original files will still be scanned, but +# without decoding and additional processing. +# Default: yes +ScanSWF yes + +# This option enables scanning xml-based document files supported by libclamav. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +#ScanXMLDOCS yes + +# This option enables scanning of HWP3 files. +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +# Default: yes +#ScanHWP3 yes + + +## +## Mail files +## + +# Enable internal e-mail scanner. +# If you turn off this option, the original files will still be scanned, but +# without parsing individual messages/attachments. +# Default: yes +ScanMail yes + +# Scan RFC1341 messages split over many emails. +# You will need to periodically clean up $TemporaryDirectory/clamav-partial +# directory. +# WARNING: This option may open your system to a DoS attack. +# Never use it on loaded servers. +# Default: no +#ScanPartialMessages yes + +# With this option enabled ClamAV will try to detect phishing attempts by using +# HTML.Phishing and Email.Phishing NDB signatures. +# Default: yes +PhishingSignatures yes + +# With this option enabled ClamAV will try to detect phishing attempts by +# analyzing URLs found in emails using WDB and PDB signature databases. +# Default: yes +PhishingScanURLs yes + + +## +## Data Loss Prevention (DLP) +## + +# Enable the DLP module +# Default: No +#StructuredDataDetection yes + +# This option sets the lowest number of Credit Card numbers found in a file +# to generate a detect. +# Default: 3 +#StructuredMinCreditCardCount 5 + +# With this option enabled the DLP module will search for valid Credit Card +# numbers only. Debit and Private Label cards will not be searched. 
+# Default: no +#StructuredCCOnly yes + +# This option sets the lowest number of Social Security Numbers found +# in a file to generate a detect. +# Default: 3 +#StructuredMinSSNCount 5 + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxx-yy-zzzz +# Default: yes +#StructuredSSNFormatNormal yes + +# With this option enabled the DLP module will search for valid +# SSNs formatted as xxxyyzzzz +# Default: no +#StructuredSSNFormatStripped yes + + +## +## HTML +## + +# Perform HTML normalisation and decryption of MS Script Encoder code. +# Default: yes +# If you turn off this option, the original files will still be scanned, but +# without additional processing. +ScanHTML yes + + +## +## Archives +## + +# ClamAV can scan within archives and compressed files. +# If you turn off this option, the original files will still be scanned, but +# without unpacking and additional processing. +# Default: yes +ScanArchive yes + + +## +## Limits +## + +# The options below protect your system against Denial of Service attacks +# using archive bombs. + +# This option sets the maximum amount of time to a scan may take. +# In this version, this field only affects the scan time of ZIP archives. +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result allow scanning +# of certain files to lock up the scanning process/threads resulting in a +# Denial of Service. +# Time is in milliseconds. +# Default: 120000 +MaxScanTime 120000 + +# This option sets the maximum amount of data to be scanned for each input +# file. Archives and other containers are recursively extracted and scanned +# up to this value. +# Value of 0 disables the limit +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 400M +MaxScanSize 150M + +# Files larger than this limit won't be scanned. 
Affects the input file itself +# as well as files contained inside it (when the input file is an archive, a +# document or some other kind of container). +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Technical design limitations prevent ClamAV from scanning files greater than +# 2 GB at this time. +# Default: 100M +MaxFileSize 30M + +# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR +# file, all files within it will also be scanned. This options specifies how +# deeply the process should be continued. +# Note: setting this limit too high may result in severe damage to the system. +# Default: 17 +MaxRecursion 10 + +# Number of files to be scanned within an archive, a document, or any other +# container file. +# Value of 0 disables the limit. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 10000 +MaxFiles 100 + +# Maximum size of a file to check for embedded PE. Files larger than this value +# will skip the additional analysis step. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 40M +MaxEmbeddedPE 10M + +# Maximum size of a HTML file to normalize. HTML files larger than this value +# will not be normalized or scanned. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 40M +MaxHTMLNormalize 10M + +# Maximum size of a normalized HTML file to scan. HTML files larger than this +# value after normalization will not be scanned. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 8M +MaxHTMLNoTags 2M + +# Maximum size of a script file to normalize. Script content larger than this +# value will not be normalized or scanned. 
+# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 20M +MaxScriptNormalize 5M + +# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger +# than this value will skip the step to potentially reanalyze as PE. +# Note: disabling this limit or setting it too high may result in severe damage +# to the system. +# Default: 1M +MaxZipTypeRcg 1M + +# This option sets the maximum number of partitions of a raw disk image to be +# scanned. +# Raw disk images with more partitions than this value will have up to +# the value number partitions scanned. Negative values are not allowed. +# Note: setting this limit too high may result in severe damage or impact +# performance. +# Default: 50 +MaxPartitions 128 + +# This option sets the maximum number of icons within a PE to be scanned. +# PE files with more icons than this value will have up to the value number +# icons scanned. +# Negative values are not allowed. +# WARNING: setting this limit too high may result in severe damage or impact +# performance. +# Default: 100 +MaxIconsPE 200 + +# This option sets the maximum recursive calls for HWP3 parsing during +# scanning. HWP3 files using more than this limit will be terminated and +# alert the user. +# Scans will be unable to scan any HWP3 attachments if the recursive limit +# is reached. +# Negative values are not allowed. +# WARNING: setting this limit too high may result in severe damage or impact +# performance. +# Default: 16 +#MaxRecHWP3 16 + +# This option sets the maximum calls to the PCRE match function during +# an instance of regex matching. +# Instances using more than this limit will be terminated and alert the user +# but the scan will continue. +# For more information on match_limit, see the PCRE documentation. +# Negative values are not allowed. +# WARNING: setting this limit too high may severely impact performance. 
+# Default: 100000 +PCREMatchLimit 10000 + +# This option sets the maximum recursive calls to the PCRE match function +# during an instance of regex matching. +# Instances using more than this limit will be terminated and alert the user +# but the scan will continue. +# For more information on match_limit_recursion, see the PCRE documentation. +# Negative values are not allowed and values > PCREMatchLimit are superfluous. +# WARNING: setting this limit too high may severely impact performance. +# Default: 2000 +PCRERecMatchLimit 10000 + +# This option sets the maximum filesize for which PCRE subsigs will be +# executed. Files exceeding this limit will not have PCRE subsigs executed +# unless a subsig is encompassed to a smaller buffer. +# Negative values are not allowed. +# Setting this value to zero disables the limit. +# WARNING: setting this limit too high or disabling it may severely impact +# performance. +# Default: 100M +#PCREMaxFileSize 400M + +# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or +# MaxRecursion limit will be flagged with the virus name starting with +# "Heuristics.Limits.Exceeded". +# Default: no +#AlertExceedsMax yes + +## +## On-access Scan Settings +## + +# Don't scan files larger than OnAccessMaxFileSize +# Value of 0 disables the limit. +# Default: 5M +#OnAccessMaxFileSize 10M + +# Max number of scanning threads to allocate to the OnAccess thread pool at +# startup. These threads are the ones responsible for creating a connection +# with the daemon and kicking off scanning after an event has been processed. +# To prevent clamonacc from consuming all clamd's resources keep this lower +# than clamd's max threads. +# Default: 5 +#OnAccessMaxThreads 10 + +# Max amount of time (in milliseconds) that the OnAccess client should spend +# for every connect, send, and recieve attempt when communicating with clamd +# via curl. 
+# Default: 5000 (5 seconds) +# OnAccessCurlTimeout 10000 + +# Toggles dynamic directory determination. Allows for recursively watching +# include paths. +# Default: no +#OnAccessDisableDDD yes + +# Set the include paths (all files inside them will be scanned). You can have +# multiple OnAccessIncludePath directives but each directory must be added +# in a separate line. +# Default: disabled +#OnAccessIncludePath /home +#OnAccessIncludePath /students + +# Set the exclude paths. All subdirectories are also excluded. +# Default: disabled +#OnAccessExcludePath /home/user + +# Modifies fanotify blocking behaviour when handling permission events. +# If off, fanotify will only notify if the file scanned is a virus, +# and not perform any blocking. +# Default: no +#OnAccessPrevention yes + +# When using prevention, if this option is turned on, any errors that occur +# during scanning will result in the event attempt being denied. This could +# potentially lead to unwanted system behaviour with certain configurations, +# so the client defaults this to off and prefers allowing access events in +# case of scan or connection error. +# Default: no +#OnAccessDenyOnError yes + +# Toggles extra scanning and notifications when a file or directory is +# created or moved. +# Requires the DDD system to kick-off extra scans. +# Default: no +#OnAccessExtraScanning yes + +# Set the mount point to be scanned. The mount point specified, or the mount +# point containing the specified directory will be watched. If any directories +# are specified, this option will preempt (disable and ignore all options +# related to) the DDD system. This option will result in verdicts only. +# Note that prevention is explicitly disallowed to prevent common, fatal +# misconfigurations. (e.g. watching "/" with prevention on and no exclusions +# made on vital system directories) +# It can be used multiple times. 
+# Default: disabled +#OnAccessMountPath / +#OnAccessMountPath /home/user + +# With this option you can exclude the root UID (0). Processes run under +# root with be able to access all files without triggering scans or +# permission denied events. +# Note that if clamd cannot check the uid of the process that generated an +# on-access scan event (e.g., because OnAccessPrevention was not enabled, and +# the process already exited), clamd will perform a scan. Thus, setting +# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the +# root user from triggering a scan (unless OnAccessPrevention is enabled). +# Default: no +#OnAccessExcludeRootUID no + +# With this option you can exclude specific UIDs. Processes with these UIDs +# will be able to access all files without triggering scans or permission +# denied events. +# This option can be used multiple times (one per line). +# Using a value of 0 on any line will disable this option entirely. +# To exclude the root UID (0) please enable the OnAccessExcludeRootUID +# option. +# Also note that if clamd cannot check the uid of the process that generated an +# on-access scan event (e.g., because OnAccessPrevention was not enabled, and +# the process already exited), clamd will perform a scan. Thus, setting +# OnAccessExcludeUID is not *guaranteed* to prevent every access by the +# specified uid from triggering a scan (unless OnAccessPrevention is enabled). +# Default: disabled +#OnAccessExcludeUID -1 + +# This option allows exclusions via user names when using the on-access +# scanning client. It can be used multiple times. +# It has the same potential race condition limitations of the +# OnAccessExcludeUID option. +# Default: disabled +#OnAccessExcludeUname clamav + +# Number of times the OnAccess client will retry a failed scan due to +# connection problems (or other issues). 
+# Default: 0 +#OnAccessRetryAttempts 3 + +## +## Bytecode +## + +# With this option enabled ClamAV will load bytecode from the database. +# It is highly recommended you keep this option on, otherwise you'll miss +# detections for many new viruses. +# Default: yes +# Important! +Bytecode yes + +# Set bytecode security level. +# Possible values: +# None - No security at all, meant for debugging. +# DO NOT USE THIS ON PRODUCTION SYSTEMS. +# This value is only available if clamav was built +# with --enable-debug! +# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert +# runtime safety checks for bytecode loaded from other sources. +# Paranoid - Don't trust any bytecode, insert runtime checks for all. +# Recommended: TrustSigned, because bytecode in .cvd files already has these +# checks. +# Note that by default only signed bytecode is loaded, currently you can only +# load unsigned bytecode in --enable-debug mode. +# +# Default: TrustSigned +#BytecodeSecurity TrustSigned + +# Allow loading bytecode from outside digitally signed .c[lv]d files. +# **Caution**: You should NEVER run bytecode signatures from untrusted sources. +# Doing so may result in arbitrary code execution. +# Default: no +#BytecodeUnsigned yes + +# Set bytecode timeout in milliseconds. +# +# Default: 10000 +# BytecodeTimeout 1000 diff --git a/devops/helm/clamAV/_clamav/configurations/1.0/freshclam.conf b/devops/helm/clamAV/_clamav/configurations/1.0/freshclam.conf new file mode 100755 index 0000000000..2c546dcba1 --- /dev/null +++ b/devops/helm/clamAV/_clamav/configurations/1.0/freshclam.conf 
@@ -0,0 +1,206 @@ +## +## Example config file for freshclam +## Please read the freshclam.conf(5) manual before editing this file. +## + +# Path to the database directory. +# WARNING: It must match clamd.conf's directive! +# Default: hardcoded (depends on installation options) +# Important! +DatabaseDirectory /var/lib/clamav + +# Path to the log file (make sure it has proper permissions) +# Default: disabled +UpdateLogFile /var/log/freshclam.log + +# Maximum size of the log file. +# Value of 0 disables the limit. +# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) +# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). +# in bytes just don't use modifiers. If LogFileMaxSize is enabled, +# log rotation (the LogRotate option) will always be enabled. +# Default: 1M +LogFileMaxSize 2M + +# Log time with each message. +# Default: no +LogTime yes + +# Enable verbose logging. +# Default: no +LogVerbose yes + +# Use system logger (can work together with UpdateLogFile). +# Default: no +LogSyslog no + +# Specify the type of syslog messages - please refer to 'man syslog' +# for facility names. +# Default: LOG_LOCAL6 +#LogFacility LOG_MAIL + +# Enable log rotation. Always enabled when LogFileMaxSize is enabled. +# Default: no +#LogRotate yes + +# This option allows you to save the process identifier of the daemon +# This file will be owned by root, as long as freshclam was started by root. +# It is recommended that the directory where this file is stored is +# also owned by root to keep other users from tampering with it. +# Default: disabled +# PidFile /var/run/freshclam.pid + +# By default when started freshclam drops privileges and switches to the +# "clamav" user. This directive allows you to change the database owner. +# Default: clamav (may depend on installation options) +#DatabaseOwner clamav + +# Use DNS to verify virus database version. FreshClam uses DNS TXT records +# to verify database and software versions. 
With this directive you can change +# the database verification domain. +# WARNING: Do not touch it unless you're configuring freshclam to use your +# own database verification domain. +# Default: current.cvd.clamav.net +#DNSDatabaseInfo current.cvd.clamav.net + +# database.clamav.net is now the primary domain name to be used world-wide. +# Now that CloudFlare is being used as our Content Delivery Network (CDN), +# this one domain name works world-wide to direct freshclam to the closest +# geographic endpoint. +# If the old db.XY.clamav.net domains are set, freshclam will automatically +# use database.clamav.net instead. +# DatabaseMirror https://clamav-mirror.apps.silver.devops.gov.bc.ca +DatabaseMirror database.clamav.net + +# How many attempts to make before giving up. +# Default: 3 (per mirror) +MaxAttempts 5 + +# With this option you can control scripted updates. It's highly recommended +# to keep it enabled. +# Default: yes +ScriptedUpdates yes + +# By default freshclam will keep the local databases (.cld) uncompressed to +# make their handling faster. With this option you can enable the compression; +# the change will take effect with the next database update. +# Default: no +#CompressLocalDatabase no + +# With this option you can provide custom sources for database files. +# This option can be used multiple times. Support for: +# http(s)://, ftp(s)://, or file:// +# Default: no custom URLs +#DatabaseCustomURL http://myserver.example.com/mysigs.ndb +#DatabaseCustomURL https://myserver.example.com/mysigs.ndb +#DatabaseCustomURL https://myserver.example.com:4567/allow_list.wdb +#DatabaseCustomURL ftp://myserver.example.com/example.ldb +#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb +#DatabaseCustomURL file:///mnt/nfs/local.hdb + +# This option allows you to easily point freshclam to private mirrors. 
+# If PrivateMirror is set, freshclam does not attempt to use DNS +# to determine whether its databases are out-of-date, instead it will +# use the If-Modified-Since request or directly check the headers of the +# remote database files. For each database, freshclam first attempts +# to download the CLD file. If that fails, it tries to download the +# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo +# and ScriptedUpdates. It can be used multiple times to provide +# fall-back mirrors. +# Default: disabled +# Important! +PrivateMirror https://clamav-mirror.apps.silver.devops.gov.bc.ca +# PrivateMirror mirror2.example.com + +# Number of database checks per day. +# Default: 12 (every two hours) +#Checks 24 + +# Proxy settings +# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind +# of proxy is used. +# http:// HTTP Proxy. Default when no scheme or proxy type is specified. +# https:// HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS) +# socks4:// SOCKS4 Proxy. +# socks4a:// SOCKS4a Proxy. Proxy resolves URL hostname. +# socks5:// SOCKS5 Proxy. +# socks5h:// SOCKS5 Proxy. Proxy resolves URL hostname. +# Default: disabled +#HTTPProxyServer https://proxy.example.com +#HTTPProxyPort 1234 +#HTTPProxyUsername myusername +#HTTPProxyPassword mypass + +# If your servers are behind a firewall/proxy which applies User-Agent +# filtering you can use this option to force the use of a different +# User-Agent header. +# As of ClamAV 0.103.3, this setting may not be used when updating from the +# clamav.net CDN and can only be used when updating from a private mirror. +# Default: clamav/version_number (OS: ..., ARCH: ..., CPU: ..., UUID: ...) +#HTTPUserAgent SomeUserAgentIdString + +# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for +# multi-homed systems. +# Default: Use OS'es default outgoing IP address. +#LocalIPAddress aaa.bbb.ccc.ddd + +# Send the RELOAD command to clamd. +# Default: no +# Important! 
+NotifyClamd /etc/clamav/clamd.conf + +# Run command after successful database update. +# Use EXIT_1 to return 1 after successful database update. +# Default: disabled +#OnUpdateExecute command + +# Run command when database update process fails. +# Default: disabled +#OnErrorExecute command + +# Run command when freshclam reports outdated version. +# In the command string %v will be replaced by the new version number. +# Default: disabled +#OnOutdatedExecute command + +# Don't fork into background. +# Default: no +# Important! +Foreground yes + +# Enable debug messages in libclamav. +# Default: no +#Debug yes + +# Timeout in seconds when connecting to database server. +# Default: 30 +ConnectTimeout 60 + +# Timeout in seconds when reading from database server. 0 means no timeout. +# Default: 60 +#ReceiveTimeout 300 + +# With this option enabled, freshclam will attempt to load new databases into +# memory to make sure they are properly handled by libclamav before replacing +# the old ones. +# Tip: This feature uses a lot of RAM. If your system has limited RAM and you +# are actively running ClamD or ClamScan during the update, then you may need +# to set `TestDatabases no`. +# Default: yes +#TestDatabases no + +# This option enables downloading of bytecode.cvd, which includes additional +# detection mechanisms and improvements to the ClamAV engine. +# Default: yes +# Important! +Bytecode yes + +# Include an optional signature databases (opt-in). +# This option can be used multiple times. +#ExtraDatabase dbname1 +#ExtraDatabase dbname2 + +# Exclude a standard signature database (opt-out). +# This option can be used multiple times. +#ExcludeDatabase dbname1 +#ExcludeDatabase dbname2 diff --git a/devops/helm/clamAV/_clamav/templates/_helpers.tpl b/devops/helm/clamAV/_clamav/templates/_helpers.tpl new file mode 100755 index 0000000000..9c58c7312f --- /dev/null +++ b/devops/helm/clamAV/_clamav/templates/_helpers.tpl 
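Review bot: `PrivateMirror https://clamav-mirror.apps.silver.devops.gov.bc.ca` overrides `DatabaseMirror`, `DNSDatabaseInfo` and `ScriptedUpdates` (its own comment says so), so the active `DatabaseMirror database.clamav.net` and `ScriptedUpdates yes` lines earlier in this file are dead and read as if the public CDN were a fallback when the private mirror is down — it is not; updates simply stop. Either comment those two directives out or mark them, e.g. `# NOTE: no effect while PrivateMirror is set; there is no public-CDN fallback`. It is also worth stating the trust argument next to `PrivateMirror`: as far as I know freshclam still checks the signature embedded in each .cvd it downloads, so a compromised or stale mirror can withhold updates but not forge signatures — a comment such as `# CVD signatures are still verified; the mirror only affects availability/freshness` would save the next operator the research. Finally, `ConnectTimeout 60` is set but `ReceiveTimeout` is left at its 60s default while `MaxAttempts 5`; if the mirror is slow on large main.cvd transfers that is the knob to raise, so a one-line note there would help.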
@@ -0,0 +1,53 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "clamav.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "clamav.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "clamav.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "clamav.labels" -}} +app.kubernetes.io/name: {{ include "clamav.name" . }} +helm.sh/chart: {{ include "clamav.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "clamav.selectorLabels" -}} +app.kubernetes.io/name: {{ include "clamav.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/devops/helm/clamAV/_clamav/templates/configmap.yaml b/devops/helm/clamAV/_clamav/templates/configmap.yaml new file mode 100755 index 0000000000..8c89875027 --- /dev/null +++ b/devops/helm/clamAV/_clamav/templates/configmap.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "clamav.fullname" . }} + labels: + {{- include "clamav.labels" . | nindent 4 }} +data: + clamd.conf: |- +{{ .Files.Get (printf "configurations/%s/clamd.conf" .Values.configVersion) | indent 4 }} + freshclam.conf: |- +{{ .Files.Get (printf "configurations/%s/freshclam.conf" .Values.configVersion) | indent 4 }} diff --git a/devops/helm/clamAV/_clamav/templates/hpa.yaml b/devops/helm/clamAV/_clamav/templates/hpa.yaml new file mode 100755 index 0000000000..afc6874653 --- /dev/null +++ b/devops/helm/clamAV/_clamav/templates/hpa.yaml @@ -0,0 +1,39 @@ +{{- if .Values.hpa.enabled -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "clamav.fullname" . }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "clamav.fullname" . }} + minReplicas: {{ .Values.replicaCount }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + metrics: + {{- if .Values.hpa.cpu }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.hpa.cpu }} + {{- end }} + {{- if .Values.hpa.memory }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.hpa.memory }} + {{- end }} + {{- if .Values.hpa.requests }} + - type: Pods + pods: + metric: + name: http_requests + target: + type: AverageValue + averageValue: {{ .Values.hpa.requests }} + {{- end }} +{{- end }} diff --git a/devops/helm/clamAV/_clamav/templates/poddisruptionbudget.yaml b/devops/helm/clamAV/_clamav/templates/poddisruptionbudget.yaml new file mode 100755 index 0000000000..83327ddff3 --- /dev/null +++ b/devops/helm/clamAV/_clamav/templates/poddisruptionbudget.yaml 
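Review bot: `.Files.Get` returns an empty string for a path that does not exist, so a mistyped or unshipped `configVersion` renders an empty `clamd.conf` and `freshclam.conf` and clamd starts with its compiled-in defaults (no scan limits, no `PrivateMirror`) instead of the install failing. Guard each lookup so a missing file aborts the render: `{{- $clamd := .Files.Get (printf "configurations/%s/clamd.conf" .Values.configVersion) | required (printf "configurations/%s/clamd.conf missing" .Values.configVersion) }}` and then `{{ $clamd | indent 4 }}` in the data block, and the same for freshclam.conf. A short comment above `data:` saying that the two files are copied verbatim from `configurations/<configVersion>/` and that editing them requires a pod restart would also help, since the ConfigMap is mounted via `subPath` and will not hot-reload.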
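Review bot: The `hpa.requests` branch scales on a `Pods` metric named `http_requests`, but the target is clamd on TCP 3310, which serves its own line protocol and exposes no such metric, so enabling that value would leave the HPA reporting an unknown metric rather than scaling. This block looks inherited from an HTTP-service template; drop it or rename the metric to whatever the cluster's metrics adapter actually publishes for clamd, and say so in the `values.yaml` comment. Note also that `minReplicas` is tied to `replicaCount` and that each scale-up of a StatefulSet with `volumeClaimTemplates` creates a new PVC and reruns the CVD download init container, which is worth a comment above `scaleTargetRef` so operators expect the storage and mirror cost.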
@@ -0,0 +1,19 @@ +{{- if .Values.podDisruptionBudget.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "clamav.fullname" . }} + labels: + {{- include "clamav.labels" . | nindent 4 }} +spec: + {{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "clamav.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/devops/helm/clamAV/_clamav/templates/service.yaml b/devops/helm/clamAV/_clamav/templates/service.yaml new file mode 100755 index 0000000000..7ec6f63e4b --- /dev/null +++ b/devops/helm/clamAV/_clamav/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "clamav.fullname" . }} + labels: + {{- include "clamav.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "clamav.selectorLabels" . | nindent 4 }} diff --git a/devops/helm/clamAV/_clamav/templates/statefulset.yaml b/devops/helm/clamAV/_clamav/templates/statefulset.yaml new file mode 100755 index 0000000000..0e1459de5f --- /dev/null +++ b/devops/helm/clamAV/_clamav/templates/statefulset.yaml 
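Review bot: The Service port and its `targetPort` are named `http`, but 3310 is clamd's own command protocol (PING/INSTREAM), not HTTP; if this cluster runs a service mesh that infers protocol from the port name (Istio does, by the `http` prefix), the sidecar may treat the stream as HTTP and break INSTREAM scans. Rename the port to `clamd` here (`name: clamd`, `targetPort: clamd`) and in the container's `ports:` entry, and add a comment `# clamd line protocol, not HTTP` so nobody re-labels it later.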
@@ -0,0 +1,162 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "clamav.fullname" . }} + labels: + {{- include "clamav.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + serviceName: {{ include "clamav.fullname" . }} + selector: + matchLabels: + {{- include "clamav.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config1: {{ .Files.Get "configurations/clamd.conf" | sha256sum }} + checksum/config2: {{ .Files.Get "configurations/freshclam.conf" | sha256sum }} + labels: + {{- include "clamav.selectorLabels" . | nindent 8 }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- $imagePullSecrets := concat (.Values.imagePullSecrets | default list) (.Values.global.imagePullSecrets | default list) -}} + {{- with $imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + initContainers: + - name: init-database + image: alpine:3.18 + imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-c"] + args: + - | + mkdir -p /var/lib/clamav/tmp + wget -O /var/lib/clamav/main.cvd https://clamav-mirror.apps.silver.devops.gov.bc.ca/main.cvd; + wget -O /var/lib/clamav/daily.cvd https://clamav-mirror.apps.silver.devops.gov.bc.ca/daily.cvd; + wget -O /var/lib/clamav/bytecode.cvd https://clamav-mirror.apps.silver.devops.gov.bc.ca/bytecode.cvd; + volumeMounts: + - name: database + mountPath: /var/lib/clamav + containers: + - name: {{ include "clamav.fullname" . 
}} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + env: + - name: CLAMAV_NO_CLAMD + value: 'false' + - name: CLAMAV_NO_FRESHCLAMD + value: 'false' + - name: CLAMAV_NO_MILTERD + value: 'true' + - name: CLAMD_STARTUP_TIMEOUT + value: '1800' + - name: FRESHCLAM_CHECKS + value: '1' + volumeMounts: + # clamd.conf file + - mountPath: /etc/clamav/clamd.conf + name: config-volume + readOnly: true + subPath: clamd.conf + # freshclam.conf file + - mountPath: /etc/clamav/freshclam.conf + name: config-volume + readOnly: true + subPath: freshclam.conf + - name: database + mountPath: /var/lib/clamav + - name: logs + mountPath: /var/log + ports: + - name: http + containerPort: 3310 + protocol: TCP + startupProbe: + exec: + command: + - /usr/local/bin/clamdcheck.sh + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + livenessProbe: + exec: + command: + - /usr/local/bin/clamdcheck.sh + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + readinessProbe: + exec: + command: + - /usr/local/bin/clamdcheck.sh + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{ toYaml . 
| nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{ .Values.affinity | toYaml | nindent 8 }} + {{- else if .Values.affinityTemplate }} + affinity: {{ tpl .Values.affinityTemplate . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: config-volume + configMap: + name: {{ include "clamav.fullname" . }} + {{- if not .Values.persistentVolume.enabled }} + - name: database + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: logs + labels: + {{- include "clamav.labels" . | nindent 10 }}-logs + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 50Mi + - metadata: + name: database + labels: + {{- include "clamav.labels" . | nindent 10 }} + {{- if .Values.persistentVolume.annotations }} + annotations: + {{- .Values.persistentVolume.annotations | toYaml | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistentVolume.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.persistentVolume.storageClass }} + {{- if (eq "-" .Values.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.persistentVolume.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistentVolume.size | quote }} + {{- end }} diff --git a/devops/helm/clamAV/_clamav/values.yaml b/devops/helm/clamAV/_clamav/values.yaml new file mode 100755 index 0000000000..349faeb99a --- /dev/null +++ b/devops/helm/clamAV/_clamav/values.yaml 
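Review bot: The `checksum/config1` and `checksum/config2` annotations hash `configurations/clamd.conf` and `configurations/freshclam.conf`, but the files are shipped under `configurations/<configVersion>/` (the ConfigMap reads them with `printf "configurations/%s/..." .Values.configVersion`), so `.Files.Get` yields "" and both annotations are the constant hash of the empty string — a config change updates the ConfigMap but never restarts the pods, which keep the old scan limits and mirror settings. Use the same expression as the ConfigMap, e.g. `checksum/config1: {{ .Files.Get (printf "configurations/%s/clamd.conf" .Values.configVersion) | sha256sum }}` and likewise for freshclam.conf. Second, when `persistentVolume.enabled` is false the `volumes:` list defines only `database`, while the container mounts `logs` at `/var/log`, so the rendered pod references an undefined volume; add `- name: logs` / `emptyDir: {}` to that branch. Third, the init container joins its `wget` calls with `;` inside `sh -c` and no `set -e`, so a failed or truncated CVD download still lets the init step succeed and clamd start against whatever is on the volume; prefix the script with `set -e`, and note in a comment that it unconditionally overwrites the CVDs on every restart even when the PVC already holds freshclam-updated databases, and that the mirror URL is hard-coded here rather than taken from values (it duplicates `PrivateMirror` in freshclam.conf).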
@@ -0,0 +1,91 @@ +replicaCount: 1 + +image: + repository: ghcr.io/bcgov/clamav-unprivileged + tag: ca3d42f3dde3c5aa9bcab636f752119bbe6a67e8 # pragma: allowlist secret + pullPolicy: IfNotPresent + +priorityClassName: "" + +imagePullSecrets: [] + +nameOverride: clamav +fullnameOverride: clamav + +podSecurityContext: +securityContext: + +service: + type: ClusterIP + port: 3310 + +# Ensure to have the minimum resources to run clamd +resources: + limits: + cpu: 1000m + memory: 3Gi + requests: + cpu: 300m + memory: 2Gi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +affinityTemplate: | + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: "kubernetes.io/hostname" + labelSelector: + matchLabels: {{ include "clamav.selectorLabels" . | nindent 10 }} + +startupProbe: + initialDelaySeconds: 60 + periodSeconds: 30 + failureThreshold: 3 + timeoutSeconds: 600 + +livenessProbe: + initialDelaySeconds: 300 + periodSeconds: 10 + failureThreshold: 3 + timeoutSeconds: 600 + +readinessProbe: + initialDelaySeconds: 90 + periodSeconds: 10 + failureThreshold: 3 + timeoutSeconds: 600 + +hpa: + enabled: false + maxReplicas: 5 + # average CPU usage utilization percentage per pod (1-100) + cpu: 80 + # average Memory usage utilization percentage per pod (1-100) + # memory: 80 + # average http_requests utilization per pod (value as a string) + # requests: 1k + +podDisruptionBudget: + enabled: false + # minAvailable: 1 + # maxUnavailable: 1 + +## Clamav data dir persistence +persistentVolume: + ## If true, a Persistent Volume Claim is created, otherwise it uses an emptyDir + ## + enabled: true + + annotations: {} + accessModes: + - ReadWriteOnce + size: 1Gi + storageClass: netapp-block-standard + +configVersion: "1.0" diff --git a/devops/helm/clamAV/main/.helmignore b/devops/helm/clamAV/main/.helmignore new file mode 100755 index 0000000000..0e8a0eb36f --- /dev/null +++ b/devops/helm/clamAV/main/.helmignore 
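Review bot: `podSecurityContext:` and `securityContext:` are left empty (they render as `null` through `toYaml`), so the chart itself applies no hardening: nothing sets `allowPrivilegeEscalation: false`, drops capabilities or requests a seccomp profile, and the `alpine:3.18` init container in the StatefulSet has no container-level `securityContext` at all and would run as root on any cluster whose admission layer does not assign a UID (OpenShift's restricted SCC does, other clusters may not). Populate safe defaults below, and add a comment that `runAsNonRoot: true` can be added once the init container gets a non-root `runAsUser`, since alpine's default user is root. Separately, every probe has `timeoutSeconds: 600` against `periodSeconds` of 10 or 30; that is accepted but looks unintended, so either lower it or add a comment explaining why a single `clamdcheck.sh` run may take ten minutes.
```yaml
podSecurityContext:
  seccompProfile:
    type: RuntimeDefault

# Applied only to the clamd container; the init-database init container
# in statefulset.yaml has no securityContext of its own yet.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
# … unchanged: service, resources, probes, hpa, podDisruptionBudget, persistentVolume …
```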
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/devops/helm/clamAV/main/Chart.lock b/devops/helm/clamAV/main/Chart.lock new file mode 100644 index 0000000000..2ab8ede9f1 --- /dev/null +++ b/devops/helm/clamAV/main/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: clamav + repository: file://../_clamav + version: 0.1.0 +digest: sha256:45e70d9bc8cbdec51ca28b98f01259e288e1028a8d291bd2721af23d466cbc09 +generated: "2023-11-07T00:02:51.71063681-08:00" diff --git a/devops/helm/clamAV/main/Chart.yaml b/devops/helm/clamAV/main/Chart.yaml new file mode 100755 index 0000000000..3621d1b4c1 --- /dev/null +++ b/devops/helm/clamAV/main/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: main +description: A Helm chart for ClamAV Service +type: application +version: 0.1.0 +appVersion: '0.1.0' +dependencies: + - name: clamav + version: '0.1.0' + repository: 'file://../_clamav' + condition: clamav.enabled diff --git a/devops/helm/clamAV/main/Makefile b/devops/helm/clamAV/main/Makefile new file mode 100755 index 0000000000..fea1d70070 --- /dev/null +++ b/devops/helm/clamAV/main/Makefile 
@@ -0,0 +1,51 @@ +SHELL := /usr/bin/env bash +NAME := clamav + +NAMESPACE= +IMAGE_TAG= + +ifndef NAMESPACE +$(error NAMESPACE is not set) +endif + +ifndef IMAGE_TAG +$(error IMAGE_TAG is not set) +endif + +define arguments + "${NAME}" . -n "${NAMESPACE}" -f values.yaml -f "values-${NAMESPACE}.yaml" \ + --set clamav.image.tag="${IMAGE_TAG}" +endef + +.PHONY: helm-dep +helm-dep: + helm dependency update + +.PHONY: install +install: helm-dep +install: + @helm install $(call arguments) + +.PHONY: upgrade +upgrade: helm-dep +upgrade: + @helm upgrade --install $(call arguments) + +.PHONY: lint +lint: helm-dep +lint: + @helm upgrade --dry-run --install $(call arguments) + +.PHONY: uninstall +uninstall: helm-dep +uninstall: + @helm uninstall ${NAME} -n ${NAMESPACE} + +.PHONY: template +template: helm-dep +template: + @helm template $(call arguments) > template.yaml + +.PHONY: force-install +force-install: uninstall +force-install: install diff --git a/devops/helm/clamAV/main/templates/_helpers.tpl b/devops/helm/clamAV/main/templates/_helpers.tpl new file mode 100755 index 0000000000..31f473c6be --- /dev/null +++ b/devops/helm/clamAV/main/templates/_helpers.tpl 
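Review bot: The `lint` target runs `helm upgrade --dry-run --install`, which needs cluster credentials and a reachable API server, whereas a target by that name is normally the offline `helm lint . -f values.yaml -f "values-${NAMESPACE}.yaml"`; rename it to `dry-run` or add a genuine lint target so it can run in CI without `oc login`. `install` and `upgrade` pass no `--wait`, so the workflow that calls `make upgrade` reports success as soon as the manifests are accepted, before the StatefulSet has rolled out; adding `--wait --timeout 10m` makes a pod that never passes its startup probe fail the job. `force-install` uninstalls and reinstalls, and in my experience `helm uninstall` leaves PVCs created from `volumeClaimTemplates` in place, so the database volume survives; a comment on that target (`# does NOT remove the clamav database PVCs`) would stop anyone assuming it gives a clean database.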
@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "main.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "main.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "main.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "main.labels" -}}
+helm.sh/chart: {{ include "main.chart" . }}
+{{ include "main.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "main.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "main.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/devops/helm/clamAV/main/templates/networkpolicy.yaml b/devops/helm/clamAV/main/templates/networkpolicy.yaml
new file mode 100755
index 0000000000..a6cedcce17
--- /dev/null
+++ b/devops/helm/clamAV/main/templates/networkpolicy.yaml
@@ -0,0 +1,11 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-same-namespace
+spec:
+ podSelector: {}
+ ingress:
+ - from:
+ - podSelector: {}
+ policyTypes:
+ - Ingress
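Review bot: `podSelector: {}` under `spec` makes this NetworkPolicy select every pod in the target namespace, not only the ClamAV pods, so installing this chart changes the effective ingress rules of any unrelated workload already running there, and the single `from` entry admits every pod in the namespace rather than the known clients of the scanner. The object also has a hard-coded `name: allow-same-namespace` and no `labels:`, so a second release into the same namespace fails on the name collision and the policy cannot be traced back to its release; the sibling `_helpers.tpl` hunk already provides `main.fullname` and `main.labels` for exactly this, e.g. `name: {{ include "main.fullname" . }}-allow-same-namespace` and `labels: {{- include "main.labels" . | nindent 4 }}`. Narrowing `spec.podSelector` to the ClamAV pod labels and adding a `ports` entry for the clamd port would be the next step, but the subchart's pod labels are not visible in this diff, so confirm them before relying on `main.selectorLabels` here.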
diff --git a/devops/helm/clamAV/main/values-0c27fb-dev.yaml b/devops/helm/clamAV/main/values-0c27fb-dev.yaml
new file mode 100755
index 0000000000..e9fd92a86a
--- /dev/null
+++ b/devops/helm/clamAV/main/values-0c27fb-dev.yaml
@@ -0,0 +1,16 @@
+clamav:
+ enabled: true
+ replicaCount: 2
+
+ resources:
+ limits:
+ cpu: 800m
+ memory: 3Gi
+ requests:
+ cpu: 300m
+ memory: 1800Mi
+
+ persistentVolume:
+ size: 1Gi
+
+ configVersion: "1.0"
diff --git a/devops/helm/clamAV/main/values-0c27fb-prod.yaml b/devops/helm/clamAV/main/values-0c27fb-prod.yaml
new file mode 100755
index 0000000000..94174f99cb
--- /dev/null
+++ b/devops/helm/clamAV/main/values-0c27fb-prod.yaml
@@ -0,0 +1,16 @@
+clamav:
+ enabled: true
+ replicaCount: 2
+
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 3Gi
+ requests:
+ cpu: 300m
+ memory: 2Gi
+
+ persistentVolume:
+ size: 2Gi
+
+ configVersion: "1.0"
diff --git a/devops/helm/clamAV/main/values-0c27fb-test.yaml b/devops/helm/clamAV/main/values-0c27fb-test.yaml
new file mode 100755
index 0000000000..94174f99cb
--- /dev/null
+++ b/devops/helm/clamAV/main/values-0c27fb-test.yaml
@@ -0,0 +1,16 @@
+clamav:
+ enabled: true
+ replicaCount: 2
+
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 3Gi
+ requests:
+ cpu: 300m
+ memory: 2Gi
+
+ persistentVolume:
+ size: 2Gi
+
+ configVersion: "1.0"
diff --git a/devops/helm/clamAV/main/values-a6ef19-dev.yaml b/devops/helm/clamAV/main/values-a6ef19-dev.yaml
new file mode 100755
index 0000000000..e9fd92a86a
--- /dev/null
+++ b/devops/helm/clamAV/main/values-a6ef19-dev.yaml
@@ -0,0 +1,16 @@
+clamav:
+ enabled: true
+ replicaCount: 2
+
+ resources:
+ limits:
+ cpu: 800m
+ memory: 3Gi
+ requests:
+ cpu: 300m
+ memory: 1800Mi
+
+ persistentVolume:
+ size: 1Gi
+
+ configVersion: "1.0"
diff --git a/devops/helm/clamAV/main/values-a6ef19-prod.yaml b/devops/helm/clamAV/main/values-a6ef19-prod.yaml
new file mode 100755
index 0000000000..94174f99cb
--- /dev/null
+++ b/devops/helm/clamAV/main/values-a6ef19-prod.yaml
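Review bot: values-0c27fb-test.yaml is byte-identical to values-0c27fb-prod.yaml (both carry index 94174f99cb), values-a6ef19-dev.yaml repeats values-0c27fb-dev.yaml (e9fd92a86a), and the a6ef19 prod/test files in the next hunks reuse the same blob again, so six copies of one 16-line file now have to be kept in sync by hand and a drift between prod and test will be invisible in review. Because the Makefile already layers each file on top of values.yaml (`-f values.yaml -f "values-${NAMESPACE}.yaml"`), each per-namespace file only needs the keys that actually differ from the defaults; in the prod/test files `memory: 3Gi`, `size: 2Gi` and `configVersion: "1.0"` restate values.yaml and can be dropped. A header comment such as `# Overrides for namespace 0c27fb-dev; base values live in values.yaml` would also tell a reader why the file name is a namespace rather than an environment. Separately, `replicaCount: 2` combined with a single `persistentVolume` only works if the subchart mounts that volume with a shared access mode, which this diff does not show — worth confirming.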
@@ -0,0 +1,16 @@
+clamav:
+ enabled: true
+ replicaCount: 2
+
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 3Gi
+ requests:
+ cpu: 300m
+ memory: 2Gi
+
+ persistentVolume:
+ size: 2Gi
+
+ configVersion: "1.0"
diff --git a/devops/helm/clamAV/main/values-a6ef19-test.yaml b/devops/helm/clamAV/main/values-a6ef19-test.yaml
new file mode 100755
index 0000000000..94174f99cb
--- /dev/null
+++ b/devops/helm/clamAV/main/values-a6ef19-test.yaml
@@ -0,0 +1,16 @@
+clamav:
+ enabled: true
+ replicaCount: 2
+
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 3Gi
+ requests:
+ cpu: 300m
+ memory: 2Gi
+
+ persistentVolume:
+ size: 2Gi
+
+ configVersion: "1.0"
diff --git a/devops/helm/clamAV/main/values.yaml b/devops/helm/clamAV/main/values.yaml
new file mode 100755
index 0000000000..07d3700e0e
--- /dev/null
+++ b/devops/helm/clamAV/main/values.yaml
@@ -0,0 +1,19 @@
+nameOverride: clamav
+fullnameOverride: clamav
+
+clamav:
+ enabled: false
+ replicaCount: 1
+
+ resources:
+ limits:
+ cpu: 500m
+ memory: 3Gi
+ requests:
+ cpu: 100m
+ memory: 2Gi
+
+ persistentVolume:
+ size: 2Gi
+
+ configVersion: "1.0"
diff --git a/sims.code-workspace b/sims.code-workspace
index a7f0fa5402..e269307e0f 100644
--- a/sims.code-workspace
+++ b/sims.code-workspace
@@ -94,6 +94,7 @@
 "BCSG",
 "bcsl",
 "bgpd",
+"Clamav",
 "composables",
 "CSGD",
 "csgf",
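Review bot: values.yaml never declares `clamav.image`, yet the Makefile in this diff sets `clamav.image.tag` on every install, so a reader of the values file cannot tell which image is deployed or that the tag is mandatory; a comment under `clamav:` such as `# image.tag is supplied at deploy time via the Makefile's IMAGE_TAG (see devops/helm/clamAV/main/Makefile)` would document that contract without changing behaviour, and a commented `image:` block naming the registry would let reviewers see what the subchart defaults to. `fullnameOverride: clamav` together with `nameOverride: clamav` pins every release of this chart to the same resource names, which is fine for one scanner per namespace but should be stated in a comment so nobody tries a second release in the same namespace. `enabled: false` as the default means `helm install` with only values.yaml renders nothing from the subchart; if that is intended as a safety default it deserves a one-line comment saying the per-namespace file turns it on.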