
Harden systemd services for freshclam and clamd #859

Open
wants to merge 12 commits into
base: main
Fix ClamOnAcc ExecPaths and ExecStart directives
This commit includes four changes:

1. Wait for clamd process using `--wait` and `--ping` switches instead
   of using a bash test for the presence of clamd.ctl socket
2. Use the PreStart directive to create log and quarantine directories
3. Add shared library path to ExecPaths allow-list
4. Add quarantine directory path to ReadWritePaths allow-list
eternaltyro committed Apr 30, 2023
commit e69b6114899725cae8519cdb7811e7a57f9c1e05
8 changes: 4 additions & 4 deletions clamonacc/clamav-clamonacc.service.in
@@ -10,8 +10,8 @@ After=clamav-daemon.service syslog.target network.target
[Service]
Type=simple
User=root
ExecStartPre=/bin/bash -c "while [ ! -S /run/clamav/clamd.ctl ]; do sleep 1; done"
ExecStart=@prefix@/sbin/clamonacc --foreground --log=/var/log/clamav/clamonacc.log
ExecStartPre=/usr/bin/install --owner=root --group=root --directory /var/log/clamav /var/local/quarantine
ExecStart=@prefix@/sbin/clamonacc --foreground --log=/var/log/clamav/clamonacc.log --move=/var/local/quarantine --ping 120 --wait
ExecReload=/bin/kill -SIGHUP $MAINPID
ExecStop=/bin/kill -SIGTERM $MAINPID

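Review bot: the new `ExecStartPre=/usr/bin/install --directory ... /var/local/quarantine` runs inside the unit's sandbox, and with `ProtectSystem=strict` (kept below) `/var/local` is read-only, so creating `/var/local/quarantine` will fail with EROFS on a host where the directory does not already exist; `ReadWritePaths=` only makes an existing path writable, it does not create it. Either run the pre-start step outside the sandbox with the `+` prefix (`ExecStartPre=+/usr/bin/install ...`), or let systemd create and expose the directories before the sandbox is applied with `LogsDirectory=clamav` and `StateDirectory=quarantine` (which would place it under `/var/lib`). Separately, `install --directory` defaults to mode 0755; the quarantine directory holds detected malware and should not be world-readable, so pass `--mode=0700` for it.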
@@ -24,13 +24,13 @@ ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
NoExecPaths=/
ExecPaths=@prefix@/sbin/clamonacc /bin/kill
ExecPaths=@prefix@/sbin/clamonacc @CMAKE_INSTALL_FULL_LIBDIR@ /bin/kill

# Remove `ProtectSystem`, `ProtectHome`, and `ReadWritePaths` if you
# want ClamAV to be able to quarantine or remove infected files.
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/var/log
ReadWritePaths=/var/log /var/local/quarantine

[Install]
WantedBy=multi-user.target
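Review bot: `NoExecPaths=/` applies to the `ExecStartPre=` command as well, but `/usr/bin/install` is not in the `ExecPaths=` allow-list, so the pre-start step will be refused; add it (or use the `+` prefix on that `ExecStartPre=`, which also bypasses this restriction). `@CMAKE_INSTALL_FULL_LIBDIR@` only covers ClamAV's own libraries; when `prefix` is not `/usr`, the system libc and dynamic loader live elsewhere and still need to be listed (the systemd documentation's example is `ExecPaths=... /usr/lib /usr/lib64`). Finally, the comment "Remove `ProtectSystem`, `ProtectHome`, and `ReadWritePaths` if you want ClamAV to be able to quarantine or remove infected files" is now contradicted by `--move=/var/local/quarantine` in `ExecStart=`: with `ProtectSystem=strict` and `ProtectHome=read-only` left in place, clamonacc can write into the quarantine directory but cannot unlink the infected source file outside `ReadWritePaths=`, so the move will fail for files under `/home` or elsewhere on the read-only tree. Either update the comment to describe the new behaviour or make the `--move` option opt-in.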