Harden service file for clamav-clamonacc.service\

Harden ClamAV OnAccess service systemd unit file. - Removed default move options to be consistent with the behaviour of the rest of the service files - Added hardening parameters for service - Added Reload and Stop signals for graceful reload and stop
Cisco-Talos · Apr 4, 2023 · 814f1e2 · 814f1e2
1 parent 9bdf02f
commit 814f1e2
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/clamonacc/clamav-clamonacc.service.in b/clamonacc/clamav-clamonacc.service.in
@@ -11,7 +11,26 @@ After=clamav-daemon.service syslog.target network.target
 Type=simple
 User=root
 ExecStartPre=/bin/bash -c "while [ ! -S /run/clamav/clamd.ctl ]; do sleep 1; done"
-ExecStart=@prefix@/sbin/clamonacc -F --log=/var/log/clamav/clamonacc.log --move=/root/quarantine
+ExecStart=@prefix@/sbin/clamonacc --foreground --log=/var/log/clamav/clamonacc.log
+ExecReload=/bin/kill -SIGHUP $MAINPID
+ExecStop=/bin/kill -SIGTERM $MAINPID
+
+##
+## Security Hardening Options
+##
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+NoExecPaths=/
+ExecPaths=@prefix@/sbin/clamonacc /bin/kill
+
+# Remove `ProtectSystem`, `ProtectHome`, and `ReadWritePaths` if you
+# want ClamAV to be able to quarantine or remove infected files.
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=/var/log
 
 [Install]
 WantedBy=multi-user.target