Harden systemd services for freshclam and clamd

clamd/clamav-daemon.service.in

@@ -11,7 +11,35 @@ ExecStart=@prefix@/sbin/clamd --foreground=true
 # Reload the database
 ExecReload=/bin/kill -USR2 $MAINPID
 TimeoutStartSec=420
+LogsDirectory=clamav
+ConfigurationDirectory=clamav
+
+##
+## Security Hardening Options
+##
+
+# Remove `ProtectSystem`, `ProtectHome`, and `ReadWritePaths`
+# if you want ClamAV to be able to remove infected files.
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=/var/log/clamav /run /var/run
+
+NoExecPaths=/
+# If you want to run commands or execute binaries on event,
+# append the full path of the binary or executable to `ExecPaths`
+# Commonly, this is used for `VirusEvent` in clamd.conf or `VirusAction`
+# in clamav-milter.conf.The binaries must be space separated like so:
+;ExecPaths=@prefix@/sbin/clamd /bin/kill /usr/local/bin/send_sms /usr/local/bin/my_infected_message_handler
+ExecPaths=@prefix@/sbin/clamd @CMAKE_INSTALL_FULL_LIBDIR@ /bin/kill
+
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+PrivateTmp=yes
 
 [Install]
 WantedBy=multi-user.target
 Also=clamav-daemon.socket
+Alias=clamd.service

clamonacc/clamav-clamonacc.service.in

@@ -10,8 +10,30 @@ After=clamav-daemon.service syslog.target network.target
 [Service]
 Type=simple
 User=root
-ExecStartPre=/bin/bash -c "while [ ! -S /run/clamav/clamd.ctl ]; do sleep 1; done"
-ExecStart=@prefix@/sbin/clamonacc -F --log=/var/log/clamav/clamonacc.log --move=/root/quarantine
+ExecStartPre=/usr/bin/install --owner=root --group=root --directory /var/local/quarantine
+ExecStart=@prefix@/sbin/clamonacc --foreground --log=/var/log/clamav/clamonacc.log --move=/var/local/quarantine --ping 120 --wait
+ExecReload=/bin/kill -SIGHUP $MAINPID
+ExecStop=/bin/kill -SIGTERM $MAINPID
+LogsDirectory=clamav
+ConfigurationDirectory=clamav
+
+##
+## Security Hardening Options
+##
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+NoExecPaths=/
+ExecPaths=@prefix@/sbin/clamonacc @CMAKE_INSTALL_FULL_LIBDIR@ /bin/kill /usr/bin/install
+
+# Remove `ProtectSystem`, `ProtectHome`, and `ReadWritePaths` if you
+# want ClamAV to be able to quarantine or remove infected files.
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=/var/log/clamav /var/local/quarantine
 
 [Install]
 WantedBy=multi-user.target
+Alias=clamonacc.service

etc/clamav-milter.conf.sample

@@ -202,6 +202,9 @@ Example
 # Note #2: the process is invoked in the context of clamav-milter
 # Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
 # avoid unnecessary delays in email delivery
+# Note #4: When using systemd to manage ClamAv daemon, ensure that the full path to
+#   the VirusAction target binary / executable is listed in ExecPaths in the service
+#   file clamav-daemon.service in order for the process to be able to execute it.
 # Default: disabled
 #VirusAction /usr/local/bin/my_infected_message_handler
 

etc/clamd.conf.sample

@@ -218,6 +218,9 @@ Example
 # be replaced with the virus name and %f will be replaced with the file name.
 # Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
 # and $CLAM_VIRUSEVENT_VIRUSNAME.
+# Note: When using systemd to manage ClamAV daemon, ensure that the full path to
+#   the VirusEvent target binary / executable is listed in ExecPaths in the service
+#   file clamav-daemon.service in order for the process to be able to execute it.
 # Default: no
 #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
 

etc/freshclam.conf.sample

@@ -151,15 +151,27 @@ DatabaseMirror database.clamav.net
 
 # Run command after successful database update.
 # Use EXIT_1 to return 1 after successful database update.
+# Note: When using systemd to manage FreshClam service, append the
+#   full path to the OnUpdateExecute target command to `ExecPaths` in the
+#   service file clamav-freshclam.service in order for the  process to
+#   be able to execute it.
 # Default: disabled
 #OnUpdateExecute command
 
 # Run command when database update process fails.
+# Note: When using systemd to manage FreshClam service, append the
+#   full path to the OnErrorExecute target command to `ExecPaths` in the
+#   service file clamav-freshclam.service in order for the process to
+#   be able to execute it.
 # Default: disabled
 #OnErrorExecute command
 
 # Run command when freshclam reports outdated version.
 # In the command string %v will be replaced by the new version number.
+# Note: When using systemd to manage FreshClam service, append the
+#   full path to the OnOutdatedExecute target command to `ExecPaths`
+#   in the service file clamav-freshclam.service in order for the process to
+#   be able to execute it.
 # Default: disabled
 #OnOutdatedExecute command
 

freshclam/clamav-freshclam.service.in

@@ -8,6 +8,28 @@ After=network-online.target
 
 [Service]
 ExecStart=@prefix@/bin/freshclam -d --foreground=true
+LogsDirectory=clamav
+ConfigurationDirectory=clamav
+
+##
+## Security Hardening Options
+##
+ProtectSystem=full
+ProtectHome=tmpfs
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+
+NoExecPaths=/
+# If you want to run commands on event, append the full path of the command or
+# executable to `ExecPaths`. Commonly, this is used for `OnUpdateExecute`,
+# `OnErrorExecute`, and `OnOutdatedExecute` options in freshclam.conf. Make sure
+# there is only one `ExecPaths` option. The binaries must be space separated like so:
+;ExecPaths=@prefix@/sbin/freshclam /usr/local/bin/OnOutdated.sh /usr/local/bin/OnErrorExecute.sh
+ExecPaths=@prefix@/bin/freshclam
+ReadWritePaths=@DATADIR@ /var/log/clamav
 
 [Install]
 WantedBy=multi-user.target