Make freshclam cron job enabled/disabled configurable

hartmantis · May 8, 2015 · ab27951 · ab27951
1 parent c3547bf
commit ab27951
Show file tree

Hide file tree

Showing 8 changed files with 67 additions and 2 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -30,6 +30,7 @@ suites:
           update_log_file: false
           log_syslog: yes
           log_facility: LOG_LOCAL7
+          rhel_cron_disable: false
         dev_package: true
         scan:
           script:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,8 @@ ClamAV Cookbook CHANGELOG
 v?.?.? (????-??-??)
 -------------------
 * Add support for RHEL7
+* Add an attribute to control disabling/enabling of the Freshclam cron job
+  RHEL installs and disables by default
 
 v1.1.0 (2015-01-27)
 -------------------

diff --git a/attributes/freshclam.rb b/attributes/freshclam.rb
@@ -66,3 +66,4 @@
 default['clamav']['freshclam']['detection_stats_host_id'] = nil
 default['clamav']['freshclam']['safe_browsing'] = nil
 default['clamav']['freshclam']['extra_databases'] = []
+default['clamav']['freshclam']['rhel_cron_disable'] = true
diff --git a/recipes/install_rpm.rb b/recipes/install_rpm.rb
@@ -82,6 +82,17 @@
   )
 end
 
+template '/etc/sysconfig/freshclam' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+  source 'freshclam.sysconfig.erb'
+  action :create
+  variables(
+    rhel_cron_disable: node['clamav']['freshclam']['rhel_cron_disable']
+  )
+end
+
 user 'clam' do
   action :remove
   not_if { node['clamav']['user'] == 'clam' }

diff --git a/spec/recipes/install_rpm_spec.rb b/spec/recipes/install_rpm_spec.rb
@@ -46,6 +46,11 @@
           end
         end
       end
+
+      it 'leaves the freshclam cron job disabled' do
+        expect(chef_run).to render_file('/etc/sysconfig/freshclam')
+          .with_content(/^FRESHCLAM_DELAY=disabled/)
+      end
     end
 
     context 'the dev package enabled' do
@@ -88,6 +93,15 @@
     end
   end
 
+  context 'the freshclam cron job enabled' do
+    let(:attributes) { { clamav: { freshclam: { rhel_cron_disable: false } } } }
+
+    it 'enables the freshclam cron job' do
+      expect(chef_run).not_to render_file('/etc/sysconfig/freshclam')
+        .with_content(/^FRESHCLAM_DELAY=disabled/)
+    end
+  end
+
   context 'CentOS 6' do
     let(:platform) { { platform: 'centos', version: '6.4' } }
     let(:packages) { %w(clamav clamav-db clamd) }

diff --git a/templates/default/freshclam.sysconfig.erb b/templates/default/freshclam.sysconfig.erb
@@ -0,0 +1,24 @@
+## When changing the periodicity of freshclam runs in the crontab,
+## this value must be adjusted also. Its value is the timespan between
+## two subsequent freshclam runs in minutes. E.g. for the default
+##
+## | 0 */3 * * *  ...
+##
+## crontab line, the value is 180 (minutes).
+# FRESHCLAM_MOD=
+
+## A predefined value for the delay in seconds. By default, the value is
+## calculated by the 'hostid' program. This predefined value guarantees
+## constant timespans of 3 hours between two subsequent freshclam runs.
+##
+## This option accepts two special values:
+## 'disabled-warn'  ...  disables the automatic freshclam update and
+##                         gives out a warning
+## 'disabled'       ...  disables the automatic freshclam silently
+# FRESHCLAM_DELAY=
+
+
+### !!!!! REMOVE ME !!!!!!
+### REMOVE ME: By default, the freshclam update is disabled to avoid
+### REMOVE ME: network access without prior activation
+<%= @rhel_cron_disable ? "FRESHCLAM_DELAY=disabled" : "" %>
diff --git a/...d/serverspec/localhost/cron_scans_spec.rb → ...ed/serverspec/localhost/cron_jobs_spec.rb b/...d/serverspec/localhost/cron_scans_spec.rb → ...ed/serverspec/localhost/cron_jobs_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe 'clamav cron scans' do
+describe 'clamav cron jobs' do
   let(:script) { '/usr/local/bin/clamav-scan.sh' }
   let(:min_file) { '/etc/cron.d/clamav_minimal_scan' }
   let(:min_cmd) do
@@ -23,4 +23,10 @@
   it 'has the full scan cron job enabled' do
     expect(file(full_file).content).to include("42 0 * * 0 root #{full_cmd}")
   end
+
+  describe file('/etc/sysconfig/freshclam'), if: os[:family] == 'redhat' do
+    it 'enables the freshclam cron job' do
+      expect(subject.content).not_to match(/^FRESHCLAM_DELAY=disabled/)
+    end
+  end
 end
diff --git a/...t/serverspec/localhost/cron_scans_spec.rb → ...lt/serverspec/localhost/cron_jobs_spec.rb b/...t/serverspec/localhost/cron_scans_spec.rb → ...lt/serverspec/localhost/cron_jobs_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe 'clamav cron scans' do
+describe 'clamav cron jobs' do
   let(:script) { '/usr/local/bin/clamav-scan.sh' }
   let(:minimal_cmd) do
     "#{script} /bin /sbin /usr/bin /usr/sbin /usr/local/bin " \
@@ -21,4 +21,10 @@
   it 'does not have the full scan cron job enabled' do
     expect(cron).to_not have_entry("42 0 * * 0 #{full_cmd}")
   end
+
+  describe file('/etc/sysconfig/freshclam'), if: os[:family] == 'redhat' do
+    it 'leaves the freshclam cron job disabled' do
+      expect(subject.content).to match(/^FRESHCLAM_DELAY=disable/)
+    end
+  end
 end