Problem: virus scan fails on default centos installs #185

Closed
scollazo opened this issue Mar 28, 2018 · 6 comments

@scollazo
Contributor

scollazo commented Mar 28, 2018

In CentOS environments, clamav listens on port 3310.

We need to add ARCHIVEMATICA_MCPCLIENT_MCPCLIENT_CLAMAV_SERVER=localhost:3310 to /etc/sysconfig/archivematica-mcp-client on CentOS.

As a workaround, adding

archivematica_src_am_mcpclient_environment:
  DJANGO_SETTINGS_MODULE: "settings.common"
  ARCHIVEMATICA_MCPCLIENT_MCPCLIENT_CLAMAV_SERVER: "localhost:3310"
  ARCHIVEMATICA_MCPCLIENT_MCPCLIENT_SEARCH_ENABLED: "{{ archivematica_src_search_enabled }}"

to the host vars, deploys the expected configurations.

@scollazo scollazo added the AM17 label Mar 28, 2018
@sevein
Member

sevein commented Mar 28, 2018

@scollazo should we instead consider tweaking ansible-clamav so both Ubuntu and EL deployments of clamd listen on /var/run/clamav/clamd.ctl?

@scollazo
Contributor Author

scollazo commented Apr 2, 2018

As we have had problems with clamav Unix permissions and SELinux configuration in the past, we started using the TCP socket to work around them.

The changes needed for the clamav role are explained here, but using it brought SELinux problems (antivirus_can_scan_system, but I think others are needed too) and other odd issues.

@mamedin
Contributor

mamedin commented Apr 2, 2018

Hi, I'm going to summarize all that Santi has said (and I'm going to complete it with additional info) about this issue to use the Clamav socket file on CentOS:

  • The default /var/run/clamd.scan socket directory is created on every reboot
  • The clamav-server rpm package installs the file /usr/lib/tmpfiles.d/clamd.scan.conf that the systemd-tmpfiles service uses to create the /var/run/clamd.scan directory on every boot.
  • This issue does not depend on SELinux being in use.
  • systemd-tmpfiles is required to create a different Clamav socket directory.
  • The socket directory should have the 07x5 permissions to allow the archivematica user access to the socket file. (The default /var/run/clamd.scan has 0710, which is insufficient.) Example of a custom systemd-tmpfiles file:

    [artefactual@mamedin-centos-clamav ~]$ cat /etc/tmpfiles.d/clamd.scam.archivematica.conf
    d /var/run/clamav 0755 clamscan clamscan

  • To create this socket directory without rebooting the system, run: systemd-tmpfiles --create /etc/tmpfiles.d/clamd.scam.archivematica.conf (this can be useful in an Ansible playbook)

  • If SELinux security policy is enforced, these directives have to be applied:
    - sudo setsebool -P antivirus_can_scan_system 1 (mandatory)
    - sudo setsebool -P clamd_use_jit 1 (optional, mandatory when running with "ByteCodeMode=ForceJIT")

  • To check the SELinux antivirus policies, run: getsebool -a | grep antivirus

I tested some transfers with the SELinux security policy in enforced mode, and there are no Clamav error messages in the /var/log/audit/audit.log file.

The changes made on the default /etc/clamd.conf file are:

  • Comment out the "Example" line
  • Change the LocalSocket line to: "LocalSocket /var/run/clamav/clamd.ctl"

Two useful links:

https://www.hostinger.com/tutorials/how-to-install-clamav-centos7#Step-2-Configuring-SELinux
https://linux-audit.com/install-clamav-on-centos-7-using-freshclam/
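
The directory-permission point in the comment above (0710 on /var/run/clamd.scan versus 0755 on /var/run/clamav) can be checked directly. The following is an added example, not part of the original thread or of the Archivematica code: it reports which path component denies a given account access to the clamd socket, looking at classic mode bits only (ACLs and SELinux are not evaluated). The names `class_bits` and `socket_path_blockers` are made up for this example.

```python
import os
import stat
import sys

def class_bits(st, uid, gids):
    """Return the rwx bits (0-7) of the owner/group/other class that applies."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def socket_path_blockers(sock_path, uid, gids):
    """Return [(path, octal_mode, missing_bit)] for components that deny access.

    Each parent directory needs search (x) and the socket itself needs
    write (w) for connect() to succeed. Only classic mode bits are
    evaluated: ACLs and SELinux policy are out of scope here.
    """
    if uid == 0:  # root bypasses mode-bit checks
        return []
    path = os.path.abspath(sock_path)
    parents, cur = [], os.path.dirname(path)
    while True:
        parents.append(cur)
        if cur == os.path.dirname(cur):
            break
        cur = os.path.dirname(cur)
    blockers = []
    for d in reversed(parents):  # walk from / down to the socket directory
        st = os.stat(d)
        if not class_bits(st, uid, gids) & 1:
            blockers.append((d, oct(stat.S_IMODE(st.st_mode)), "x"))
    if os.path.exists(path):
        st = os.stat(path)
        if not class_bits(st, uid, gids) & 2:
            blockers.append((path, oct(stat.S_IMODE(st.st_mode)), "w"))
    return blockers

if __name__ == "__main__":
    import pwd
    # Usage (as root): script.py /var/run/clamav/clamd.ctl archivematica
    sock, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    found = socket_path_blockers(sock, pw.pw_uid, gids)
    for p, mode, bit in found:
        print(f"{p}: mode {mode} denies '{bit}' to {user}")
    sys.exit(1 if found else 0)
```

An empty result only means the mode bits allow the connection; with SELinux enforcing, the booleans listed in the comment above still apply.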

@mamedin
Contributor

mamedin commented Apr 3, 2018

Now that it seems the options of using the TCP socket and the file socket are both viable, we have to decide how we are going to update the archivematica-docs, the Ansible role and am-packaging:

Are we going to document and give the option to use both, or are we going to use only one of them (and which one is chosen)?

@sevein
Member

sevein commented Apr 21, 2018

@mamedin can we close this issue, or is there more work to do?

@mamedin
Contributor

mamedin commented Apr 23, 2018

I think we can close this issue. It is fixed in the Ansible installation and it is explained in the archivematica-docs:

https://github.com/artefactual/archivematica-docs/blob/1.7/admin-manual/installation-setup/installation/install-centos.rst
