
Add always-on ClamAV server #2243

Closed
wants to merge 16 commits into from

Conversation

@mojotalantikite (Contributor) commented Feb 7, 2024

Summary

This adds a server that runs clamd and freshclam with a configuration that allows it to accept incoming clamdscan requests from connections coming from within its security group. This sets us up to allow our lambda antivirus scanning function to call an always-on clamd instance that will return results without incurring the startup cost that we've been living with in the lambda-only version.

Related issues

https://jiraent.cms.gov/browse/MCR-3820
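The lambda-to-clamd exchange the description refers to, as an added example that is not code from this PR or project: a Python client speaking clamd's TCP protocol (PING, and INSTREAM for scanning an in-memory object), paired with a constructed stand-in for clamd so the exchange runs offline over a socketpair. The stand-in is not ClamAV; it only recognises the EICAR test string and enforces a size cap. Host, port and the 256 KiB cap are assumptions; against the real instance, `scan_bytes` is pointed at its private address on the TCPSocket port from clamd.conf (3310 by default) and the cap is whatever StreamMaxLength is set to there.

```python
"""Client side of clamd's TCP protocol (PING and INSTREAM), plus a constructed
stand-in for clamd so the exchange runs offline. The stand-in is not ClamAV."""
import socket
import struct
import threading
from typing import Optional, Tuple

CLAMD_PORT = 3310        # clamd's default TCPSocket (assumption: unchanged in clamd.conf)
CHUNK = 64 * 1024        # INSTREAM chunk size; the total is capped by clamd's StreamMaxLength
# EICAR test string: a public, harmless pattern every AV engine flags (constructed input)
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def frame_instream(data: bytes, chunk_size: int = CHUNK) -> bytes:
    """Wire bytes for one scan: 'zINSTREAM\\0', then chunks each prefixed by a
    4-byte big-endian length, terminated by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        out += struct.pack(">I", len(piece)) + piece
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """'stream: OK' -> ('clean', None); 'stream: <sig> FOUND' -> ('infected', sig);
    anything else, including an empty reply, -> ('error', text). Never 'clean' by default."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "stream: OK":
        return "clean", None
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return "infected", text[len("stream: "):-len(" FOUND")]
    return "error", text or "empty reply"


def _recv_reply(sock: socket.socket) -> bytes:
    """Replies to 'z'-prefixed commands end with NUL; read until then or until clamd closes."""
    buf = bytearray()
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        buf += part
    return bytes(buf)


def scan_on_socket(sock: socket.socket, data: bytes) -> Tuple[str, Optional[str]]:
    """INSTREAM scan over an already-connected socket (one command per connection)."""
    try:
        sock.sendall(frame_instream(data))
        return parse_reply(_recv_reply(sock))
    except (BrokenPipeError, ConnectionResetError):
        # clamd closes the connection once StreamMaxLength is exceeded; report it, never assume clean
        return "error", "connection closed by clamd during upload"
    except OSError as exc:   # includes socket.timeout
        return "error", f"{type(exc).__name__}: {exc}"


def scan_bytes(host: str, port: int, data: bytes, timeout: float = 30.0):
    """Lambda-style entry point: a fresh TCP connection per uploaded object."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return scan_on_socket(s, data)
    except OSError as exc:
        return "error", f"{type(exc).__name__}: {exc}"


def ping_on_socket(sock: socket.socket) -> bool:
    """Liveness probe: clamd answers zPING with PONG."""
    sock.sendall(b"zPING\0")
    return _recv_reply(sock) == b"PONG\0"


class FakeClamd:
    """Constructed stand-in for clamd: serves one command on a connected socket, then closes."""

    def __init__(self, max_stream: int = 256 * 1024):
        self.max_stream = max_stream   # plays the role of StreamMaxLength (assumed value)

    def serve(self, conn: socket.socket) -> None:
        with conn, conn.makefile("rb") as f:
            cmd = bytearray()
            while (b := f.read(1)) not in (b"", b"\0"):   # command is NUL-terminated
                cmd += b
            if cmd == b"zPING":
                conn.sendall(b"PONG\0")
            elif cmd == b"zINSTREAM":
                conn.sendall(self._scan_stream(f))
            else:
                conn.sendall(b"UNKNOWN COMMAND\0")

    def _scan_stream(self, f) -> bytes:
        body, reply = bytearray(), None
        while True:
            hdr = f.read(4)
            if len(hdr) < 4:
                return b"INSTREAM: upload truncated ERROR\0"   # stand-in's own wording
            (n,) = struct.unpack(">I", hdr)
            if n == 0:
                break
            chunk = f.read(n)
            if reply is None and len(body) + len(chunk) > self.max_stream:
                reply = b"INSTREAM size limit exceeded. ERROR\0"   # clamd's wording for this case
            elif reply is None:
                body += chunk
        # Real clamd replies and closes as soon as the cap is hit, so a client can see EPIPE
        # mid-upload (handled in scan_on_socket); the stand-in drains first to stay deterministic.
        if reply is None:
            reply = b"stream: Eicar-Test-Signature FOUND\0" if EICAR in body else b"stream: OK\0"
        return reply


def _exchange(fn, *args):
    """Pair a client socket with the stand-in over socketpair, so no network is needed."""
    client, server = socket.socketpair()
    t = threading.Thread(target=FakeClamd().serve, args=(server,), daemon=True)
    t.start()
    with client:
        result = fn(client, *args)
    t.join(5)
    return result


def demo() -> dict:
    """Each protocol case against the stand-in; returns {case: result}."""
    return {
        "ping": _exchange(ping_on_socket),
        "clean": _exchange(scan_on_socket, b"%PDF-1.4 nothing to see here"),
        "eicar": _exchange(scan_on_socket, EICAR),
        "oversize": _exchange(scan_on_socket, b"A" * (256 * 1024 + 1)),
    }
```

The point to carry into the lambda is in `parse_reply` and the `except` branches: a timeout, a dropped connection, or any reply other than `stream: OK` is reported as an error, so an oversized or unscannable upload can never be accepted as clean by accident.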

@haworku (Contributor) commented Feb 9, 2024

Appreciate you always writing docs early 🏅

@mojotalantikite mojotalantikite marked this pull request as ready for review February 9, 2024 17:45

#### SSH to the instances

You should now be able to ssh to the jump box.
Reviewer (Contributor):

Do these new EC2 instances have access to the database? Or are they just for clamAV?

Author (mojotalantikite):

That's actually something I was wondering about as I was building this: we could conceivably roll the jump box into this server and forgo the jump box altogether.

As of now I have this VM in the default security group, which means yes, it can get to the Aurora instance. If we drop it from that security group it won't have access to Aurora. Maybe something to talk about in DTBM or RSP?

```yaml
InstanceType: t3.medium
ImageId: ami-0c7217cdde317cfec # Ubuntu 22.04 LTS
IamInstanceProfile: !Ref ClamAVInstanceProfile
KeyName: mojo # for testing
```
Reviewer (Contributor):

keeping this?

Author (mojotalantikite):

Nope! I'll drop it before the merge.

```bash
chmod 600 /home/ubuntu/.ssh/authorized_keys

# Install clamav 1.0.4
wget https://www.clamav.net/downloads/production/clamav-1.0.4.linux.x86_64.deb
```
Reviewer (Contributor):

Is there a way to just always grab the latest here? Or will we need to keep updating this on the reg?

Author (mojotalantikite):

Not really; they don't host an apt repository for us to just grab the latest from. We have to pull the package manually and install it like this if we want a recent version. For whatever reason the main apt repo has an older version of ClamAV, and I thought it best to use the current LTS.

We'll definitely want to make sure we keep up with patches over time.


```bash
# Start clamd and get defs
systemctl enable clamav-freshclam
systemctl start clamav-freshclam
```
Reviewer (Contributor):

Will freshclam keep auto-updating the definitions in the background? That would be nice; we could get rid of the freshclam daemon?

Author (mojotalantikite):

It does! It looks for updates every hour; for example:

```text
Mon Feb 12 16:00:19 2024 -> --------------------------------------
Mon Feb 12 17:00:19 2024 -> Received signal: wake up
Mon Feb 12 17:00:19 2024 -> ClamAV update process started at Mon Feb 12 17:00:19 2024
Mon Feb 12 17:00:19 2024 -> daily.cld database is up-to-date (version: 27183, sigs: 2053128, f-level: 90, builder: raynman)
Mon Feb 12 17:00:19 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon Feb 12 17:00:19 2024 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Mon Feb 12 17:00:19 2024 -> --------------------------------------
Mon Feb 12 18:00:19 2024 -> Received signal: wake up
Mon Feb 12 18:00:19 2024 -> ClamAV update process started at Mon Feb 12 18:00:19 2024
Mon Feb 12 18:00:19 2024 -> daily.cld database is up-to-date (version: 27183, sigs: 2053128, f-level: 90, builder: raynman)
Mon Feb 12 18:00:19 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon Feb 12 18:00:19 2024 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Mon Feb 12 18:00:19 2024 -> --------------------------------------
Mon Feb 12 19:00:19 2024 -> Received signal: wake up
Mon Feb 12 19:00:19 2024 -> ClamAV update process started at Mon Feb 12 19:00:19 2024
Mon Feb 12 19:00:19 2024 -> daily.cld database is up-to-date (version: 27183, sigs: 2053128, f-level: 90, builder: raynman)
Mon Feb 12 19:00:19 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon Feb 12 19:00:19 2024 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Mon Feb 12 19:00:19 2024 -> --------------------------------------
```

Which means yeah, we can refactor and drop the lambda that does the whole AV download to s3 process.

Reviewer (Contributor):

omg I love this all so much
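Two checks that follow from this thread, as an added example that is not code from the PR or the project: whether freshclam is actually keeping the definitions current (the hourly log above, which is what the S3-download lambda was standing in for) and whether the pinned engine is falling behind (the "keep up with patches" point in the install discussion). In Python; the Feb 12 log lines are the ones posted above, the Feb 13 lines and the VERSION reply are constructed, and the 3-hour staleness threshold is an assumption. The last check catches a case the log alone hides: freshclam can fetch a new daily.cld while clamd keeps scanning with the old one until it reloads (freshclam's NotifyClamd setting drives that reload).

```python
"""Health checks for the always-on ClamAV host: parse freshclam's log to confirm the
signature databases are being refreshed, and cross-check the running clamd via its
VERSION reply. Feb 12 log lines are from the thread; Feb 13 lines and the VERSION
reply are constructed for the failure cases."""
import re
from datetime import datetime, timedelta

_TS_FMT = "%a %b %d %H:%M:%S %Y"
_LOG = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) -> (?P<msg>.*)$")
# 'daily.cld database is up-to-date (...)' and 'daily.cld updated (...)' both confirm a good check
_DB = re.compile(r"^(?P<db>\w+)\.c[lv]d (?:database is up-to-date|updated) "
                 r"\(version: (?P<ver>\d+), sigs: (?P<sigs>\d+), f-level: (?P<fl>\d+), builder: \w+\)$")
# clamd's reply to VERSION: 'ClamAV <engine>/<daily version>/<daily build date>'
_VERSION = re.compile(r"^ClamAV (?P<engine>[\w.]+)/(?P<dbver>\d+)/(?P<dbdate>.+)$")

SAMPLE_LOG = """\
Mon Feb 12 19:00:19 2024 -> Received signal: wake up
Mon Feb 12 19:00:19 2024 -> ClamAV update process started at Mon Feb 12 19:00:19 2024
Mon Feb 12 19:00:19 2024 -> daily.cld database is up-to-date (version: 27183, sigs: 2053128, f-level: 90, builder: raynman)
Mon Feb 12 19:00:19 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon Feb 12 19:00:19 2024 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Tue Feb 13 09:00:19 2024 -> Received signal: wake up
Tue Feb 13 09:00:19 2024 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Feb 13 09:00:19 2024 -> daily.cld updated (version: 27184, sigs: 2053300, f-level: 90, builder: raynman)
Tue Feb 13 09:00:19 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Tue Feb 13 09:00:19 2024 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
"""   # Feb 12 block is from the thread; the Feb 13 block is constructed
SAMPLE_VERSION_REPLY = "ClamAV 1.0.4/27183/Mon Feb 12 09:24:22 2024\0"   # constructed
OUTDATED_LINE = "Tue Feb 13 09:00:19 2024 -> WARNING: Your ClamAV installation is OUTDATED!\n"


def parse_freshclam_log(text: str):
    """Latest confirmed state per database, plus any engine-outdated warnings freshclam logged."""
    dbs, warnings = {}, []
    for line in text.splitlines():
        m = _LOG.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], _TS_FMT)
        d = _DB.match(m["msg"])
        if d:
            dbs[d["db"]] = {"checked": ts, "version": int(d["ver"]),
                            "sigs": int(d["sigs"]), "f_level": int(d["fl"])}
        elif "installation is OUTDATED" in m["msg"]:
            warnings.append(f"{ts:%Y-%m-%d %H:%M}: {m['msg']}")
    return dbs, warnings


def parse_clamd_version(reply: str):
    """(engine, loaded daily version, daily build time) from clamd's VERSION reply."""
    m = _VERSION.match(reply.rstrip("\0\n"))
    if not m:
        raise ValueError(f"unexpected VERSION reply: {reply!r}")
    return m["engine"], int(m["dbver"]), datetime.strptime(m["dbdate"], _TS_FMT)


def health_report(log_text: str, version_reply: str, now: datetime,
                  max_age: timedelta = timedelta(hours=3)) -> list:
    """Empty list means healthy. freshclam wakes hourly, so a database not confirmed
    within max_age (assumed 3h) means updates are failing or the service is down."""
    dbs, warnings = parse_freshclam_log(log_text)
    engine, loaded_daily, _ = parse_clamd_version(version_reply)
    problems = list(warnings)
    for name in ("main", "daily", "bytecode"):
        entry = dbs.get(name)
        if entry is None:
            problems.append(f"{name}: no successful check found in log")
        elif now - entry["checked"] > max_age:
            problems.append(f"{name}: last confirmed {entry['checked']:%Y-%m-%d %H:%M}, older than {max_age}")
    # A new daily.cld on disk is not enough: until clamd reloads it (NotifyClamd in
    # freshclam.conf), scans still run against the old signatures.
    if "daily" in dbs and dbs["daily"]["version"] != loaded_daily:
        problems.append(f"daily: clamd {engine} has loaded {loaded_daily} "
                        f"but freshclam fetched {dbs['daily']['version']}")
    return problems


def demo() -> dict:
    """The sample cases at two wall-clock times; returns {case: problems}."""
    now_soon = datetime(2024, 2, 13, 10, 0)   # one hour after the last freshclam run
    now_late = datetime(2024, 2, 13, 14, 0)   # five hours after: every database is stale
    healthy_log = SAMPLE_LOG.replace(OUTDATED_LINE, "")
    return {
        "not_reloaded": health_report(SAMPLE_LOG, SAMPLE_VERSION_REPLY, now_soon),
        "stale": health_report(SAMPLE_LOG, SAMPLE_VERSION_REPLY, now_late),
        "healthy": health_report(healthy_log, "ClamAV 1.0.4/27184/Tue Feb 13 08:55:00 2024\0", now_soon),
    }
```

On the instance, `log_text` is the tail of freshclam's log and `version_reply` comes from sending `zVERSION\0` to clamd on its TCP socket; the returned list is what a CloudWatch alarm or a scheduled probe would publish.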

@mojotalantikite (Contributor Author): Merging these changes as part of #2256. Closing.

@mojotalantikite mojotalantikite deleted the mt-build-clamav-server branch February 21, 2024 19:40
3 participants