Add always-on ClamAV server #2243
Conversation
Appreciate you always writing docs early 🏅
#### SSH to the instances

You should now be able to ssh to the jump box.
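Review bot: the heading "SSH to the instances" is not matched by the text under it, which only covers the jump box; add the step for reaching the new ClamAV instance (whether that is from the jump box or directly), since that is the instance this PR introduces and the one an operator will need to get onto for clamd troubleshooting.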
Do these new EC2 instances have access to the database? Or are they just for clamAV?
That's actually something I was wondering about as I was building this: we could conceivably roll the jumpbox into this server and forgo the jumpbox altogether.
As of now I have this VM in the default security group, which means yes, it can get to the Aurora instance. If we drop it from that security group it won't have access to Aurora. Maybe something to talk about in DTBM or RSP?
services/uploads/serverless.yml
Outdated
InstanceType: t3.medium
ImageId: ami-0c7217cdde317cfec # Ubuntu 22.04 LTS
IamInstanceProfile: !Ref ClamAVInstanceProfile
KeyName: mojo # for testing
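Review bot: `ImageId: ami-0c7217cdde317cfec` hardcodes an AMI ID, which is region-specific and will never pick up Ubuntu 22.04 patch releases on its own; consider resolving it through a template parameter or an SSM public-parameter lookup and note in the docs how it gets refreshed. `KeyName: mojo # for testing` binds the instance to a personal key pair; since the thread agrees it is going before merge, make sure the authorized_keys handling in the user-data is what operators rely on instead.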
keeping this?
Nope! I'll drop it before the merge.
chmod 600 /home/ubuntu/.ssh/authorized_keys

# Install clamav 1.0.4
wget https://www.clamav.net/downloads/production/clamav-1.0.4.linux.x86_64.deb
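Review bot: the package fetched by `wget https://www.clamav.net/downloads/production/clamav-1.0.4.linux.x86_64.deb` is installed with no integrity check; pin the published checksum (or verify the signature) and fail the bootstrap when it does not match, so a tampered or truncated download stops the instance coming up rather than running an unknown binary. Since the version is pinned here, as the thread notes, record where it lives so patch releases can be bumped deliberately.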
is there a way to just always grab latest here? Or will we need to keep updating this on the reg?
Not really, they don't host an apt server for us to just grab latest from, we have to pull the package manually and install it like this if we want a recent version. For whatever reason the main apt repo has an older version of ClamAV and I thought it best to use the current LTS.
We'll definitely want to make sure we keep up with patches over time.

# Start clamd and get defs
systemctl enable clamav-freshclam
systemctl start clamav-freshclam
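Review bot: the comment says "Start clamd and get defs" but these lines only enable and start clamav-freshclam; if clamd is started in the lines that follow, keep in mind that clamd refuses to start while no signature database is present yet, so either run `freshclam` once in the foreground before starting the daemon or start clamd only after freshclam's first run has completed.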
will Freshclam keep auto-updating the definitions in the background? That would be nice, we could get rid of the freshclam daemon?
It does! It looks every hour, for example:
Mon Feb 12 16:00:19 2024 -> --------------------------------------
Mon Feb 12 17:00:19 2024 -> Received signal: wake up
Mon Feb 12 17:00:19 2024 -> ClamAV update process started at Mon Feb 12 17:00:19 2024
Mon Feb 12 17:00:19 2024 -> daily.cld database is up-to-date (version: 27183, sigs: 2053128, f-level: 90, builder: raynman)
Mon Feb 12 17:00:19 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon Feb 12 17:00:19 2024 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Mon Feb 12 17:00:19 2024 -> --------------------------------------
Mon Feb 12 18:00:19 2024 -> Received signal: wake up
Mon Feb 12 18:00:19 2024 -> ClamAV update process started at Mon Feb 12 18:00:19 2024
Mon Feb 12 18:00:19 2024 -> daily.cld database is up-to-date (version: 27183, sigs: 2053128, f-level: 90, builder: raynman)
Mon Feb 12 18:00:19 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon Feb 12 18:00:19 2024 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Mon Feb 12 18:00:19 2024 -> --------------------------------------
Mon Feb 12 19:00:19 2024 -> Received signal: wake up
Mon Feb 12 19:00:19 2024 -> ClamAV update process started at Mon Feb 12 19:00:19 2024
Mon Feb 12 19:00:19 2024 -> daily.cld database is up-to-date (version: 27183, sigs: 2053128, f-level: 90, builder: raynman)
Mon Feb 12 19:00:19 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon Feb 12 19:00:19 2024 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Mon Feb 12 19:00:19 2024 -> --------------------------------------
Which means yeah, we can refactor and drop the lambda that does the whole AV download to s3 process.
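A staleness check over that log, as an added example that is not part of the PR: it parses freshclam's timestamps and database versions and flags a host whose hourly run has stopped, which is the thing worth monitoring once the S3-download lambda is gone. The sample log is constructed to resemble the excerpt above; the two-hour threshold is an assumption.

```python
import re
from datetime import datetime, timedelta

# Added example, not part of the PR. Constructed sample modelled on the
# freshclam.log excerpt in the thread; the second run reports an update.
SAMPLE_LOG = """\
Mon Feb 12 17:00:19 2024 -> ClamAV update process started at Mon Feb 12 17:00:19 2024
Mon Feb 12 17:00:19 2024 -> daily.cld database is up-to-date (version: 27183, sigs: 2053128, f-level: 90, builder: raynman)
Mon Feb 12 17:00:19 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Mon Feb 12 18:00:19 2024 -> ClamAV update process started at Mon Feb 12 18:00:19 2024
Mon Feb 12 18:00:19 2024 -> daily.cld updated (version: 27184, sigs: 2053200, f-level: 90, builder: raynman)
Mon Feb 12 18:00:19 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> (.*)$")
DB_RE = re.compile(r"^(\S+\.c[lv]d) (?:database is up-to-date|updated) "
                   r"\(version: (\d+), sigs: (\d+)")


def parse_ts(text: str) -> datetime:
    """Parse freshclam's ctime-style timestamp."""
    return datetime.strptime(text, TS_FMT)


def parse_freshclam_log(text: str):
    """Return (time of the last update run, {db name: (version, sigs)})."""
    last_run, dbs = None, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if msg.startswith("ClamAV update process started"):
            last_run = ts
        d = DB_RE.match(msg)
        if d:
            dbs[d.group(1)] = (int(d.group(2)), int(d.group(3)))
    return last_run, dbs


def check_definitions(text: str, now: datetime, max_age: timedelta = timedelta(hours=2)):
    """Flag a host whose freshclam has not completed a run within max_age
    (it wakes hourly, so two hours without a run means the daemon is stuck)."""
    last_run, dbs = parse_freshclam_log(text)
    if last_run is None:
        return {"ok": False, "reason": "no update run found in log"}
    if "daily.cld" not in dbs and "daily.cvd" not in dbs:
        return {"ok": False, "reason": "no daily database reported"}
    if now - last_run > max_age:
        return {"ok": False, "reason": f"last update run was {now - last_run} ago", "dbs": dbs}
    return {"ok": True, "last_run": last_run, "dbs": dbs}
```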
omg I love this all so much
Merging these changes as part of #2256. Closing.
Summary
This adds a server that runs clamavd and freshclam with a configuration that allows it to accept incoming clamdscan requests from connections coming from within its security group. This sets us up to allow our lambda antivirus scanning function to call an always-on clamavd instance that will return results without incurring the startup cost that we've been living with in the lambda-only version.
Related issues
https://jiraent.cms.gov/browse/MCR-3820
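The call the lambda would make to the always-on daemon, as an added example that is not the project's code: it speaks clamd's INSTREAM protocol over TCP and treats anything but an explicit OK as not clean. The host name is a placeholder, port 3310 is clamd's default, and the chunk size and timeout are assumptions.

```python
import socket
import struct

# Added example, not code from the PR: a minimal client for the clamd TCP
# protocol that the lambda scanner would speak to the always-on instance.
# clamd does no authentication of its own; the security-group rule described
# in the PR is the only thing limiting who can submit scans.
CLAMD_PORT = 3310                 # clamd's default TCP port
CHUNK_SIZE = 64 * 1024            # assumed; must stay below clamd's StreamMaxLength


def build_instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE):
    """Yield the wire bytes of a zINSTREAM request: the null-terminated
    command, then big-endian length-prefixed chunks, then a zero length."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)


def parse_clamd_reply(reply: bytes):
    """Map clamd's null-terminated reply ('stream: OK', 'stream: <Name> FOUND',
    '<message> ERROR') to (verdict, detail); anything unrecognised, including
    an empty reply, is an error so a caller never mistakes it for clean."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    _, sep, status = text.partition(": ")
    if not sep:
        status = text
    if status == "OK":
        return "clean", None
    if status.endswith(" FOUND"):
        return "infected", status[: -len(" FOUND")]
    return "error", status


def scan_bytes(host: str, data: bytes, port: int = CLAMD_PORT, timeout: float = 30.0):
    """Stream `data` to clamd at host:port (e.g. host="clamav.internal",
    a placeholder) and return its verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for frame in build_instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:            # connection closed before the terminator
                break
            reply += part
    return parse_clamd_reply(reply)
```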