Run av scanning from ClamD server #2256
Changes from 36 commits
@@ -53,6 +53,7 @@ params: | |
- 'kms:*' | ||
- 'lambda:*' | ||
- 'logs:*' | ||
- 'route53:*' | ||
- 'rds:*' | ||
- 'secretsmanager:*' | ||
- 'ssm:*' | ||
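Review bot: the new 'route53:*' entry grants the deployment role every Route 53 action on every hosted zone in the account, while the rest of this change only needs to create one private hosted zone and one A record for the ClamAV host. If the surrounding policy format allows it, scope this to the actions actually used (route53:CreateHostedZone, route53:AssociateVPCWithHostedZone, route53:ChangeResourceRecordSets and the matching Get/List/Delete calls) rather than adding another wildcard to the list.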
|
@@ -52,20 +52,19 @@ provider: | |
custom: | ||
region: ${aws:region} | ||
reactAppOtelCollectorUrl: ${env:REACT_APP_OTEL_COLLECTOR_URL, ssm:/configuration/react_app_otel_collector_url} | ||
authorizedKeys: ${file(../postgres/scripts/authorized_keys)} | ||
webpack: | ||
webpackConfig: webpack.config.js | ||
packager: yarn | ||
packagerOptions: | ||
lockFile: ../../yarn.lock | ||
scripts: | ||
hooks: | ||
# This script is run locally when running 'serverless deploy' | ||
package:initialize: | | ||
set -e | ||
curl -L --output lambda_layer.zip https://github.com/CMSgov/lambda-clamav-layer/releases/download/0.7/lambda_layer.zip | ||
deploy:finalize: | | ||
rm lambda_layer.zip | ||
serverless invoke --stage ${sls:stage} --function avDownloadDefinitions -t Event | ||
vpcId: ${ssm:/configuration/${sls:stage}/vpc/id, ssm:/configuration/default/vpc/id} | ||
sgId: ${ssm:/configuration/${sls:stage}/vpc/sg/id, ssm:/configuration/default/vpc/sg/id} | ||
privateSubnets: | ||
- ${ssm:/configuration/${sls:stage}/vpc/subnets/private/a/id, ssm:/configuration/default/vpc/subnets/private/a/id} | ||
- ${ssm:/configuration/${sls:stage}/vpc/subnets/private/b/id, ssm:/configuration/default/vpc/subnets/private/b/id} | ||
- ${ssm:/configuration/${sls:stage}/vpc/subnets/private/c/id, ssm:/configuration/default/vpc/subnets/private/c/id} | ||
publicSubnetA: ${ssm:/configuration/${sls:stage}/vpc/subnets/public/a/id, ssm:/configuration/default/vpc/subnets/public/a/id} | ||
serverless-offline-ssm: | ||
stages: | ||
- local | ||
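Review bot: `authorizedKeys: ${file(../postgres/scripts/authorized_keys)}` reuses the Postgres scripts' authorized_keys file for the ClamAV instance, so anyone with SSH access to the Postgres host automatically gets it on the scanner host as well; a separate key file for this instance keeps those audiences distinct. Also, every new SSM lookup falls back to `ssm:/configuration/default/...`, so a stage without its own vpc/sg parameters will silently attach the ClamAV ingress rule to the default security group; for sgId in particular it is safer to fail the deploy than to fall back. Removing the `package:initialize`/`deploy:finalize` hooks drops both the pinned lambda_layer.zip download and the avDownloadDefinitions invoke, but the avDownloadDefinitions function itself is still defined elsewhere in the template.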
|
@@ -96,8 +95,7 @@ custom: | |
|
||
layers: | ||
clamAv: | ||
package: | ||
artifact: lambda_layer.zip | ||
path: lambda-layers-clamav | ||
|
||
functions: | ||
avScan: | ||
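Review bot: replacing `package: artifact: lambda_layer.zip` with `path: lambda-layers-clamav` means the layer now contains whatever is in that directory at deploy time, and nothing in this hunk shows how the directory is populated or pinned (the removed download at least referenced a specific release, 0.7, even though it never verified a checksum). Add a short README or build script note in the layer directory recording the ClamAV/clamdscan version it contains and how to rebuild it, so the scanner client shipped in the Lambda is reproducible.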
|
@@ -109,6 +107,9 @@ functions: | |
layers: | ||
- !Ref ClamAvLambdaLayer | ||
- arn:aws:lambda:us-east-1:901920570463:layer:aws-otel-nodejs-amd64-ver-1-18-1:1 | ||
vpc: | ||
securityGroupIds: ${self:custom.sgId} | ||
subnetIds: ${self:custom.privateSubnets} | ||
I think you can remove the avDownloadDefinitions lambda, too

I wrote a ticket to do this cleanup as follow-on work: https://jiraent.cms.gov/browse/MCR-3954 I started deleting the now-unneeded code paths and then realized that there's a decent amount in there and the tests are going to have to get fixed up a bit. Figured I'd land this and then go through and delete/clean up the tests.
||
environment: | ||
stage: ${sls:stage} | ||
CLAMAV_BUCKET_NAME: !Ref ClamDefsBucket | ||
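Review bot: avScan is attached to `${self:custom.sgId}`, the same shared group that the ClamAVSecurityGroup ingress rule later names as its SourceSecurityGroupId. If the shared group is dropped from the Lambda as discussed in the thread, that ingress rule stops matching and port 3310 becomes unreachable; give the function its own security group and reference that group in the ClamAV ingress rule instead of the shared one. Separately, `CLAMAV_BUCKET_NAME: !Ref ClamDefsBucket` is still passed to the function even though definitions now come from freshclam on the instance; it can go with the rest of the bucket-based cleanup.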
|
@@ -171,6 +172,13 @@ functions: | |
REACT_APP_OTEL_COLLECTOR_URL: ${self:custom.reactAppOtelCollectorUrl} | ||
|
||
resources: | ||
Conditions: | ||
IsDevValProd: !Or | ||
- !Equals ['${sls:stage}', 'main'] | ||
- !Equals ['${sls:stage}', 'val'] | ||
- !Equals ['${sls:stage}', 'prod'] | ||
- !Equals ['${sls:stage}', 'mtscanfromlambda'] | ||
|
||
Resources: | ||
DocumentUploadsBucket: | ||
Type: AWS::S3::Bucket | ||
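Review bot: `!Equals ['${sls:stage}', 'mtscanfromlambda']` adds a feature-branch stage to a condition named IsDevValProd, so the EC2 instance, hosted zone and record set will also be created for that stage. This reads like a leftover from testing the branch; remove it before merge, or rename the condition if per-branch stages are intended.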
|
@@ -364,6 +372,125 @@ resources: | |
- !Sub ${QAUploadsBucket.Arn}/* | ||
Sid: DenyUnencryptedConnections | ||
|
||
ClamAVSecurityGroup: | ||
Type: AWS::EC2::SecurityGroup | ||
Properties: | ||
GroupDescription: Security group for ClamAV daemon | ||
VpcId: ${self:custom.vpcId} | ||
SecurityGroupIngress: | ||
- IpProtocol: tcp | ||
FromPort: 3310 | ||
ToPort: 3310 | ||
SourceSecurityGroupId: ${self:custom.sgId} | ||
|
||
ClamAVInstanceProfile: | ||
Type: AWS::IAM::InstanceProfile | ||
Properties: | ||
Path: '/delegatedadmin/developer/' | ||
Roles: | ||
- !Ref ClamAVInstanceRole | ||
|
||
ClamAVInstanceRole: | ||
Type: AWS::IAM::Role | ||
Properties: | ||
Path: '/delegatedadmin/developer/' | ||
PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/cms-cloud-admin/ct-ado-poweruser-permissions-boundary-policy' | ||
RoleName: !Sub 'clamavdVm-${sls:stage}-ServiceRole' | ||
AssumeRolePolicyDocument: | ||
Version: '2012-10-17' | ||
Statement: | ||
- Effect: Allow | ||
Principal: | ||
Service: ec2.amazonaws.com | ||
Action: sts:AssumeRole | ||
Policies: | ||
- PolicyName: ClamAVInstancePolicy | ||
PolicyDocument: | ||
Version: '2012-10-17' | ||
Statement: | ||
- Effect: Allow | ||
Action: | ||
- logs:CreateLogGroup | ||
- logs:CreateLogStream | ||
- logs:PutLogEvents | ||
Resource: '*' | ||
|
||
ClamAVInstance: | ||
Type: AWS::EC2::Instance | ||
Condition: IsDevValProd | ||
Properties: | ||
InstanceType: t3.medium | ||
ImageId: ami-0c7217cdde317cfec # Ubuntu 22.04 LTS | ||
IamInstanceProfile: !Ref ClamAVInstanceProfile | ||
NetworkInterfaces: | ||
- AssociatePublicIpAddress: true | ||
DeviceIndex: '0' | ||
GroupSet: | ||
- !Ref ClamAVSecurityGroup | ||
- ${self:custom.sgId} | ||
SubnetId: !Sub ${self:custom.publicSubnetA} | ||
Tags: | ||
- Key: Name | ||
Value: clamavd-${sls:stage} | ||
- Key: mcr-vmuse | ||
Value: clamavd | ||
UserData: | ||
Fn::Base64: !Sub | | ||
#!/bin/bash | ||
apt-get update | ||
apt-get install -y clamav clamav-daemon | ||
|
||
echo '${self:custom.authorizedKeys}' > /home/ubuntu/.ssh/authorized_keys | ||
chown ubuntu:ubuntu /home/ubuntu/.ssh/authorized_keys | ||
chmod 600 /home/ubuntu/.ssh/authorized_keys | ||
|
||
# Write to the clamd.conf | ||
echo "TCPSocket 3310" >> /etc/clamav/clamd.conf | ||
echo "TCPAddr 0.0.0.0" >> /etc/clamav/clamd.conf | ||
|
||
# Create a systemd service override to delay the start | ||
cat <<EOF > /etc/systemd/system/clamav-daemon.service.d/override.conf | ||
[Unit] | ||
After=network.target | ||
EOF | ||
|
||
# Fix the systemctl setting | ||
sed -i 's/^StandardOutput=syslog/StandardOutput=journal/' /lib/systemd/system/clamav-daemon.service | ||
|
||
# Reload systemd to apply the changes | ||
systemctl daemon-reload | ||
|
||
# Start clamd and get defs | ||
systemctl enable clamav-daemon | ||
systemctl enable clamav-freshclam | ||
systemctl start clamav-daemon | ||
systemctl start clamav-freshclam | ||
|
||
# Confirm we're up | ||
systemctl status clamav-daemon | ||
systemctl status clamav-freshclam | ||
|
||
MCRInternalZone: | ||
Type: AWS::Route53::HostedZone | ||
Condition: IsDevValProd | ||
Properties: | ||
Name: mc-review.local | ||
VPCs: | ||
- VPCId: ${self:custom.vpcId} | ||
VPCRegion: !Ref AWS::Region | ||
|
||
ClamAVRecordSet: | ||
Type: AWS::Route53::RecordSet | ||
Condition: IsDevValProd | ||
DependsOn: ClamAVInstance | ||
Properties: | ||
HostedZoneId: !Ref MCRInternalZone | ||
Name: clamav.mc-review.local | ||
Type: A | ||
ResourceRecords: | ||
- !GetAtt ClamAVInstance.PrivateIp | ||
TTL: '300' | ||
|
||
Outputs: | ||
DocumentUploadsBucketName: | ||
Value: !Ref DocumentUploadsBucket | ||
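Review bot: the instance gets `AssociatePublicIpAddress: true` in the public subnet while clamd is configured with `TCPAddr 0.0.0.0`, so the only thing between the daemon and the internet is the ClamAVSecurityGroup rule (3310 from `${self:custom.sgId}`) plus whatever the shared group `${self:custom.sgId}` in GroupSet already allows; since the scanner is reached via the private A record, drop the shared group from GroupSet, and if the public address is only there for apt/freshclam egress, say so in a comment. Two smaller points in the UserData: `echo '${self:custom.authorizedKeys}'` breaks if a key line ever contains a single quote, and `systemctl status` exits non-zero when a unit is not active, which is harmless here only because the script has no `set -e`. Lastly, `Condition: IsDevValProd` is on the instance, zone and record set but not on ClamAVSecurityGroup, ClamAVInstanceProfile or ClamAVInstanceRole, so those are created in every stage; adding the condition there, and `MetadataOptions: HttpTokens: required` on the instance, would be worth doing in this change.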
|
@@ -0,0 +1,12 @@ | ||
# hostname and port of the remote ClamAV daemon | ||
TCPAddr clamav.mc-review.local | ||
TCPSocket 3310 | ||
|
||
# Enable verbose logging | ||
LogVerbose yes | ||
|
||
# Path to the log file | ||
LogFile /var/log/clamd.log | ||
|
||
# Set the maximum number of concurrent threads for scanning | ||
MaxThreads 10 |
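Review bot: in this file only `TCPAddr` and `TCPSocket` matter to clamdscan, which reads clamd.conf to find the daemon; `LogVerbose`, `LogFile` and `MaxThreads` are daemon-side settings that the client ignores, and `/var/log/clamd.log` would not be writable from a Lambda anyway (only /tmp is). Drop the three unused options, and add a comment that `clamav.mc-review.local` only resolves from inside the VPC associated with MCRInternalZone, which is the reason avScan has to stay in the VPC.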
Is the ClamAV image inside our security group that can talk to the DB, for instance? I don't see why it would need to be.
You know, there were reasons when I was setting this up, but I can't recall. We can probably drop this, as the AV scanning lambda doesn't need to be in the VPC with our other lambdas and DB. I'll fix it up before merging!
Oh actually, I remember now. If the lambda is not in this VPC with the server, then all the communicating traffic with the server is going to route over the public internet, which means we have to pay that egress cost. We can use VPC gateway endpoints, but we don't have access to create VPC-related things in our account (the CMS Cloud team has to do it for us). So I just dropped it in our VPC.
I think we can drop the default security group though, which will keep it away from the Aurora instance.