-
Notifications
You must be signed in to change notification settings - Fork 9
/
index.html.md.erb
183 lines (137 loc) · 7.97 KB
/
index.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
---
title: ClamAV Add-on for PCF
owner: Security Engineering
---
<strong><%= modified_date %></strong>
This topic describes how to add ClamAV to your Pivotal Cloud Foundry (PCF) deployment.
## <a id="about-clamav"></a>About ClamAV Add-on for PCF
This add-on may be necessary for regulatory purposes if your compliance auditor requires antivirus protection within the PCF environment.
For example, auditors sometimes expect that antivirus protection be present in an environment that must comply with standards such as
Payment Card Industry Data Security Standard (PCI DSS) or Health Insurance Portability and Accountability Act (HIPAA).
ClamAV can be configured to scan on-access, on schedule, or both.
##<a id="prereqs"></a>Prerequisites
<p class="note"><strong>Note</strong>: ClamAV Add-on for PCF does not work on Windows.</p>
To complete the ClamAV Add-on installation:
* You must be a PCF operator with admin rights.
See the [Understanding Pivotal Cloud Foundry User Types](https://docs.pivotal.io/pivotalcf/customizing/user-types.html#operator) topic for more information.
* You must have Pivotal Operations Manager (Ops Manager) v1.7 or later.
* ClamAV Add-on uses 610 MB of memory. Ensure you have at least 1 GB of memory free on each VM before deploying ClamAV Add-on.
##<a id="create-mfest"></a>Create the ClamAV Manifest
The ClamAV manifest is a YML file that contains runtime configuration information for ClamAV Add-on.
Follow the steps below to create the ClamAV manifest for your deployment:
1. Create a file named `clamav.yml`, using the following code as a template.
<pre>releases:
\- name: clamav
version: 1.0.0
addons:
\- name: clamav
jobs:
\- name: clamav
release: clamav
properties:
clamav:
database\_mirror:
<%= vars.example_ip_1 %></pre>
2. (Optional) Provide the hostname or IP address of a private ClamAV update mirror.
Environments that cannot connect to the Internet normally use an update mirror.
If you do not specify a value, ClamAV defaults to `db.local.clamav.net` for updates. Mirror servers behind this address might be unreachable which may lead to a failed ClamAV Add-on deployment.
See the [Private Local Mirrors](https://www.clamav.net/documents/private-local-mirrors) topic of the ClamAV documentation for instructions on how to set up a local mirror.
##<a id="download-deploy"></a>Download and Deploy ClamAV Add-on
1. Download ClamAV Add-on software binary from the [Pivotal Network](https://network.pivotal.io/products/p-clamav-addon) to your local machine.
2. Copy the software binary to your Ops Manager virtual machine (VM).
<pre class="terminal">$ scp -i PATH/TO/PRIVATE/KEY clamav-release.tar.gz ubuntu@YOUR-OPS-MANAGER-VM-IP:</pre>
3. Copy the ClamAV manifest, `clamav.yml` file, to your Ops Manager instance.
<pre class="terminal">$ scp -i PATH/TO/PRIVATE/KEY clamav.yml ubuntu@YOUR-OPS-MANAGER-VM-IP:</pre>
4. SSH into Ops Manager.
<pre class="terminal">$ ssh -i PATH-TO-PRIVATE-KEY ubuntu@YOUR-OPS-MANAGER-VM-IP</pre>
5. On the Ops Manager VM, navigate to the software binary location.
<pre class="terminal">$ cd PATH-TO-BINARY</pre>
6. On the Ops Manager VM, target your BOSH director instance.
<pre class="terminal">
$ bosh target YOUR-OPS-MANAGER-DIRECTOR-IP
Target set to 'Ops Manager'
Your username: director
Enter password: ******************
Logged in as 'director'
</pre>
7. Upload your release.
<pre class="terminal">$ bosh upload release PATH-TO-BINARY/BINARY-NAME.tar</pre>
8. From the command line, confirm that the upload of the ClamAV
software binary completed. You should see the ClamAV release.
<pre class="terminal">$ bosh releases</pre>
9. <a name="update"></a>Update your runtime configuration to include ClamAV.
<p class="note"><strong>Note</strong>: If you installed other BOSH add-ons, you must merge the ClamAV manifest into your existing add-on manifest.
Append the contents of `clamav.yml` to your existing add-on YML file.</p>
<pre class="terminal">$ bosh update runtime-config PATH/YOUR-ADD-ON-YML.yml</pre>
10. Verify your runtime configuration changes match what you specified in the ClamAV manifest.
<pre class="terminal">
$ bosh runtime-config
Acting as user 'admin' on 'micro'
releases:
<span>-</span> name: clamav
version: 1.0.0
<br>
addons:
name: clamav
jobs:
<span>-</span> name: clamav
release: clamav
...
</pre>
11. Navigate to your Installation Dashboard in Ops Manager.
12. Click **Apply Changes**.
##<a id="alerts"></a> Configure Forwarding for ClamAV Alerts
The ClamAV BOSH release writes all alerts to the syslogs of the VMs in your deployment. You can use syslog forwarding to forward the alerts to a syslog aggregator.
* **Using the Elastic Runtime tile**: Follow the steps to [Configure System Logging](http://docs.pivotal.io/pivotalcf/customizing/cloudform-er-config.html#sys-logging)
in the Elastic Runtime tile.
The syslog aggregator that you specify receives all alerts generated on Elastic Runtime VMs, including the ClamAV alerts.
* **Using the BOSH syslog release**: You can use the syslog BOSH release to forward system logs.
See the [syslog-release](https://github.com/cloudfoundry/syslog-release) for instructions.
<p class="note"><strong>Note</strong>: When you configure syslog forwarding, ensure enough disk space for the logs.
Make sure that log rotation is frequent enough. If in doubt, rotate the logs hourly or when they reach a certain size.
Pivotal recommends forwarding logs to a remote syslog aggregation system. </p>
## <a id="verify"></a>Verify Your ClamAV Add-on Installation
1. [BOSH ssh](https://docs.pivotal.io/pivotalcf/customizing/trouble-advanced.html#bosh-ssh) into one of the VMs in your deployment.
1. Run `monit summary`. Look for the following processes in the output:
<pre class="terminal">The Monit daemon 5.2.4 uptime: 3d 0h 56m
Process 'clamd' running
Process 'freshclam' running</pre>
1. If `monit summary` does not list `freshclamd` and `clamd`, perform the following steps:
1. Try to start the ClamAV processes by running the following commands:
<pre class="terminal">
$ monit start clamd
$ monit start freshclam
</pre>
1. Run `monit summary` again. If you do not see the processes mentioned above, check `/var/vcap/sys/log/clamav` logs for errors.
1. If `monit summary` does list `freshclamd` and `clamd`, create a file on the VM with the following contents:
```
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
```
This is a virus signature used to test anti-virus software.
It may take up to an hour for ClamAV to locate the signature.
Check your syslog aggregator for the notification.
If the notification does not appear, check `/var/log/messages` on the VM.
If virus notifications appear in the VM syslog but not in the aggregator, verify your syslog forwarding settings.
##<a id="setup-on-access"></a>Enable On-Access Scan (Experimental)
ClamAV offers immediate file scanning upon file modification. This experimental feature might reduce the time it takes to detect and report malware.
Enable the feature through the `on_access` runtime config property, as follows.
1. In the `clamav.yml` file, add the `on_access` property under the `clamav` property:
<pre class="terminal">
releases:
<span>-</span> name: clamav
version: 1.0.0
<br>
addons:
name: clamav
jobs:
<span>-</span> name: clamav
release: clamav
properties:
clamav:
on\_access: yes
scheduled: yes
...
</pre>
1. Apply this configuration change by following the instructions from step 9, [Update your…](#update), in the [Download and Deploy ClamAV Add-on](#download-deploy) section above.
<p class="note"><strong>Note</strong>: The <code>scheduled</code> property is responsible for running ClamAV from cron and is set to <code>yes</code> by default.
Setting it to <code>no</code> and applying the changes disables cron runs.</p>