From 3c0cc4196914d84718203db98a84591e12f72fb8 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Wed, 9 Nov 2016 07:38:49 -0600 Subject: [PATCH] Enable virus scanner The STIG requires that a virus scanner is installed and running. This won't be popular on many hypervisors or OpenStack control plane servers, so the tasks are disabled by default. Implements: blueprint security-rhel7-stig Change-Id: I3b4803139e63aae3b740e8e150cb552a298c4ece --- defaults/main.yml | 4 ++ doc/metadata/rhel7/RHEL-07-030810.rst | 17 ++++- handlers/main.yml | 5 ++ tasks/rhel7stig/main.yml | 1 + tasks/rhel7stig/misc.yml | 93 +++++++++++++++++++++++++++ tasks/rhel7stig/packages.yml | 1 + tests/test.yml | 1 + vars/redhat.yml | 13 ++++ vars/ubuntu.yml | 7 ++ 9 files changed, 140 insertions(+), 2 deletions(-) create mode 100644 tasks/rhel7stig/misc.yml diff --git a/defaults/main.yml b/defaults/main.yml index 71d6d626..a8a1ef82 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -437,6 +437,10 @@ security_disable_gdm_automatic_login: yes # RHEL-07-010430 # Disable timed gdm logins for guests security_disable_gdm_timed_login: yes # RHEL-07-010431 +## Miscellaneous (misc) +# Enable virus scanning with clamav +security_enable_virus_scanner: no # RHEL-07-030810 + ## Packages (packages) # Remove packages from the system as required by the STIG. Set any of these # to 'no' to skip their removal. diff --git a/doc/metadata/rhel7/RHEL-07-030810.rst b/doc/metadata/rhel7/RHEL-07-030810.rst index 5a82abd2..2e315a9c 100644 --- a/doc/metadata/rhel7/RHEL-07-030810.rst +++ b/doc/metadata/rhel7/RHEL-07-030810.rst 
@@ -1,7 +1,20 @@ --- id: RHEL-07-030810 -status: not implemented +status: opt-in tag: misc --- -This STIG requirement is not yet implemented. +The STIG requires that a virus scanner is installed and running, but the value +of a virus scanner within an OpenStack control plane or on a hypervisor is +negligible in many cases. In addition, the disk I/O impact of a virus scanner +can impact a production environment negatively. + +The security role has tasks to deploy ClamAV with automatic updates, but the +tasks are disabled by default. + +Deployers can enable the ClamAV virus scanner by setting the following Ansible +variable: + +.. code-block:: yaml + + security_enable_virus_scanner: yes diff --git a/handlers/main.yml b/handlers/main.yml index 52f17b87..273c601d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -57,6 +57,11 @@ name: vsftpd state: restarted +- name: restart clamav + service: + name: "{{ clamav_service }}" + state: restarted + # Miscellaneous ############################################################## - name: generate auditd rules command: augenrules --load diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml index 8b0ab534..a45cdf15 100644 --- a/tasks/rhel7stig/main.yml +++ b/tasks/rhel7stig/main.yml @@ -47,6 +47,7 @@ - include: auth.yml - include: file_perms.yml - include: graphical.yml +- include: misc.yml - include: sshd.yml - name: Remove the temporary directory diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml new file mode 100644 index 00000000..4a2e09e6 --- /dev/null +++ b/tasks/rhel7stig/misc.yml 
@@ -0,0 +1,93 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Check if ClamAV is installed
+ stat:
+ path: /usr/bin/clamdscan
+ register: clamav_install_check
+ changed_when: False
+ tags:
+ - always
+
+- name: Remove 'Example' line from ClamAV configuration files
+ lineinfile:
+ dest: "{{ item }}"
+ regexp: "^Example"
+ state: absent
+ with_items:
+ - /etc/freshclam.conf
+ - /etc/clamd.d/scan.conf
+ when:
+ - clamav_install_check.stat.exists
+ - security_enable_virus_scanner | bool
+ - ansible_os_family | lower == 'redhat'
+ notify:
+ - restart clamav
+ tags:
+ - misc
+ - RHEL-07-030810
+
+- name: Set ClamAV server type as socket
+ lineinfile:
+ dest: /etc/clamd.d/scan.conf
+ regexp: "^(#)?LocalSocket (.*)$"
+ line: 'LocalSocket \2'
+ backrefs: yes
+ when:
+ - clamav_install_check.stat.exists
+ - security_enable_virus_scanner | bool
+ - ansible_os_family | lower == 'redhat'
+ notify:
+ - restart clamav
+ tags:
+ - misc
+ - RHEL-07-030810
+
+- name: Allow automatic freshclam updates
+ lineinfile:
+ dest: /etc/sysconfig/freshclam
+ regexp: "^FRESHCLAM_DELAY"
+ state: absent
+ when:
+ - clamav_install_check.stat.exists
+ - security_enable_virus_scanner | bool
+ - ansible_os_family | lower == 'redhat'
+ notify:
+ - restart clamav
+ tags:
+ - misc
+ - RHEL-07-030810
+
+- name: Update ClamAV database
+ command: freshclam
+ changed_when: False
+ when:
+ - clamav_install_check.stat.exists
+ - 
security_enable_virus_scanner | bool + tags: + - misc + - RHEL-07-030810 + +- name: Ensure ClamAV is running + service: + name: "{{ clamav_service }}" + state: started + enabled: yes + when: + - clamav_install_check.stat.exists + - security_enable_virus_scanner | bool + tags: + - misc + - RHEL-07-030810 diff --git a/tasks/rhel7stig/packages.yml b/tasks/rhel7stig/packages.yml index 71beb51d..c6b1e990 100644 --- a/tasks/rhel7stig/packages.yml +++ b/tasks/rhel7stig/packages.yml @@ -33,6 +33,7 @@ - RHEL-07-021910 - RHEL-07-020000 - RHEL-08-020010 + - RHEL-07-030810 - RHEL-07-040260 - RHEL-07-040500 - RHEL-07-040560 diff --git a/tests/test.yml b/tests/test.yml index b279f005..2deb4d6e 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -73,3 +73,4 @@ security_package_clean_on_remove: yes security_unattended_upgrades_enabled: true security_unattended_upgrades_notifications: true + security_enable_virus_scanner: yes diff --git a/vars/redhat.yml b/vars/redhat.yml index 1e715428..4d2b1744 100644 --- a/vars/redhat.yml +++ b/vars/redhat.yml @@ -26,6 +26,7 @@ chrony_conf_file: /etc/chrony.conf cron_service: crond ssh_service: sshd chrony_service: chronyd +clamav_service: 'clamd@scan' # Commands grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf" @@ -52,6 +53,18 @@ stig_packages: - yum-cron state: "{{ security_package_state }}" enabled: "{{ security_unattended_upgrades_enabled }}" + - packages: + - clamav + - clamav-data + - clamav-devel + - clamav-filesystem + - clamav-lib + - clamav-scanner-systemd + - clamav-server-systemd + - clamav-server + - clamav-update + state: "{{ security_package_state }}" + enabled: "{{ security_enable_virus_scanner }}" - packages: - xinetd state: absent diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml index 1b738707..175bf678 100644 --- a/vars/ubuntu.yml +++ b/vars/ubuntu.yml 
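Review bot: The install check `path: /usr/bin/clamdscan` gates every task in this file, and every later task silently skips when that binary is absent, so a deployer who sets `security_enable_virus_scanner: yes` gets no signal that the control was not applied; on Ubuntu in particular, clamdscan is shipped by a separate package (as far as I recall) that the new vars/ubuntu.yml list does not install, so the tests/test.yml run would exercise none of these tasks there. I would gate on a file the listed packages do provide (e.g. `path: /usr/bin/clamscan`) and add a task that fails with a clear message when the scanner is enabled but the check does not pass. Separately, `command: freshclam` with `changed_when: False` performs an unconditional network download on every play and, if a freshclam daemon already holds the database lock (the Ubuntu clamav-freshclam package runs one), the command errors out; a `failed_when` that tolerates an already-current database or a lock-held result, or skipping the task when the daemon is active, would make the play idempotent. This hunk begins on the previous source line.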
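Review bot: `clamav-devel` in the new stig_packages entry is, as far as I can tell, the header/library package for building against libclamav and is not needed to run clamd, freshclam or clamdscan, so installing it on hardened hosts only widens the package footprint; I would drop that line from the list. The remaining entries (daemon, unit files, data, updater) cover what tasks/rhel7stig/misc.yml and the `restart clamav` handler actually use.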
@@ -29,6 +29,7 @@ chrony_conf_file: /etc/chrony/chrony.conf cron_service: cron ssh_service: ssh chrony_service: chrony +clamav_service: clamd # Commands grub_update_cmd: "update-grub" @@ -97,6 +98,12 @@ stig_packages_rhel7: - screen state: "{{ security_package_state }}" enabled: True + - packages: + - clamav + - clamav-daemon + - clamav-freshclam + state: "{{ security_package_state }}" + enabled: "{{ security_enable_virus_scanner }}" - packages: - rsh-server state: absent
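Review bot: `clamav_service: clamd` does not, as far as I know, match the unit installed by the Ubuntu clamav-daemon package, which registers itself as `clamav-daemon` (both the init script and the systemd unit), so the `restart clamav` handler and the "Ensure ClamAV is running" task would fail on Ubuntu once the install check passes; suggest `clamav_service: clamav-daemon` and confirming the unit name on a test host before merging. The value is also unquoted here while vars/redhat.yml writes `'clamd@scan'`; quoting both keeps the two var files consistent.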