
The current behavior of the hardening role is to install the epel-release package on all deployments. This patch changes the logic to only install the EPEL repository if the deployer has asked for ClamAV to be installed. The patch also provides an option to disable the installation of EPEL entirely using a variable.

Closes-Bug: 1702167
Change-Id: I9c5e6048f95636faf2a6d71ac9217ba69ca41296
---
id: V-72213
status: opt-in
tag: misc
---
The STIG requires that a virus scanner is installed and running, but the value of a virus scanner within an OpenStack control plane or on a hypervisor is negligible in many cases. In addition, the disk I/O load of a virus scanner can negatively affect a production environment.
The security role has tasks to deploy ClamAV with automatic updates, but the tasks are disabled by default.
Deployers can enable the ClamAV virus scanner by setting the following Ansible variable:
security_enable_virus_scanner: yes
Warning
The ClamAV packages are provided in the EPEL repository. Setting the security_enable_virus_scanner variable will also cause the EPEL repository to be installed by the role.
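
The gating described above, sketched as a standalone Ansible play. This is an added example, not the role's own tasks: example_install_epel is a hypothetical name standing in for the EPEL opt-out variable, which the commit message mentions but does not name, and the play assumes a RedHat-family host with yum available. It also covers the case where the scanner is requested but EPEL is disabled, so the run stops with a clear message instead of failing inside the package install.

```yaml
# Added example; variable example_install_epel is hypothetical.
- name: Install EPEL only when the virus scanner is requested
  hosts: all
  become: true
  vars:
    security_enable_virus_scanner: yes   # opt-in variable from the page
    example_install_epel: yes            # hypothetical EPEL opt-out toggle
  tasks:
    - name: Install EPEL only if ClamAV was requested and EPEL is allowed
      ansible.builtin.package:
        name: epel-release
        state: present
      when:
        - ansible_facts['os_family'] == 'RedHat'
        - security_enable_virus_scanner | bool
        - example_install_epel | bool

    # Read-only lookup: non-zero rc means no enabled repo offers clamav.
    - name: Check that an enabled repository provides ClamAV
      ansible.builtin.command: yum info clamav
      register: clamav_lookup
      changed_when: false
      failed_when: false
      when:
        - ansible_facts['os_family'] == 'RedHat'
        - security_enable_virus_scanner | bool

    - name: Stop if the scanner was requested but no repository provides it
      ansible.builtin.fail:
        msg: >-
          security_enable_virus_scanner is set, but no enabled repository
          provides clamav. Allow the EPEL install or add a repository that
          carries the ClamAV packages.
      when:
        - ansible_facts['os_family'] == 'RedHat'
        - security_enable_virus_scanner | bool
        - clamav_lookup.rc | default(0) != 0

    - name: Install ClamAV
      ansible.builtin.package:
        name: clamav
        state: present
      when:
        - ansible_facts['os_family'] == 'RedHat'
        - security_enable_virus_scanner | bool
```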