a64c833a71
The current behavior of the hardening role is to install the epel-release package on all deployments. This patch changes the logic to only install the EPEL repository if the deployer has asked for ClamAV to be installed. The patch also provides an option to disable the installation of EPEL entirely using a variable. Closes-Bug: 1702167 Change-Id: I9c5e6048f95636faf2a6d71ac9217ba69ca41296
27 lines
782 B
ReStructuredText
27 lines
782 B
ReStructuredText
---
|
|
id: V-72213
|
|
status: opt-in
|
|
tag: misc
|
|
---
|
|
|
|
The STIG requires that a virus scanner is installed and running, but the value
|
|
of a virus scanner within an OpenStack control plane or on a hypervisor is
|
|
negligible in many cases. In addition, the disk I/O impact of a virus scanner
|
|
can impact a production environment negatively.
|
|
|
|
The security role has tasks to deploy ClamAV with automatic updates, but the
|
|
tasks are disabled by default.
|
|
|
|
Deployers can enable the ClamAV virus scanner by setting the following Ansible
|
|
variable:
|
|
|
|
.. code-block:: yaml
|
|
|
|
security_enable_virus_scanner: yes
|
|
|
|
.. warning::
|
|
|
|
The ClamAV packages are provided in the EPEL repository. Setting the
|
|
``security_enable_virus_scanner`` will also cause the EPEL repository to
|
|
be installed by the role.
|