From ac443b09b48c614283516864e3f75b0334ae0996 Mon Sep 17 00:00:00 2001 From: Alex Steel <130377221+asteel-gsa@users.noreply.github.com> Date: Thu, 21 Nov 2024 16:58:07 -0500 Subject: [PATCH 1/7] Proxy patch for database signatures --- README.md | 7 ++++-- entrypoint.sh | 66 ++++++++++++++++++++++++++++++--------------------- 2 files changed, 44 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index b3f5ca0..7bcf6a0 100644 --- a/README.md +++ b/README.md @@ -7,17 +7,20 @@ - [Status Codes](#status-codes) - [Configuration](#configuration) - [Environment Variables](#environment-variables) - - [Networking](#networking) + - [Networking](#networking) - [Maintenance / Monitoring](#maintenance--monitoring) - [Shell Access](#shell-access) -- [Developing](#developing) +- [Developing](#developing) - [References](#references) # Introduction This is a two in one docker image which runs the open source virus scanner ClamAV (https://www.clamav.net/), performs automatic virus definition updates as a background process and provides a REST API interface to interact with the ClamAV process. +# FAC Updates +An issue was found using `echo "RELOAD" | nc 127.0.0.1 3310` behind a proxy to force reload the sig database. Due to this, and with us rebuilding the image weekly to get a new sha256, on top of our terraform redeploying clamav during the week with new sha256's, force reloading the database like this makes it impossible to use the scanner, as `3310` gets soft locked on the database update, and causes any subsequent scans to fail. + # Updates As of October 21 2024, freshclam notifies the correct `.clamd.conf` so that `clamd` is notified about updates and the correct version is returned now. diff --git a/entrypoint.sh b/entrypoint.sh index 5e631d3..42f5d4c 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -4,6 +4,7 @@ mkdir -p /clamav/etc mkdir -p /clamav/data mkdir -p /clamav/tmp cp /etc/clamav/* /clamav/etc/ +chmod 0700 /clamav/etc/freshclam.conf # Replace values in freshclam.conf sed -i 's/^#\?NotifyClamd .*$/NotifyClamd \/clamav\/etc\/clamd.conf/g' /clamav/etc/freshclam.conf @@ -13,6 +14,20 @@ sed -i 's/^#DatabaseDirectory .*$/DatabaseDirectory \/clamav\/data/g' /clamav/et # Replace values with environment variables in freshclam.conf sed -i 's/^#\?Checks .*$/Checks '"$SIGNATURE_CHECKS"'/g' /clamav/etc/freshclam.conf +if [ -n "$PROXY_SERVER" ]; then + sed -i 's~^#HTTPProxyServer .*~HTTPProxyServer '"$PROXY_SERVER"'~g' /clamav/etc/freshclam.conf + + # It's not required, but if they also provided a port, then configure it + if [ -n "$PROXY_PORT" ]; then + sed -i 's/^#HTTPProxyPort .*$/HTTPProxyPort '"$PROXY_PORT"'/g' /clamav/etc/freshclam.conf + fi + + # It's not required, but if they also provided a username, then configure both the username and password + if [ -n "$PROXY_USERNAME" ]; then + sed -i 's/^#HTTPProxyUsername .*$/HTTPProxyUsername '"$PROXY_USERNAME"'/g' /clamav/etc/freshclam.conf + sed -i 's~^#HTTPProxyPassword .*~HTTPProxyPassword '"$PROXY_PASSWORD"'~g' /clamav/etc/freshclam.conf + fi +fi # Replace values with environment variables in clamd.conf sed -i 's/^#MaxScanSize .*$/MaxScanSize '"$MAX_SCAN_SIZE"'/g' /clamav/etc/clamd.conf 
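Review bot: `chmod 0700 /clamav/etc/freshclam.conf` sets the execute bit on a plain configuration file; `0600` gives the same owner-only protection and is the conventional mode for a file that is about to hold an `HTTPProxyPassword` line. The line carries no explanation, and the reason is presumably that freshclam rejects a config containing `HTTPProxyPassword` when group/other bits are set, so a why-comment such as `# owner-only: the file may carry HTTPProxyPassword, which freshclam only accepts without group/other permissions` would save the next reader the guess. It runs before the proxy block writes the password, which is the right order, and it is unconditional, which is harmless when no proxy is configured. Confirm that the account freshclam runs as owns the file after the preceding `cp`; owner-only permissions on a root-owned file would otherwise lock a de-privileged freshclam out of its own config.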
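Review bot: The `HTTPProxyPassword` sed at the end of the moved block splices `$PROXY_PASSWORD` straight into the replacement text, so a password containing `&` (re-inserts the matched text), `\` or the `~` delimiter is written incorrectly or breaks the `sed` expression; the same applies to `$PROXY_SERVER`, `$PROXY_PORT` and `$PROXY_USERNAME` with their respective delimiters. Passwords are the value most likely to contain such characters, and the result is a silently wrong proxy credential and a failed signature update with no useful error. A delete-and-append needs no escaping at all: `sed -i '/^#HTTPProxyPassword /d' /clamav/etc/freshclam.conf` followed by `printf 'HTTPProxyPassword %s\n' "$PROXY_PASSWORD" >> /clamav/etc/freshclam.conf`, and the same shape works for the other three options. The block also emits an `HTTPProxyPassword` line whenever `PROXY_USERNAME` is set even if `PROXY_PASSWORD` is empty; guarding on both, `if [ -n "$PROXY_USERNAME" ] && [ -n "$PROXY_PASSWORD" ]; then`, avoids a valueless directive, though how freshclam treats one should be confirmed. This block is moved from later in the file (the following hunk deletes it there) rather than newly written, but it is the version now under review.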
@@ -34,35 +49,32 @@ if [ -z "$(ls -A /clamav/data)" ]; then cp /var/lib/clamav/* /clamav/data/ fi -if [ -n "$PROXY_SERVER" ]; then - sed -i 's~^#HTTPProxyServer .*~HTTPProxyServer '"$PROXY_SERVER"'~g' /clamav/etc/freshclam.conf - - # It's not required, but if they also provided a port, then configure it - if [ -n "$PROXY_PORT" ]; then - sed -i 's/^#HTTPProxyPort .*$/HTTPProxyPort '"$PROXY_PORT"'/g' /clamav/etc/freshclam.conf - fi - - # It's not required, but if they also provided a username, then configure both the username and password - if [ -n "$PROXY_USERNAME" ]; then - sed -i 's/^#HTTPProxyUsername .*$/HTTPProxyUsername '"$PROXY_USERNAME"'/g' /clamav/etc/freshclam.conf - sed -i 's~^#HTTPProxyPassword .*~HTTPProxyPassword '"$PROXY_PASSWORD"'~g' /clamav/etc/freshclam.conf - fi +if [ -n "$PROXY_PORT" ]; then + echo "Proxy Detected" + ( + freshclam --config-file=/clamav/etc/freshclam.conf --daemon & + clamd --config-file=/clamav/etc/clamd.conf & + /usr/bin/clamav-rest & + ) 2>&1 | tee -a /var/log/clamav/clamav.log +else + echo "No Proxy Detected" + ( + freshclam --config-file=/clamav/etc/freshclam.conf --daemon & + clamd --config-file=/clamav/etc/clamd.conf & + /usr/bin/clamav-rest & + # Force reload the virus database through the clamd socket after 120s. + # Starting freshclam and clamd async ends up that a newer database version is loaded with + # freshclam, but the clamd still keep the old version existing before the update because + # the socket from clamd is not yet ready to inform, what is indicated in the log + # during the startup of the container (WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: No such file or directory). + # So only if a newer database version is available clamd will be notified next time, and this can take hours/days. + # Remarks: The socket port is configured in the .Dockerfile itself. 
+ sleep 30s + echo "RELOAD" | nc 127.0.0.1 3310 & + ) 2>&1 | tee -a /var/log/clamav/clamav.log fi -( - freshclam --config-file=/clamav/etc/freshclam.conf --daemon & - clamd --config-file=/clamav/etc/clamd.conf & - /usr/bin/clamav-rest & - # Force reload the virus database through the clamd socket after 120s. - # Starting freshclam and clamd async ends up that a newer database version is loaded with - # freshclam, but the clamd still keep the old version existing before the update because - # the socket from clamd is not yet ready to inform, what is indicated in the log - # during the startup of the container (WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: No such file or directory). - # So only if a newer database version is available clamd will be notified next time, and this can take hours/days. - # Remarks: The socket port is configured in the .Dockerfile itself. - sleep 120s - echo RELOAD | nc 127.0.0.01 3310 & -) 2>&1 | tee -a /var/log/clamav/clamav.log + pids=`jobs -p` From 9c31eeaf6b1286d696cd7e3d612fe5dad15ad216 Mon Sep 17 00:00:00 2001 From: Alex Steel <130377221+asteel-gsa@users.noreply.github.com> Date: Thu, 21 Nov 2024 17:03:07 -0500 Subject: [PATCH 2/7] Fix Casing --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index e7ebeae..9c93a99 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:alpine3.19 as build +FROM golang:alpine3.19 AS build # Update libraries RUN apk update && apk upgrade From 0c88ecd9f7ec56e6538a6c80723e607e73438dac Mon Sep 17 00:00:00 2001 From: Alex Steel <130377221+asteel-gsa@users.noreply.github.com> Date: Fri, 22 Nov 2024 09:01:41 -0500 Subject: [PATCH 3/7] Use $PROXY_SERVER instead of $PROXY_PORT --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 42f5d4c..aa56843 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
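Review bot: Both branches repeat the same three daemon-start lines and the same `2>&1 | tee -a /var/log/clamav/clamav.log` wrapper; the only difference is the `sleep`/`nc` RELOAD step, so one subshell with that step made conditional removes the duplication and the risk of the two branches drifting apart. That drift is already visible: the branch tests `$PROXY_PORT`, which the configuration block earlier in the file treats as optional, while that block is keyed on `$PROXY_SERVER` (patch 3 of this series changes the test to `$PROXY_SERVER`). The comment kept in the no-proxy branch still says "after 120s" while the new line sleeps `30s`; patch 4 restores 120s, but value and comment should be changed together. The script continues past the hunk (`pids=` follows), so the restructured block below keeps the same `tee` redirection and the same backgrounded processes.
```shell
start_daemons() {
  freshclam --config-file=/clamav/etc/freshclam.conf --daemon &
  clamd --config-file=/clamav/etc/clamd.conf &
  /usr/bin/clamav-rest &
}

if [ -n "$PROXY_SERVER" ]; then
  echo "Proxy Detected"
else
  echo "No Proxy Detected"
fi
(
  start_daemons
  if [ -z "$PROXY_SERVER" ]; then
    # … unchanged: comment explaining why clamd is told to RELOAD after start-up …
    sleep 120s
    echo "RELOAD" | nc 127.0.0.1 3310 &
  fi
) 2>&1 | tee -a /var/log/clamav/clamav.log
```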
@@ -49,7 +49,7 @@ if [ -z "$(ls -A /clamav/data)" ]; then cp /var/lib/clamav/* /clamav/data/ fi -if [ -n "$PROXY_PORT" ]; then +if [ -n "$PROXY_SERVER" ]; then echo "Proxy Detected" ( freshclam --config-file=/clamav/etc/freshclam.conf --daemon & From 4af54ca0cf066342d6bf994cdb30f99a66d925f0 Mon Sep 17 00:00:00 2001 From: Alex Steel <130377221+asteel-gsa@users.noreply.github.com> Date: Fri, 22 Nov 2024 09:02:04 -0500 Subject: [PATCH 4/7] Go back to 2 minutes --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index aa56843..6e1568a 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -69,7 +69,7 @@ else # during the startup of the container (WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: No such file or directory). # So only if a newer database version is available clamd will be notified next time, and this can take hours/days. # Remarks: The socket port is configured in the .Dockerfile itself. - sleep 30s + sleep 120s echo "RELOAD" | nc 127.0.0.1 3310 & ) 2>&1 | tee -a /var/log/clamav/clamav.log fi From 80d47c3acd5ddced20ae67923f6e13ea74db10f4 Mon Sep 17 00:00:00 2001 From: Alex Steel <130377221+asteel-gsa@users.noreply.github.com> Date: Fri, 22 Nov 2024 09:08:21 -0500 Subject: [PATCH 5/7] Add comment --- entrypoint.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 6e1568a..8d910f4 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
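Review bot: Restoring `sleep 120s` makes the delay agree with the "after 120s" comment above it, but the delay is still a guess about when clamd's TCP listener is ready; on a slow start the `RELOAD` goes to a closed port and, because the `nc` is backgrounded and its status never checked, the failure is invisible. Polling clamd with its `PING` command until it answers `PONG`, with an upper bound, is more robust and reuses the `nc` already in place; this assumes the image's `nc` reads the reply before exiting, which is worth confirming. The enclosing `else` branch and subshell start before this hunk.
```shell
  # … unchanged: comment explaining the forced RELOAD …
  # Wait for clamd's TCP listener instead of a fixed delay (bounded at ~120s).
  tries=0
  until printf 'PING\n' | nc 127.0.0.1 3310 | grep -q PONG; do
    tries=$((tries + 1))
    [ "$tries" -lt 60 ] || break
    sleep 2
  done
  echo "RELOAD" | nc 127.0.0.1 3310 &
```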
@@ -55,6 +55,13 @@ if [ -n "$PROXY_SERVER" ]; then freshclam --config-file=/clamav/etc/freshclam.conf --daemon & clamd --config-file=/clamav/etc/clamd.conf & /usr/bin/clamav-rest & + # Despite not having the [echo "RELOAD" | nc 127.0.0.1 3310] force reload of the clamd database + # after checking the running instance behind the proxy a day later, it was succcessfully doing + # its own internal self check. + # 2024-11-22T08:49:47.37-0500 [APP/PROC/WEB/0] OUT Fri Nov 22 14:49:47 2024 -> SelfCheck: Database status OK. + # Since the nc command holds 3310 behind our proxy for some unknown reason, we are willing to not have immediate + # clamd database signature reload in favor of freshclam successfully going through the proxy + # and doing the clamd database reload on its own, validating that the SelfCheck is working as intended ) 2>&1 | tee -a /var/log/clamav/clamav.log else echo "No Proxy Detected" From 75c5482592a310eb3dd9e438030d44310e3f9d7c Mon Sep 17 00:00:00 2001 From: Alex Steel <130377221+asteel-gsa@users.noreply.github.com> Date: Fri, 22 Nov 2024 09:08:39 -0500 Subject: [PATCH 6/7] Remove whitespace --- entrypoint.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 8d910f4..6cb1e66 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -81,8 +81,6 @@ else ) 2>&1 | tee -a /var/log/clamav/clamav.log fi - - pids=`jobs -p` exitcode=0 From 40f02c6763e14cf0d90d99d6cd987cfcce1e5632 Mon Sep 17 00:00:00 2001 From: Alex Steel <130377221+asteel-gsa@users.noreply.github.com> Date: Fri, 22 Nov 2024 09:14:26 -0500 Subject: [PATCH 7/7] verbiage change --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 6cb1e66..8964e97 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
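Review bot: The new comment has a typo, `succcessfully` → `successfully`, and would help the next operator more if it named the knob it relies on: the periodic check quoted from the log is clamd's `SelfCheck` option in clamd.conf, so a line such as `# clamd re-checks the database on its own SelfCheck interval (see SelfCheck in clamd.conf)` tells a reader where to tune it. The sentence "the nc command holds 3310 behind our proxy for some unknown reason" is worth rewording: the `nc` connection is plain local TCP to clamd and does not go through the HTTP proxy configured in freshclam.conf, so the lock-up is more plausibly clamd being busy with the RELOAD itself than anything proxy-related — an inference, but the comment should not steer readers toward the proxy. The enclosing `if` branch and subshell begin before this hunk.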
@@ -61,7 +61,7 @@ if [ -n "$PROXY_SERVER" ]; then # 2024-11-22T08:49:47.37-0500 [APP/PROC/WEB/0] OUT Fri Nov 22 14:49:47 2024 -> SelfCheck: Database status OK. # Since the nc command holds 3310 behind our proxy for some unknown reason, we are willing to not have immediate # clamd database signature reload in favor of freshclam successfully going through the proxy - # and doing the clamd database reload on its own, validating that the SelfCheck is working as intended + # and clamd doing the database reload on its own, validating that the SelfCheck is working as intended ) 2>&1 | tee -a /var/log/clamav/clamav.log else echo "No Proxy Detected"