|
cvsextras |
47272f4 |
To create individual clamd-instance take the following files and
|
|
cvsextras |
47272f4 |
modify/copy them in the suggested way:
|
|
cvsextras |
47272f4 |
|
|
|
6151a28 |
clamd.conf:
|
|
Enrico Scholz |
55b25f1 |
* set LocalSocket (or better: TCPSocket) and User to suitable values;
|
|
|
1763ecb |
avoid PidFile unless it is required by system monitoring or something
|
|
|
1763ecb |
else. Logging through syslog is usually better than an individual
|
|
Enrico Scholz |
55b25f1 |
Logfile.
|
|
|
69e78d8 |
* place this file into /etc/clamd.d with an unique service-name;
|
|
cvsextras |
47272f4 |
e.g. as /etc/clamd.d/<SERVICE>.conf
|
|
cvsextras |
47272f4 |
|
|
|
1763ecb |
When using TCPSocket, create iptables rules which are limiting the
|
|
Enrico Scholz |
55b25f1 |
access by source and/or by using '-m owner'.
|
|
Enrico Scholz |
55b25f1 |
|
|
Enrico Scholz |
55b25f1 |
When LogFile feature is wanted, it must be writable for the assigned
|
|
Enrico Scholz |
55b25f1 |
User. Recommended way to reach this, is to:
|
|
cvsextras |
47272f4 |
* make it owned by the User's *group*
|
|
cvsextras |
47272f4 |
* assign at least 0620 (u+rw,g+w) permissions
|
|
cvsextras |
47272f4 |
|
|
cvsextras |
47272f4 |
A suitable command might be
|
|
cvsextras |
47272f4 |
| # touch <logfile>
|
|
cvsextras |
47272f4 |
| # chgrp <user> <logfile>
|
|
cvsextras |
47272f4 |
| # chmod 0620 <logfile>
|
|
Enrico Scholz |
55b25f1 |
| # restorecon <logfile>
|
|
cvsextras |
47272f4 |
|
|
cvsextras |
47272f4 |
NEVER use 'clamav' as the user since he can modify the database.
|
|
cvsextras |
47272f4 |
This is the user who is running the application; e.g. for mimedefang
|
|
cvsextras |
47272f4 |
(http://www.roaringpenguin.com/mimedefang), the user might be
|
|
cvsextras |
47272f4 |
'defang'.Theoretically, distinct users could be used, but it must be
|
|
cvsextras |
47272f4 |
made sure that the application-user can write into the socket-file,
|
|
cvsextras |
47272f4 |
and that the clamd-user can access the files asked by the
|
|
cvsextras |
47272f4 |
application to be checked.
|
|
cvsextras |
47272f4 |
|
|
Enrico Scholz |
55b25f1 |
clamd.logrotate: (only when LogFile feature is used)
|
|
cvsextras |
47272f4 |
* set the correct value for the logfile
|
|
cvsextras |
47272f4 |
* place it into /etc/logrotate.d
|
|
cvsextras |
47272f4 |
|
|
Enrico Scholz |
55b25f1 |
clamd@<SERVICE>.service: (systemd instance)
|
|
Enrico Scholz |
55b25f1 |
* instance of clamd@.service
|
|
cvsextras |
47272f4 |
|
|
Enrico Scholz |
55b25f1 |
Additionally, when using LocalSocket instead of TCPSocket, the directory
|
|
Enrico Scholz |
55b25f1 |
for the socket file must be created. For tmpfiles based systems, you
|
|
Enrico Scholz |
55b25f1 |
might want to create a file /usr/lib/tmpfiles.d/clamd.<SERVICE>.conf
|
|
Enrico Scholz |
55b25f1 |
with a content of
|
|
cvsextras |
47272f4 |
|
|
Enrico Scholz |
55b25f1 |
| d /var/run/clamd.<SERVICE> <MODE> <USER> <GROUP>
|
|
cvsextras |
47272f4 |
|
|
Enrico Scholz |
55b25f1 |
Adjust <MODE> (0710 should suffice for most cases) and <USER> + <GROUP>
|
|
Enrico Scholz |
55b25f1 |
so that the socket can be accessed by clamd and by the applications
|
|
Enrico Scholz |
55b25f1 |
using clamd. Make sure that the socket is not world accessible; else,
|
|
Enrico Scholz |
55b25f1 |
DOS attacks or worse are trivial.
|
|
cvsextras |
47272f4 |
|
|
cvsextras |
47272f4 |
|
|
cvsextras |
47272f4 |
[Disclaimer:
|
|
cvsextras |
47272f4 |
this file and the script/configfiles are not part of the official
|
|
cvsextras |
47272f4 |
clamav package.
|
|
cvsextras |
47272f4 |
|
|
cvsextras |
47272f4 |
Please send complaints and comments to
|
|
cvsextras |
47272f4 |
mailto:enrico.scholz@informatik.tu-chemnitz.de!]
|