diff --git a/clamd/.dockerignore b/clamd/.dockerignore
new file mode 100644
index 0000000000000000000000000000000000000000..9b15062c3adb7c532869044b86dee454f0d5d1ff
--- /dev/null
+++ b/clamd/.dockerignore
@@ -0,0 +1,5 @@
+*
+!entrypoint
+!clamd.conf
+!clamd-ping
+!clamd-update
diff --git a/clamd/Dockerfile b/clamd/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..e83b945f3c6813ab7dece0733e2ec77eb7f886cb
--- /dev/null
+++ b/clamd/Dockerfile
@@ -0,0 +1,19 @@
+FROM debian:stretch-slim
+RUN apt-get update && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+ clamav-daemon \
+ clamav-freshclam \
+ netcat-openbsd \
+ procps \
+ && \
+ freshclam --verbose --stdout && \
+ rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
+COPY --chown=root:root clamd.conf /etc/clamav/
+RUN clamconf -n
+COPY --chown=root:root entrypoint /entrypoint
+COPY --chown=root:root clamd-ping clamd-update /usr/local/bin/
+EXPOSE 3310
+VOLUME /run/clamav
+ENTRYPOINT [ "/entrypoint" ]
+CMD [ "clamd" ]
+HEALTHCHECK CMD clamd-ping
diff --git a/clamd/README.md b/clamd/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..f2a83061f3122c3ce01ddacbbfb73f29b4dbff09
--- /dev/null
+++ b/clamd/README.md
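Review bot: In clamd/Dockerfile, `freshclam --verbose --stdout` sits in the same `RUN` as the package install, so any build that reuses the layer cache also reuses the signature database downloaded when that layer was first built. The README's statement that the image carries a database "from the time the image was built" therefore holds only for uncached builds. I would add a comment above the `RUN`, for example `# signatures are cached with this layer; build with --no-cache to refresh them`. Separately, `debian:stretch-slim` is a mutable tag and the packages are unpinned, so pinning the base by digest would make this scanner image reproducible and auditable.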
@@ -0,0 +1,26 @@
+# clamd
+
+> ClamAV container image.
+
+## Exposed interfaces
+
+The daemon is accessible over TCP at port 3310 and over the `clamd.ctl` Unix
+socket in the `/run/clamav` volume.
+
+## Updates
+
+The image comes with an updated virus database from the time the image was
+built. To update the database run `clamd-update` from inside the container with
+`docker exec` (there's no need to restart the container afterwards). For an
+example see the [Cron image](../crond) inside this project.
+
+## License
+
+This software is licensed under the MIT license (see `LICENSE.txt`).
+
+## Author Information
+
+Nimrod Adar, [contact me](mailto:nimrod@shore.co.il) or visit my [website](
+https://www.shore.co.il/). Patches are welcome via [`git send-email`](
+http://git-scm.com/book/en/v2/Git-Commands-Email). The repository is located
+at: <https://www.shore.co.il/git/>.
diff --git a/clamd/clamd-ping b/clamd/clamd-ping
new file mode 100755
index 0000000000000000000000000000000000000000..0ec42364616be66e9cfa7ac664d895771c324d04
--- /dev/null
+++ b/clamd/clamd-ping
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eux
+
+echo PING | nc -U /run/clamav/clamd.ctl || exit 1
+echo PING | nc -t localhost 3310 || exit 1
+exit 0
diff --git a/clamd/clamd-update b/clamd/clamd-update
new file mode 100755
index 0000000000000000000000000000000000000000..b4997fd49cb1fe3f5dbe2cd59b96df1f3b165676
--- /dev/null
+++ b/clamd/clamd-update
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -eux
+
+i=0
+while ! clamd-ping
+do
+ i=$(( i + 1 ))
+ [ "$i" -lt '5' ] || exit 1
+ sleep 10
+done
+
+freshclam --verbose --stdout
+#echo RELOAD | nc -U /run/clamav/clamd.ctl
diff --git a/clamd/clamd.conf b/clamd/clamd.conf
new file mode 100644
index 0000000000000000000000000000000000000000..71782128861020af761146bac69c0ec9a9941c3b
--- /dev/null
+++ b/clamd/clamd.conf
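Review bot: In clamd/clamd-ping both probes succeed whenever `nc` exits zero, which shows that a connection was accepted but not that clamd answered `PONG`, so a daemon that accepts connections without responding correctly can still be reported healthy. Comparing the reply closes that gap: `[ "$(echo PING | nc -U /run/clamav/clamd.ctl)" = PONG ] || exit 1`, and likewise for the TCP probe. A short `nc -w` timeout on each call would also keep a hung socket from stalling the check until Docker's own health-check timeout fires.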
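Review bot: In clamd/clamd-update the `RELOAD` line is commented out, and clamd.conf in this same commit sets `SelfCheck 0`, so the running daemon presumably picks up the new signatures only if freshclam notifies it, which depends on a freshclam.conf that this commit does not show. If that notification is missing, `clamd-update` exits zero while clamd keeps scanning with the old database, which contradicts the README's "no need to restart" claim. I would either restore `echo RELOAD | nc -U /run/clamav/clamd.ctl` or replace the dead line with a comment that says what triggers the reload, for example `# freshclam notifies clamd via NotifyClamd in freshclam.conf`, once that is confirmed.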
@@ -0,0 +1,86 @@
+#Automatically Generated by clamav-daemon postinst
+#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
+#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
+LocalSocket /var/run/clamav/clamd.ctl
+FixStaleSocket true
+LocalSocketGroup clamav
+LocalSocketMode 666
+# TemporaryDirectory is not set to its default /tmp here to make overriding
+# the default with environment variables TMPDIR/TMP/TEMP possible
+User clamav
+ScanMail true
+ScanArchive true
+ArchiveBlockEncrypted false
+MaxDirectoryRecursion 15
+FollowDirectorySymlinks false
+FollowFileSymlinks false
+ReadTimeout 180
+MaxThreads 12
+MaxConnectionQueueLength 15
+LogFacility LOG_LOCAL6
+LogClean false
+LogVerbose false
+PreludeEnable no
+PreludeAnalyzerName ClamAV
+DatabaseDirectory /var/lib/clamav
+OfficialDatabaseOnly false
+SelfCheck 0
+Foreground true
+Debug false
+ScanPE true
+MaxEmbeddedPE 10M
+ScanOLE2 true
+ScanPDF true
+ScanHTML true
+MaxHTMLNormalize 10M
+MaxHTMLNoTags 2M
+MaxScriptNormalize 5M
+MaxZipTypeRcg 1M
+ScanSWF true
+DetectBrokenExecutables false
+ExitOnOOM false
+LeaveTemporaryFiles false
+AlgorithmicDetection true
+ScanELF true
+IdleTimeout 30
+CrossFilesystems true
+PhishingSignatures true
+PhishingScanURLs true
+PhishingAlwaysBlockSSLMismatch false
+PhishingAlwaysBlockCloak false
+PartitionIntersection false
+DetectPUA false
+ScanPartialMessages false
+HeuristicScanPrecedence false
+StructuredDataDetection false
+CommandReadTimeout 5
+SendBufTimeout 200
+MaxQueue 100
+ExtendedDetectionInfo true
+OLE2BlockMacros false
+ScanOnAccess false
+AllowAllMatchScan true
+ForceToDisk false
+DisableCertCheck false
+DisableCache false
+MaxScanSize 100M
+MaxFileSize 25M
+MaxRecursion 16
+MaxFiles 10000
+MaxPartitions 50
+MaxIconsPE 100
+PCREMatchLimit 10000
+PCRERecMatchLimit 5000
+PCREMaxFileSize 25M
+ScanXMLDOCS true
+ScanHWP3 true
+MaxRecHWP3 16
+StreamMaxLength 25M
+LogTime true
+LogFileUnlock false
+LogFileMaxSize 0
+Bytecode true
+BytecodeSecurity TrustSigned
+BytecodeTimeout 60000
+TCPSocket 3310
+TCPAddr 0.0.0.0
diff --git a/clamd/entrypoint b/clamd/entrypoint
new file mode 100755
index 0000000000000000000000000000000000000000..3c77c8646fed6585505dc0117e0cd50a252ca0b4
--- /dev/null
+++ b/clamd/entrypoint
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eux
+
+install -d -m 755 -o clamav -g clamav /run/clamav
+
+eval exec "$@"
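Review bot: In clamd/clamd.conf, `TCPSocket 3310` with `TCPAddr 0.0.0.0` puts the clamd command protocol, which has no authentication, on every interface of the container, and `LocalSocketMode 666` makes the Unix socket writable by any user that can reach the `/run/clamav` volume. Neither this file nor the README says that the port and the volume must be limited to trusted clients. I would add a comment above the TCP lines such as `# clamd has no authentication: publish 3310 only on a trusted network`, and consider `LocalSocketMode 660` if all clients can share the `clamav` group. Also, `LocalSocket` points at `/var/run/clamav/clamd.ctl` while the scripts and the `VOLUME` use `/run/clamav`, which works only where `/var/run` is a symlink to `/run`; a one-line comment stating that assumption would help.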
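Review bot: In clamd/entrypoint, `eval exec "$@"` joins the arguments and has the shell parse them a second time, so an argument containing spaces, quotes, `;` or `$(...)` is split or executed instead of being passed through to the command. This script runs as root, before clamd drops to `User clamav`, so the re-parsing happens with full privileges inside the container. Plain `exec "$@"` hands the arguments over unchanged and is the usual form for an entrypoint wrapper. If the `eval` is deliberate, for example to expand variables written in `CMD`, a comment saying so would keep the next reader from treating it as a bug.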