From 754b3cea526a9ad8ad96ce93b9960b3719bcaf2b Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Mon, 17 Sep 2018 23:25:18 +0300
Subject: [PATCH] ClamAV daemon image.

---
 clamd/.dockerignore |  5 +++
 clamd/Dockerfile    | 19 ++++++++++
 clamd/README.md     | 26 ++++++++++++++
 clamd/clamd-ping    |  6 ++++
 clamd/clamd-update  | 13 +++++++
 clamd/clamd.conf    | 86 +++++++++++++++++++++++++++++++++++++++++++++
 clamd/entrypoint    |  6 ++++
 7 files changed, 161 insertions(+)
 create mode 100644 clamd/.dockerignore
 create mode 100644 clamd/Dockerfile
 create mode 100644 clamd/README.md
 create mode 100755 clamd/clamd-ping
 create mode 100755 clamd/clamd-update
 create mode 100644 clamd/clamd.conf
 create mode 100755 clamd/entrypoint

diff --git a/clamd/.dockerignore b/clamd/.dockerignore
new file mode 100644
index 0000000..9b15062
--- /dev/null
+++ b/clamd/.dockerignore
@@ -0,0 +1,5 @@
+*
+!entrypoint
+!clamd.conf
+!clamd-ping
+!clamd-update
diff --git a/clamd/Dockerfile b/clamd/Dockerfile
new file mode 100644
index 0000000..e83b945
--- /dev/null
+++ b/clamd/Dockerfile
@@ -0,0 +1,19 @@
+FROM debian:stretch-slim
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        clamav-daemon \
+        clamav-freshclam \
+        netcat-openbsd \
+        procps \
+    && \
+    freshclam --verbose --stdout && \
+    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
+COPY --chown=root:root clamd.conf /etc/clamav/
+RUN clamconf -n
+COPY --chown=root:root entrypoint /entrypoint
+COPY --chown=root:root clamd-ping clamd-update /usr/local/bin/
+EXPOSE 3310
+VOLUME /run/clamav
+ENTRYPOINT [ "/entrypoint" ]
+CMD [ "clamd" ]
+HEALTHCHECK CMD clamd-ping
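Review bot: The `HEALTHCHECK` on the last line runs with the default 30s interval and no start period, while clamd spends a noticeable time loading the signature database before it answers `PING`, so the container can be reported unhealthy during a normal start; `HEALTHCHECK --interval=30s --timeout=10s --start-period=60s CMD clamd-ping` keeps the same probe but gives the daemon time to come up. The `apt-get install` line pins none of the four packages and `FROM debian:stretch-slim` carries no digest, so together with the `freshclam` run baked into the same layer every build differs in both packages and signatures; pinning the base by digest at least fixes the package side. The stage has no `USER` line, which is defensible here because the entrypoint needs root to create `/run/clamav` and clamd drops to `User clamav` per clamd.conf, but a comment above `ENTRYPOINT` stating that would save the next reader the check.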
diff --git a/clamd/README.md b/clamd/README.md
new file mode 100644
index 0000000..f2a8306
--- /dev/null
+++ b/clamd/README.md
@@ -0,0 +1,26 @@
+# clamd
+
+> ClamAV container image.
+
+## Exposed interfaces
+
+The daemon is accessible over TCP at port 3310 and over the `clamd.ctl` Unix
+socket in the `/run/clamav` volume.
+
+## Updates
+
+The image comes with an updated virus database from the time the image was
+built. To update the database run `clamd-update` from inside the container with
+`docker exec` (there's no need to restart the container afterwards). For an
+example see the [Cron image](../crond) inside this project.
+
+## License
+
+This software is licensed under the MIT license (see `LICENSE.txt`).
+
+## Author Information
+
+Nimrod Adar, [contact me](mailto:nimrod@shore.co.il) or visit my [website](
+https://www.shore.co.il/). Patches are welcome via [`git send-email`](
+http://git-scm.com/book/en/v2/Git-Commands-Email). The repository is located
+at: <https://www.shore.co.il/git/>.
diff --git a/clamd/clamd-ping b/clamd/clamd-ping
new file mode 100755
index 0000000..0ec4236
--- /dev/null
+++ b/clamd/clamd-ping
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eux
+
+echo PING | nc -U /run/clamav/clamd.ctl || exit 1
+echo PING | nc -t localhost 3310 || exit 1
+exit 0
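Review bot: Both probes pass as soon as the connection is accepted, because `nc`'s exit status reflects the connection rather than the reply and nothing checks for `PONG`, so a daemon that is listening but wedged still passes the health check. Neither call has a timeout, so a stuck connection hangs until the HEALTHCHECK timeout kills the script instead of failing quickly. `echo PING | nc -w 5 -U /run/clamav/clamd.ctl | grep -q PONG` and `echo PING | nc -w 5 localhost 3310 | grep -q PONG` address both (the pipeline's status is grep's, so `set -e` still aborts on a missing reply). `-t` in the TCP call is the OpenBSD-netcat telnet-negotiation flag, not a TCP selector; TCP is the default and the flag can go. With `set -e` in effect the `|| exit 1` suffixes are redundant.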
diff --git a/clamd/clamd-update b/clamd/clamd-update
new file mode 100755
index 0000000..b4997fd
--- /dev/null
+++ b/clamd/clamd-update
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -eux
+
+i=0
+while ! clamd-ping
+do
+    i=$(( i + 1 ))
+    [ "$i" -lt '5' ] || exit 1
+    sleep 10
+done
+
+freshclam --verbose --stdout
+#echo RELOAD | nc -U /run/clamav/clamd.ctl
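Review bot: After `freshclam` finishes the running daemon is only told about the new database if `NotifyClamd` is set in freshclam.conf, which is not part of this patch; the `RELOAD` on the last line is commented out and clamd.conf sets `SelfCheck 0`, so the periodic self-check that would otherwise pick the update up is disabled as well. If the Debian default freshclam.conf (which notifies clamd) is what is relied on, a comment above the commented line such as `# freshclam.conf's NotifyClamd triggers the reload; uncomment if that is disabled` makes the README's "no restart needed" claim checkable; otherwise the RELOAD line should be active. The retry loop gives up after five failed pings (about 40 s of waiting), which may be shorter than clamd's database load on a cold start; matching it to the health-check start period would avoid spurious failures.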
diff --git a/clamd/clamd.conf b/clamd/clamd.conf
new file mode 100644
index 0000000..7178212
--- /dev/null
+++ b/clamd/clamd.conf
@@ -0,0 +1,86 @@
+#Automatically Generated by clamav-daemon postinst
+#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
+#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
+LocalSocket /var/run/clamav/clamd.ctl
+FixStaleSocket true
+LocalSocketGroup clamav
+LocalSocketMode 666
+# TemporaryDirectory is not set to its default /tmp here to make overriding
+# the default with environment variables TMPDIR/TMP/TEMP possible
+User clamav
+ScanMail true
+ScanArchive true
+ArchiveBlockEncrypted false
+MaxDirectoryRecursion 15
+FollowDirectorySymlinks false
+FollowFileSymlinks false
+ReadTimeout 180
+MaxThreads 12
+MaxConnectionQueueLength 15
+LogFacility LOG_LOCAL6
+LogClean false
+LogVerbose false
+PreludeEnable no
+PreludeAnalyzerName ClamAV
+DatabaseDirectory /var/lib/clamav
+OfficialDatabaseOnly false
+SelfCheck 0
+Foreground true
+Debug false
+ScanPE true
+MaxEmbeddedPE 10M
+ScanOLE2 true
+ScanPDF true
+ScanHTML true
+MaxHTMLNormalize 10M
+MaxHTMLNoTags 2M
+MaxScriptNormalize 5M
+MaxZipTypeRcg 1M
+ScanSWF true
+DetectBrokenExecutables false
+ExitOnOOM false
+LeaveTemporaryFiles false
+AlgorithmicDetection true
+ScanELF true
+IdleTimeout 30
+CrossFilesystems true
+PhishingSignatures true
+PhishingScanURLs true
+PhishingAlwaysBlockSSLMismatch false
+PhishingAlwaysBlockCloak false
+PartitionIntersection false
+DetectPUA false
+ScanPartialMessages false
+HeuristicScanPrecedence false
+StructuredDataDetection false
+CommandReadTimeout 5
+SendBufTimeout 200
+MaxQueue 100
+ExtendedDetectionInfo true
+OLE2BlockMacros false
+ScanOnAccess false
+AllowAllMatchScan true
+ForceToDisk false
+DisableCertCheck false
+DisableCache false
+MaxScanSize 100M
+MaxFileSize 25M
+MaxRecursion 16
+MaxFiles 10000
+MaxPartitions 50
+MaxIconsPE 100
+PCREMatchLimit 10000
+PCRERecMatchLimit 5000
+PCREMaxFileSize 25M
+ScanXMLDOCS true
+ScanHWP3 true
+MaxRecHWP3 16
+StreamMaxLength 25M
+LogTime true
+LogFileUnlock false
+LogFileMaxSize 0
+Bytecode true
+BytecodeSecurity TrustSigned
+BytecodeTimeout 60000
+TCPSocket 3310
+TCPAddr 0.0.0.0
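Review bot: `LocalSocketMode 666` makes the control socket world-writable, which also makes `LocalSocketGroup clamav` on the line before it moot; clamd's command protocol carries no authentication, so every process with access to the `/run/clamav` volume (and, via `TCPAddr 0.0.0.0`, every peer that can reach port 3310) can issue any command, including `RELOAD` and `SHUTDOWN`. If the socket is meant to be shared only with trusted sidecars, `LocalSocketMode 660` with clients in the `clamav` group is the narrower setting; otherwise a comment recording that the volume and the port are the trust boundary would help operators. `LocalSocket /var/run/clamav/clamd.ctl` also differs from the `/run/clamav` path used by the entrypoint, `clamd-ping` and the README; on Debian stretch `/var/run` is a symlink to `/run` so it works, but `LocalSocket /run/clamav/clamd.ctl` keeps the four in step. The header still says the file was generated by the Debian postinst and points at `dpkg-reconfigure`, which is no longer how this copy is maintained.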
diff --git a/clamd/entrypoint b/clamd/entrypoint
new file mode 100755
index 0000000..3c77c86
--- /dev/null
+++ b/clamd/entrypoint
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eux
+
+install -d -m 755 -o clamav -g clamav /run/clamav
+
+eval exec "$@"
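Review bot: `eval exec "$@"` on the last line re-parses the container arguments through the shell, so an argument containing whitespace, quotes or `$` is split and expanded a second time instead of being passed through; `exec "$@"` hands the arguments to the program exactly as given and is the usual ending for an entrypoint wrapper. Whether anything relies on the eval (for instance a `CMD` given as a single shell string) is not visible in this patch. The `install -d` needs root to chown `/run/clamav` to `clamav`, which is why the image cannot carry a `USER` line; a comment such as `# needs root: the socket directory is chowned to clamav before clamd drops privileges` documents that dependency.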
-- 
GitLab