diff --git a/data/Dockerfiles/clamd/Dockerfile b/data/Dockerfiles/clamd/Dockerfile index 0c69beaa8..5162cdbbd 100644 --- a/data/Dockerfiles/clamd/Dockerfile +++ b/data/Dockerfiles/clamd/Dockerfile @@ -1,18 +1,32 @@ -FROM alpine:3.8 +FROM debian:stretch-slim LABEL maintainer "André Peters " -# Add scripts -COPY dl_files.sh bootstrap.sh ./ - # Installation -ENV CLAMAV 0.100.2 +ENV CLAMAV 0.101.1 -RUN apk add --no-cache --virtual build-dependencies alpine-sdk ncurses-dev zlib-dev bzip2-dev pcre-dev linux-headers fts-dev libxml2-dev libressl-dev \ - && apk add --no-cache curl bash tini libxml2 libbz2 pcre fts libressl tzdata \ +RUN apt-get update && apt-get install -y --no-install-recommends \ + ca-certificates \ + zlib1g-dev \ + libncurses5-dev \ + libzip-dev \ + libpcre2-dev \ + libxml2-dev \ + libssl-dev \ + build-essential \ + libjson-c-dev \ + curl \ + bash \ + wget \ + tzdata \ + dnsutils \ + rsync \ + dos2unix \ + netcat \ + && rm -rf /var/lib/apt/lists/* \ && wget -O - https://www.clamav.net/downloads/production/clamav-${CLAMAV}.tar.gz | tar xfvz - \ && cd clamav-${CLAMAV} \ - && LIBS=-lfts ./configure \ + && ./configure \ --prefix=/usr \ --libdir=/usr/lib \ --sysconfdir=/etc/clamav \ 
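Review bot: The ClamAV source is still taken straight from `wget -O - https://www.clamav.net/downloads/production/clamav-${CLAMAV}.tar.gz | tar xfvz -` with no integrity check, and since this RUN executes under `/bin/sh -c` without `pipefail` (no SHELL directive is visible in the diff), a truncated download only fails the build if tar happens to reject what it received. Save the archive to a file, verify it against the checksum published for the release (`echo "<sha256 from the clamav.net release page>  clamav-${CLAMAV}.tar.gz" | sha256sum -c -`) and extract only after that succeeds; the newly added `ca-certificates` already makes the HTTPS fetch verifiable, so this completes the chain from download to build. The new `FROM debian:stretch-slim` and the apt package list are unpinned, so two builds of this file can yield different images; pinning the base by digest is the cheapest reproducibility gain. The RUN instruction this hunk starts continues into the next hunk.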
@@ -30,18 +44,22 @@ RUN apk add --no-cache --virtual build-dependencies alpine-sdk ncurses-dev zlib- && make install \ && make clean \ && cd .. && rm -rf clamav-${CLAMAV} \ - && apk del build-dependencies \ - && addgroup -S clamav \ - && adduser -S -D -h /var/lib/clamav -s /sbin/nologin -G clamav -g clamav clamav \ - && adduser clamav tty \ + && apt-get -y --auto-remove purge build-essential \ + && apt-get -y purge zlib1g-dev \ + libncurses5-dev \ + libzip-dev \ + libpcre2-dev \ + libxml2-dev \ + libssl-dev \ + libjson-c-dev \ + && addgroup --system --gid 700 clamav \ + && adduser --system --home /var/lib/clamav --uid 700 --gid 700 --disabled-login clamav \ && mkdir -p /run/clamav \ && chown clamav:clamav /run/clamav \ - && chmod +x /dl_files.sh \ - && set -ex; /bin/bash /dl_files.sh \ - && chmod 750 /run/clamav + && chmod 750 /run/clamav \ + && rm -rf /tmp/* /var/tmp/* -# Port provision -EXPOSE 3310 +COPY bootstrap.sh ./ +COPY tini /sbin/tini -# AV daemon bootstrapping CMD ["/sbin/tini", "-g", "--", "/bootstrap.sh"] diff --git a/data/Dockerfiles/clamd/bootstrap.sh b/data/Dockerfiles/clamd/bootstrap.sh index e12f2bc63..a82396500 100755 --- a/data/Dockerfiles/clamd/bootstrap.sh +++ b/data/Dockerfiles/clamd/bootstrap.sh @@ -10,7 +10,7 @@ fi mkdir -p /var/log/clamav touch /var/log/clamav/clamd.log /var/log/clamav/freshclam.log chown -R clamav:clamav /var/log/clamav/ -chown root:tty /dev/console +adduser clamav tty chmod g+rw /dev/console # Prepare whitelist 
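Review bot: After `apt-get -y purge zlib1g-dev … libjson-c-dev` the shared libraries clamd was just linked against survive only as auto-installed leftovers of the purged -dev packages (on stretch that is presumably libxml2, libpcre2-8-0, libjson-c3 and friends), so a later `apt-get autoremove` — or adding `--auto-remove` to this second purge for symmetry with the first one — would strip them and leave a broken binary. Install the runtime libraries explicitly in the install step above, or run `apt-mark manual` on them before purging, so the dependency is recorded in the package database. `COPY tini /sbin/tini` ships a binary committed to the repository (the diff shows it only as a binary file) with no recorded origin or checksum; a comment such as `# tini <version placeholder>, sha256 <checksum placeholder>, from the upstream release` above the COPY, or fetching it in the RUN with the checksum verified, would make it auditable. Dropping `EXPOSE 3310` also removes the only documentation of the port that bootstrap.sh later connects to, so consider keeping it. The RUN instruction modified here begins in the previous hunk.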
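Review bot: `adduser clamav tty` now rewrites the container's group database on every start, replacing a build-time membership (the Dockerfile hunk removes the same `adduser clamav tty` from the image build), and the script only needs it so that the following `chmod g+rw /dev/console` grants the clamav user access. Group membership is static and belongs in the image: keep `adduser clamav tty` in the Dockerfile's RUN and leave only the `chmod` here, which also avoids depending on how Debian's adduser behaves when the user is already a member. Note that the removed `chown root:tty /dev/console` was what guaranteed the device's group was `tty`; the new code presumably assumes the runtime already provides that, which is worth a comment such as `# /dev/console is expected to be group tty (runtime default) — verify` if the assumption is deliberate. The surrounding script continues outside the hunk.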
@@ -37,6 +37,27 @@ done ) & BACKGROUND_TASKS+=($!) +( +while true; do + sleep 2m + SANE_MIRRORS="$(dig +ignore +short rsync.sanesecurity.net)" + for sane_mirror in ${SANE_MIRRORS}; do + rsync -avp --chown=clamav:clamav --timeout=5 rsync://${sane_mirror}/sanesecurity/ \ + --include 'blurl.ndb' \ + --include 'junk.ndb' \ + --include 'jurlbl.ndb' \ + --include 'phish.ndb' \ + --exclude='*' /var/lib/clamav/ + if [ $? -eq 0 ]; then + echo RELOAD | nc localhost 3310 + break + fi + done + sleep 30h +done +) & +BACKGROUND_TASKS+=($!) + clamd & BACKGROUND_TASKS+=($!) diff --git a/data/Dockerfiles/clamd/dl_files.sh b/data/Dockerfiles/clamd/dl_files.sh deleted file mode 100755 index 09d612410..000000000 --- a/data/Dockerfiles/clamd/dl_files.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/bash - -declare -a DB_MIRRORS=( - "switch.clamav.net" - "clamavdb.heanet.ie" - "clamav.iol.cz" - "clamav.univ-nantes.fr" - "clamav.easynet.fr" - "clamav.begi.net" -) -declare -a DB_MIRRORS=( $(shuf -e "${DB_MIRRORS[@]}") ) - -DB_FILES=( - "bytecode.cvd" - "daily.cvd" - "main.cvd" -) - -for i in "${DB_MIRRORS[@]}"; do - for j in "${DB_FILES[@]}"; do - [[ -f "/var/lib/clamav/${j}" && -s "/var/lib/clamav/${j}" ]] && continue; - if [[ $(curl -o /dev/null --connect-timeout 1 \ - --max-time 1 \ - --silent \ - --head \ - --write-out "%{http_code}\n" "${i}/${j}") == 200 ]]; then - curl "${i}/${j}" -o "/var/lib/clamav/${j}" -# - fi - done -done - -chown clamav:clamav /var/lib/clamav/*.cvd diff --git a/data/Dockerfiles/clamd/tini b/data/Dockerfiles/clamd/tini new file mode 100755 index 000000000..03af82f09 Binary files /dev/null and b/data/Dockerfiles/clamd/tini differ diff --git a/data/conf/clamav/clamd.conf b/data/conf/clamav/clamd.conf index f09510bd7..cf15e4b4f 100644 --- a/data/conf/clamav/clamd.conf +++ b/data/conf/clamav/clamd.conf @@ -1,3 +1,4 @@ +#Debug true LogFile /dev/console LogTime yes LogClean yes 
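Review bot: The signature files pulled by `rsync -avp --chown=clamav:clamav --timeout=5 rsync://${sane_mirror}/sanesecurity/ …` are written straight into `/var/lib/clamav/` and activated with `echo RELOAD | nc localhost 3310` without any integrity check, so whichever host the `dig +ignore +short rsync.sanesecurity.net` lookup returned can feed arbitrary database content to the scanner over an unauthenticated transport. Sync into a staging directory, verify the files against whatever checksum or signature the publisher provides (or at least confirm clamd can load them, e.g. `clamscan -d <staged file> /dev/null`), and only then move them into place and send the reload. The trailing `sleep 30h` runs even when every mirror failed, so one bad DNS answer or a short outage postpones the next attempt by more than a day; a shorter back-off on failure (for example `sleep 1h` when the loop exits without a successful rsync) would be more robust. The background subshell is opened and closed entirely within the hunk.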
@@ -23,9 +24,9 @@ DetectPUA yes
 #IncludePUA Spy
 #IncludePUA Scanner
 #IncludePUA RAT
-AlgorithmicDetection yes
+HeuristicAlerts yes
 ScanOLE2 yes
-OLE2BlockMacros yes
+AlertOLE2Macros yes
 ScanPDF yes
 ScanSWF yes
 ScanXMLDOCS yes
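Review bot: `HeuristicAlerts yes` and `AlertOLE2Macros yes` are the option names introduced by the ClamAV release the image is moving to, and a clamd built from the previous version will reject them, while this configuration lives under data/conf and is not otherwise tied to the image version. A comment at the top of the changed lines, such as `# HeuristicAlerts/AlertOLE2Macros replace AlgorithmicDetection/OLE2BlockMacros and need ClamAV 0.101.1 or newer (see the clamd Dockerfile)`, records that coupling for anyone who pins a different image. The `+#Debug true` line added in the first hunk of this file is presumably a leftover from testing; if it is meant as a documented toggle, a short comment saying so would stop it from being cleaned up by mistake.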