Clamav and Centos 6: Part 2

In part 1 I explained the core clamav subsystems. In this part I will show my clamav configuration for CentOS 6.

I choose a simple approach. The clamav applications run via cron jobs at scheduled times, once daily. None run as demons. The output from the application runs is sent to syslog. I tried to change the default install as little possible.

In this configuration clamscan does not make any changes when it finds a virus. It only sends an alert to the log. You will have to use OSSEC or another log monitoring solution to check for the case when it does find a virus and then handle it manually.

Ansible Configuration

The script below is for Ansible. I created a clamav role and added it to all my servers. You must have the EPEL repository enabled.  clamav is found in EPEL and not in the default repository.

My Ansible clamav tasks/main.yml is the following:


- name: Install clamav packages
  yum: name={{ item }} state=installed
      - clamav
      - clamav-db
      - clamav-unofficial-sigs
    - Initialize antivirus database

- name: Disable clam user login
  user: name=clam shell=/sbin/nologin

- name: Disable clam-update user login
  user: name=clam-update shell=/sbin/nologin

- name: Set permissions on antivirus database directory
  file: path=/var/lib/clamav state=directory owner=clam group=clam

- name: Set permissions on freshclam configuration
  file: path=/etc/freshclam.conf owner=root group=root mode=0644

- name: Daily clamav database update
  cron: name="Daily Virus DB Update"

- name: Daily unofficial sig update
  cron: name="Daily Unofficial DB Update"
        job="/usr/bin/ 2>&1 | /usr/bin/logger -p -t clam-unofficial-sigs"

- name: Daily clamav scan
  cron: name="Daily Virus Scan"
        job="/usr/bin/clamscan -r /  --detect-pua --exclude-dir=/sys/ --exclude-dir=/proc/ --exclude-dir=/dev/ --infected 2>&1 | /usr/bin/logger -p -t clamscan"

- name: Remove default unofficial sig cron file
  file: path=/etc/cron.d/clamav-unofficial-sigs state=absent

  # Freshclam conf 
- name: Disable /var/log/clamav logs and use syslog only
  lineinfile: dest=/etc/freshclam.conf regexp=^UpdateLogFile state=absent

- name: Include the time in the log
  lineinfile: dest=/etc/freshclam.conf line='LogTime yes'

- name: Set the local web proxy host
  lineinfile: dest=/etc/freshclam.conf line='HTTPProxyServer {{ web_proxy_host }}'
  when: web_proxy_host is defined

- name: Set the local web proxy port
  lineinfile: dest=/etc/freshclam.conf line='HTTPProxyPort {{ web_proxy_port }}'
  when: web_proxy_port is defined

Note that I do not install the clamd package since I don’t run clamav in demon mode. I did add the unofficial signatures package for the extra security. I had problems with the default cron job that the unofficial signatures packages uses so I added a step to delete it and run it instead as a custom job.

If you use a web proxy then define the two variables, web_proxy_host and web_proxy_port in your group_vars/all file. If these are not set then Ansible will ignore this change.

The Ansible handlers/main.yml file is:


- name: Initialize antivirus database
  command: /usr/bin/
  notify: Update default signatures

- name: Update default signatures
  command: freshclam

This handler updates the antivirus database when clamav is first installed. It only runs once during installation.


This configuration should work fine for most situations. The clamscan job will take a lot of CPU time so schedule it at a time when that won’t be disruptive.

As I mentioned in the first part this is probably not the optimal configuration for real-time email scanning with milter. Everything I have read indicates that a demon mode is best in that situation.

Categories: Security, Software

Tags: ,

Share Your Ideas

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: