* use socket to reach clamd Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com> * check if the file is opened for read Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com> * bitwise operation Signed-off-by: Amir Malka <amirm@armosec.io> * reverting image for tests Signed-off-by: Amir Malka <amirm@armosec.io> * updated docker image of clamav Signed-off-by: Amir Malka <amirm@armosec.io> * add malware detection test Signed-off-by: Amir Malka <amirm@armosec.io> --------- Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com> Signed-off-by: Amir Malka <amirm@armosec.io> Co-authored-by: Amir Malka <amirm@armosec.io>
Showing
18 changed files
with
519 additions
and
255 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
ARG CLAMAV_VERSION | ||
|
||
FROM ubuntu:23.10 as builder | ||
ARG SOCKS_PROXY | ||
ENV SOCKS_PROXY=$SOCKS_PROXY | ||
RUN apt-get update && apt-get install -y python3 python3-pip clamav | ||
COPY create-filtered-clam-db.sh / | ||
RUN /create-filtered-clam-db.sh | ||
|
||
FROM clamav/clamav-debian:${CLAMAV_VERSION} | ||
RUN apt-get update && apt-get install -y netcat | ||
COPY ./init.sh /init | ||
RUN mkdir -p /var/lib/clamav || true | ||
COPY --from=builder main.cud /var/lib/clamav/main.cud | ||
RUN chmod +x /init && chown clamav:clamav /var/lib/clamav | ||
ENV CLAMAV_NO_FRESHCLAMD=true |
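Review bot: The final stage sets `CLAMAV_NO_FRESHCLAMD=true` and ships only the `main.cud` built in the builder stage, so the scanner's signatures are frozen at image build time, and the database is unsigned, so its integrity depends entirely on the build. Nothing in this file says that this is deliberate or how the signatures get refreshed; a comment above the ENV line such as `# freshclam disabled on purpose: signatures are baked in at build time, rebuild the image to refresh them` would make it explicit. It is also worth confirming that shipping without a daily.cvd equivalent is intended, since only main.cvd is repackaged and the `_base` tag passed in from the Makefile presumably carries no database of its own. Separately, `COPY --chown=clamav:clamav --from=builder /main.cud /var/lib/clamav/main.cud` would use an absolute source path and give the database file the same owner as the directory, which the non-recursive `chown` on the following line does not touch.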
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
DOCKERFILE_PATH=./Dockerfile | ||
BINARY_NAME=klamav | ||
|
||
IMAGE?=quay.io/kubescape/$(BINARY_NAME) | ||
TAG?=1.2.0-6_base | ||
|
||
docker-build: | ||
docker buildx build --build-arg CLAMAV_VERSION=$(TAG) --platform linux/amd64 -t $(IMAGE):$(TAG) -f $(DOCKERFILE_PATH) . | ||
docker-push: | ||
docker push $(IMAGE):$(TAG) |
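Review bot: `TAG` serves both as the upstream base version (`--build-arg CLAMAV_VERSION=$(TAG)`) and as the tag of the pushed image, so a rebuild that bakes in a newer signature database would overwrite `$(IMAGE):1.2.0-6_base` and consumers could not tell which signature set a given pull contains. Splitting the two, e.g. `CLAMAV_VERSION?=1.2.0-6_base` with `TAG?=$(CLAMAV_VERSION)-<BUILD_DATE_PLACEHOLDER>` and `--build-arg CLAMAV_VERSION=$(CLAMAV_VERSION)`, keeps the base pin while making each published image distinguishable. `docker-build` and `docker-push` should also be declared with `.PHONY: docker-build docker-push`.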
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
# ClamAV |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
#!/bin/bash | ||
set -x | ||
|
||
# Create a temporary directory: | ||
mkdir -p tmp | ||
|
||
# Get into it | ||
pushd tmp | ||
|
||
# Check if main.cvd exists | ||
if [ -f ~/.cvdupdate/database/main.cvd ] | ||
then | ||
echo "main.cvd already exists" | ||
cp ~/.cvdupdate/database/main.cvd . | ||
else | ||
echo "main.cvd does not exist, downloading it" | ||
rm -rf ~/.cvdupdate | ||
python3 -m pip install --user cvdupdate --break-system-packages | ||
python3 -m cvdupdate update -V | ||
return_code=$? | ||
if [ $return_code -ne 0 ] | ||
then | ||
echo "Failed to download main.cvd (http code: $return_code)" | ||
exit 1 | ||
fi | ||
cp ~/.cvdupdate/database/main.cvd . | ||
fi | ||
|
||
|
||
# unpack the main.cvd | ||
sigtool --unpack main.cvd | ||
if [ $? -ne 0 ] | ||
then | ||
echo "Failed to unpack main.cvd" | ||
exit 1 | ||
fi | ||
rm main.cvd | ||
|
||
# Loop over all the files in the tmp directory | ||
for file in * | ||
do | ||
# If the file has one line, skip | ||
if [ $(wc -l < $file) -eq 1 ] | ||
then | ||
echo "Skipping $file" | ||
continue | ||
fi | ||
|
||
# If the file is the COPYING or main.cvd file, skip | ||
if [ $(basename $file) == "main.cvd" ] | ||
then | ||
echo "Skipping $file" | ||
continue | ||
fi | ||
if [ $(basename $file) == "COPYING" ] | ||
then | ||
echo "Skipping $file" | ||
continue | ||
fi | ||
|
||
# Filter out the lines that does not contain the word "Unix" or "Multios" | ||
grep -v -E "Win\.|Osx\." $file > $file.tmp | ||
mv $file.tmp $file | ||
# If the file is empty, delete it | ||
if [ $(wc -l < $file) -eq 0 ] | ||
then | ||
echo "Deleting $file" | ||
rm $file | ||
fi | ||
done | ||
|
||
|
||
sigtool --version | ||
printf "slashben\n" | sigtool --build=main.cud --unsigned | ||
if [ $? -ne 0 ] | ||
then | ||
echo "Failed to build main.cud" | ||
exit 1 | ||
fi | ||
|
||
|
||
# Get back | ||
popd | ||
|
||
cp tmp/main.cud main.cud | ||
|
||
# Clean up | ||
rm -rf tmp |
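Review bot: The download branch installs `cvdupdate` unpinned and never checks the result of `pip install`, and nothing between `cp ~/.cvdupdate/database/main.cvd .` and `sigtool --unpack main.cvd` verifies the CVD before it is unpacked and rebuilt with `--unsigned`, so the integrity of the shipped database rests entirely on this build step. Pin the tool, e.g. `python3 -m pip install --user --break-system-packages 'cvdupdate==<PINNED_VERSION>' || exit 1`, and consider running `sigtool --info main.cvd` first and failing unless it reports a successful verification (whether `--unpack` itself checks the signature is not visible here). The script also runs without `set -e`, so a failed `pushd tmp` would let the `for file in *` loop rewrite files in the caller's directory; `pushd tmp || exit 1` closes that. The comment above the `grep -v -E "Win\.|Osx\."` line talks about Unix/Multios lines, while the code removes lines matching `Win.` or `Osx.`; `# Drop signatures whose name contains "Win." or "Osx."` would match what the code does.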
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
#!/usr/bin/env sh | ||
# SPDX-License-Identifier: GPL-2.0-or-later | ||
# | ||
# Copyright (C) 2021 Olliver Schinagl <oliver@schinagl.nl> | ||
# Copyright (C) 2021-2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved. | ||
# | ||
# A beginning user should be able to docker run image bash (or sh) without | ||
# needing to learn about --entrypoint | ||
# https://github.com/docker-library/official-images#consistency | ||
|
||
set -eu | ||
|
||
if [ ! -d "/run/clamav" ]; then | ||
install -d -g "clamav" -m 775 -o "clamav" "/run/clamav" | ||
fi | ||
|
||
# Assign ownership to the database directory, just in case it is a mounted volume | ||
chown -R clamav:clamav /var/lib/clamav | ||
|
||
# run command if it is not starting with a "-" and is an executable in PATH | ||
if [ "${#}" -gt 0 ] && \ | ||
[ "${1#-}" = "${1}" ] && \ | ||
command -v "${1}" > "/dev/null" 2>&1; then | ||
# Ensure healthcheck always passes | ||
CLAMAV_NO_CLAMD="true" exec "${@}" | ||
else | ||
if [ "${#}" -ge 1 ] && \ | ||
[ "${1#-}" != "${1}" ]; then | ||
# If an argument starts with "-" pass it to clamd specifically | ||
exec clamd "${@}" | ||
fi | ||
# else default to running clamav's servers | ||
|
||
# Help tiny-init a little | ||
mkdir -p "/run/lock" | ||
ln -f -s "/run/lock" "/var/lock" | ||
|
||
# Ensure we have some virus data, otherwise clamd refuses to start | ||
if [ "${CLAMAV_NO_FRESHCLAMD:-false}" != "true" ]; then | ||
if [ ! -f "/var/lib/clamav/main.cvd" ]; then | ||
echo "Updating initial database" | ||
freshclam --foreground --stdout | ||
fi | ||
fi | ||
|
||
# Start freshclamd if not disabled | ||
if [ "${CLAMAV_NO_FRESHCLAMD:-false}" != "true" ]; then | ||
echo "Starting Freshclamd" | ||
freshclam \ | ||
--checks="${FRESHCLAM_CHECKS:-1}" \ | ||
--daemon \ | ||
--foreground \ | ||
--stdout \ | ||
--user="clamav" \ | ||
& | ||
fi | ||
|
||
if [ "${CLAMAV_NO_CLAMD:-false}" != "true" ]; then | ||
echo "Starting ClamAV" | ||
if [ -S "/run/clamav/clamd.sock" ]; then | ||
unlink "/run/clamav/clamd.sock" | ||
fi | ||
if [ -S "/tmp/clamd.sock" ]; then | ||
unlink "/tmp/clamd.sock" | ||
fi | ||
clamd --foreground & | ||
while [ ! -S "/run/clamav/clamd.sock" ] && [ ! -S "/tmp/clamd.sock" ]; do | ||
if [ "${_timeout:=0}" -gt "${CLAMD_STARTUP_TIMEOUT:=1800}" ]; then | ||
echo | ||
echo "Failed to start clamd" | ||
exit 1 | ||
fi | ||
printf "\r%s" "Socket for clamd not found yet, retrying (${_timeout}/${CLAMD_STARTUP_TIMEOUT}) ..." | ||
sleep 1 | ||
_timeout="$((_timeout + 1))" | ||
done | ||
echo "socket found, clamd started." | ||
fi | ||
|
||
if [ "${CLAMAV_NO_MILTERD:-true}" != "true" ]; then | ||
echo "Starting clamav milterd" | ||
clamav-milter & | ||
fi | ||
|
||
# Wait forever (or until canceled) | ||
exec tail -f "/dev/null" | ||
fi | ||
|
||
exit 0 |