Server : Apache System : Linux cs317.bluehost.com 4.19.286-203.ELK.el7.x86_64 #1 SMP Wed Jun 14 04:33:55 CDT 2023 x86_64 User : andertr9 ( 1047) PHP Version : 8.2.18 Disable Function : NONE Directory : /usr/share/doc/clamd-0.103.11/ |
Upload File : |
Update 2021: Log to syslog is obsolete, journalctl superseded it By default, clamd provides a general "scan" service that requires minimal configuration. To configure, edit /etc/clamd/scan.conf and: * set LocalSocket for localhost access or TCPSocket for network access. Default configuration will: * Log to syslog * Run as the user "clamscan" When LogFile feature is wanted, it must be writable for the assigned User. The recommended way is to: * make it owned by the User's *group* * assign at least 0620 (u+rw,g+w) permissions A suitable command might be | # touch <logfile> | # chgrp <user> <logfile> | # chmod 0620 <logfile> | # restorecon <logfile> NEVER use 'clamav' as the user since it can modify the database. This is the user who is running the application; e.g. for mimedefang (http://www.roaringpenguin.com/mimedefang), the user might be 'defang'. Theoretically, distinct users could be used, but it must be made sure that the application-user can write into the socket-file, and that the clamd-user can access the files asked by the application to be checked. The default service can be enabled and started with: systemctl enable clamd@scan.service systemctl start clamd@scan.service To create other individual clamd-instances take the following files in /usr/share/doc/clamd/ and modify/copy them in the suggested way: clamd.conf, copy to /etc/clamd.d/<SERVICE>.conf * Change <SERVICE> as to match name of config file * Any other changes as noted above clamd.logrotate: (only when LogFile feature is used) * set the correct value for the logfile * place it into /etc/logrotate.d Additionally, when using LocalSocket instead of TCPSocket, the directory for the socket file must be created. For tmpfiles based systems, you might want to create a file /etc/tmpfiles.d/clamd.<SERVICE>.conf with a content of | d /run/clamd.<SERVICE> <MODE> <USER> <GROUP> Adjust <MODE> (0710 should suffice for most cases) and <USER> + <GROUP> so that the socket can be accessed by clamd and by the applications using clamd. Make sure that the socket is not world accessible; else, DOS attacks or worse are trivial. After emulating these steps by hand (or else rebooting), you still need set SELinux: chcon -t clamd_var_run_t /run/clamd.<SERVICE> or restorecon -R -v "/run/clamd.<SERVICE>" More SELinux notes: you may need run: setsebool -P antivirus_can_scan_system 1 and also maybe this one (I need to confirm that is obsolete) setsebool -P antivirus_use_jit 1 The new service can be enabled and started with: systemctl enable clamd@<SERVICE>.service systemctl start clamd@<SERVICE>.service [Disclaimer: this file and the script/configfiles are not part of the official clamav package. Please send complaints and comments to https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=clamav]