Add virusfilter support for Samba homes and update configuration files.
@@ -1776,6 +1776,9 @@ samba_server_min_protocol: {}
|
||||
#
|
||||
samba_allow_insecure_wide_links: !!str no
|
||||
|
||||
# include vfs object 'virusfilter' to (private) homes shares
|
||||
samba_homes_virusfilter: false
|
||||
|
||||
samba_groups: []
|
||||
|
||||
# samba_user:
|
||||
|
||||
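Review bot: The comment above `samba_homes_virusfilter` undersells what the switch does. Per the task changes elsewhere in this commit, enabling it also adds the `clamav` user to each NIS user's group, sets the home directories to 0750 and extends the clamd AppArmor profile to the home tree. I would document that next to the default, e.g. `# NOTE: also adds clamav to every NIS user group and sets homes to 0750`, so operators see the access change before turning it on.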
@@ -1,5 +1,4 @@
|
||||
---
|
||||
|
||||
# ---
|
||||
# Samba Server
|
||||
# ---
|
||||
@@ -60,13 +59,73 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-install.yml) Ensure clamav-daemon and clamav-freshclam services are enabled
|
||||
- name: (samba-config-server.yml) Check if ClamAV virus databases are present
|
||||
find:
|
||||
paths: /var/lib/clamav
|
||||
patterns:
|
||||
- "*.cvd"
|
||||
- "*.cld"
|
||||
register: clamav_db_files
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-config-server.yml) Stop clamav-freshclam service before initial database download
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
name: clamav-freshclam
|
||||
state: stopped
|
||||
failed_when: false
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
|
||||
- clamav_db_files.files | length == 0
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-config-server.yml) Ensure clamav-daemon service is started before database update
|
||||
service:
|
||||
name: clamav-daemon
|
||||
state: started
|
||||
enabled: yes
|
||||
failed_when: false
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-config-server.yml) Download initial ClamAV virus databases via freshclam
|
||||
command: freshclam
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
|
||||
- clamav_db_files.files | length == 0
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-config-server.yml) Ensure clamav-daemon service is enabled and started
|
||||
service:
|
||||
name: clamav-daemon
|
||||
state: started
|
||||
enabled: yes
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-config-server.yml) Ensure clamav-freshclam service is enabled and started
|
||||
service:
|
||||
name: clamav-freshclam
|
||||
state: started
|
||||
enabled: yes
|
||||
loop:
|
||||
- clamav-daemon
|
||||
- clamav-freshclam
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_shares | selectattr('vfs_object_virusfilter', 'defined') | selectattr('vfs_object_virusfilter', 'equalto', true) | list | length > 0
|
||||
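Review bot: The ClamAV database and service tasks in this hunk are gated only on `samba_shares` entries with `vfs_object_virusfilter` set, so a host that enables just `samba_homes_virusfilter` appears to skip the database check, the initial `freshclam` run and the clamd/freshclam service tasks. The homes share would then depend on a scanner that may not be running or has no signatures; what happens to file access in that case depends on virusfilter settings not visible here. Consider changing the second `when` item to `- (samba_shares | selectattr(...) | list | length > 0) or (samba_homes_virusfilter | default(false) | bool)` in each of these tasks. Separately, `command: freshclam` has no `changed_when`, and `failed_when: false` on the pre-update clamd start hides a start failure until the later task. The hunk begins and ends inside tasks whose remaining lines are outside it.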
@@ -91,17 +150,62 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-install.yml) Configure AppArmor local profile for clamd (data paths)
|
||||
blockinfile:
|
||||
path: /etc/apparmor.d/local/usr.sbin.clamd
|
||||
create: yes
|
||||
- name: (samba-config-server.yml) Ensure clamav user is member of all NIS user groups (homes virusfilter)
|
||||
user:
|
||||
name: clamav
|
||||
groups: "{{ item.name }}"
|
||||
append: yes
|
||||
loop: "{{ nis_user }}"
|
||||
loop_control:
|
||||
label: "{{ item.name }}"
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_homes_virusfilter | default(false) | bool
|
||||
- nis_user | length > 0
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-config-server.yml) Get home directories of samba users (NIS users) via getent (homes virusfilter)
|
||||
ansible.builtin.getent:
|
||||
database: passwd
|
||||
key: "{{ item.name }}"
|
||||
loop: "{{ nis_user }}"
|
||||
loop_control:
|
||||
label: "{{ item.name }}"
|
||||
register: samba_user_getent
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_homes_virusfilter | default(false) | bool
|
||||
- nis_user | length > 0
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-config-server.yml) Ensure home directories are group-traversable for clamd (homes virusfilter)
|
||||
file:
|
||||
path: "{{ item.ansible_facts.getent_passwd[item.item.name][4] }}"
|
||||
mode: "0750"
|
||||
state: directory
|
||||
loop: "{{ samba_user_getent.results | default([]) }}"
|
||||
loop_control:
|
||||
label: "{{ item.item.name }}"
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
- samba_homes_virusfilter | default(false) | bool
|
||||
- item.ansible_facts is defined
|
||||
tags:
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
|
||||
- name: (samba-config-server.yml) Configure AppArmor local profile for clamd (data paths)
|
||||
template:
|
||||
src: etc/apparmor.d/local/usr.sbin.clamd.j2
|
||||
dest: /etc/apparmor.d/local/usr.sbin.clamd
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
marker: "# {mark} ANSIBLE MANAGED - smba virusfilter paths"
|
||||
block: |
|
||||
/data/** r,
|
||||
/data/samba/QUARANTINE/** rw,
|
||||
notify: Reload AppArmor profile clamd
|
||||
when:
|
||||
- inventory_hostname in groups['samba_server']
|
||||
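Review bot: The task that sets home directories to `mode: "0750"` neither sets nor checks the directory's group, so the new group bits go to whatever group currently owns each home. If a home belongs to a shared group rather than the per-user group that `clamav` was just added to, this opens read/traverse access to every member of that group and may still not let clamd in. Adding `group: "{{ item.item.name }}"` next to `mode` would tie the permission to the group the earlier `user` task relies on; that task already assumes a group named after each user exists. Note also that `state: directory` creates a missing home path as a side effect, and the `user` task has no `notify` to restart clamd, which is presumably needed before the new supplementary groups apply to the running daemon.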
@@ -111,7 +215,7 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
- name: (samba-install.yml) Ensure AllowAllMatchScan is enabled in clamd.conf
|
||||
- name: (samba-config-server.yml) Ensure AllowAllMatchScan is enabled in clamd.conf
|
||||
lineinfile:
|
||||
path: /etc/clamav/clamd.conf
|
||||
regexp: "^#?\\s*AllowAllMatchScan\\s"
|
||||
@@ -126,7 +230,6 @@
|
||||
- samba-server
|
||||
- samba-virusfilter
|
||||
|
||||
|
||||
# ---
|
||||
# /etc/samba/smb.conf
|
||||
# ---
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
# {{ ansible_managed }}
|
||||
# see: roles/common/tasks/samba-config-server.yml
|
||||
|
||||
/data/** r,
|
||||
/data/samba/QUARANTINE/** rw,
|
||||
{% if samba_homes_virusfilter | default(false) | bool %}
|
||||
{{ nis_base_home }}/** r,
|
||||
{% if nis_base_home != '/home' %}
|
||||
/home/** r,
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
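Review bot: `{{ nis_base_home }}/** r,` is rendered without any check on the variable, so an empty value or `/` would produce `/** r,` and give clamd read access to the whole filesystem under this profile. An undefined `nis_base_home` fails the template only when `samba_homes_virusfilter` is true, which is easy to miss in testing. Consider guarding the rule, e.g. `{% if nis_base_home | default('') | regex_search('^/[^/]') %}`, or asserting the value in the task that renders this file. The `/home/** r,` fallback would also benefit from a one-line comment saying why it is needed when the base home is elsewhere.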