updated doc

removed obsolete SysV related information; mentioned systemd + tmpfiles.d
Enrico Scholz 2012-02-25 12:03:46 +01:00
parent 05b60da89e
commit 55b25f143b
1 changed files with 22 additions and 21 deletions

@ -2,13 +2,18 @@ To create individual clamd-instance take the following files and
modify/copy them in the suggested way: modify/copy them in the suggested way:
clamd.conf: clamd.conf:
* set LogFile, PidFile, LocalSocket and User to suitable values * set LocalSocket (or better: TCPSocket) and User to suitable values;
avoid PidFile unless it required by system monitoring or something
else. Logging through syslog is usually better than an indidual
Logfile.
* place this file into /etc/clamd.d with an unique service-name; * place this file into /etc/clamd.d with an unique service-name;
e.g. as /etc/clamd.d/<SERVICE>.conf e.g. as /etc/clamd.d/<SERVICE>.conf
To make logfile rotation work properly, the LogFile should be When using TCPSocket, create iptables rules which are limitting the
writable for the assigned User. Recommended way to reach this, is access by source and/or by using '-m owner'.
to:
When LogFile feature is wanted, it must be writable for the assigned
User. Recommended way to reach this, is to:
* make it owned by the User's *group* * make it owned by the User's *group*
* assign at least 0620 (u+rw,g+w) permissions * assign at least 0620 (u+rw,g+w) permissions
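Review bot: The new clamd.conf bullet calls TCPSocket the better choice over LocalSocket, but the only protection it gives for the TCP listener is the sentence "create iptables rules which are limitting the access by source and/or by using '-m owner'", with no example rule and no word on which address clamd should listen on. Suggest naming the bind address in the same bullet (clamd.conf has TCPAddr for this, e.g. a loopback address) and showing one sample rule, so that a reader who sets only TCPSocket does not end up with a scanner port that depends entirely on a firewall rule they still have to write. Spelling in the added lines: "unless it required" should be "unless it is required", "indidual" should be "individual", "limitting" should be "limiting".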
@ -16,6 +21,7 @@ clamd.conf:
| # touch <logfile> | # touch <logfile>
| # chgrp <user> <logfile> | # chgrp <user> <logfile>
| # chmod 0620 <logfile> | # chmod 0620 <logfile>
| # restorecon <logfile>
NEVER use 'clamav' as the user since he can modify the database. NEVER use 'clamav' as the user since he can modify the database.
This is the user who is running the application; e.g. for mimedefang This is the user who is running the application; e.g. for mimedefang
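Review bot: The added "# restorecon <logfile>" step is given without saying that it applies only to SELinux systems; the surrounding text never mentions SELinux, so a reader on a host without it gets an unexplained or missing command. Suggest a short qualifier where the command block is introduced, e.g. "on SELinux systems, restore the file context afterwards".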
@ -25,29 +31,24 @@ clamd.conf:
and that the clamd-user can access the files asked by the and that the clamd-user can access the files asked by the
application to be checked. application to be checked.
clamd.logrotate: (only when LogFile feature is used)
clamd.logrotate:
* set the correct value for the logfile * set the correct value for the logfile
* place it into /etc/logrotate.d * place it into /etc/logrotate.d
clamd.sysconfig: clamd@<SERVICE>.service: (systemd instance)
* set the name of the config-file and the local socket * instance of clamd@.service
* copy it to /etc/sysconfig/clamd.<SERVICE>
clamd.init: Additionally, when using LocalSocket instead of TCPSocket, the directory
* set the service-name for the socket file must be created. For tmpfiles based systems, you
* place it into /etc/init.d/ with an unique name and activate it might want to create a file /usr/lib/tmpfiles.d/clamd.<SERVICE>.conf
(e.g. with /sbin/chkconfig clamd.<SERVICE> on) with a content of
Additionally, a symlink must be set to clamd in a way like | d /var/run/clamd.<SERVICE> <MODE> <USER> <GROUP>
| # ln -s clamd /usr/sbin/clamd.<SERVICE>
and the directory for the socket file must be created (see 'LocalSocket'
in clamd.conf)
| # mkdir -p /var/run/clamd.<SERVICE>
This directory must be writable by the 'User' chosen in the config-file.
Adjust <MODE> (0710 should suffice for most cases) and <USER> + <GROUP>
so that the socket can be accessed by clamd and by the applications
using clamd. Make sure that the socket is not world accessible; else,
DOS attacks or worse are trivial.
[Disclaimer: [Disclaimer:
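Review bot: The "clamd@<SERVICE>.service" entry says only "instance of clamd@.service", while the SysV text it replaces told the reader how to activate the service ("/sbin/chkconfig clamd.<SERVICE> on"); the systemd equivalent (systemctl enable and start of clamd@<SERVICE>.service) should be spelled out. In the tmpfiles paragraph, /usr/lib/tmpfiles.d is the location for files shipped by packages; an instance created by the administrator belongs in /etc/tmpfiles.d, and the text should mention that the directory appears only at the next boot unless "systemd-tmpfiles --create" is run. The 0710 suggestion for <MODE> fits the warning that the socket must not be world accessible; "DOS" should read "DoS".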