updated doc
removed obsolete SysV related information; mentioned systemd + tmpfiles.d
This commit is contained in:
parent
05b60da89e
commit
55b25f143b
43
clamd-README
43
clamd-README
|
@ -2,13 +2,18 @@ To create individual clamd-instance take the following files and
|
||||||
modify/copy them in the suggested way:
|
modify/copy them in the suggested way:
|
||||||
|
|
||||||
clamd.conf:
|
clamd.conf:
|
||||||
* set LogFile, PidFile, LocalSocket and User to suitable values
|
* set LocalSocket (or better: TCPSocket) and User to suitable values;
|
||||||
|
avoid PidFile unless it required by system monitoring or something
|
||||||
|
else. Logging through syslog is usually better than an indidual
|
||||||
|
Logfile.
|
||||||
* place this file into /etc/clamd.d with an unique service-name;
|
* place this file into /etc/clamd.d with an unique service-name;
|
||||||
e.g. as /etc/clamd.d/<SERVICE>.conf
|
e.g. as /etc/clamd.d/<SERVICE>.conf
|
||||||
|
|
||||||
To make logfile rotation work properly, the LogFile should be
|
When using TCPSocket, create iptables rules which are limitting the
|
||||||
writable for the assigned User. Recommended way to reach this, is
|
access by source and/or by using '-m owner'.
|
||||||
to:
|
|
||||||
|
When LogFile feature is wanted, it must be writable for the assigned
|
||||||
|
User. Recommended way to reach this, is to:
|
||||||
* make it owned by the User's *group*
|
* make it owned by the User's *group*
|
||||||
* assign at least 0620 (u+rw,g+w) permissions
|
* assign at least 0620 (u+rw,g+w) permissions
|
||||||
|
|
||||||
|
@ -16,6 +21,7 @@ clamd.conf:
|
||||||
| # touch <logfile>
|
| # touch <logfile>
|
||||||
| # chgrp <user> <logfile>
|
| # chgrp <user> <logfile>
|
||||||
| # chmod 0620 <logfile>
|
| # chmod 0620 <logfile>
|
||||||
|
| # restorecon <logfile>
|
||||||
|
|
||||||
NEVER use 'clamav' as the user since he can modify the database.
|
NEVER use 'clamav' as the user since he can modify the database.
|
||||||
This is the user who is running the application; e.g. for mimedefang
|
This is the user who is running the application; e.g. for mimedefang
|
||||||
|
@ -25,29 +31,24 @@ clamd.conf:
|
||||||
and that the clamd-user can access the files asked by the
|
and that the clamd-user can access the files asked by the
|
||||||
application to be checked.
|
application to be checked.
|
||||||
|
|
||||||
|
clamd.logrotate: (only when LogFile feature is used)
|
||||||
clamd.logrotate:
|
|
||||||
* set the correct value for the logfile
|
* set the correct value for the logfile
|
||||||
* place it into /etc/logrotate.d
|
* place it into /etc/logrotate.d
|
||||||
|
|
||||||
clamd.sysconfig:
|
clamd@<SERVICE>.service: (systemd instance)
|
||||||
* set the name of the config-file and the local socket
|
* instance of clamd@.service
|
||||||
* copy it to /etc/sysconfig/clamd.<SERVICE>
|
|
||||||
|
|
||||||
clamd.init:
|
Additionally, when using LocalSocket instead of TCPSocket, the directory
|
||||||
* set the service-name
|
for the socket file must be created. For tmpfiles based systems, you
|
||||||
* place it into /etc/init.d/ with an unique name and activate it
|
might want to create a file /usr/lib/tmpfiles.d/clamd.<SERVICE>.conf
|
||||||
(e.g. with /sbin/chkconfig clamd.<SERVICE> on)
|
with a content of
|
||||||
|
|
||||||
Additionally, a symlink must be set to clamd in a way like
|
| d /var/run/clamd.<SERVICE> <MODE> <USER> <GROUP>
|
||||||
| # ln -s clamd /usr/sbin/clamd.<SERVICE>
|
|
||||||
and the directory for the socket file must be created (see 'LocalSocket'
|
|
||||||
in clamd.conf)
|
|
||||||
| # mkdir -p /var/run/clamd.<SERVICE>
|
|
||||||
|
|
||||||
|
|
||||||
This directory must be writable by the 'User' chosen in the config-file.
|
|
||||||
|
|
||||||
|
Adjust <MODE> (0710 should suffice for most cases) and <USER> + <GROUP>
|
||||||
|
so that the socket can be accessed by clamd and by the applications
|
||||||
|
using clamd. Make sure that the socket is not world accessible; else,
|
||||||
|
DOS attacks or worse are trivial.
|
||||||
|
|
||||||
|
|
||||||
[Disclaimer:
|
[Disclaimer:
|
||||||
|
|
Loading…
Reference in New Issue