Puppet: System Administration Automated

ClamAV Antivirus Recipe

Instead of running Freshclam on every system to keep ClamAV updated, use Puppet.

My puppetmaster is the host running freshclam and downloading the clam updates to the fileserver directory. The recipe also ensures you are running the latest version of clamav found in your package provider.

The recipe:

class clamav {
    # Signature databases, served from the puppetmaster's fileserver
    file { "main_cvd":
        path    => "/var/lib/clamav/main.cvd",
        source  => "puppet://$puppet_server/files/clamav/main.cvd",
        ensure  => present,
        mode    => "0644",
        owner   => vscan,
        group   => vscan,
        before  => Service["clamd"],
        require => Package["clamav"]
    }

    file { "daily_cvd":
        path    => "/var/lib/clamav/daily.cvd",
        source  => "puppet://$puppet_server/files/clamav/daily.cvd",
        ensure  => present,
        mode    => "0644",
        owner   => vscan,
        group   => vscan,
        before  => Service["clamd"],
        require => Package["clamav"]
    }

    # Daemon and updater configuration, rendered from templates
    file { "clamd_conf":
        path    => "/etc/clamd.conf",
        content => template("clamav/clamd.conf"),
        ensure  => present,
        mode    => "0644",
        owner   => root,
        group   => root,
        before  => Service["clamd"],
        require => Package["clamav"]
    }

    file { "freshclam_conf":
        path    => "/etc/freshclam.conf",
        content => template("clamav/freshclam.conf"),
        ensure  => present,
        mode    => "0644",
        owner   => root,
        group   => root,
        before  => Service["clamd"],
        require => Package["clamav"]
    }

    # Clients do not run freshclam; Puppet delivers the databases instead
    service { "freshclam":
        ensure     => false,
        enable     => false,
        hasrestart => true,
        hasstatus  => true,
        subscribe  => File["freshclam_conf"]
    }

    # Restart clamd whenever its configuration or a database file changes
    service { "clamd":
        ensure     => true,
        enable     => true,
        hasrestart => true,
        hasstatus  => true,
        subscribe  => [ File["clamd_conf"], File["daily_cvd"], File["main_cvd"] ]
    }

    package { "clamav":
        ensure => latest
    }
}

The puppetmaster has the following class added to enable freshclam:

class freshclam_enabled inherits clamav {
    # Override the inherited resource so freshclam runs on the puppetmaster
    Service["freshclam"] {
        ensure => true,
        enable => true,
    }
}

The freshclam.conf section that sets where the updates are downloaded to (make sure the directory is owned by the clam user and group, which default to vscan):

# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
DatabaseDirectory /var/lib/puppet/files/clamav

One caveat: make sure you have ScriptedUpdates set to "no" in your freshclam.conf file:

# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
#ScriptedUpdates yes
ScriptedUpdates no

This keeps the updates in the old format of two files, main.cvd and daily.cvd.
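A pre-publish sanity check for the puppetmaster, as an added example that is not part of the original recipe: it parses the 512-byte CVD header and confirms the body MD5 and build timestamp before clients pull main.cvd and daily.cvd. The names `build_cvd` and `check_cvd` and the sample data are constructed for illustration; the MD5 only catches truncation or corruption, and verifying the digital signature is left to ClamAV itself.

```python
import hashlib
import time

HEADER_LEN = 512  # a CVD file starts with a 512-byte, colon-separated text header


def build_cvd(body: bytes, version: int, stime: int) -> bytes:
    """Build a minimal CVD-shaped file for the demo (constructed data, unsigned)."""
    md5 = hashlib.md5(body).hexdigest()
    head = f"ClamAV-VDB:01 Jan 2024 00-00 +0000:{version}:1:90:{md5}:x:demo:{stime}"
    return head.encode("ascii").ljust(HEADER_LEN) + body


def check_cvd(blob: bytes, max_age_days: float, now: float) -> list:
    """Return a list of problems; an empty list means the file looks publishable."""
    if len(blob) <= HEADER_LEN or not blob.startswith(b"ClamAV-VDB:"):
        return ["not a CVD file or truncated header"]
    fields = blob[:HEADER_LEN].decode("ascii", "replace").rstrip().split(":")
    if len(fields) < 8:
        return ["malformed header"]
    problems = []
    # Field 5 is the MD5 of everything after the header; a mismatch means the
    # download was interrupted or the copy in the fileserver directory is damaged.
    if hashlib.md5(blob[HEADER_LEN:]).hexdigest() != fields[5].lower():
        problems.append("body MD5 does not match header")
    # Field 8 (build time as epoch seconds) is absent in very old databases.
    if len(fields) > 8 and fields[8].isdigit():
        age_days = (now - int(fields[8])) / 86400
        if age_days > max_age_days:
            problems.append(f"database is {age_days:.0f} days old")
    else:
        problems.append("no build timestamp in header")
    return problems


if __name__ == "__main__":
    now = time.time()
    good = build_cvd(b"constructed-body", 27000, int(now) - 3600)
    print(check_cvd(good, 3, now))       # intact and fresh
    print(check_cvd(good[:-4], 3, now))  # truncated copy
```

On a real puppetmaster the same check would read `/var/lib/puppet/files/clamav/daily.cvd` and `main.cvd` in binary mode and alert on a non-empty result, since a damaged or stale file there is copied to every client.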


Comments and Enhancements welcome!!