
[ClamAV] Update to 0.101.1 (based on Debian to fix some errors)
[ClamAV] Some config values are deprecated and were replaced

andryyy 6 years ago
parent
commit
e42afa39a8

+ 36 - 18
data/Dockerfiles/clamd/Dockerfile

@@ -1,18 +1,32 @@
-FROM alpine:3.8
+FROM debian:stretch-slim
 
 LABEL maintainer "André Peters <andre.peters@servercow.de>"
 
-# Add scripts
-COPY dl_files.sh bootstrap.sh ./
-
 # Installation
-ENV CLAMAV 0.100.2
+ENV CLAMAV 0.101.1
 
-RUN apk add --no-cache --virtual build-dependencies alpine-sdk ncurses-dev zlib-dev bzip2-dev pcre-dev linux-headers fts-dev libxml2-dev libressl-dev \
-  && apk add --no-cache curl bash tini libxml2 libbz2 pcre fts libressl tzdata \
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  ca-certificates \
+  zlib1g-dev \
+  libncurses5-dev \
+  libzip-dev \
+  libpcre2-dev \
+  libxml2-dev \
+  libssl-dev \
+  build-essential \
+  libjson-c-dev \
+  curl \
+  bash \
+  wget \
+  tzdata \
+  dnsutils \
+  rsync \
+  dos2unix \
+  netcat \
+  && rm -rf /var/lib/apt/lists/* \
   && wget -O - https://www.clamav.net/downloads/production/clamav-${CLAMAV}.tar.gz | tar xfvz - \
   && cd clamav-${CLAMAV} \
-  && LIBS=-lfts ./configure \
+  && ./configure \
   --prefix=/usr \
   --libdir=/usr/lib \
   --sysconfdir=/etc/clamav \
@@ -30,18 +44,22 @@ RUN apk add --no-cache --virtual build-dependencies alpine-sdk ncurses-dev zlib-
   && make install \
   && make clean \
   && cd .. && rm -rf clamav-${CLAMAV} \
-  && apk del build-dependencies \
-  && addgroup -S clamav \
-  && adduser -S -D -h /var/lib/clamav -s /sbin/nologin -G clamav -g clamav clamav \
-  && adduser clamav tty \
+  && apt-get -y --auto-remove purge build-essential \
+  && apt-get -y purge zlib1g-dev \
+  libncurses5-dev \
+  libzip-dev \
+  libpcre2-dev \
+  libxml2-dev \
+  libssl-dev \
+  libjson-c-dev \
+  && addgroup --system --gid 700 clamav \
+  && adduser --system --home /var/lib/clamav --uid 700 --gid 700 --disabled-login clamav \
   && mkdir -p /run/clamav \
   && chown clamav:clamav /run/clamav \
-  && chmod +x /dl_files.sh \
-  && set -ex; /bin/bash /dl_files.sh \
-  && chmod 750 /run/clamav
+  && chmod 750 /run/clamav \
+  && rm -rf /tmp/* /var/tmp/*
 
-# Port provision
-EXPOSE 3310
+COPY bootstrap.sh ./
+COPY tini /sbin/tini
 
-# AV daemon bootstrapping
 CMD ["/sbin/tini", "-g", "--", "/bootstrap.sh"]
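Review bot: The ClamAV source fetched at the `wget -O - … | tar xfvz -` line is unpacked, compiled and installed as root with no integrity check, so the image trusts whatever the download host returns for `clamav-${CLAMAV}.tar.gz` at build time. Since this commit bumps the version anyway, record the release digest next to `ENV CLAMAV` and verify before extracting: `&& wget -O clamav.tar.gz https://www.clamav.net/downloads/production/clamav-${CLAMAV}.tar.gz \`, `&& echo "${CLAMAV_SHA256}  clamav.tar.gz" | sha256sum -c - \`, `&& tar xfz clamav.tar.gz && rm clamav.tar.gz \`. `CLAMAV_SHA256` is a placeholder here; its value has to come from a release you have verified, as this commit does not contain one. The same concern applies to `COPY tini /sbin/tini` in the second hunk: PID 1 becomes an opaque binary committed to the repository, where the old image installed tini through `apk`, so at least note its upstream version and checksum in a comment beside the `COPY`. The `RUN` instruction spans both hunks and part of it lies outside them.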

+ 22 - 1
data/Dockerfiles/clamd/bootstrap.sh

@@ -10,7 +10,7 @@ fi
 mkdir -p /var/log/clamav
 touch /var/log/clamav/clamd.log /var/log/clamav/freshclam.log
 chown -R clamav:clamav /var/log/clamav/
-chown root:tty /dev/console
+adduser clamav tty
 chmod g+rw /dev/console
 
 # Prepare whitelist
@@ -37,6 +37,27 @@ done
 ) &
 BACKGROUND_TASKS+=($!)
 
+(
+while true; do
+  sleep 2m
+  SANE_MIRRORS="$(dig +ignore +short rsync.sanesecurity.net)"
+  for sane_mirror in ${SANE_MIRRORS}; do
+    rsync -avp --chown=clamav:clamav --timeout=5 rsync://${sane_mirror}/sanesecurity/ \
+      --include 'blurl.ndb' \
+      --include 'junk.ndb' \
+      --include 'jurlbl.ndb' \
+      --include 'phish.ndb' \
+      --exclude='*' /var/lib/clamav/
+    if [ $? -eq 0 ]; then
+      echo RELOAD | nc localhost 3310
+      break
+    fi
+  done
+  sleep 30h
+done
+) &
+BACKGROUND_TASKS+=($!)
+
 clamd &
 BACKGROUND_TASKS+=($!)
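Review bot: The new rsync loop writes third-party signature databases straight into `/var/lib/clamav/` over unauthenticated `rsync://` and then sends `RELOAD` to clamd, with no check of what was received. A tampered DNS answer or transfer would therefore change what the scanner detects without any log trace. Sync into a staging directory, verify the files there (Sanesecurity is understood to publish detached signatures for its databases; confirm which files the mirror offers) and only then move them into place and reload. In the same block, `${sane_mirror}` is taken from `dig +short` output, which may contain non-address lines, and is interpolated unquoted; quote it as `"rsync://${sane_mirror}/sanesecurity/"` and skip entries that are not IP addresses.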
 

+ 0 - 32
data/Dockerfiles/clamd/dl_files.sh

@@ -1,32 +0,0 @@
-#!/bin/bash
-
-declare -a DB_MIRRORS=(
-  "switch.clamav.net"
-  "clamavdb.heanet.ie"
-  "clamav.iol.cz"
-  "clamav.univ-nantes.fr"
-  "clamav.easynet.fr"
-  "clamav.begi.net"
-)
-declare -a DB_MIRRORS=( $(shuf -e "${DB_MIRRORS[@]}") )
-
-DB_FILES=(
-  "bytecode.cvd"
-  "daily.cvd"
-  "main.cvd"
-)
-
-for i in "${DB_MIRRORS[@]}"; do
-  for j in "${DB_FILES[@]}"; do
-  [[ -f "/var/lib/clamav/${j}" && -s "/var/lib/clamav/${j}" ]] && continue;
-  if [[ $(curl -o /dev/null --connect-timeout 1 \
-    --max-time 1 \
-    --silent \
-    --head \
-    --write-out "%{http_code}\n" "${i}/${j}") == 200 ]]; then
-    curl "${i}/${j}" -o "/var/lib/clamav/${j}" -#
-  fi
-  done
-done
-
-chown clamav:clamav /var/lib/clamav/*.cvd

BIN
data/Dockerfiles/clamd/tini


+ 3 - 2
data/conf/clamav/clamd.conf

@@ -1,3 +1,4 @@
+#Debug true
 LogFile /dev/console
 LogTime yes
 LogClean yes
@@ -23,9 +24,9 @@ DetectPUA yes
 #IncludePUA Spy
 #IncludePUA Scanner
 #IncludePUA RAT
-AlgorithmicDetection yes
+HeuristicAlerts yes
 ScanOLE2 yes
-OLE2BlockMacros yes
+AlertOLE2Macros yes
 ScanPDF yes
 ScanSWF yes
 ScanXMLDOCS yes