meta-security: subtree update:b72cc7f87c..95fe86eb98

André Draszik (1):
      linux-yocto: update the bbappend to 5.x

Armin Kuster (36):
      README: add pull request option
      sssd: drop py2 support
      python3-fail2ban: update to latest
      Apparmor: fix some runtime depends
      linux-yocto-dev: remove "+"
      checksecurity: fix runtime issues
      buck-security: fix rdebends and minor style cleanup
      swtpm: fix configure error
      ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory
      bastille: convert to py3
      tpm2-tools: update to 4.1.1
      tpm2-tcti-uefi: fix build issue for i386 machine
      tpm2-tss: update to 2.3.2
      ibmswtpm2: update to 1563
      python3-fail2ban: add 2-3 conversion changes
      google-authenticator-libpam: install module in pam location
      apparmor: update to tip
      clamav: add bison-native to depend
      meta-security-isafw: import layer from Intel
      isafw: fix to work against master
      layer.conf: add zeus
      README.md: update to new maintainer
      clamav-native: missed bison fix
      secuirty*-image: remove dead var and minor cleanup
      libtpm: fix build issue over pod2man
      sssd: python2 not supported
      libseccomp: update to 2.4.3
      lynis: add missing rdepends
      fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog
      chkrootkit: add rootkit recipe
      clamav: move to recipes-scanners
      checksec: move to recipe-scanners
      checksecurity: move to recipes-scanners
      buck-security: move to recipes-scanners
      arpwatch: add new recipe
      buck-security: fix runtime issue with missing per module

Bartosz Golaszewski (3):
      linux: drop the bbappend for linux v4.x series
      classes: provide a class for generating dm-verity meta-data images
      dm-verity: add a working example for BeagleBone Black

Haseeb Ashraf (1):
      samhain: dnmalloc hash fix for aarch64 and mips64

Jan Luebbe (2):
      apparmor: fix wrong executable permission on service file
      apparmor: update to 2.13.4

Jonatan Pålsson (10):
      README: Add meta-python to list of layer deps
      sssd: Add PACKAGECONFIG for python2
      sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto
      sssd: DEPEND on nss if nothing else is chosen
      sssd: Sort PACKAGECONFIG entries
      sssd: Add autofs PACKAGECONFIG
      sssd: Add sudo PACKAGECONFIG
      sssd: Add missing files to SYSTEMD_SERVICE
      sssd: Add missing DEPENDS on jansson
      sssd: Add infopipe PACKAGECONFIG

Kai Kang (1):
      sssd: fix for ldblibdir and systemd etc

Martin Jansa (1):
      layer.conf: update LAYERSERIES_COMPAT for dunfell

Mingli Yu (1):
      linux-yocto: update the bbappend to 5.x

Pierre-Jean Texier via Lists.Yoctoproject.Org (1):
      google-authenticator-libpam: upgrade 1.07 -> 1.08

Yi Zhao (5):
      samhain: fix build with new version attr
      scap-security-guide: fix xml parsing error when build remediation files
      scap-security-guide: pass the correct schema file path to openscap-native
      openscap-daemon: add missing runtime dependencies
      samhain-server: add volatile file for systemd

Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb
new file mode 100644
index 0000000..f4625b1
--- /dev/null
+++ b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb
@@ -0,0 +1,169 @@
+SUMMARY = "ClamAV anti-virus utility for Unix - command-line interface"
+DESCRIPTION = "ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats."
+HOMEPAGE = "http://www.clamav.net/index.html"
+SECTION = "security"
+LICENSE = "LGPL-2.1"
+
+DEPENDS = "libtool db libxml2 openssl zlib curl llvm clamav-native libmspack bison-native"
+DEPENDS_class-native = "db-native openssl-native zlib-native llvm-native curl-native bison-native"
+ 
+LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092"
+
+SRCREV = "482fcd413b07e9fd3ef9850e6d01a45f4e187108"
+
+SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.101 \
+    file://clamd.conf \
+    file://freshclam.conf \
+    file://volatiles.03_clamav \
+    file://tmpfiles.clamav \
+    file://${BPN}.service \
+    file://freshclam-native.conf \
+    "
+
+S = "${WORKDIR}/git"
+
+LEAD_SONAME = "libclamav.so"
+SO_VER = "9.0.2"
+
+inherit autotools pkgconfig useradd systemd
+
+CLAMAV_UID ?= "clamav"
+CLAMAV_GID ?= "clamav"
+INSTALL_CLAMAV_CVD ?= "1"
+
+CLAMAV_USR_DIR = "${STAGING_DIR_NATIVE}/usr"
+CLAMAV_USR_DIR_class-target = "${STAGING_DIR_HOST}/usr"
+
+PACKAGECONFIG_class-target ?= "ncurses bz2"
+PACKAGECONFIG_class-target += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
+PACKAGECONFIG_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR},  --without-pcre, libpcre"
+PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json-c,"
+PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6"
+PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${CLAMAV_USR_DIR}, --disable-bzip2, bzip2"
+PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${CLAMAV_USR_DIR}, --without-libncurses-prefix, ncurses, "
+PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, "
+
+EXTRA_OECONF_CLAMAV = "--without-libcheck-prefix --disable-unrar \
+            --disable-mempool \
+            --program-prefix="" \
+            --disable-zlib-vcheck \
+            --with-xml=${CLAMAV_USR_DIR} \
+            --with-zlib=${CLAMAV_USR_DIR} \
+            --with-openssl=${CLAMAV_USR_DIR} \
+            --with-libcurl=${CLAMAV_USR_DIR} \
+            --with-system-libmspack=${CLAMAV_USR_DIR} \
+            --with-iconv=no \
+            --enable-check=no \
+            "
+
+EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}"
+EXTRA_OECONF_class-target += "--with-user=${CLAMAV_UID}  --with-group=${CLAMAV_GID} ${EXTRA_OECONF_CLAMAV}"
+
+do_configure () {
+    ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} 
+}
+
+do_configure_class-native () {
+    ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} 
+}
+
+do_compile_append_class-target() {
+    if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then
+        bbnote "CLAMAV creating cvd"
+        install -d ${S}/clamav_db
+        ${STAGING_BINDIR_NATIVE}/freshclam --datadir=${S}/clamav_db --config=${WORKDIR}/freshclam-native.conf
+    fi
+}
+
+do_install_append_class-target () {
+    install -d ${D}/${sysconfdir}
+    install -d ${D}/${localstatedir}/lib/clamav
+    install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
+
+    install -m 644 ${WORKDIR}/clamd.conf ${D}/${sysconfdir}
+    install -m 644 ${WORKDIR}/freshclam.conf ${D}/${sysconfdir}
+    install -m 0644 ${WORKDIR}/volatiles.03_clamav  ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav
+    sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc
+    rm ${D}/${libdir}/libclamav.so
+    install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
+        install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service
+        install -d ${D}${sysconfdir}/tmpfiles.d
+        install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf
+    fi
+}
+
+pkg_postinst_ontarget_${PN} () {
+    if command -v systemd-tmpfiles >/dev/null; then
+        systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf
+    elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+        ${sysconfdir}/init.d/populate-volatile.sh update
+    fi
+    mkdir -p ${localstatedir}/lib/clamav
+    chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav
+}
+
+
+PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc ${PN}-cvd \
+            ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev"
+
+FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \
+                ${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \
+                ${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit*  \
+                ${docdir}/clamav/* "
+
+FILES_${PN}-clamdscan = " ${bindir}/clamdscan \
+                        ${docdir}/clamdscan/* \
+                        ${mandir}/man1/clamdscan* \
+                        "
+
+FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \
+                        ${mandir}/man1/clamconf* ${mandir}/man1/clamdtop* \
+                        ${mandir}/man5/clamd*  ${mandir}/man8/clamd* \
+                        ${sysconfdir}/clamd.conf* \
+                        ${systemd_unitdir}/system/clamav-daemon/* \
+                        ${docdir}/clamav-daemon/*  ${sysconfdir}/clamav-daemon \
+                        ${sysconfdir}/logcheck/ignore.d.server/clamav-daemon "
+
+FILES_${PN}-freshclam = "${bindir}/freshclam \
+                        ${sysconfdir}/freshclam.conf*  \
+                        ${sysconfdir}/clamav ${sysconfdir}/default/volatiles \
+                        ${sysconfdir}/tmpfiles.d/*.conf \
+                        ${localstatedir}/lib/clamav \
+                        ${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \
+                        ${mandir}/man5/freshclam.conf.* \
+                        ${systemd_unitdir}/system/clamav-freshclam.service"
+
+FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \
+                    ${libdir}/pkgconfig/*.pc \
+                    ${mandir}/man1/clamav-config.* \
+                    ${includedir}/*.h ${docdir}/libclamav* "
+
+FILES_${PN}-staticdev = "${libdir}/*.a"
+
+FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so*\
+                          ${docdir}/libclamav/* "
+
+FILES_${PN}-doc = "${mandir}/man/* \
+                   ${datadir}/man/* \
+                   ${docdir}/* "
+
+FILES_${PN}-cvd =  "${localstatedir}/lib/clamav/*.cvd ${localstatedir}/lib/clamav/*.dat"
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}"
+USERADD_PARAM_${PN} = "--system -g ${CLAMAV_GID} --home-dir  \
+    ${localstatedir}/spool/${BPN} \
+    --no-create-home  --shell /bin/false ${BPN}"
+
+RPROVIDES_${PN} += "${PN}-systemd"
+RREPLACES_${PN} += "${PN}-systemd"
+RCONFLICTS_${PN} += "${PN}-systemd"
+SYSTEMD_SERVICE_${PN} = "${BPN}.service"
+
+RDEPENDS_${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav"
+RDEPENDS_${PN}_class-native = ""
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-scanners/clamav/files/clamav-freshclam.service b/meta-security/recipes-scanners/clamav/files/clamav-freshclam.service
new file mode 100644
index 0000000..0c909fb
--- /dev/null
+++ b/meta-security/recipes-scanners/clamav/files/clamav-freshclam.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=ClamAV virus database updater
+Documentation=man:freshclam(1) man:freshclam.conf(5) http://www.clamav.net/lang/en/doc/
+# If user wants it run from cron, don't start the daemon.
+ConditionPathExists=!/etc/cron.d/clamav-freshclam
+
+[Service]
+ExecStart=/usr/bin/freshclam -d --foreground=true
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-security/recipes-scanners/clamav/files/clamav-milter.conf.sample b/meta-security/recipes-scanners/clamav/files/clamav-milter.conf.sample
new file mode 100644
index 0000000..ed0d519
--- /dev/null
+++ b/meta-security/recipes-scanners/clamav/files/clamav-milter.conf.sample
@@ -0,0 +1,293 @@
+##
+## Example config file for clamav-milter
+##
+
+# Comment or remove the line below.
+Example
+
+
+##
+## Main options
+##
+
+# Define the interface through which we communicate with sendmail
+# This option is mandatory! Possible formats are:
+# [[unix|local]:]/path/to/file - to specify a unix domain socket
+# inet:port@[hostname|ip-address] - to specify an ipv4 socket
+# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
+#
+# Default: no default
+#MilterSocket /tmp/clamav-milter.socket
+#MilterSocket inet:7357
+
+# Define the group ownership for the (unix) milter socket.
+# Default: disabled (the primary group of the user running clamd)
+#MilterSocketGroup virusgroup
+
+# Sets the permissions on the (unix) milter socket to the specified mode.
+# Default: disabled (obey umask)
+#MilterSocketMode 660
+
+# Remove stale socket after unclean shutdown.
+#
+# Default: yes
+#FixStaleSocket yes
+
+# Run as another user (clamav-milter must be started by root for this option to work)
+#
+# Default: unset (don't drop privileges)
+#User clamav
+
+# Initialize supplementary group access (clamav-milter must be started by root).
+#
+# Default: no
+#AllowSupplementaryGroups no
+
+# Waiting for data from clamd will timeout after this time (seconds).
+# Value of 0 disables the timeout.
+#
+# Default: 120
+#ReadTimeout 300
+
+# Don't fork into background.
+#
+# Default: no
+#Foreground yes
+
+# Chroot to the specified directory.
+# Chrooting is performed just after reading the config file and before dropping privileges.
+#
+# Default: unset (don't chroot)
+#Chroot /newroot
+
+# This option allows you to save a process identifier of the listening
+# daemon (main thread).
+#
+# Default: disabled
+#PidFile /var/run/clamav/clamav-milter.pid
+
+# Optional path to the global temporary directory.
+# Default: system specific (usually /tmp or /var/tmp).
+#
+#TemporaryDirectory /var/tmp
+
+##
+## Clamd options
+##
+
+# Define the clamd socket to connect to for scanning.
+# This option is mandatory! Syntax:
+# ClamdSocket unix:path
+# ClamdSocket tcp:host:port
+# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
+#     ClamdSocket unix:/var/run/clamd/clamd.socket
+# The second syntax specifies a tcp local or remote tcp socket: the
+# host can be a hostname or an ip address; the ":port" field is only required
+# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
+#     ClamdSocket tcp:192.168.0.1
+#
+# This option can be repeated several times with different sockets or even
+# with the same socket: clamd servers will be selected in a round-robin fashion.
+#
+# Default: no default
+ClamdSocket /var/run/clamav/clamd
+
+
+##
+## Exclusions
+##
+
+# Messages originating from these hosts/networks will not be scanned
+# This option takes a host(name)/mask pair in CIRD notation and can be
+# repeated several times. If "/mask" is omitted, a host is assumed.
+# To specify a locally orignated, non-smtp, email use the keyword "local"
+#
+# Default: unset (scan everything regardless of the origin)
+#LocalNet local
+#LocalNet 192.168.0.0/24
+#LocalNet 1111:2222:3333::/48
+
+# This option specifies a file which contains a list of basic POSIX regular
+# expressions. Addresses (sent to or from - see below) matching these regexes
+# will not be scanned.  Optionally each line can start with the string "From:"
+# or "To:" (note: no whitespace after the colon) indicating if it is, 
+# respectively, the sender or recipient that is to be whitelisted.
+# If the field is missing, "To:" is assumed.
+# Lines starting with #, : or ! are ignored.
+#
+# Default unset (no exclusion applied)
+#Whitelist /etc/whitelisted_addresses
+
+# Messages from authenticated SMTP users matching this extended POSIX
+# regular expression (egrep-like) will not be scanned.
+# As an alternative, a file containing a plain (not regex) list of names (one
+# per line) can be specified using the prefix "file:".
+# e.g. SkipAuthenticated file:/etc/good_guys
+#
+# Note: this is the AUTH login name!
+#
+# Default: unset (no whitelisting based on SMTP auth)
+#SkipAuthenticated ^(tom|dick|henry)$
+
+# Messages larger than this value won't be scanned.
+# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
+#
+# Default: 25M
+#MaxFileSize 10M
+
+
+##
+## Actions
+##
+
+# The following group of options controls the delievery process under
+# different circumstances.
+# The following actions are available:
+# - Accept
+#   The message is accepted for delievery
+# - Reject
+#   Immediately refuse delievery (a 5xx error is returned to the peer)
+# - Defer
+#   Return a temporary failure message (4xx) to the peer
+# - Blackhole (not available for OnFail)
+#   Like Accept but the message is sent to oblivion
+# - Quarantine (not available for OnFail)
+#   Like Accept but message is quarantined instead of being delivered
+#
+# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
+# For Postfix this causes the message to be placed on hold
+# 
+# Action to be performed on clean messages (mostly useful for testing)
+# Default: Accept
+#OnClean Accept
+
+# Action to be performed on infected messages
+# Default: Quarantine
+#OnInfected Quarantine
+
+# Action to be performed on error conditions (this includes failure to
+# allocate data structures, no scanners available, network timeouts,
+# unknown scanner replies and the like)
+# Default: Defer
+#OnFail Defer
+
+# This option allows to set a specific rejection reason for infected messages
+# and it's therefore only useful together with "OnInfected Reject"
+# The string "%v", if present, will be replaced with the virus name.
+# Default: MTA specific
+#RejectMsg 
+
+# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
+# "X-Virus-Status" headers will be attached to each processed message, possibly
+# replacing existing headers.
+# If it is set to Add, the X-Virus headers are added possibly on top of the
+# existing ones.
+# Note that while "Replace" can potentially break DKIM signatures, "Add" may
+# confuse procmail and similar filters.
+# Default: no
+#AddHeader Replace
+
+# When AddHeader is in use, this option allows to arbitrary set the reported
+# hostname. This may be desirable in order to avoid leaking internal names.
+# If unset the real machine name is used.
+# Default: disabled
+#ReportHostname my.mail.server.name
+
+# Execute a command (possibly searching PATH) when an infected message is found.
+# The following parameters are passed to the invoked program in this order:
+# virus name, queue id, sender, destination, subject, message id, message date.
+# Note #1: this requires MTA macroes to be available (see LogInfected below)
+# Note #2: the process is invoked in the context of clamav-milter
+# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
+# avoid unnecessary delays in email delievery
+# Default: disabled
+#VirusAction /usr/local/bin/my_infected_message_handler
+
+##
+## Logging options
+##
+
+# Uncomment this option to enable logging.
+# LogFile must be writable for the user running daemon.
+# A full path is required.
+#
+# Default: disabled
+#LogFile /var/log/clamav/clamav-milter.log
+
+# By default the log file is locked for writing - the lock protects against
+# running clamav-milter multiple times.
+# This option disables log file locking.
+#
+# Default: no
+#LogFileUnlock yes
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
+# rotation (the LogRotate option) will always be enabled.
+#
+# Default: 1M
+#LogFileMaxSize 2M
+
+# Log time with each message.
+#
+# Default: no
+#LogTime yes
+
+# Use system logger (can work together with LogFile).
+#
+# Default: no
+#LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+#
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable verbose logging.
+#
+# Default: no
+#LogVerbose yes
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# This option allows to tune what is logged when a message is infected.
+# Possible values are Off (the default - nothing is logged),
+# Basic (minimal info logged), Full (verbose info logged)
+# Note:
+# For this to work properly in sendmail, make sure the msg_id, mail_addr,
+# rcpt_addr and i macroes are available in eom. In other words add a line like:
+# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
+# to your .cf file. Alternatively use the macro:
+# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
+# Postfix should be working fine with the default settings.
+#
+# Default: disabled
+#LogInfected Basic
+
+# This option allows to tune what is logged when no threat is found in a scanned message.
+# See LogInfected for possible values and caveats.
+# Useful in debugging but drastically increases the log size.
+# Default: disabled
+#LogClean Basic
+
+# This option affects the behaviour of LogInfected, LogClean and VirusAction
+# when a message with multiple recipients is scanned:
+# If SupportMultipleRecipients is off (the default)
+# then one single log entry is generated for the message and, in case the
+# message is determined to be malicious, the command indicated by VirusAction
+# is executed just once. In both cases only the last recipient is reported.
+# If SupportMultipleRecipients is on:
+# then one line is logged for each recipient and the command indicated
+# by VirusAction is also executed once for each recipient.
+# 
+# Note: although it's probably a good idea to enable this option, the default value
+# is currently set to off for legacy reasons.
+# Default: no
+#SupportMultipleRecipients yes
+
diff --git a/meta-security/recipes-scanners/clamav/files/clamav.service b/meta-security/recipes-scanners/clamav/files/clamav.service
new file mode 100644
index 0000000..f13191f
--- /dev/null
+++ b/meta-security/recipes-scanners/clamav/files/clamav.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Clam AntiVirus userspace daemon
+Documentation=man:clamd(8) man:clamd.conf(5) http://www.clamav.net/lang/en/doc/
+Requires=clamav-daemon.socket
+# Check for database existence
+ConditionPathExistsGlob=/usr/share/clamav/main.{c[vl]d,inc}
+ConditionPathExistsGlob=/usr/share/clamav/daily.{c[vl]d,inc}
+
+[Service]
+ExecStart=/usr/sbin/clamd --foreground=true
+# Reload the database
+ExecReload=/bin/kill -USR2 $MAINPID
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
+Also=clamav-daemon.socket
diff --git a/meta-security/recipes-scanners/clamav/files/clamd.conf b/meta-security/recipes-scanners/clamav/files/clamd.conf
new file mode 100644
index 0000000..0457785
--- /dev/null
+++ b/meta-security/recipes-scanners/clamav/files/clamd.conf
@@ -0,0 +1,595 @@
+# Uncomment this option to enable logging.
+# LogFile must be writable for the user running daemon.
+# A full path is required.
+# Default: disabled
+LogFile /tmp/clamd.log
+
+# By default the log file is locked for writing - the lock protects against
+# running clamd multiple times (if want to run another clamd, please
+# copy the configuration file, change the LogFile variable, and run
+# the daemon with --config-file option).
+# This option disables log file locking.
+# Default: no
+LogFileUnlock yes
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
+# rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+LogTime yes
+
+# Also log clean files. Useful in debugging but drastically increases the
+# log size.
+# Default: no
+#LogClean yes
+
+# Use system logger (can work together with LogFile).
+# Default: no
+#LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# Log additional information about the infected file, such as its
+# size and hash, together with the virus name.
+ExtendedDetectionInfo yes
+
+# This option allows you to save a process identifier of the listening
+# daemon (main thread).
+# Default: disabled
+PidFile /var/run/clamd.pid
+
+# Optional path to the global temporary directory.
+# Default: system specific (usually /tmp or /var/tmp).
+TemporaryDirectory /var/tmp
+
+# Path to the database directory.
+# Default: hardcoded (depends on installation options)
+DatabaseDirectory /var/lib/clamav
+
+# Only load the official signatures published by the ClamAV project.
+# Default: no
+#OfficialDatabaseOnly no
+
+# The daemon can work in local mode, network mode or both. 
+# Due to security reasons we recommend the local mode.
+
+# Path to a local socket file the daemon will listen on.
+# Default: disabled (must be specified by a user)
+LocalSocket /tmp/clamd.socket
+
+# Sets the group ownership on the unix socket.
+# Default: disabled (the primary group of the user running clamd)
+#LocalSocketGroup virusgroup
+
+# Sets the permissions on the unix socket to the specified mode.
+# Default: disabled (socket is world accessible)
+#LocalSocketMode 660
+
+# Remove stale socket after unclean shutdown.
+# Default: yes
+#FixStaleSocket yes
+
+# TCP port address.
+# Default: no
+#TCPSocket 3310
+
+# TCP address.
+# By default we bind to INADDR_ANY, probably not wise.
+# Enable the following to provide some degree of protection
+# from the outside world. This option can be specified multiple
+# times if you want to listen on multiple IPs. IPv6 is now supported.
+# Default: no
+#TCPAddr 127.0.0.1
+
+# Maximum length the queue of pending connections may grow to.
+# Default: 200
+#MaxConnectionQueueLength 30
+
+# Clamd uses FTP-like protocol to receive data from remote clients.
+# If you are using clamav-milter to balance load between remote clamd daemons
+# on firewall servers you may need to tune the options below.
+
+# Close the connection when the data size limit is exceeded.
+# The value should match your MTA's limit for a maximum attachment size.
+# Default: 25M
+#StreamMaxLength 10M
+
+# Limit port range.
+# Default: 1024
+#StreamMinPort 30000
+# Default: 2048
+#StreamMaxPort 32000
+
+# Maximum number of threads running at the same time.
+# Default: 10
+#MaxThreads 20
+
+# Waiting for data from a client socket will timeout after this time (seconds).
+# Default: 120
+#ReadTimeout 300
+
+# This option specifies the time (in seconds) after which clamd should
+# timeout if a client doesn't provide any initial command after connecting.
+# Default: 5
+#CommandReadTimeout 5
+
+# This option specifies how long to wait (in miliseconds) if the send buffer is full.
+# Keep this value low to prevent clamd hanging
+#
+# Default: 500
+#SendBufTimeout 200
+
+# Maximum number of queued items (including those being processed by MaxThreads threads)
+# It is recommended to have this value at least twice MaxThreads if possible.
+# WARNING: you shouldn't increase this too much to avoid running out  of file descriptors,
+# the following condition should hold:
+# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
+#
+# Default: 100
+#MaxQueue 200
+
+# Waiting for a new job will timeout after this time (seconds).
+# Default: 30
+#IdleTimeout 60
+
+# Don't scan files and directories matching regex
+# This directive can be used multiple times
+# Default: scan all
+#ExcludePath ^/proc/
+#ExcludePath ^/sys/
+
+# Maximum depth directories are scanned at.
+# Default: 15
+#MaxDirectoryRecursion 20
+
+# Follow directory symlinks.
+# Default: no
+#FollowDirectorySymlinks yes
+
+# Follow regular file symlinks.
+# Default: no
+#FollowFileSymlinks yes
+
+# Scan files and directories on other filesystems.
+# Default: yes
+#CrossFilesystems yes
+
+# Perform a database check.
+# Default: 600 (10 min)
+#SelfCheck 600
+
+# Execute a command when virus is found. In the command string %v will
+# be replaced with the virus name.
+# Default: no
+#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
+
+# Run as another user (clamd must be started by root for this option to work)
+# Default: don't drop privileges
+User clamav
+
+# Initialize supplementary group access (clamd must be started by root).
+# Default: no
+#AllowSupplementaryGroups no
+
+# Stop daemon when libclamav reports out of memory condition.
+#ExitOnOOM yes
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Do not remove temporary files (for debug purposes).
+# Default: no
+#LeaveTemporaryFiles yes
+
+# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
+# any ALLMATCHSCAN command as invalid.
+# Default: yes
+#AllowAllMatchScan no
+
+# Detect Possibly Unwanted Applications.
+# Default: no
+#DetectPUA yes
+
+# Exclude a specific PUA category. This directive can be used multiple times.
+# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for 
+# the complete list of PUA categories.
+# Default: Load all categories (if DetectPUA is activated)
+#ExcludePUA NetTool
+#ExcludePUA PWTool
+
+# Only include a specific PUA category. This directive can be used multiple
+# times.
+# Default: Load all categories (if DetectPUA is activated)
+#IncludePUA Spy
+#IncludePUA Scanner
+#IncludePUA RAT
+
+# In some cases (eg. complex malware, exploits in graphic files, and others),
+# ClamAV uses special algorithms to provide accurate detection. This option
+# controls the algorithmic detection.
+# Default: yes
+#AlgorithmicDetection yes
+
+# This option causes memory or nested map scans to dump the content to disk.
+# If you turn on this option, more data is written to disk and is available
+# when the LeaveTemporaryFiles option is enabled.
+#ForceToDisk yes
+
+# This option allows you to disable the caching feature of the engine. By
+# default, the engine will store an MD5 in a cache of any files that are
+# not flagged as virus or that hit limits checks. Disabling the cache will
+# have a negative performance impact on large scans.
+# Default: no
+#DisableCache yes
+
+##
+## Executable files
+##
+
+# PE stands for Portable Executable - it's an executable file format used
+# in all 32 and 64-bit versions of Windows operating systems. This option allows
+# ClamAV to perform a deeper analysis of executable files and it's also
+# required for decompression of popular executable packers such as UPX, FSG,
+# and Petite. If you turn off this option, the original files will still be
+# scanned, but without additional processing.
+# Default: yes
+#ScanPE yes
+
+# Certain PE files contain an authenticode signature. By default, we check
+# the signature chain in the PE file against a database of trusted and
+# revoked certificates if the file being scanned is marked as a virus.
+# If any certificate in the chain validates against any trusted root, but
+# does not match any revoked certificate, the file is marked as whitelisted.
+# If the file does match a revoked certificate, the file is marked as virus.
+# The following setting completely turns off authenticode verification.
+# Default: no
+#DisableCertCheck yes
+
+# Executable and Linking Format is a standard format for UN*X executables.
+# This option allows you to control the scanning of ELF files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanELF yes
+
+# With this option clamav will try to detect broken executables (both PE and
+# ELF) and mark them as Broken.Executable.
+# Default: no
+#DetectBrokenExecutables yes
+
+
+##
+## Documents
+##
+
+# This option enables scanning of OLE2 files, such as Microsoft Office
+# documents and .msi files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanOLE2 yes
+
+# With this option enabled OLE2 files with VBA macros, which were not
+# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
+# Default: no
+#OLE2BlockMacros no
+
+# This option enables scanning within PDF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanPDF yes
+
+# This option enables scanning within SWF files.
+# If you turn off this option, the original files will still be scanned, but
+# without decoding and additional processing.
+# Default: yes
+#ScanSWF yes
+
+
+##
+## Mail files
+##
+
+# Enable internal e-mail scanner.
+# If you turn off this option, the original files will still be scanned, but
+# without parsing individual messages/attachments.
+# Default: yes
+#ScanMail yes
+
+# Scan RFC1341 messages split over many emails.
+# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
+# WARNING: This option may open your system to a DoS attack.
+#	   Never use it on loaded servers.
+# Default: no
+#ScanPartialMessages yes
+
+# With this option enabled ClamAV will try to detect phishing attempts by using
+# signatures.
+# Default: yes
+#PhishingSignatures yes
+
+# Scan URLs found in mails for phishing attempts using heuristics.
+# Default: yes
+#PhishingScanURLs yes
+
+# Always block SSL mismatches in URLs, even if the URL isn't in the database.
+# This can lead to false positives.
+#
+# Default: no
+#PhishingAlwaysBlockSSLMismatch no
+
+# Always block cloaked URLs, even if URL isn't in database.
+# This can lead to false positives.
+#
+# Default: no
+#PhishingAlwaysBlockCloak no
+
+# Detect partition intersections in raw disk images using heuristics.
+# Default: no
+#PartitionIntersection no
+
+# Allow heuristic match to take precedence.
+# When enabled, if a heuristic scan (such as phishingScan) detects
+# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
+# scan-time.
+# When disabled, virus/phish detected by heuristic scans will be reported only at
+# the end of a scan. If an archive contains both a heuristically detected
+# virus/phish, and a real malware, the real malware will be reported
+#
+# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 
+# differently from "real" malware.
+# If a non-heuristically-detected virus (signature-based) is found first, 
+# the scan is interrupted immediately, regardless of this config option.
+#
+# Default: no
+#HeuristicScanPrecedence yes
+
+
+##
+## Data Loss Prevention (DLP)
+##
+
+# Enable the DLP module
+# Default: No
+#StructuredDataDetection yes
+
+# This option sets the lowest number of Credit Card numbers found in a file
+# to generate a detect.
+# Default: 3
+#StructuredMinCreditCardCount 5
+
+# This option sets the lowest number of Social Security Numbers found
+# in a file to generate a detect.
+# Default: 3
+#StructuredMinSSNCount 5
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxx-yy-zzzz
+# Default: yes
+#StructuredSSNFormatNormal yes
+
+# With this option enabled the DLP module will search for valid
+# SSNs formatted as xxxyyzzzz
+# Default: no
+#StructuredSSNFormatStripped yes
+
+
+##
+## HTML
+##
+
+# Perform HTML normalisation and decryption of MS Script Encoder code.
+# Default: yes
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+#ScanHTML yes
+
+
+##
+## Archives
+##
+
+# ClamAV can scan within archives and compressed files.
+# If you turn off this option, the original files will still be scanned, but
+# without unpacking and additional processing.
+# Default: yes
+#ScanArchive yes
+
+# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
+# Default: no
+#ArchiveBlockEncrypted no
+
+
+##
+## Limits
+##
+
+# The options below protect your system against Denial of Service attacks
+# using archive bombs.
+
+# This option sets the maximum amount of data to be scanned for each input file.
+# Archives and other containers are recursively extracted and scanned up to this
+# value.
+# Value of 0 disables the limit
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 100M
+#MaxScanSize 150M
+
+# Files larger than this limit won't be scanned. Affects the input file itself
+# as well as files contained inside it (when the input file is an archive, a
+# document or some other kind of container).
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 25M
+#MaxFileSize 30M
+
+# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
+# file, all files within it will also be scanned. This options specifies how
+# deeply the process should be continued.
+# Note: setting this limit too high may result in severe damage to the system.
+# Default: 16
+#MaxRecursion 10
+
+# Number of files to be scanned within an archive, a document, or any other
+# container file.
+# Value of 0 disables the limit.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10000
+#MaxFiles 15000
+
+# Maximum size of a file to check for embedded PE. Files larger than this value
+# will skip the additional analysis step.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10M
+#MaxEmbeddedPE 10M
+
+# Maximum size of a HTML file to normalize. HTML files larger than this value
+# will not be normalized or scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 10M
+#MaxHTMLNormalize 10M
+
+# Maximum size of a normalized HTML file to scan. HTML files larger than this
+# value after normalization will not be scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 2M
+#MaxHTMLNoTags 2M
+
+# Maximum size of a script file to normalize. Script content larger than this
+# value will not be normalized or scanned.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 5M
+#MaxScriptNormalize 5M
+
+# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
+# than this value will skip the step to potentially reanalyze as PE.
+# Note: disabling this limit or setting it too high may result in severe damage
+# to the system.
+# Default: 1M
+#MaxZipTypeRcg 1M
+
+# This option sets the maximum number of partitions of a raw disk image to be scanned.
+# Raw disk images with more partitions than this value will have up to the value number
+# partitions scanned. Negative values are not allowed.
+# Note: setting this limit too high may result in severe damage or impact performance.
+# Default: 50
+#MaxPartitions 128
+
+# This option sets the maximum number of icons within a PE to be scanned.
+# PE files with more icons than this value will have up to the value number icons scanned.
+# Negative values are not allowed.
+# WARNING: setting this limit too high may result in severe damage or impact performance.
+# Default: 100
+#MaxIconsPE 200
+
+##
+## On-access Scan Settings
+##
+
+# Enable on-access scanning. Currently, this is supported via fanotify.
+# Clamuko/Dazuko support has been deprecated.
+# Default: no
+#ScanOnAccess yes
+
+# Don't scan files larger than OnAccessMaxFileSize
+# Value of 0 disables the limit.
+# Default: 5M
+#OnAccessMaxFileSize 10M
+
+# Set the include paths (all files inside them will be scanned). You can have
+# multiple OnAccessIncludePath directives but each directory must be added
+# in a separate line. (On-access scan only)
+# Default: disabled
+#OnAccessIncludePath /home
+#OnAccessIncludePath /students
+
+# Set the exclude paths. All subdirectories are also excluded.
+# (On-access scan only)
+# Default: disabled
+#OnAccessExcludePath /home/bofh
+
+# With this option you can whitelist specific UIDs. Processes with these UIDs
+# will be able to access all files.
+# This option can be used multiple times (one per line).
+# Default: disabled
+#OnAccessExcludeUID 0
+
+
+##
+## Bytecode
+##
+
+# With this option enabled ClamAV will load bytecode from the database. 
+# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
+# Default: yes
+#Bytecode yes
+
+# Set bytecode security level.
+# Possible values:
+#       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
+#         This value is only available if clamav was built with --enable-debug!
+#       TrustSigned - trust bytecode loaded from signed .c[lv]d files,
+#                insert runtime safety checks for bytecode loaded from other sources
+#       Paranoid - don't trust any bytecode, insert runtime checks for all
+# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
+# Note that by default only signed bytecode is loaded, currently you can only
+# load unsigned bytecode in --enable-debug mode.
+#
+# Default: TrustSigned
+#BytecodeSecurity TrustSigned
+
+# Set bytecode timeout in miliseconds.
+# 
+# Default: 5000
+# BytecodeTimeout 1000
+
+##
+## Statistics gathering and submitting
+##
+
+# Enable statistical reporting.
+# Default: no
+#StatsEnabled yes
+
+# Disable submission of individual PE sections for files flagged as malware.
+# Default: no
+#StatsPEDisabled yes
+
+# HostID in the form of an UUID to use when submitting statistical information.
+# Default: auto
+#StatsHostID auto
+
+# Time in seconds to wait for the stats server to come back with a response
+# Default: 10
+#StatsTimeout 10
diff --git a/meta-security/recipes-scanners/clamav/files/freshclam-native.conf b/meta-security/recipes-scanners/clamav/files/freshclam-native.conf
new file mode 100644
index 0000000..aaa8cf4
--- /dev/null
+++ b/meta-security/recipes-scanners/clamav/files/freshclam-native.conf
@@ -0,0 +1,224 @@
+# Path to the database directory.
+# WARNING: It must match clamd.conf's directive!
+# Default: hardcoded (depends on installation options)
+#DatabaseDirectory /var/lib/clamav
+
+# Path to the log file (make sure it has proper permissions)
+# Default: disabled
+#UpdateLogFile /var/log/clamav/freshclam.log
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
+# log rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+LogTime yes
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Use system logger (can work together with UpdateLogFile).
+# Default: no
+#LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# This option allows you to save the process identifier of the daemon
+# Default: disabled
+#PidFile /var/run/freshclam.pid
+
+# By default when started freshclam drops privileges and switches to the
+# "clamav" user. This directive allows you to change the database owner.
+# Default: clamav (may depend on installation options)
+DatabaseOwner clamav
+
+# Initialize supplementary group access (freshclam must be started by root).
+# Default: no
+#AllowSupplementaryGroups yes
+
+# Use DNS to verify virus database version. Freshclam uses DNS TXT records
+# to verify database and software versions. With this directive you can change
+# the database verification domain.
+# WARNING: Do not touch it unless you're configuring freshclam to use your
+# own database verification domain.
+# Default: current.cvd.clamav.net
+#DNSDatabaseInfo current.cvd.clamav.net
+
+# Uncomment the following line and replace XY with your country
+# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
+# You can use db.XY.ipv6.clamav.net for IPv6 connections.
+#DatabaseMirror db.XY.clamav.net
+
+# database.clamav.net is a round-robin record which points to our most 
+# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is 
+# not working. DO NOT TOUCH the following line unless you know what you
+# are doing.
+DatabaseMirror database.clamav.net
+
+# How many attempts to make before giving up.
+# Default: 3 (per mirror)
+#MaxAttempts 5
+
+# With this option you can control scripted updates. It's highly recommended
+# to keep it enabled.
+# Default: yes
+#ScriptedUpdates yes
+
+# By default freshclam will keep the local databases (.cld) uncompressed to
+# make their handling faster. With this option you can enable the compression;
+# the change will take effect with the next database update.
+# Default: no
+#CompressLocalDatabase no
+
+# With this option you can provide custom sources (http:// or file://) for
+# database files. This option can be used multiple times.
+# Default: no custom URLs
+#DatabaseCustomURL http://myserver.com/mysigs.ndb
+#DatabaseCustomURL file:///mnt/nfs/local.hdb
+
+# This option allows you to easily point freshclam to private mirrors.
+# If PrivateMirror is set, freshclam does not attempt to use DNS
+# to determine whether its databases are out-of-date, instead it will
+# use the If-Modified-Since request or directly check the headers of the
+# remote database files. For each database, freshclam first attempts
+# to download the CLD file. If that fails, it tries to download the
+# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
+# and ScriptedUpdates. It can be used multiple times to provide
+# fall-back mirrors.
+# Default: disabled
+#PrivateMirror mirror1.mynetwork.com
+#PrivateMirror mirror2.mynetwork.com
+
+# Number of database checks per day.
+# Default: 12 (every two hours)
+#Checks 24
+
+# Proxy settings
+# Default: disabled
+#HTTPProxyServer myproxy.com
+#HTTPProxyPort 1234
+#HTTPProxyUsername myusername
+#HTTPProxyPassword mypass
+
+# If your servers are behind a firewall/proxy which applies User-Agent
+# filtering you can use this option to force the use of a different
+# User-Agent header.
+# Default: clamav/version_number
+#HTTPUserAgent SomeUserAgentIdString
+
+# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
+# multi-homed systems.
+# Default: Use OS'es default outgoing IP address.
+#LocalIPAddress aaa.bbb.ccc.ddd
+
+# Send the RELOAD command to clamd.
+# Default: no
+#NotifyClamd /path/to/clamd.conf
+
+# Run command after successful database update.
+# Default: disabled
+#OnUpdateExecute command
+
+# Run command when database update process fails.
+# Default: disabled
+#OnErrorExecute command
+
+# Run command when freshclam reports outdated version.
+# In the command string %v will be replaced by the new version number.
+# Default: disabled
+#OnOutdatedExecute command
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Timeout in seconds when connecting to database server.
+# Default: 30
+#ConnectTimeout 60
+
+# Timeout in seconds when reading from database server.
+# Default: 30
+#ReceiveTimeout 60
+
+# With this option enabled, freshclam will attempt to load new
+# databases into memory to make sure they are properly handled
+# by libclamav before replacing the old ones.
+# Default: yes
+#TestDatabases yes
+
+# When enabled freshclam will submit statistics to the ClamAV Project about
+# the latest virus detections in your environment. The ClamAV maintainers
+# will then use this data to determine what types of malware are the most
+# detected in the field and in what geographic area they are.
+# Freshclam will connect to clamd in order to get recent statistics.
+# Default: no
+#SubmitDetectionStats /path/to/clamd.conf
+
+# Country of origin of malware/detection statistics (for statistical
+# purposes only). The statistics collector at ClamAV.net will look up
+# your IP address to determine the geographical origin of the malware
+# reported by your installation. If this installation is mainly used to
+# scan data which comes from a different location, please enable this
+# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
+# of the country of origin.
+# Default: disabled
+#DetectionStatsCountry country-code
+
+# This option enables support for our "Personal Statistics" service. 
+# When this option is enabled, the information on malware detected by
+# your clamd installation is made available to you through our website.
+# To get your HostID, log on http://www.stats.clamav.net and add a new
+# host to your host list. Once you have the HostID, uncomment this option
+# and paste the HostID here. As soon as your freshclam starts submitting
+# information to our stats collecting service, you will be able to view
+# the statistics of this clamd installation by logging into
+# http://www.stats.clamav.net with the same credentials you used to
+# generate the HostID. For more information refer to:
+# http://www.clamav.net/documentation.html#cctts 
+# This feature requires SubmitDetectionStats to be enabled.
+# Default: disabled
+#DetectionStatsHostID unique-id
+
+# This option enables support for Google Safe Browsing. When activated for
+# the first time, freshclam will download a new database file (safebrowsing.cvd)
+# which will be automatically loaded by clamd and clamscan during the next
+# reload, provided that the heuristic phishing detection is turned on. This
+# database includes information about websites that may be phishing sites or
+# possible sources of malware. When using this option, it's mandatory to run
+# freshclam at least every 30 minutes.
+# Freshclam uses the ClamAV's mirror infrastructure to distribute the
+# database and its updates but all the contents are provided under Google's
+# terms of use. See http://www.google.com/transparencyreport/safebrowsing
+# and http://www.clamav.net/documentation.html#safebrowsing 
+# for more information.
+# Default: disabled
+#SafeBrowsing yes
+
+# This option enables downloading of bytecode.cvd, which includes additional
+# detection mechanisms and improvements to the ClamAV engine.
+# Default: enabled
+#Bytecode yes
+
+# Download an additional 3rd party signature database distributed through
+# the ClamAV mirrors. 
+# This option can be used multiple times.
+#ExtraDatabase dbname1
+#ExtraDatabase dbname2
diff --git a/meta-security/recipes-scanners/clamav/files/freshclam.conf b/meta-security/recipes-scanners/clamav/files/freshclam.conf
new file mode 100644
index 0000000..100724f
--- /dev/null
+++ b/meta-security/recipes-scanners/clamav/files/freshclam.conf
@@ -0,0 +1,224 @@
+# Path to the database directory.
+# WARNING: It must match clamd.conf's directive!
+# Default: hardcoded (depends on installation options)
+DatabaseDirectory /var/lib/clamav
+
+# Path to the log file (make sure it has proper permissions)
+# Default: disabled
+UpdateLogFile /var/log/clamav/freshclam.log
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
+# log rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+LogTime yes
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Use system logger (can work together with UpdateLogFile).
+# Default: no
+#LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# This option allows you to save the process identifier of the daemon
+# Default: disabled
+PidFile /var/run/freshclam.pid
+
+# By default when started freshclam drops privileges and switches to the
+# "clamav" user. This directive allows you to change the database owner.
+# Default: clamav (may depend on installation options)
+DatabaseOwner clamav
+
+# Initialize supplementary group access (freshclam must be started by root).
+# Default: no
+#AllowSupplementaryGroups yes
+
+# Use DNS to verify virus database version. Freshclam uses DNS TXT records
+# to verify database and software versions. With this directive you can change
+# the database verification domain.
+# WARNING: Do not touch it unless you're configuring freshclam to use your
+# own database verification domain.
+# Default: current.cvd.clamav.net
+#DNSDatabaseInfo current.cvd.clamav.net
+
+# Uncomment the following line and replace XY with your country
+# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
+# You can use db.XY.ipv6.clamav.net for IPv6 connections.
+#DatabaseMirror db.XY.clamav.net
+
+# database.clamav.net is a round-robin record which points to our most 
+# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is 
+# not working. DO NOT TOUCH the following line unless you know what you
+# are doing.
+DatabaseMirror database.clamav.net
+
+# How many attempts to make before giving up.
+# Default: 3 (per mirror)
+#MaxAttempts 5
+
+# With this option you can control scripted updates. It's highly recommended
+# to keep it enabled.
+# Default: yes
+#ScriptedUpdates yes
+
+# By default freshclam will keep the local databases (.cld) uncompressed to
+# make their handling faster. With this option you can enable the compression;
+# the change will take effect with the next database update.
+# Default: no
+#CompressLocalDatabase no
+
+# With this option you can provide custom sources (http:// or file://) for
+# database files. This option can be used multiple times.
+# Default: no custom URLs
+#DatabaseCustomURL http://myserver.com/mysigs.ndb
+#DatabaseCustomURL file:///mnt/nfs/local.hdb
+
+# This option allows you to easily point freshclam to private mirrors.
+# If PrivateMirror is set, freshclam does not attempt to use DNS
+# to determine whether its databases are out-of-date, instead it will
+# use the If-Modified-Since request or directly check the headers of the
+# remote database files. For each database, freshclam first attempts
+# to download the CLD file. If that fails, it tries to download the
+# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
+# and ScriptedUpdates. It can be used multiple times to provide
+# fall-back mirrors.
+# Default: disabled
+#PrivateMirror mirror1.mynetwork.com
+#PrivateMirror mirror2.mynetwork.com
+
+# Number of database checks per day.
+# Default: 12 (every two hours)
+#Checks 24
+
+# Proxy settings
+# Default: disabled
+#HTTPProxyServer myproxy.com
+#HTTPProxyPort 1234
+#HTTPProxyUsername myusername
+#HTTPProxyPassword mypass
+
+# If your servers are behind a firewall/proxy which applies User-Agent
+# filtering you can use this option to force the use of a different
+# User-Agent header.
+# Default: clamav/version_number
+#HTTPUserAgent SomeUserAgentIdString
+
+# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
+# multi-homed systems.
+# Default: Use OS'es default outgoing IP address.
+#LocalIPAddress aaa.bbb.ccc.ddd
+
+# Send the RELOAD command to clamd.
+# Default: no
+#NotifyClamd /path/to/clamd.conf
+
+# Run command after successful database update.
+# Default: disabled
+#OnUpdateExecute command
+
+# Run command when database update process fails.
+# Default: disabled
+#OnErrorExecute command
+
+# Run command when freshclam reports outdated version.
+# In the command string %v will be replaced by the new version number.
+# Default: disabled
+#OnOutdatedExecute command
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Timeout in seconds when connecting to database server.
+# Default: 30
+#ConnectTimeout 60
+
+# Timeout in seconds when reading from database server.
+# Default: 30
+#ReceiveTimeout 60
+
+# With this option enabled, freshclam will attempt to load new
+# databases into memory to make sure they are properly handled
+# by libclamav before replacing the old ones.
+# Default: yes
+#TestDatabases yes
+
+# When enabled freshclam will submit statistics to the ClamAV Project about
+# the latest virus detections in your environment. The ClamAV maintainers
+# will then use this data to determine what types of malware are the most
+# detected in the field and in what geographic area they are.
+# Freshclam will connect to clamd in order to get recent statistics.
+# Default: no
+#SubmitDetectionStats /path/to/clamd.conf
+
+# Country of origin of malware/detection statistics (for statistical
+# purposes only). The statistics collector at ClamAV.net will look up
+# your IP address to determine the geographical origin of the malware
+# reported by your installation. If this installation is mainly used to
+# scan data which comes from a different location, please enable this
+# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
+# of the country of origin.
+# Default: disabled
+#DetectionStatsCountry country-code
+
+# This option enables support for our "Personal Statistics" service. 
+# When this option is enabled, the information on malware detected by
+# your clamd installation is made available to you through our website.
+# To get your HostID, log on http://www.stats.clamav.net and add a new
+# host to your host list. Once you have the HostID, uncomment this option
+# and paste the HostID here. As soon as your freshclam starts submitting
+# information to our stats collecting service, you will be able to view
+# the statistics of this clamd installation by logging into
+# http://www.stats.clamav.net with the same credentials you used to
+# generate the HostID. For more information refer to:
+# http://www.clamav.net/documentation.html#cctts 
+# This feature requires SubmitDetectionStats to be enabled.
+# Default: disabled
+#DetectionStatsHostID unique-id
+
+# This option enables support for Google Safe Browsing. When activated for
+# the first time, freshclam will download a new database file (safebrowsing.cvd)
+# which will be automatically loaded by clamd and clamscan during the next
+# reload, provided that the heuristic phishing detection is turned on. This
+# database includes information about websites that may be phishing sites or
+# possible sources of malware. When using this option, it's mandatory to run
+# freshclam at least every 30 minutes.
+# Freshclam uses the ClamAV's mirror infrastructure to distribute the
+# database and its updates but all the contents are provided under Google's
+# terms of use. See http://www.google.com/transparencyreport/safebrowsing
+# and http://www.clamav.net/documentation.html#safebrowsing 
+# for more information.
+# Default: disabled
+#SafeBrowsing yes
+
+# This option enables downloading of bytecode.cvd, which includes additional
+# detection mechanisms and improvements to the ClamAV engine.
+# Default: enabled
+#Bytecode yes
+
+# Download an additional 3rd party signature database distributed through
+# the ClamAV mirrors. 
+# This option can be used multiple times.
+#ExtraDatabase dbname1
+#ExtraDatabase dbname2
diff --git a/meta-security/recipes-scanners/clamav/files/tmpfiles.clamav b/meta-security/recipes-scanners/clamav/files/tmpfiles.clamav
new file mode 100644
index 0000000..fd5adfe
--- /dev/null
+++ b/meta-security/recipes-scanners/clamav/files/tmpfiles.clamav
@@ -0,0 +1,3 @@
+#Type Path        Mode UID  GID  Age Argument
+d /var/log/clamav 0755 clamav clamav -
+f /var/log/clamav/freshclam.log 0644 clamav clamav -
diff --git a/meta-security/recipes-scanners/clamav/files/volatiles.03_clamav b/meta-security/recipes-scanners/clamav/files/volatiles.03_clamav
new file mode 100644
index 0000000..ee2153c
--- /dev/null
+++ b/meta-security/recipes-scanners/clamav/files/volatiles.03_clamav
@@ -0,0 +1,3 @@
+# <type> <owner> <group> <mode> <path> <linksource>
+d clamav clamav 0755 /var/log/clamav none
+f clamav clamav 0655 /var/log/clamav/freshclam.log none