alan-turing-institute / data-safe-haven

https://data-safe-haven.readthedocs.io
BSD 3-Clause "New" or "Revised" License

ClamAV: clamd.ctl file is not created #2099

Closed jemrobinson closed 1 month ago

jemrobinson commented 1 month ago

:no_entry_sign: Describe the problem

The clamav-daemon service is not creating /var/run/clamav/clamd.ctl. This causes the clamav-clamonacc service to time out waiting for this file to exist.

:steam_locomotive: Workarounds or solutions

See this StackOverflow thread

craddm commented 1 month ago

Note that this stops subsequent steps from running, and desired-state.sh needs to be run manually to complete the process. On our deployments for pentesting, this meant that smoke tests were not copied to the appropriate locations.

jemrobinson commented 1 month ago

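What's the best fix for this? My first guesses would be either:

  • disable on-access virus scanning (I'm not sure this is a requirement of DSPT and it does add a lot of compute overhead)
  • allow this ansible task to fail with ignore_errors: true

What do you think @JimMadge @craddm?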

JimMadge commented 1 month ago

I think we should be able to wait until the file is created.

JimMadge commented 1 month ago

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/wait_for_module.html

craddm commented 1 month ago

> What's the best fix for this? My first guesses would be either:
>
>   • disable on-access virus scanning (I'm not sure this is a requirement of DSPT and it does add a lot of compute overhead)
>   • allow this ansible task to fail with ignore_errors: true
>
> What do you think @JimMadge @craddm?

On-access virus scanning is a DSPT requirement -

"Antivirus/anti-malware software scans files automatically upon access. This includes when files are downloaded and opened, and when they are accessed from a network folder."

JimMadge commented 1 month ago

But in Linux, everything is a file :scream:.

JimMadge commented 1 month ago

I wonder what happens if you try to on access scan /dev/random 🤔.

JimMadge commented 1 month ago

Waiting for the file times out.

I think the actual problem might be clamd.ctl is the default socket file, but we have changed that. clamd might need reloading/restarting after we write the config file.

jemrobinson commented 1 month ago

Is there any problem with just using the default socket file?

JimMadge commented 1 month ago

> Is there any problem with just using the default socket file?

Sort of, the local socket is disabled by default so we would need to specify it and ensure clamd has been reloaded/restarted whatever it is called. I'm not really sure where clamd.ctl comes from but I think clamd.socket is a better name.

JimMadge commented 1 month ago

I see where it is coming from

https://github.com/jemrobinson/data-safe-haven/blob/3f285eacf957ffd512925c9b242a55ce99f66307/data_safe_haven/resources/workspace/ansible/files/etc/systemd/system/clamav-clamonacc.service#L9

:smile:

jemrobinson commented 1 month ago

Closed by #2108
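The mismatch diagnosed in this thread (the clamonacc unit waits for one socket path while clamd is configured to create another) can be caught before deployment with a consistency check. The following is an added example, not code from the data-safe-haven repository; the sample `clamd.conf` and unit file contents, including the `clamd.socket` path and the `ExecStartPre` wait loop, are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not copied from the repository in this thread).
SAMPLE_CLAMD_CONF = """\
# clamd.conf (constructed)
LocalSocket /var/run/clamav/clamd.socket
LocalSocketMode 660
"""

SAMPLE_UNIT = """\
[Unit]
Description=ClamAV On-Access Scanner (constructed)
After=clamav-daemon.service

[Service]
ExecStartPre=/bin/bash -c "while [ ! -S /var/run/clamav/clamd.ctl ]; do sleep 1; done"
ExecStart=/usr/sbin/clamonacc -F
"""

def normalise(path):
    """Treat /var/run and /run as the same directory (a symlink on systemd hosts)."""
    return re.sub(r"^/var/run/", "/run/", path)

def configured_socket(clamd_conf):
    """Return the LocalSocket path from clamd.conf text, or None if it is unset."""
    for line in clamd_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"LocalSocket\s+(\S+)$", line)  # does not match LocalSocketMode
        if m:
            return normalise(m.group(1))
    return None

def awaited_sockets(unit_text):
    """Return the socket paths that ExecStartPre lines test with `-S`."""
    found = set()
    for line in unit_text.splitlines():
        if line.strip().startswith("ExecStartPre="):
            found.update(normalise(p) for p in re.findall(r"-S\s+([^\s\];\"']+)", line))
    return found

def check(clamd_conf, unit_text):
    """Return a list of findings; an empty list means the unit waits on the real socket."""
    sock = configured_socket(clamd_conf)
    if sock is None:
        return ["clamd.conf sets no LocalSocket"]
    return [f"unit waits for {p} but clamd is configured to create {sock}"
            for p in sorted(awaited_sockets(unit_text)) if p != sock]

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CLAMD_CONF, SAMPLE_UNIT)) or "consistent")
```

Run against the real files in a CI step, a non-empty result flags the condition that would otherwise only show up as a start-up timeout of the on-access scanner.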