add antivirus scan on ecommerce servers

8941a468 · nadeemshahzad · 8a1c7c4f · 8941a468 · 8941a468 · 8941a468
Commit 8941a468 authored Feb 22, 2018 by nadeemshahzad
6 changed files
--- a/playbooks/roles/antivirus/defaults/main.yml
+++ b/playbooks/roles/antivirus/defaults/main.yml
@@ -24,9 +24,11 @@ antivirus_debian_pkgs: [clamav]
 antivirus_redhat_pkgs: []
 antivirus_pip_pkgs: []

-antivirus_app_dir: /edx/app/antivirus
+antivirus_app_dir: "{{ COMMON_APP_DIR }}/antivirus"
+antivirus_log_dir: "{{ COMMON_LOG_DIR }}/antivirus"
 antivirus_user: "antivirus"

+ANTIVIRUS_S3_BUCKETS_SCAN: false
 ANTIVIRUS_BUCKETS: !!null
 ANTIVIRUS_MAILTO: "{{ EDXAPP_TECH_SUPPORT_EMAIL  }}"
 ANTIVIRUS_MAILFROM: "{{ EDXAPP_DEFAULT_FROM_EMAIL }}"
@@ -37,3 +39,7 @@ ANTIVIRUS_SES_AWS_KEY: "{{ ANTIVIRUS_AWS_KEY }}"
 ANTIVIRUS_S3_AWS_SECRET: "{{ ANTIVIRUS_AWS_SECRET}}"
 ANTIVIRUS_SES_AWS_SECRET: "{{ ANTIVIRUS_AWS_SECRET}}"
 ANTIVIRUS_SNITCH_URL: !!null
+
+
+ANTIVIRUS_SERVER_SCAN: true
+ANTIVIRUS_SCAN_DIRECTORY: ""
--- a/playbooks/roles/antivirus/meta/main.yml
+++ b/playbooks/roles/antivirus/meta/main.yml
@@ -11,4 +11,4 @@
 # Role includes for role antivirus
 # 
 dependencies:
-  - common
\ No newline at end of file
+  - common
--- a/playbooks/roles/antivirus/tasks/main.yml
+++ b/playbooks/roles/antivirus/tasks/main.yml
@@ -32,7 +32,7 @@
    createhome: no
    shell: /bin/false

- name: create antivirus app and data dirs
+- name: create antivirus edx directories
  file:
    path: "{{ item }}"
    state: directory
@@ -41,6 +41,7 @@
  with_items:
    - "{{ antivirus_app_dir }}"
    - "{{ antivirus_app_dir }}/data"
+    - "{{ antivirus_log_dir }}"

 - name: install antivirus s3 scanner script
  template:
@@ -49,6 +50,7 @@
    mode: "0555"
    owner: "{{ antivirus_user }}"
    group: "{{ antivirus_user }}"
+  when: ANTIVIRUS_S3_BUCKETS_SCAN

 - name: install antivirus s3 scanner cronjob
  cron:
@@ -61,3 +63,25 @@
    minute: "0"
    day: "*"
  with_items: "{{ ANTIVIRUS_BUCKETS }}"
+  when: ANTIVIRUS_S3_BUCKETS_SCAN
+
+- name: install antivirus server scanner script
+  template:
+    src: server_virus_scan.sh.j2
+    dest: "{{ antivirus_app_dir }}/server_virus_scan.sh"
+    mode: "0555"
+    owner: "{{ antivirus_user }}"
+    group: "{{ antivirus_user }}"
+  when: ANTIVIRUS_SERVER_SCAN
+
+- name: install antivirus server scanner cronjob
+  cron:
+    name: "antivirus"
+    job: "{{ antivirus_app_dir }}/server_virus_scan.sh"
+    backup: yes
+    cron_file: "antivirus"
+    user: "{{ antivirus_user }}"
+    hour: "*"
+    minute: "0"
+    day: "*"
+  when: ANTIVIRUS_SERVER_SCAN
--- a/playbooks/roles/antivirus/templates/server_virus_scan.sh.j2
+++ b/playbooks/roles/antivirus/templates/server_virus_scan.sh.j2
+#!/usr/bin/env bash
+
+{% if ANTIVIRUS_SCAN_DIRECTORY is defined %}
+dir_to_scan="{{ ANTIVIRUS_SCAN_DIRECTORY }}"
+{% endif %}
+
+log_dir={{ antivirus_log_dir }}
+
+clamout=$(clamscan -ri $dir_to_scan);
+malware=$(echo "$clamout" | grep -i 'Infected' | cut -d ' ' -f3)
+
+if [[ "$malware" -ne 0 ]]; then
+   echo -e "Malware Found\n$clamout" >> "$log_dir/clamav.log"
+fi
--- a/playbooks/roles/ecommerce/defaults/main.yml
+++ b/playbooks/roles/ecommerce/defaults/main.yml
@@ -206,6 +206,10 @@ ecommerce_environment:

 ecommerce_create_demo_data: false

+# Antivirus
+ECOMMERCE_ENABLE_ANTIVIRUS: false
+ECOMMERCE_ANTIVIRUS_SCAN_DIRECTORY: "{{ ecommerce_code_dir }}"
+
 #
 # OS packages
 #

--- a/playbooks/roles/ecommerce/meta/main.yml
+++ b/playbooks/roles/ecommerce/meta/main.yml
@@ -44,4 +44,6 @@ dependencies:
    edx_django_service_basic_auth_exempted_paths_extra:
      - payment
      - \.well-known/apple-developer-merchantid-domain-association
-
+  - role: antivirus
+    ANTIVIRUS_SCAN_DIRECTORY: "{{ ECOMMERCE_ANTIVIRUS_SCAN_DIRECTORY }}"
+    when: ECOMMERCE_ENABLE_ANTIVIRUS