Last update: 2020-05-16
Recently, I got the task of building a malware scanning server that supports ICAP at work. We use Red Hat Enterprise Linux as the OS, but c-icap isn't available as a package in any of the trustworthy repositories, so I decided to use OpenBSD for the task.
The malware scan server uses ClamAV as malware scanner and c-icap as ICAP server, providing an interface for other products that support ICAP such as Squid.
This is a very simple task, one package to rule them all:
$ doas pkg_add -i c-icap-clamav
This package contains the c-icap module for ClamAV which installs c-icap and clamav as dependencies.
Two of the three daemons installed by ClamAV are of interest: freshclam and clamd. First you configure freshclam to make sure the malware database of ClamAV stays up to date. The file /etc/freshclam.conf contains the following settings:
LogTime yes
LogSyslog yes
LogFacility LOG_DAEMON
DatabaseMirror db.ch.clamav.net
DatabaseMirror database.clamav.net
NotifyClamd /etc/clamd.conf
Enable and start freshclam now so it has time to update the signature database for ClamAV:
$ doas rcctl enable freshclam
$ doas rcctl start freshclam
Next you configure clamd. In /etc/clamd.conf the following lines are set:
LogTime yes
LogSyslog yes
LogFacility LOG_DAEMON
TemporaryDirectory /tmp
LocalSocket /var/clamav/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1
User _clamav
DetectPUA yes
AlertEncrypted yes
AlertEncryptedArchive yes
AlertEncryptedDoc yes
AlertOLE2Macros yes
AlertPhishingSSLMismatch yes
AlertPhishingCloak yes
MaxRecursion 12
The last configuration part is about c-icap. There are two config files which need modifications in order to let c-icap use ClamAV as malware scanner. The first one is /etc/c-icap/c-icap.conf. Append the following lines to the file:
Include /etc/c-icap/clamd_mod.conf
Include /etc/c-icap/virus_scan.conf
You may want to change the following values in this file to something meaningful/different:
ServerAdmin admin@example.org
ServerName scanner.example.org
TmpDir /tmp
There is a flaw in the config file regarding logging. The option Logger is set to sys_logger, but the required module sys_logger is only loaded later in the configuration file. If you want to use sys_logger, you have to load the module in the config file before you set the option Logger. As shipped, this prevents c-icap from starting, although rcctl(8) will return OK.
Either change the option Logger to file_logger or move the blocks around in the config file so that the sys_logger module is loaded before the Logger option.
In the file /etc/c-icap/clamd_scan.conf make the following settings:
clamd_mod.ClamdHost 127.0.0.1
clamd_mod.ClamdPort 3310
All the configuration is done. Now it is time to enable and start the services:
$ for s in clamd c_icap ; do
> doas rcctl enable $s
> doas rcctl start $s
> done
Be patient with clamd. It takes its time to start because it checks the signature database.
Testing your setup is easy because c-icap comes with an ICAP client for this task: c-icap-client. Calling it without arguments performs a simple OPTIONS call to check whether the server is running:
$ c-icap-client
ICAP server:localhost, ip:127.0.0.1, port:1344
OPTIONS:
Allow 204: Yes
Preview: 1024
Keep alive: Yes
ICAP HEADERS:
ICAP/1.0 200 OK
Methods: RESPMOD, REQMOD
Service: C-ICAP/0.5.6 server - Echo demo service
ISTag: CI0001-XXXXXXXXX
Transfer-Preview: *
Options-TTL: 3600
Date: Sat, 16 May 2020 10:02:03 GMT
Preview: 1024
Allow: 204
X-Include: X-Authenticated-User, X-Authenticated-Groups
Encapsulated: null-body=0
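As an added example (not part of the original post and not code from the c-icap project), the following Python script does what c-icap-client does under the hood for this check: it sends a raw ICAP OPTIONS request to 127.0.0.1:1344 and parses the reply into the fields the client prints (Allow 204, Preview, Methods). The response bytes embedded in it are constructed from the output above so the parser can be exercised without a running server; the service name echo is assumed to match the demo service shown above.

```python
import socket

# Constructed sample: the OPTIONS reply the article shows, as raw ICAP bytes.
SAMPLE_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD, REQMOD\r\n"
    b"Service: C-ICAP/0.5.6 server - Echo demo service\r\n"
    b"ISTag: CI0001-XXXXXXXXX\r\n"
    b"Options-TTL: 3600\r\n"
    b"Preview: 1024\r\n"
    b"Allow: 204\r\n"
    b"Encapsulated: null-body=0\r\n\r\n"
)


def build_options_request(host: str, service: str = "echo") -> bytes:
    """OPTIONS request for one ICAP service (RFC 3507); it carries no body."""
    return (f"OPTIONS icap://{host}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\nEncapsulated: null-body=0\r\n\r\n").encode("ascii")


def parse_options_response(raw: bytes) -> dict:
    """Parse the status line and headers of an ICAP OPTIONS reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # c-icap-client derives "Allow 204" and "Preview" from exactly these headers
    return {
        "status": int(status_line.split(" ", 2)[1]),
        "methods": [m.strip() for m in headers.get("methods", "").split(",") if m.strip()],
        "allow_204": "204" in [v.strip() for v in headers.get("allow", "").split(",")],
        "preview": int(headers["preview"]) if "preview" in headers else None,
        "options_ttl": int(headers["options-ttl"]) if "options-ttl" in headers else None,
        "istag": headers.get("istag"),
    }


def check_server(host="127.0.0.1", port=1344, service="echo", timeout=5.0) -> dict:
    """Send OPTIONS to a running c-icap (default port 1344) and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, service))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_options_response(buf)
```

Run check_server() on the scan host itself; a reply with status 200 and allow_204 True mirrors the "Allow 204: Yes" line of c-icap-client.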