feat(IMPORT): import role from legacy provisioner project

.ansible-lint

@@ -1,2 +1,3 @@
+---
 # .ansible-lint
 skip_list: []

.github/workflows/push.yml

@@ -10,6 +10,7 @@ on:
 
 jobs:
 
+
   build:
 
     runs-on: ubuntu-latest
@@ -32,6 +33,9 @@ jobs:
           source ./.github/scripts/setup.sh
         env:
           WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+      - name: Create Results File
+        run: |
+          touch /tmp/results.yml
 
       - name: Build -- Install Requirements
         run: |
@@ -40,9 +44,6 @@ jobs:
       - name: Build -- Run Linter
         run: |
           poetry run molecule lint
-      - name: Build -- Run docker1 Scenario
-        run: |
-          poetry run molecule test -s docker1
 
       - name: Build -- Report Job Status (Success)
         run: |
@@ -53,7 +54,7 @@ jobs:
           ./.github/scripts/notifications.sh "${NOTIFICATION}" "build has failed!"
 
   documentation_test:
-  
+
     runs-on: ubuntu-latest
 
     steps:
@@ -75,35 +76,55 @@ jobs:
   security_test:
 
     runs-on: ubuntu-latest
+    strategy:
+      max-parallel: 4
+      matrix:
+        python-version: [3.7]
 
     steps:
+      - name: Security Test -- Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v1
+        with:
+          python-version: ${{ matrix.python-version }}
+
       - name: Security Test -- Checkout Repository
         uses: actions/checkout@v1
+
+      - name: Security Test -- Check Dependencies
+        run: |
+          pip install safety poetry
+          pip install --upgrade pip
+          poetry install
+          safety check
+
+      # There is no substitute for the feedback from another human.
+
       - name: Security Test -- Run Gitleaks
         uses: zricethezav/gitleaks-action@master
 
-      - name: Security Test -- Report Success
+      - name: Shellcheck -- Report Job Status on Success
         run: |
-          ./.github/scripts/notifications.sh "${NOTIFICATION}" "security test has passed!"
-      - name: Security Test -- Report Failure
+          ./.github/scripts/notifications.sh "${NOTIFICATION}" "security checks succeeded!"
+      - name: Shellcheck -- Report Job Status on Failure
+        if: failure()
         run: |
-          ./.github/scripts/notifications.sh "${NOTIFICATION}" "security test has failed!"
-  
+          ./.github/scripts/notifications.sh "${NOTIFICATION}" "security checks failed!"
+
   release:
-    needs: [build, documentation_test, security_test]
-  
+    needs: [documentation_test, security_test]
+
     runs-on: ubuntu-latest
 
     steps:
       - name: Release -- Checkout
         uses: actions/checkout@v1
-  
+
       - name: Release -- Setup Environment
         run: |
           source ./.github/scripts/setup.sh
         env:
           WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
-      
+
       - name: Release -- Prepare Content
         if: contains(github.ref, '/tags/v')
         run: |
@@ -128,7 +149,7 @@ jobs:
             ${{ steps.Changelog.outputs.changelog }}
           draft: true
           prerelease: false
-  
+
       - name: Release -- Report Job Status (Success)
         if: contains(github.ref, '/tags/v')
         run: |
@@ -138,4 +159,4 @@ jobs:
       - name: Release -- Report Job Status (Failure)
         if: failure() && contains(github.ref, '/tags/v')
         run: |
-          ./.github/scripts/notifications.sh "${NOTIFICATION}" "automated release generation failed!"     
+          ./.github/scripts/notifications.sh "${NOTIFICATION}" "automated release generation failed!"

.travis.yml

@@ -1,15 +1,23 @@
+---
 sudo: required
 language: bash
 jobs:
   include:
-  - os: osx
-    osx_image: xcode12.5
-    env:
-      - SCENARIO=hostmachine1
+    - os: osx
+      osx_image: xcode12.5
+      env:
+        - SCENARIO=no_clamwatch
+    - os: osx
+      osx_image: xcode12.5
+      env:
+        - SCENARIO=clamwatch
 before_install: []
 install:
-- sudo python3 -m pip install poetry
-- poetry install
+  - sudo python3 -m pip install poetry
+  - poetry install
 script:
-- poetry run molecule lint
-- poetry run molecule test -s "${SCENARIO}"
+  - poetry run molecule lint
+  - travis_wait 30 poetry run molecule test -s "${SCENARIO}"
+notifications:
+  slack:
+    secure: Xs0i+ZZRLngRMMmjeCoj9XI7A+ffePR+TMLeLZPUgowTOEOHHIpCB7Sic5fpR+NfN6RnbmV2n3QFlYpG/ItWNxvLJWUeYTK7IUFQHfMqPGV4je72gCMCDPVUwrhi535IcN1oBjVcwtE5SIxJ1bhtB18HW82dMnhPyN4TmIgxsCeZvQHejR7DJAJLJVUkeUGyzNudezrIhxAiAohx07ze5IMbp/RVUxhmMLLd6Sfh33RGoYEaLWdTPEzyjhVEGK4lJrTuhfddtwO9yx1Ws/hmcEHfV6X5WkLlWMc7MUU1QJ/NThi3oWv2X2IT6j2321GmlRA2UlUSHscTswq+JPs5I/hm9iCDu+Doz9ROuMj31MMGL5FbrEQ8NueaW6ytqXo8A6zi0SCD6KWQqG53i6eiYn/jt6LxHwJ0cWZuBaWR+c2SKgBgB7a3koxc4hBz5Q/G1MGUuctPvVHkADLkk1pFfud55qMLtc51pbAOBWLF0pNEsZ6LXUOoT+zmwt9VJZrrIB4J/Bz+euVqJ+/AbOZcI43CQ8+l1m4B2cL28RR2fVFHLXJonHW+MzoESbxfSQ7q2pQRRkijg6IogvIGsapleBMCB+eaC7YMioNW3mV3lI4uYfl5gM9YCAsGHQtUelZrxG+BN9xJJV0DORITpA+OiFG1+PMhl5fPw3l8SY78+2o=

.yamllint

@@ -2,32 +2,37 @@
 # Based on ansible-lint config
 extends: default
 
+ignore: |
+  .cache
+
 rules:
   braces:
-    max-spaces-inside: 1
+    max-spaces-inside: 0
     level: error
   brackets:
-    max-spaces-inside: 1
+    max-spaces-inside: 0
     level: error
   colons:
     max-spaces-after: -1
     level: error
   commas:
     max-spaces-after: -1
     level: error
+  indentation:
+    spaces: consistent
+    indent-sequences: true
   comments: disable
   comments-indentation: disable
-  document-start: disable
+  document-start: enable
   empty-lines:
     max: 3
     level: error
   hyphens:
     level: error
-  indentation: disable
   key-duplicates: enable
   line-length: disable
-  new-line-at-end-of-file: disable
+  new-line-at-end-of-file: enable
   new-lines:
     type: unix
-  trailing-spaces: disable
+  trailing-spaces: enable
   truthy: disable

README.md

@@ -2,38 +2,81 @@
 
 ### Master:
 - Travis CI: ![TravisCI](https://travis-ci.com/osx-provisioner/role-clamav.svg?branch=master)
-- Github Actions: [![role-homebrew-retry](https://github.com/osx-provisioner/role-clamav/actions/workflows/push.yml/badge.svg?branch=master)](https://github.com/osx-provisioner/role-clamav/actions/workflows/push.yml)
+- Github Actions: [![role-clamav](https://github.com/osx-provisioner/role-clamav/actions/workflows/push.yml/badge.svg?branch=master)](https://github.com/osx-provisioner/role-clamav/actions/workflows/push.yml)
 
 ### Production:
 - Travis CI: ![TravisCI](https://travis-ci.com/osx-provisioner/role-clamav.svg?branch=production)
-- Github Actions: [![role-homebrew-retry](https://github.com/osx-provisioner/role-clamav/actions/workflows/push.yml/badge.svg?branch=production)](https://github.com/osx-provisioner/role-clamav/actions/workflows/push.yml)
+- Github Actions: [![role-clamav](https://github.com/osx-provisioner/role-clamav/actions/workflows/push.yml/badge.svg?branch=production)](https://github.com/osx-provisioner/role-clamav/actions/workflows/push.yml)
 
-Install ClamAV antivirus on OSX. Includes a simple realtime scan implementation that watches a configured folder.
+Ansible role that installs ClamAV antivirus on OSX machines.
+
+### Notes:
+- See the [ClamAV Github Repository](https://github.com/Cisco-Talos/clamav) for further details about this tool.
+
+### Catalina and Big Sur:
+
+On OSX versions >= 10.15, there's a manual post installation step that should be done to maximize protection.  (This is required to monitor the `Downloads` folder.)
+
+ClamAV should be granted `Full Disk Access`.  This requires making the appropriate selection inside `System Preferences --> Security`:
+
+![SystemPreferences](.documentation/SystemPreferences.png)
 
 Requirements
 ------------
 
 None
 
-
 Role Variables
 --------------
 
-None   
+- `clamav_clamwatch` 
+  - A boolean that indicates whether the ClamWatch daemon should be installed.
+- `clamav_clamwatch_target_folder:` 
+  - The folder the ClamWatch daemon will monitor.
+- `clamav_clamwatch_quarantine_folder` 
+  - The folder the ClamWatch daemon will move infected files to.
+- `clamav_clamwatch_log_file` 
+  - The ClamWatch daemon log file.
+- `clamav_clamwatch_stderr_log_file` 
+  - The ClamWatch daemon error log file.
+- `clamav_freshclam_log_file` 
+  - The FreshClam daemon log file.
+- `clamav_freshclam_stderr_log_file` 
+  - The FreshClam daemon error log file.
+- `clamav_clamd_log_file` 
+  - The ClamD daemon log file.
+- `clamav_clamd_stderr_log_file` 
+  - The ClamD daemon error log file. 
+- `clamav_database_location` 
+  - The location of the virus definition database.
+- `clamav_homebrew_retries`:
+  - Sets the number of attempts homebrew will make to install dependencies. (For flaky network connections.)
+
+[See The Default Values](defaults/main.yml)
 
 Dependencies
 ------------
 
-None
+- geerlingguy.homebrew
 
 Example Playbook
 ----------------
 
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
-    - hosts: all
-      roles:
-         - { role: osx-provisioner.role-clamav }
+```yaml
+- hosts: email
+  roles:
+  - role: osx_provisioner.clamav
+    clamav_clamwatch: true
+    clamav_clamwatch_target_folder: "{{ lookup('env','HOME') }}/Downloads"
+    clamav_clamwatch_quarantine_folder: "{{ lookup('env','HOME') }}/Quarantine"
+    clamav_clamwatch_log_file: /var/log/clamav.clamwatch.log
+    clamav_clamwatch_stderr_log_file: /var/log/clamav.clamwatch.error.log
+    clamav_freshclam_log_file: /var/log/clamav.freshclam.log
+    clamav_freshclam_stderr_log_file: /var/log/clamav.freshclam.error.log
+    clamav_clamd_log_file: /var/log/clamav.clamd.log
+    clamav_clamd_stderr_log_file: /var/log/clamav.clamd.error.log
+    clamav_database_location: /usr/local/var/lib/clamav
+```
 
 License
 -------

defaults/main.yml

@@ -1,2 +1,19 @@
 ---
-# defaults file for role-clamav
+# defaults file for clamav
+
+clamav_clamwatch: true
+
+clamav_clamwatch_target_folder: "{{ lookup('env','HOME') }}/Downloads"
+clamav_clamwatch_quarantine_folder: "{{ lookup('env','HOME') }}/Quarantine"
+clamav_clamwatch_log_file: /var/log/clamav.clamwatch.log
+clamav_clamwatch_stderr_log_file: /var/log/clamav.clamwatch.error.log
+
+clamav_freshclam_log_file: /var/log/clamav.freshclam.log
+clamav_freshclam_stderr_log_file: /var/log/clamav.freshclam.error.log
+
+clamav_clamd_log_file: /var/log/clamav.clamd.log
+clamav_clamd_stderr_log_file: /var/log/clamav.clamd.error.log
+
+clamav_database_location: /usr/local/var/lib/clamav
+
+clamav_homebrew_retries: 3

files/clamwatch.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# $1 - The folder to watch
+# $2 - The quarantine folder to move items to
+# $3 - The log file location
+
+/usr/local/bin/fswatch "${1}" | while read -r FILE
+do
+   if [[ -f ${FILE} ]]; then
+     /usr/local/bin/clamdscan --no-summary --move="${2}" "${FILE}" >> "${3}"
+   fi
+done

handlers/main.yml

@@ -1,2 +1,33 @@
 ---
-# handlers file for role-clamav
+# handlers file for clamav
+
+- name: Update Virus Definitions
+  become: true
+  ansible.builtin.command: /usr/local/bin/freshclam
+  changed_when: true
+  listen: "Update Virus Definitions"
+
+- name: Restart Clamd
+  become: true
+  community.general.launchd:
+    name: "clamav.clamd"
+    enabled: true
+    state: restarted
+  listen: "Restart Clamd"
+
+- name: Restart Freshclam
+  become: true
+  community.general.launchd:
+    name: "clamav.freshclam"
+    enabled: true
+    state: restarted
+  listen: "Restart Freshclam"
+
+- name: Restart Clamwatch
+  become: true
+  community.general.launchd:
+    name: "clamav.clamwatch"
+    enabled: true
+    state: restarted
+    force_stop: yes
+  listen: "Restart Clamwatch"

meta/main.yml

@@ -3,16 +3,21 @@ galaxy_info:
   role_name: clamav
   namespace: osx_provisioner
   author: Niall Byrne
-  description: Install ClamAV antivirus on OSX. Includes a simple realtime scan implementation that watches a configured folder.
+  description: Installs and configures ClamAV, with a simple realtime scan daemon.
   company: Shared Vision Solutions
   license: MPL-2
   platforms:
     - name: MacOSX
       versions:
+        - '11.3'
         - '10.15'
         - '10.14'
   min_ansible_version: 3.3.0
   galaxy_tags:
     - osx
+    - mac
+    - antivirus
+    - clamav
 
-dependencies: []
+dependencies:
+  - geerlingguy.homebrew

molecule/docker1/converge.yml → molecule/clamwatch/converge.yml

@@ -3,8 +3,8 @@
   hosts: all
   connection: local
   vars:
-    test: true
+    clamav_clamwatch: true
   tasks:
-    - name: "Include osx_provisioner.clamav"
+    - name: "Include ClamAV"
       ansible.builtin.include_role:
         name: "osx_provisioner.clamav"