Merge branch 'master' into dev/texasaggie97/log-progress

Author: texasaggie97

docs/CHANGELOG.md

@@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 * Add support for `/etc/snac/snac.conf` to control which modules are configured
+* Add `ClamAV` antivirus verification support (#77)
+  * When ClamAV packages are installed, `nilrt-snac verify` validates configuration files (`clamd.conf`, `freshclam.conf`) and virus signature databases (`.cvd`, `.cld` files)
 * Add logging of all output to `/var/log/nilrt-snac`
 
 ## [3.0.0] - 2025-09-18

nilrt_snac/_configs/__init__.py

@@ -2,6 +2,7 @@
 
 from nilrt_snac._configs._auditd_config import _AuditdConfig
 from nilrt_snac._configs._base_config import _BaseConfig
+from nilrt_snac._configs._clamav_config import _ClamAVConfig
 from nilrt_snac._configs._console_config import _ConsoleConfig
 from nilrt_snac._configs._cryptsetup_config import _CryptSetupConfig
 from nilrt_snac._configs._faillock_config import _FaillockConfig
@@ -39,4 +40,5 @@
     _AuditdConfig(),
     _SyslogConfig(),
     _USBGuardConfig(),
+    _ClamAVConfig(),
 ]

nilrt_snac/_configs/_clamav_config.py

@@ -0,0 +1,82 @@
+import argparse
+import pathlib
+
+from nilrt_snac._configs._base_config import _BaseConfig
+from nilrt_snac._configs._config_file import _ConfigFile
+
+from nilrt_snac import logger
+from nilrt_snac.opkg import opkg_helper
+
+
+class _ClamAVConfig(_BaseConfig):
+    """ClamAV configuration handler."""
+
+    def __init__(self):
+        super().__init__("clamav")
+        self.clamd_config_path = "/etc/clamav/clamd.conf"
+        self.freshclam_config_path = "/etc/clamav/freshclam.conf"
+        self.virus_db_path = "/var/lib/clamav/"
+        self.package_names = ["clamav", "clamav-daemon", "clamav-freshclam"]
+        self._opkg_helper = opkg_helper
+
+    def configure(self, args: argparse.Namespace) -> None:
+        """ClamAV must be installed manually by the user."""
+        # Check if any ClamAV package is installed
+        installed_packages = [pkg for pkg in self.package_names if self._opkg_helper.is_installed(pkg)]
+        if not installed_packages:
+            print("ClamAV configuration: Manual installation required")
+
+    def verify(self, args: argparse.Namespace) -> bool:
+        """Verify ClamAV configuration if any ClamAV package is installed."""
+        # Check if any ClamAV package is installed
+        installed_packages = [pkg for pkg in self.package_names if self._opkg_helper.is_installed(pkg)]
+        
+        if installed_packages:
+            print("Verifying clamav configuration...")
+            valid = True
+
+            # Check clamd configuration file
+            clamd_config = _ConfigFile(self.clamd_config_path)
+            if not clamd_config.exists():
+                logger.error(f"ClamAV daemon config file missing: {self.clamd_config_path}")
+                valid = False
+            elif pathlib.Path(self.clamd_config_path).stat().st_size == 0:
+                logger.error(f"ClamAV daemon config file is empty: {self.clamd_config_path}")
+                valid = False
+
+            # Check freshclam configuration file
+            freshclam_config = _ConfigFile(self.freshclam_config_path)
+            if not freshclam_config.exists():
+                logger.error(f"ClamAV freshclam config file missing: {self.freshclam_config_path}")
+                valid = False
+            elif pathlib.Path(self.freshclam_config_path).stat().st_size == 0:
+                logger.error(f"ClamAV freshclam config file is empty: {self.freshclam_config_path}")
+                valid = False
+
+            # Check virus database directory and that signatures have been downloaded
+            virus_db_dir = pathlib.Path(self.virus_db_path)
+            if not virus_db_dir.exists():
+                logger.error(f"ClamAV virus database directory missing: {self.virus_db_path}")
+                valid = False
+            else:
+                # Check for signature files (typically .cvd or .cld files)
+                signature_files = list(virus_db_dir.glob("*.cvd")) + list(virus_db_dir.glob("*.cld"))
+                if not signature_files:
+                    logger.error(f"No ClamAV signature files found in {self.virus_db_path}")
+                    logger.error("Run 'freshclam' to download virus signatures")
+                    valid = False
+                else:
+                    # Check that at least one signature file is not empty
+                    valid_signatures = [f for f in signature_files if f.stat().st_size > 0]
+                    if not valid_signatures:
+                        logger.error("All ClamAV signature files are empty")
+                        logger.error("Run 'freshclam' to download virus signatures")
+                        valid = False
+
+            if valid:
+                logger.info(f"ClamAV verification passed. Found packages: {', '.join(installed_packages)}")
+
+            return valid
+        else:
+            print("ClamAV is not installed; skipping verification.")
+            return True

src/snac.conf

@@ -6,6 +6,7 @@
 # Example: To disable a module, uncomment the line and set to 'disabled'.
 #
 # auditd = disabled      # Auditd system auditing
+# clamav = disabled      # ClamAV antivirus (verification only)
 # console = disabled     # Console access
 # cryptsetup = disabled  # Disk encryption (cryptsetup)
 # faillock = disabled    # PAM faillock for login security

tests/integration/test_clamav_config.py

@@ -0,0 +1,165 @@
+"""Test ClamAV configuration verification."""
+
+import argparse
+import io
+import pathlib
+import tempfile
+from contextlib import redirect_stdout
+from unittest.mock import patch
+
+from nilrt_snac._configs._clamav_config import _ClamAVConfig
+
+
+class TestClamAVConfig:
+    """Test cases for ClamAV configuration verification."""
+
+    def test_configure_not_installed(self):
+        """Test configure method when ClamAV is not installed."""
+        config = _ClamAVConfig()
+
+        # Mock opkg_helper to return False for all packages
+        with patch.object(config._opkg_helper, "is_installed", return_value=False):
+            args = argparse.Namespace(dry_run=False)
+
+            # This should not raise an exception
+            config.configure(args)
+
+    def test_verify_not_installed(self):
+        """Test verify method when ClamAV is not installed - should pass."""
+        config = _ClamAVConfig()
+
+        # Mock opkg_helper to return False for all packages
+        with patch.object(config._opkg_helper, "is_installed", return_value=False):
+            # Capture stdout to verify the skip message
+            captured_output = io.StringIO()
+            args = argparse.Namespace()
+            
+            with redirect_stdout(captured_output):
+                result = config.verify(args)
+            
+            # Verify it returns True for the right reason
+            assert result is True
+            output = captured_output.getvalue()
+            assert "ClamAV is not installed; skipping verification." in output
+
+    def test_verify_installed_missing_config_files(self):
+        """Test verify when ClamAV is installed but config files missing."""
+        config = _ClamAVConfig()
+
+        # Mock opkg_helper to return True for one ClamAV package
+        with patch.object(config._opkg_helper, "is_installed") as mock_installed:
+            mock_installed.side_effect = lambda pkg: pkg == "clamav"
+
+            args = argparse.Namespace()
+            result = config.verify(args)
+
+            # Should fail because config files don't exist
+            assert result is False
+
+    def test_verify_installed_with_valid_config(self):
+        """Test verify method when ClamAV installed with valid config."""
+        config = _ClamAVConfig()
+
+        with tempfile.TemporaryDirectory() as tmpdir:
+            # Create temporary config files and database directory
+            clamd_config = pathlib.Path(tmpdir) / "clamd.conf"
+            freshclam_config = pathlib.Path(tmpdir) / "freshclam.conf"
+            virus_db_dir = pathlib.Path(tmpdir) / "db"
+            virus_db_dir.mkdir()
+
+            # Create non-empty config files
+            clamd_config.write_text(
+                "# ClamAV daemon config\n" "LogFile /var/log/clamav/clamd.log\n"
+            )
+            freshclam_config.write_text(
+                "# FreshClam config\n" "UpdateLogFile /var/log/clamav/freshclam.log\n"
+            )
+
+            # Create a signature file
+            signature_file = virus_db_dir / "main.cvd"
+            signature_file.write_bytes(b"fake signature data")
+
+            # Update config paths to use temporary files
+            config.clamd_config_path = str(clamd_config)
+            config.freshclam_config_path = str(freshclam_config)
+            config.virus_db_path = str(virus_db_dir)
+
+            # Mock opkg_helper to return True for one ClamAV package
+            with patch.object(config._opkg_helper, "is_installed") as mock_installed:
+                mock_installed.side_effect = lambda pkg: pkg == "clamav"
+
+                args = argparse.Namespace()
+                result = config.verify(args)
+
+                # Should pass because all required files exist and not empty
+                assert result is True
+
+    def test_verify_installed_empty_config_files(self):
+        """Test verify method when ClamAV config files exist but empty."""
+        config = _ClamAVConfig()
+
+        with tempfile.TemporaryDirectory() as tmpdir:
+            # Create temporary empty config files
+            clamd_config = pathlib.Path(tmpdir) / "clamd.conf"
+            freshclam_config = pathlib.Path(tmpdir) / "freshclam.conf"
+            virus_db_dir = pathlib.Path(tmpdir) / "db"
+            virus_db_dir.mkdir()
+
+            # Create empty config files
+            clamd_config.write_text("")
+            freshclam_config.write_text("")
+
+            # Create a signature file
+            signature_file = virus_db_dir / "main.cvd"
+            signature_file.write_bytes(b"fake signature data")
+
+            # Update config paths to use temporary files
+            config.clamd_config_path = str(clamd_config)
+            config.freshclam_config_path = str(freshclam_config)
+            config.virus_db_path = str(virus_db_dir)
+
+            # Mock opkg_helper to return True for one ClamAV package
+            with patch.object(config._opkg_helper, "is_installed") as mock_installed:
+                mock_installed.side_effect = lambda pkg: pkg == "clamav"
+
+                args = argparse.Namespace()
+                result = config.verify(args)
+
+                # Should fail because config files are empty
+                assert result is False
+
+    def test_verify_installed_no_signatures(self):
+        """Test verify when ClamAV installed but no signature files exist."""
+        config = _ClamAVConfig()
+
+        with tempfile.TemporaryDirectory() as tmpdir:
+            # Create temporary config files and database directory
+            clamd_config = pathlib.Path(tmpdir) / "clamd.conf"
+            freshclam_config = pathlib.Path(tmpdir) / "freshclam.conf"
+            virus_db_dir = pathlib.Path(tmpdir) / "db"
+            virus_db_dir.mkdir()
+
+            # Create non-empty config files
+            clamd_config.write_text(
+                "# ClamAV daemon config\n" "LogFile /var/log/clamav/clamd.log\n"
+            )
+            freshclam_config.write_text(
+                "# FreshClam config\n" "UpdateLogFile /var/log/clamav/freshclam.log\n"
+            )
+
+            # Don't create any signature files
+
+            # Update config paths to use temporary files
+            config.clamd_config_path = str(clamd_config)
+            config.freshclam_config_path = str(freshclam_config)
+            config.virus_db_path = str(virus_db_dir)
+
+            # Mock opkg_helper to return True for one ClamAV package
+            with patch.object(config._opkg_helper, "is_installed") as mock_installed:
+                mock_installed.side_effect = lambda pkg: pkg == "clamav"
+
+                args = argparse.Namespace()
+                result = config.verify(args)
+
+                # Should fail because no signature files exist
+                assert result is False