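#!/bin/bash
# One-shot installer for ClamAV with on-access scanning (clamonacc).
# Run as a regular user — individual commands use sudo where root is required.
# Requires: pacman, and these files in the current working directory:
#   ./clamav-sudoer  ./clamd.conf  ./virus-event.bash  ./clamav-clamonacc.service

# Abort on the first failed step so a half-finished install never reaches the
# reboot at the end of the script.
set -euo pipefail

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Fail early, before anything is installed, if a payload file is missing.
for payload in ./clamav-sudoer ./clamd.conf ./virus-event.bash ./clamav-clamonacc.service; do
  [[ -f "$payload" ]] || die "missing ${payload} (run this script from the directory that holds it)"
done

# Install the clamav package (provides clamd, clamonacc, freshclam, clamdscan).
sudo pacman -S clamav

# Deploy the sudoers drop-in. Per the original author it lets the clamav user
# run freshclam without a password; the file is not part of this script, so
# review it and keep the rule limited to the exact command it needs.
# A syntax error in /etc/sudoers.d can break sudo for everyone, so validate the
# file before installing it, and install it root-owned with mode 0440 instead of
# inheriting whatever mode the working copy has.
sudo visudo -cf ./clamav-sudoer
sudo install -o root -g root -m 0440 ./clamav-sudoer /etc/sudoers.d/clamav

# Deploy the custom daemon config (see clamd.conf in this directory for details
# on on-access mount path, scan settings, and VirusEvent hook).
sudo install -o root -g root -m 0644 ./clamd.conf /etc/clamav/clamd.conf

# Deploy the script referenced by the VirusEvent hook. clamd executes it on a
# detection, so it must be root-owned and not writable by other users.
# NOTE(review): what the hook does (notification, logging) is defined in
# virus-event.bash itself — check it there.
sudo install -o root -g root -m 0755 ./virus-event.bash /etc/clamav/virus-event.bash

# Deploy the custom systemd unit for clamonacc (the on-access daemon).
# /usr/lib/systemd/system is package-owned and is overwritten when the package
# is upgraded or reinstalled; /etc/systemd/system is the administrator's
# directory, takes precedence over it and is left alone by the package manager.
# The original script copied the unit to /usr/lib/systemd/system, which
# contradicts its stated goal of surviving package upgrades.
sudo install -o root -g root -m 0644 ./clamav-clamonacc.service \
  /etc/systemd/system/clamav-clamonacc.service
sudo systemctl daemon-reload

# aa-complain clamd
# (AppArmor complain-mode left commented out — uncomment if AppArmor is active
# and clamonacc is blocked; complain mode logs denials without enforcing them,
# so treat it as a diagnostic step and fix the profile rather than leaving the
# daemon unconfined.)

# Enable the related units at boot:
#   clamav-clamonacc            : on-access real-time scanner (needs clamd up)
#   clamav-daemon               : the clamd background scan service
#   clamav-freshclam            : signature update service
#   clamav-freshclam-once.timer : timer-driven freshclam run
sudo systemctl enable \
  clamav-clamonacc.service \
  clamav-daemon.service \
  clamav-freshclam.service \
  clamav-freshclam-once.timer

# Download the signature database before clamd is first started; clamd cannot
# start without a database in /var/lib/clamav. The original ran freshclam as
# the invoking user, who normally cannot write to that directory.
sudo freshclam

# The original author reboots here so that on-access scanning starts from a
# clean boot. NOTE(review): starting the enabled units with systemctl may be
# sufficient — confirm before relying on the reboot.
sudo reboot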