Misc

Author: hupe1980

examples/s3-antivurs-example/src/s3-antivirus-stack.ts

@@ -15,7 +15,7 @@ export class S3AntivirusStack extends Stack {
       removalPolicy: RemovalPolicy.DESTROY,
     });
 
-    const topic = new Topic(this, 'Topic', {});
+    const topic = new Topic(this, 'Topic');
     topic.addSubscription(new EmailSubscription(process.env.DEVSECOPS_TEAM_EMAIL as string));
 
     const scanner = new Scanner(this, 'Scanner', {

packages/cdk-s3-antivirus/README.md

@@ -42,7 +42,7 @@ export class S3AntivirusStack extends Stack {
       removalPolicy: RemovalPolicy.DESTROY,
     });
 
-    const topic = new Topic(this, 'Topic', {});
+    const topic = new Topic(this, 'Topic');
     topic.addSubscription(new EmailSubscription(process.env.DEVSECOPS_TEAM_EMAIL as string));
 
     const scanner = new Scanner(this, 'Scanner', {

packages/cdk-s3-antivirus/lambda-file-sizes.json

@@ -1 +1 @@
-[{"timestamp":1622414583614,"files":[{"filename":"scan/index.js","previous":80402,"size":80409,"diff":7},{"filename":"update/index.js","previous":80108,"size":80116,"diff":8}]},{"timestamp":1622413457296,"files":[{"filename":"scan/index.js","previous":80399,"size":80402,"diff":3},{"filename":"update/index.js","previous":80105,"size":80108,"diff":3}]},{"timestamp":1622412958546,"files":[{"filename":"scan/index.js","previous":80391,"size":80399,"diff":8},{"filename":"update/index.js","previous":80098,"size":80105,"diff":7}]},{"timestamp":1622412248030,"files":[{"filename":"scan/index.js","previous":80407,"size":80391,"diff":-16},{"filename":"update/index.js","previous":80114,"size":80098,"diff":-16}]},{"timestamp":1622411844731,"files":[{"filename":"scan/index.js","previous":80407,"size":80407,"diff":0},{"filename":"update/index.js","previous":80099,"size":80114,"diff":15}]},{"timestamp":1622401380707,"files":[{"filename":"scan/index.js","previous":80395,"size":80407,"diff":12},{"filename":"update/index.js","previous":80087,"size":80099,"diff":12}]},{"timestamp":1622400877967,"files":[{"filename":"scan/index.js","previous":34900,"size":80395,"diff":45495},{"filename":"update/index.js","previous":34571,"size":80087,"diff":45516}]},{"timestamp":1622396775879,"files":[{"filename":"scan/index.js","previous":34893,"size":34900,"diff":7},{"filename":"update/index.js","previous":34563,"size":34571,"diff":8}]},{"timestamp":1622396681245,"files":[{"filename":"scan/index.js","previous":34893,"size":34893,"diff":0},{"filename":"update/index.js","previous":34854,"size":34563,"diff":-291}]},{"timestamp":1622396649924,"files":[{"filename":"scan/index.js","previous":34893,"size":34893,"diff":0},{"filename":"update/index.js","previous":34853,"size":34854,"diff":1}]},{"timestamp":1622366115062,"files":[{"filename":"scan/index.js","previous":34891,"size":34893,"diff":2},{"filename":"update/index.js","previous":34852,"size":34853,"diff":1}]},{"timestamp":1622363715555,"files":[{"filename":"clamscan/index.js","previous":1084,"size":0,"diff":-1084},{"filename":"freshclam/index.js","previous":1090,"size":0,"diff":-1090},{"filename":"scan/index.js","previous":0,"size":34891,"diff":34891},{"filename":"update/index.js","previous":0,"size":34852,"diff":34852}]},{"timestamp":1622288885756,"files":[{"filename":"clamscan/index.js","previous":0,"size":1084,"diff":1084},{"filename":"freshclam/index.js","previous":0,"size":1090,"diff":1090}]}]
+[{"timestamp":1622437372220,"files":[{"filename":"scan/index.js","previous":80409,"size":80411,"diff":2},{"filename":"update/index.js","previous":80116,"size":80116,"diff":0}]},{"timestamp":1622414583614,"files":[{"filename":"scan/index.js","previous":80402,"size":80409,"diff":7},{"filename":"update/index.js","previous":80108,"size":80116,"diff":8}]},{"timestamp":1622413457296,"files":[{"filename":"scan/index.js","previous":80399,"size":80402,"diff":3},{"filename":"update/index.js","previous":80105,"size":80108,"diff":3}]},{"timestamp":1622412958546,"files":[{"filename":"scan/index.js","previous":80391,"size":80399,"diff":8},{"filename":"update/index.js","previous":80098,"size":80105,"diff":7}]},{"timestamp":1622412248030,"files":[{"filename":"scan/index.js","previous":80407,"size":80391,"diff":-16},{"filename":"update/index.js","previous":80114,"size":80098,"diff":-16}]},{"timestamp":1622411844731,"files":[{"filename":"scan/index.js","previous":80407,"size":80407,"diff":0},{"filename":"update/index.js","previous":80099,"size":80114,"diff":15}]},{"timestamp":1622401380707,"files":[{"filename":"scan/index.js","previous":80395,"size":80407,"diff":12},{"filename":"update/index.js","previous":80087,"size":80099,"diff":12}]},{"timestamp":1622400877967,"files":[{"filename":"scan/index.js","previous":34900,"size":80395,"diff":45495},{"filename":"update/index.js","previous":34571,"size":80087,"diff":45516}]},{"timestamp":1622396775879,"files":[{"filename":"scan/index.js","previous":34893,"size":34900,"diff":7},{"filename":"update/index.js","previous":34563,"size":34571,"diff":8}]},{"timestamp":1622396681245,"files":[{"filename":"scan/index.js","previous":34893,"size":34893,"diff":0},{"filename":"update/index.js","previous":34854,"size":34563,"diff":-291}]},{"timestamp":1622396649924,"files":[{"filename":"scan/index.js","previous":34893,"size":34893,"diff":0},{"filename":"update/index.js","previous":34853,"size":34854,"diff":1}]},{"timestamp":1622366115062,"files":[{"filename":"scan/index.js","previous":34891,"size":34893,"diff":2},{"filename":"update/index.js","previous":34852,"size":34853,"diff":1}]},{"timestamp":1622363715555,"files":[{"filename":"clamscan/index.js","previous":1084,"size":0,"diff":-1084},{"filename":"freshclam/index.js","previous":1090,"size":0,"diff":-1090},{"filename":"scan/index.js","previous":0,"size":34891,"diff":34891},{"filename":"update/index.js","previous":0,"size":34852,"diff":34852}]},{"timestamp":1622288885756,"files":[{"filename":"clamscan/index.js","previous":0,"size":1084,"diff":1084},{"filename":"freshclam/index.js","previous":0,"size":1090,"diff":1090}]}]

packages/cdk-s3-antivirus/package.json

@@ -19,9 +19,9 @@
   "keywords": [
     "aws",
     "cdk",
-    "elasticsearch",
-    "cognito",
-    "kinana",
+    "clamav",
+    "antivirus",
+    "s3",
     "@cloudcomponents"
   ],
   "main": "lib/index.js",

packages/cdk-s3-antivirus/src/lambdas/scan/index.ts

@@ -5,6 +5,7 @@ import { AntiVirus, ScanResult } from '../shared/anti-virus';
 
 const antiVirus = new AntiVirus({
   definitionsPath: path.join(process.env.EFS_MOUNT_PATH as string, process.env.EFS_DEFINITIONS_PATH as string),
+  scanStatusTagName: process.env.SCAN_STATUS_TAG_NAME as string,
 });
 
 export const handler = async (event: S3CreateEvent, context: Context): Promise<ScanResult> => {
@@ -15,5 +16,6 @@ export const handler = async (event: S3CreateEvent, context: Context): Promise<S
   const downloadPath = path.join(process.env.EFS_MOUNT_PATH as string, context.awsRequestId);
 
   await antiVirus.updateDefinitions([`PrivateMirror ${mirror}`]);
+
   return antiVirus.scan(bucket, key, downloadPath);
 };

packages/cdk-s3-antivirus/src/lambdas/shared/anti-virus.ts

@@ -9,14 +9,15 @@ const FRESHCLAM_CONF = '/tmp/freshclam.conf';
 const REG_EXP = new RegExp('\\w+.c[vl]d');
 
 export interface ScanResult {
-  bucket: string;
-  key: string;
-  status: ScanStatus;
-  message: string;
+  readonly bucket: string;
+  readonly key: string;
+  readonly status: ScanStatus;
+  readonly message: string;
 }
 
 export interface AntiVirusOptions {
-  definitionsPath: string;
+  readonly definitionsPath: string;
+  readonly scanStatusTagName: string;
 }
 
 export class AntiVirus {
@@ -40,11 +41,7 @@ export class AntiVirus {
     args.push(os.userInfo().username);
     args.push(`--datadir=${this.options.definitionsPath}`);
 
-    const result = await execa('/opt/clamav/freshclam', args);
-
-    if (result.exitCode != 0) {
-      throw new Error(`freshclam exited with unexpected exit code: ${result.exitCode}`);
-    }
+    await execa('/opt/clamav/freshclam', args);
   }
 
   public async scan(bucket: string, key: string, scanPath: string): Promise<ScanResult> {
@@ -129,7 +126,7 @@ export class AntiVirus {
         Tagging: {
           TagSet: [
             {
-              Key: 'cc:scan-status',
+              Key: this.options.scanStatusTagName,
               Value: status,
             },
           ],

packages/cdk-s3-antivirus/src/lambdas/update/index.ts

@@ -4,6 +4,7 @@ import { AntiVirus } from '../shared/anti-virus';
 
 const antiVirus = new AntiVirus({
   definitionsPath: '/tmp',
+  scanStatusTagName: process.env.SCAN_STATUS_TAG_NAME as string,
 });
 
 export const handler = async (_event: ScheduledEvent, _context: Context): Promise<void> => {
@@ -12,6 +13,4 @@ export const handler = async (_event: ScheduledEvent, _context: Context): Promis
   await antiVirus.downloadDefinitions(bucket);
   await antiVirus.updateDefinitions([`DNSDatabaseInfo current.cvd.clamav.net`, `DatabaseMirror  database.clamav.net`, `CompressLocalDatabase yes`]);
   await antiVirus.uploadDefinitions(bucket);
-
-  return;
 };

packages/cdk-s3-antivirus/src/scanner.ts

@@ -17,16 +17,23 @@ export interface ScannerProps {
   readonly onResult?: IDestination;
   readonly onError?: IDestination;
   readonly updateSchedule?: Schedule;
+  /**
+   * @default cc:scan-status
+   */
+  readonly scanStatusTagName?: string;
 }
 
 export class Scanner extends Construct {
   public readonly scanFunction: IFunction;
   public readonly updateFunction: IFunction;
   public readonly sandbox: Sandbox;
+  public readonly scanStatusTagName: string;
 
   constructor(scope: Construct, id: string, props: ScannerProps = {}) {
     super(scope, id);
 
+    this.scanStatusTagName = props.scanStatusTagName ?? 'cc:scna-status';
+
     this.sandbox = new Sandbox(this, 'Sandbox');
 
     const layer = new ClamavLayer(this, 'ClamavLayer');
@@ -44,6 +51,7 @@ export class Scanner extends Construct {
       timeout: Duration.minutes(15),
       memorySize: 10240,
       environment: {
+        SCAN_STATUS_TAG_NAME: this.scanStatusTagName,
         EFS_MOUNT_PATH: '/mnt/lambda',
         EFS_DEFINITIONS_PATH: 'virus_database/',
         DEFINITIONS_URL: this.sandbox.definitionBucket.virtualHostedUrlForObject(),
@@ -58,9 +66,11 @@ export class Scanner extends Construct {
       code: Code.fromAsset(path.join(__dirname, 'lambdas', 'update')),
       handler: 'index.handler',
       runtime: Runtime.NODEJS_12_X,
+      onFailure: props.onError,
       timeout: Duration.minutes(5),
       memorySize: 1024,
       environment: {
+        SCAN_STATUS_TAG_NAME: this.scanStatusTagName,
         DEFINITIONS_BUCKET: this.sandbox.definitionBucket.bucketName,
       },
       layers: [layer],
@@ -126,7 +136,7 @@ export class Scanner extends Construct {
           notPrincipals: [this.scanFunction.role, scanAssumedPrincipal],
           conditions: {
             StringEquals: {
-              's3:ExistingObjectTag/cc:scan-status': ['IN PROGRESS', 'INFECTED', 'ERROR'],
+              [`s3:ExistingObjectTag/${this.scanStatusTagName}`]: ['IN PROGRESS', 'INFECTED', 'ERROR'],
             },
           },
         }),