
Fix: Rebooting GitLab may trigger ClamAV alarm (#6114, PR #6155)
achave11-ucsc committed Apr 20, 2024
2 parents c6355cd + 433e457 commit 828f5e4
Showing 1 changed file with 22 additions and 22 deletions.
44 changes: 22 additions & 22 deletions terraform/shared/shared.tf.json.template.py
Expand Up @@ -108,6 +108,13 @@ def conformance_pack(name: str) -> str:
'$.eventType !="AwsServiceEvent"}')
]

# The deployment and/or backup of the GitLab instance requires a reboot, which
# can interrupt an ongoing ClamAV scan. Since scans are run twice a day, we set
# the alarm period to 24 hours (maximum allowed by CloudWatch) to allow enough
# time for the next scan to complete following an interrupted scan.
#
clam_alarm_period = 24 * 60 * 60

tf_config = {
'data': {
'aws_iam_role': {
Expand Down Expand Up @@ -524,26 +531,19 @@ def conformance_pack(name: str) -> str:
}
for a in cis_alarms
},
**{
resource_name: {
'alarm_name': config.qualified_resource_name(resource_name, suffix='.alarm'),
'comparison_operator': 'GreaterThanOrEqualToThreshold',
'evaluation_periods': 1,
'metric_name': '${aws_cloudwatch_log_metric_filter.'
'%s.metric_transformation[0].name}' % resource_name,
'namespace': 'LogMetrics',
'statistic': 'Sum',
'treat_missing_data': 'notBreaching',
'threshold': 1,
'period': period,
'alarm_actions': ['${aws_sns_topic.monitoring.arn}'],
'ok_actions': ['${aws_sns_topic.monitoring.arn}']
} for resource_name, period in [
# With ClamScan running twice a day we've got a 12h period,
# plus 8h upper bound on running time, minus 2h lower bound
# on running time, giving us an 18h evaluation period.
('clam_fail', 18 * 60 * 60)
]
'clam_fail': {
'alarm_name': config.qualified_resource_name('clam_fail', suffix='.alarm'),
'comparison_operator': 'GreaterThanOrEqualToThreshold',
'evaluation_periods': 1,
'metric_name': '${aws_cloudwatch_log_metric_filter.'
'%s.metric_transformation[0].name}' % 'clam_fail',
'namespace': 'LogMetrics',
'statistic': 'Sum',
'treat_missing_data': 'notBreaching',
'threshold': 1,
'period': clam_alarm_period,
'alarm_actions': ['${aws_sns_topic.monitoring.arn}'],
'ok_actions': ['${aws_sns_topic.monitoring.arn}']
},
**{
resource_name: {
Expand Down Expand Up @@ -580,8 +580,8 @@ def conformance_pack(name: str) -> str:
]
} for resource_name, period in [
('trail_logs', 10 * 60),
('clamscan', 18 * 60 * 60),
('freshclam', 18 * 60 * 60)
('clamscan', clam_alarm_period),
('freshclam', clam_alarm_period)
]
}
},
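Review bot: The `clam_fail` alarm in the second hunk keeps `'treat_missing_data': 'notBreaching'`, so an interrupted scan producing no data cannot trip it; switching its `'period'` to `clam_alarm_period` therefore does not seem to address the reboot false alarm, but it may lengthen the time before a real ClamAV failure or detection is reported, up to the 24h period. If that metric counts scan errors or detections rather than missing scans, consider leaving its period at the previous `18 * 60 * 60` (or shorter) and applying `clam_alarm_period` only to the `clamscan`/`freshclam` alarms in the third hunk. The new comment in the first hunk also drops the running-time bounds the removed comment recorded, which are what make 24h sufficient; adding `# Assumes a scan's running time stays well below 12h (previously bounded at 8h), so the scan following an interrupted one completes within the 24h window.` keeps the figure justified. The enclosing `tf_config` literal starts and ends outside the hunks.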
