Incorporate FAC REST File Scanner into Shared Modules #41

@asteel-gsa

As discussed with Ryan, we would like to incorporate the FAC File Scanner, which utilizes a small Flask application, FAC Periodic Scanner, to scan files recursively at rest from an S3 target.

The purpose of this application is to:

  • Create a small application with Terraform
  • Utilize a second ClamAV instance to retroactively scan all files in an S3 bucket
  • Bind the S3 bucket to the running application
  • Use ClamAV curl to scan files and attach last-scanned metadata to the file
  • Utilize the logshipper to stream app logs to New Relic

This does not:

  • Automate quarantining of files to the dedicated quarantine bucket, as that has been deemed a manual IR task by the FAC

Considerations:

  • The ClamAV URL needs to be sent as input to the module, as that is stored in VCAP_SERVICES as credentials
  • It will need to bind the src bucket to read from, the quarantine bucket it creates as part of the module, and an existing logdrain sysurl
  • We opted to give this its own dedicated ClamAV to scan with, though it doesn't need one. A secondary ClamAV would not be part of this module, just the input of the SCAN_URL

Ticket is subject to change as this is a temporary placeholder to give a brief overview.
