saving uncommitted changes in /etc prior to dnf run

Package changes:

.gitignore

@@ -17,6 +17,7 @@ mtab.fuselock
 *.LOCK
 network/run
 adjtime
+udev/hwdb.bin
 lvm/cache
 lvm/archive
 X11/xdm/authdir/authfiles/*

.updated

@@ -1,4 +1,4 @@
 # This file was created by systemd-update-done. Its only 
 # purpose is to hold a timestamp of the time this directory
 # was updated. See man:systemd-update-done.service(8).
-TIMESTAMP_NSEC=1614695289186707635
+TIMESTAMP_NSEC=1657017364181189259

ImageMagick-6/coder.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE codermap [
-<!ELEMENT codermap (coder)+>
+<!ELEMENT codermap (coder)*>
   <!ATTLIST codermap xmlns CDATA #FIXED ''>
   <!ELEMENT coder EMPTY>
   <!ATTLIST coder xmlns CDATA #FIXED '' magick NMTOKEN #REQUIRED

ImageMagick-6/colors.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE colormap [
-<!ELEMENT colormap (color)+>
+<!ELEMENT colormap (color)*>
 <!ELEMENT color (#PCDATA)>
 <!ATTLIST color name CDATA "0">
 <!ATTLIST color color CDATA "rgb(0,0,0)">

ImageMagick-6/delegates.xml

@@ -62,19 +62,15 @@
   <delegate decode="png" encode="bpg" command="&quot;bpgenc&quot; -b 12 -q &quot;%~&quot; -o &quot;%o&quot; &quot;%i&quot;"/>
   <delegate decode="blender" command="&quot;blender&quot; -b &quot;%i&quot; -F PNG -o &quot;%o&quot;&quot;\n&quot;convert&quot; -concatenate &quot;%o*.png&quot; &quot;%o&quot;"/>
   <delegate decode="browse" stealth="True" spawn="True" command="&quot;xdg-open&quot; https://imagemagick.org/; /usr/bin/rm &quot;%i&quot;"/>
-  <delegate decode="cdr" command="&quot;uniconvertor&quot; &quot;%i&quot; &quot;%o.svg&quot;; /usr/bin/mv &quot;%o.svg&quot; &quot;%o&quot;"/>
-  <delegate decode="cgm" command="&quot;uniconvertor&quot; &quot;%i&quot; &quot;%o.svg&quot;; /usr/bin/mv &quot;%o.svg&quot; &quot;%o&quot;"/>
   <delegate decode="https:decode" command="&quot;curl&quot; -s -k -L -o &quot;%u.dat&quot; &quot;https:%M&quot;"/>
-  <delegate decode="doc" command="&quot;soffice&quot; --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
-  <delegate decode="docx" command="&quot;soffice&quot; --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
+  <delegate decode="doc" command="&quot;libreoffice&quot; --headless --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
+  <delegate decode="docx" command="&quot;libreoffice&quot; --headless --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
   <delegate decode="dng:decode" command="&quot;ufraw-batch&quot; --silent --create-id=also --out-type=png --out-depth=16 &quot;--output=%u.png&quot; &quot;%i&quot;"/>
   <delegate decode="dot" command='&quot;dot&quot; -Tsvg &quot;%i&quot; -o &quot;%o&quot;' />
   <delegate decode="dvi" command="&quot;dvips&quot; -sstdout=%%stderr -o &quot;%o&quot; &quot;%i&quot;"/>
-  <delegate decode="dxf" command="&quot;uniconvertor&quot; &quot;%i&quot; &quot;%o.svg&quot;; /usr/bin/mv &quot;%o.svg&quot; &quot;%o&quot;"/>
   <delegate decode="edit" stealth="True" command="&quot;xterm&quot; -title &quot;Edit Image Comment&quot; -e vi &quot;%o&quot;"/>
   <delegate decode="eps" encode="pdf" mode="bi" command="&quot;gs&quot; -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 &quot;-sDEVICE=pdfwrite&quot; &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
   <delegate decode="eps" encode="ps" mode="bi" command="&quot;gs&quot; -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=ps2write&quot; &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
-  <delegate decode="fig" command="&quot;uniconvertor&quot; &quot;%i&quot; &quot;%o.svg&quot;; /usr/bin/mv &quot;%o.svg&quot; &quot;%o&quot;"/>
   <delegate decode="hpg" command="&quot;hp2xx&quot; -sstdout=%%stderr -m eps -f `basename &quot;%o&quot;` &quot;%i&quot;;     /usr/bin/mv -f `basename &quot;%o&quot;` &quot;%o&quot;"/>
   <delegate decode="hpgl" command="&quot;hp2xx&quot; -sstdout=%%stderr -m eps -f `basename &quot;%o&quot;` &quot;%i&quot;;     /usr/bin/mv -f `basename &quot;%o&quot;` &quot;%o&quot;"/>
   <delegate decode="htm" command="&quot;html2ps&quot; -U -o &quot;%o&quot; &quot;%i&quot;"/>
@@ -85,20 +81,19 @@
   <delegate decode="lep" mode="decode" command="&quot;lepton&quot; &quot;%i&quot; &quot;%o&quot;"/>
   <delegate decode="miff" encode="show" spawn="True" command="&quot;display&quot; -immutable -delay 0 -title &quot;%M&quot; &quot;%i&quot;"/>
   <delegate decode="miff" encode="win" stealth="True" spawn="True" command="&quot;display&quot; -immutable -delay 0 -title &quot;%M&quot; &quot;%i&quot;"/>
-  <delegate decode="mpeg:decode" command="&quot;ffmpeg&quot; -nostdin -v -1 -i &quot;%i&quot; -vframes %S -vcodec pam -an -f rawvideo -y &quot;%u.pam&quot; 2&gt; &quot;%u&quot;"/>
-  <delegate decode="odt" command="&quot;soffice&quot; --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
+  <delegate decode="odt" command="&quot;libreoffice&quot; --headless --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
   <delegate decode="pcl:cmyk" stealth="True" command="&quot;pcl6&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=pamcmyk32&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
   <delegate decode="pcl:color" stealth="True" command="&quot;pcl6&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=ppmraw&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
   <delegate decode="pcl:mono" stealth="True" command="&quot;pcl6&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=pbmraw&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
-  <delegate decode="pdf" encode="eps" mode="bi" command="&quot;gs&quot; -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sPDFPassword=&quot;%a&quot; &quot;-sDEVICE=eps2write&quot; &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
-  <delegate decode="pdf" encode="ps" mode="bi" command="&quot;gs&quot; -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=ps2write&quot; -sPDFPassword=&quot;%a&quot; &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
+  <delegate decode="pdf" encode="eps" mode="bi" command="&quot;gs&quot; -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=eps2write&quot; &quot;-sPDFPassword=%a&quot; &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
+  <delegate decode="pdf" encode="ps" mode="bi" command="&quot;gs&quot; -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=ps2write&quot; &quot;-sPDFPassword=%a&quot; &quot;-sOutputFile=%o&quot; &quot;-f%i&quot;"/>
   <delegate decode="pnm" encode="trace" command="&quot;potrace&quot; --svg --output &quot;%o&quot; &quot;%i&quot;"/>
   <delegate decode="png" encode="webp" command="&quot;cwebp&quot; -quiet %Q &quot;%i&quot; -o &quot;%o&quot;"/>
   <delegate decode="pnm" encode="ilbm" mode="encode" command="&quot;ppmtoilbm&quot; -24if &quot;%i&quot; &gt; &quot;%o&quot;"/>
   <delegate decode="bmp" encode="jxr" command="/usr/bin/mv &quot;%i&quot; &quot;%i.bmp&quot;; &quot;JxrEncApp&quot; -i &quot;%i.bmp&quot; -o &quot;%o.jxr&quot;; /usr/bin/mv &quot;%i.bmp&quot; &quot;%i&quot;; /usr/bin/mv &quot;%o.jxr&quot; &quot;%o&quot;"/>
   <delegate decode="bmp" encode="wdp" command="/usr/bin/mv &quot;%i&quot; &quot;%i.bmp&quot;; &quot;JxrEncApp&quot; -i &quot;%i.bmp&quot; -o &quot;%o.jxr&quot;; /usr/bin/mv &quot;%i.bmp&quot; &quot;%i&quot;; /usr/bin/mv &quot;%o.jxr&quot; &quot;%o&quot;"/>
-  <delegate decode="ppt" command="&quot;soffice&quot; --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
-  <delegate decode="pptx" command="&quot;soffice&quot; --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
+  <delegate decode="ppt" command="&quot;libreoffice&quot; --headless --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
+  <delegate decode="pptx" command="&quot;libreoffice&quot; --headless --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
   <delegate decode="ps" encode="prt" command='&quot;lpr&quot; &quot;%i&quot;'/>
   <delegate decode="ps:alpha" stealth="True" command="&quot;gs&quot; -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=pngalpha&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;-f%s&quot; &quot;-f%s&quot;"/>
   <delegate decode="ps:cmyk" stealth="True" command="&quot;gs&quot; -sstdout=%%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=pamcmyk32&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;-f%s&quot; &quot;-f%s&quot;"/>
@@ -110,14 +105,17 @@
   <delegate decode="shtml" command="&quot;html2ps&quot; -U -o &quot;%o&quot; &quot;%i&quot;"/>
   <delegate decode="sid" command="&quot;mrsidgeodecode&quot; -if sid -i &quot;%i&quot; -of tif -o &quot;%o&quot; &gt; &quot;%u&quot;"/>
   <delegate decode="svg" command="&quot;rsvg-convert&quot; -o &quot;%o&quot; &quot;%i&quot;"/>
-  <delegate decode="svg:decode" stealth="True" command="&quot;inkscape&quot; &quot;%s&quot; --export-png=&quot;%s&quot; --export-dpi=&quot;%s&quot; --export-background=&quot;%s&quot; --export-background-opacity=&quot;%s&quot; &gt; &quot;%s&quot; 2&gt;&amp;1"/>
+  <!-- Change export-filename to export-png for inkscape < 1.0 -->
+  <delegate decode="svg:decode" stealth="True" command="&quot;inkscape&quot; &quot;%s&quot; --export-filename=&quot;%s&quot; --export-dpi=&quot;%s&quot; --export-background=&quot;%s&quot; --export-background-opacity=&quot;%s&quot; &gt; &quot;%s&quot; 2&gt;&amp;1"/>
+  <delegate decode="tiff" encode="text" command="&quot;tesseract&quot; &quot;%i&quot; &quot;%u&quot;; /usr/bin/mv &quot;%u.txt&quot; &quot;%o&quot;"/>
   <delegate decode="tiff" encode="launch" mode="encode" command="&quot;gimp&quot; &quot;%i&quot;"/>
   <delegate decode="wdp" command="/usr/bin/mv &quot;%i&quot; &quot;%i.jxr&quot;; &quot;JxrDecApp&quot; -i &quot;%i.jxr&quot; -o &quot;%o.bmp&quot;; /usr/bin/mv &quot;%i.jxr&quot; &quot;%i&quot;; /usr/bin/mv &quot;%o.bmp&quot; &quot;%o&quot;"/>
   <delegate decode="webp" command="&quot;dwebp&quot; -pam &quot;%i&quot; -o &quot;%o&quot;"/>
-  <delegate decode="xls" command="&quot;soffice&quot; --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
-  <delegate decode="xlsx" command="&quot;soffice&quot; --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
+  <delegate decode="xls" command="&quot;libreoffice&quot; --headless --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
+  <delegate decode="xlsx" command="&quot;libreoffice&quot; --headless --convert-to pdf -outdir `dirname &quot;%i&quot;` &quot;%i&quot; 2&gt; &quot;%u&quot;; /usr/bin/mv &quot;%i.pdf&quot; &quot;%o&quot;"/>
   <delegate decode="xps:cmyk" stealth="True" command="&quot;gxps&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=bmpsep8&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
   <delegate decode="xps:color" stealth="True" command="&quot;gxps&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=ppmraw&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
   <delegate decode="xps:mono" stealth="True" command="&quot;gxps&quot; -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 &quot;-sDEVICE=pbmraw&quot; -dTextAlphaBits=%u -dGraphicsAlphaBits=%u &quot;-r%s&quot; %s &quot;-sOutputFile=%s&quot; &quot;%s&quot;"/>
-  <delegate encode="mpeg:encode" stealth="True" command="&quot;ffmpeg&quot; -nostdin -v -1 -i &quot;%M%%d.jpg&quot; &quot;%u.%m&quot; 2&gt; &quot;%u&quot;"/>
+  <delegate decode="video:decode" command="&quot;ffmpeg&quot; -nostdin -loglevel error -i &quot;%s&quot; -an -f rawvideo -y %s &quot;%s&quot;"/>
+  <delegate encode="video:encode" stealth="True" command="&quot;ffmpeg&quot; -nostdin -loglevel error -i &quot;%s%%d.%s&quot; %s &quot;%s.%s&quot;"/>
 </delegatemap>

ImageMagick-6/mime.xml

@@ -827,6 +827,7 @@
   <mime type="image/x-gzeps" description="EPS image (gzip-compressed)" priority="100" pattern="*.epsi.gz" />
   <mime type="image/x-gzeps" description="EPS image (gzip-compressed)" priority="100" pattern="*.epsf.gz" />
   <mime type="image/x-ico" acronym="ICO" description="Windows Icon" priority="100" pattern="*.ico" />
+  <mime type="image/x-icon" acronym="ICO" description="Windows Icon" priority="100" pattern="*.ico" />
   <mime type="image/x-icns" description="MacOS X icon" data-type="string" offset="0" magic="icns" priority="50" />
   <mime type="image/x-icns" description="MacOS X icon" priority="100" pattern="*.icns" />
   <mime type="image/x-iff" description="IFF image" priority="100" pattern="*.iff" />
@@ -1142,4 +1143,7 @@
   <mime type="application/x-t602" description="T602 document" priority="100" pattern="*.602" />
   <mime type="application/x-cisco-vpn-settings" description="Cisco VPN Settings" data-type="string" offset="0" magic="[main]" priority="50" />
   <mime type="application/x-cisco-vpn-settings" description="Cisco VPN Settings" priority="100" pattern="*.pcf" />
+  <mime type="image/apng" acronym="APNG" description="PNG image" priority="100" pattern="*.apng" />
+  <mime type="image/avif" acronym="AVIF" description="AVIF image" priority="100" pattern="*.avif" />
+  <mime type="image/webp" acronym="WEBP" description="Web/P image" priority="100" pattern="*.webp" />
 </mimemap>

ImageMagick-6/policy.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE policymap [
-  <!ELEMENT policymap (policy)+>
+  <!ELEMENT policymap (policy)*>
   <!ATTLIST policymap xmlns CDATA #FIXED ''>
   <!ELEMENT policy EMPTY>
   <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
@@ -38,6 +38,10 @@
 
     <policy domain="resource" name="area" value="1GP"/>
 
+  Use the default system font unless overridden by the application:
+
+    <policy domain="system" name="font" value="/usr/share/fonts/favorite.ttf"/>
+
   Define arguments for the memory, map, area, width, height and disk resources
   with SI prefixes (.e.g 100MB).  In addition, resource policies are maximums
   for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
@@ -52,10 +56,6 @@
     <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
 -->
 <policymap>
-  <!-- <policy domain="system" name="shred" value="2"/> -->
-  <!-- <policy domain="system" name="precision" value="6"/> -->
-  <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
-  <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
   <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
   <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
   <!-- <policy domain="resource" name="map" value="4GiB"/> -->
@@ -75,4 +75,9 @@
   <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
   <!-- <policy domain="cache" name="synchronize" value="True"/> -->
   <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
+  <!-- <policy domain="cache" name="synchronize" value="True"/> -->
+  <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
+  <!-- <policy domain="system" name="shred" value="1"/> -->
+  <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> -->
+  <policy domain="Undefined" rights="none"/>
 </policymap>

ImageMagick-6/thresholds.xml

@@ -31,7 +31,7 @@
 
   Each of the "levels" integer values (each value representing the threshold
   intensity "level/divisor" at which that pixel is turned on.  The "levels"
-  integers given can be any postive integers between "0" and the "divisor",
+  integers given can be any positive integers between "0" and the "divisor",
   excluding those limits.
 
   The "divisor" not only defines the upper limit and threshold divisor for each
@@ -127,7 +127,7 @@
 
   These patterns initially start as circles, but then form diamonds
   pattern at the 50% threshold level, before forming negated circles,
-  as it approached the other threshold extereme.
+  as it approached the other threshold extreme.
 -->
   <threshold map="h4x4a" alias="4x1">
     <description>Halftone 4x4 (angled)</description>
@@ -169,12 +169,12 @@
   Halftones - Orthogonally Aligned, or Un-angled
 
   Initially added by Anthony Thyssen, IM v6.2.9-5 using techniques from
-  "Dithering & Halftoning" by Gernot Haffmann
+  "Dithering & Halftoning" by Gernot Hoffmann
   http://www.fho-emden.de/~hoffmann/hilb010101.pdf
 
   These patterns initially start as circles, but then form square
   pattern at the 50% threshold level, before forming negated circles,
-  as it approached the other threshold extereme.
+  as it approached the other threshold extreme.
 -->
   <threshold map="h4x4o">
     <description>Halftone 4x4 (orthogonal)</description>
@@ -214,7 +214,7 @@
 
   <threshold map="h16x16o">
     <!--
-       Direct extract from "Dithering & Halftoning" by Gernot Haffmann.
+       Direct extract from "Dithering & Halftoning" by Gernot Hoffmann.
        This may need some fine tuning for symmetry of the halftone dots,
        as it was a mathematically formulated pattern.
     -->

ImageMagick-6/type-ghostscript.xml

@@ -13,38 +13,38 @@
   ImageMagick Ghostscript font configuration.
 -->
 <typemap>
-  <type name="AvantGarde-Book" fullname="AvantGarde Book" family="AvantGarde" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="a010013l.afm" glyphs="a010013l.pfb"/>
-  <type name="AvantGarde-BookOblique" fullname="AvantGarde Book Oblique" family="AvantGarde" foundry="URW" weight="400" style="oblique" stretch="normal" format="type1" metrics="a010033l.afm" glyphs="a010033l.pfb"/>
-  <type name="AvantGarde-Demi" fullname="AvantGarde DemiBold" family="AvantGarde" foundry="URW" weight="600" style="normal" stretch="normal" format="type1" metrics="a010015l.afm" glyphs="a010015l.pfb"/>
-  <type name="AvantGarde-DemiOblique" fullname="AvantGarde DemiOblique" family="AvantGarde" foundry="URW" weight="600" style="oblique" stretch="normal" format="type1" metrics="a010035l.afm" glyphs="a010035l.pfb"/>
-  <type name="Bookman-Demi" fullname="Bookman DemiBold" family="Bookman" foundry="URW" weight="600" style="normal" stretch="normal" format="type1" metrics="b018015l.afm" glyphs="b018015l.pfb"/>
-  <type name="Bookman-DemiItalic" fullname="Bookman DemiBold Italic" family="Bookman" foundry="URW" weight="600" style="italic" stretch="normal" format="type1" metrics="b018035l.afm" glyphs="b018035l.pfb"/>
-  <type name="Bookman-Light" fullname="Bookman Light" family="Bookman" foundry="URW" weight="300" style="normal" stretch="normal" format="type1" metrics="b018012l.afm" glyphs="b018012l.pfb"/>
-  <type name="Bookman-LightItalic" fullname="Bookman Light Italic" family="Bookman" foundry="URW" weight="300" style="italic" stretch="normal" format="type1" metrics="b018032l.afm" glyphs="b018032l.pfb"/>
-  <type name="Courier" fullname="Courier Regular" family="Courier" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="n022003l.afm" glyphs="n022003l.pfb"/>
-  <type name="Courier-Bold" fullname="Courier Bold" family="Courier" foundry="URW" weight="700" style="normal" stretch="normal" format="type1" metrics="n022004l.afm" glyphs="n022004l.pfb"/>
-  <type name="Courier-Oblique" fullname="Courier Regular Oblique" family="Courier" foundry="URW" weight="400" style="oblique" stretch="normal" format="type1" metrics="n022023l.afm" glyphs="n022023l.pfb"/>
-  <type name="Courier-BoldOblique" fullname="Courier Bold Oblique" family="Courier" foundry="URW" weight="700" style="oblique" stretch="normal" format="type1" metrics="n022024l.afm" glyphs="n022024l.pfb"/>
-  <type name="fixed" fullname="Helvetica Regular" family="Helvetica" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="n019003l.afm" glyphs="n019003l.pfb"/>
-  <type name="Helvetica" fullname="Helvetica Regular" family="Helvetica" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="n019003l.afm" glyphs="n019003l.pfb"/>
-  <type name="Helvetica-Bold" fullname="Helvetica Bold" family="Helvetica" foundry="URW" weight="700" style="normal" stretch="normal" format="type1" metrics="n019004l.afm" glyphs="n019004l.pfb"/>
-  <type name="Helvetica-Oblique" fullname="Helvetica Regular Italic" family="Helvetica" foundry="URW" weight="400" style="italic" stretch="normal" format="type1" metrics="n019023l.afm" glyphs="n019023l.pfb"/>
-  <type name="Helvetica-BoldOblique" fullname="Helvetica Bold Italic" family="Helvetica" foundry="URW" weight="700" style="italic" stretch="normal" format="type1" metrics="n019024l.afm" glyphs="n019024l.pfb"/>
-  <type name="Helvetica-Narrow" fullname="Helvetica Narrow" family="Helvetica Narrow" foundry="URW" weight="400" style="normal" stretch="condensed" format="type1" metrics="n019043l.afm" glyphs="n019043l.pfb"/>
-  <type name="Helvetica-Narrow-Oblique" fullname="Helvetica Narrow Oblique" family="Helvetica Narrow" foundry="URW" weight="400" style="oblique" stretch="condensed" format="type1" metrics="n019063l.afm" glyphs="n019063l.pfb"/>
-  <type name="Helvetica-Narrow-Bold" fullname="Helvetica Narrow Bold" family="Helvetica Narrow" foundry="URW" weight="700" style="normal" stretch="condensed" format="type1" metrics="n019044l.afm" glyphs="n019044l.pfb"/>
-  <type name="Helvetica-Narrow-BoldOblique" fullname="Helvetica Narrow Bold Oblique" family="Helvetica Narrow" foundry="URW" weight="700" style="oblique" stretch="condensed" format="type1" metrics="n019064l.afm" glyphs="n019064l.pfb"/>
-  <type name="NewCenturySchlbk-Roman" fullname="New Century Schoolbook" family="NewCenturySchlbk" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="c059013l.afm" glyphs="c059013l.pfb"/>
-  <type name="NewCenturySchlbk-Italic" fullname="New Century Schoolbook Italic" family="NewCenturySchlbk" foundry="URW" weight="400" style="italic" stretch="normal" format="type1" metrics="c059033l.afm" glyphs="c059033l.pfb"/>
-  <type name="NewCenturySchlbk-Bold" fullname="New Century Schoolbook Bold" family="NewCenturySchlbk" foundry="URW" weight="700" style="normal" stretch="normal" format="type1" metrics="c059016l.afm" glyphs="c059016l.pfb"/>
-  <type name="NewCenturySchlbk-BoldItalic" fullname="New Century Schoolbook Bold Italic" family="NewCenturySchlbk" foundry="URW" weight="700" style="italic" stretch="normal" format="type1" metrics="c059036l.afm" glyphs="c059036l.pfb"/>
-  <type name="Palatino-Roman" fullname="Palatino Regular" family="Palatino" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="p052003l.afm" glyphs="p052003l.pfb"/>
-  <type name="Palatino-Italic" fullname="Palatino Italic" family="Palatino" foundry="URW" weight="400" style="italic" stretch="normal" format="type1" metrics="p052023l.afm" glyphs="p052023l.pfb"/>
-  <type name="Palatino-Bold" fullname="Palatino Bold" family="Palatino" foundry="URW" weight="700" style="normal" stretch="normal" format="type1" metrics="p052004l.afm" glyphs="p052004l.pfb"/>
-  <type name="Palatino-BoldItalic" fullname="Palatino Bold Italic" family="Palatino" foundry="URW" weight="700" style="italic" stretch="normal" format="type1" metrics="p052024l.afm" glyphs="p052024l.pfb"/>
-  <type name="Times-Roman" fullname="Times Regular" family="Times" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="n021003l.afm" glyphs="n021003l.pfb"/>
-  <type name="Times-Bold" fullname="Times Medium" family="Times" foundry="URW" weight="700" style="normal" stretch="normal" format="type1" metrics="n021004l.afm" glyphs="n021004l.pfb"/>
-  <type name="Times-Italic" fullname="Times Regular Italic" family="Times" foundry="URW" weight="400" style="italic" stretch="normal" format="type1" metrics="n021023l.afm" glyphs="n021023l.pfb"/>
-  <type name="Times-BoldItalic" fullname="Times Medium Italic" family="Times" foundry="URW" weight="700" style="italic" stretch="normal" format="type1" metrics="n021024l.afm" glyphs="n021024l.pfb"/>
-  <type name="Symbol" fullname="Symbol" family="Symbol" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="s050000l.afm" glyphs="s050000l.pfb" version="0.1" encoding="AdobeCustom"/>
+  <type name="AvantGarde-Book" fullname="AvantGarde Book" family="AvantGarde" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/a010013l.afm" glyphs="/usr/share/ghostscript/fonts/a010013l.pfb"/>
+  <type name="AvantGarde-BookOblique" fullname="AvantGarde Book Oblique" family="AvantGarde" foundry="URW" weight="400" style="oblique" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/a010033l.afm" glyphs="/usr/share/ghostscript/fonts/a010033l.pfb"/>
+  <type name="AvantGarde-Demi" fullname="AvantGarde DemiBold" family="AvantGarde" foundry="URW" weight="600" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/a010015l.afm" glyphs="/usr/share/ghostscript/fonts/a010015l.pfb"/>
+  <type name="AvantGarde-DemiOblique" fullname="AvantGarde DemiOblique" family="AvantGarde" foundry="URW" weight="600" style="oblique" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/a010035l.afm" glyphs="/usr/share/ghostscript/fonts/a010035l.pfb"/>
+  <type name="Bookman-Demi" fullname="Bookman DemiBold" family="Bookman" foundry="URW" weight="600" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/b018015l.afm" glyphs="/usr/share/ghostscript/fonts/b018015l.pfb"/>
+  <type name="Bookman-DemiItalic" fullname="Bookman DemiBold Italic" family="Bookman" foundry="URW" weight="600" style="italic" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/b018035l.afm" glyphs="/usr/share/ghostscript/fonts/b018035l.pfb"/>
+  <type name="Bookman-Light" fullname="Bookman Light" family="Bookman" foundry="URW" weight="300" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/b018012l.afm" glyphs="/usr/share/ghostscript/fonts/b018012l.pfb"/>
+  <type name="Bookman-LightItalic" fullname="Bookman Light Italic" family="Bookman" foundry="URW" weight="300" style="italic" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/b018032l.afm" glyphs="/usr/share/ghostscript/fonts/b018032l.pfb"/>
+  <type name="Courier" fullname="Courier Regular" family="Courier" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n022003l.afm" glyphs="/usr/share/ghostscript/fonts/n022003l.pfb"/>
+  <type name="Courier-Bold" fullname="Courier Bold" family="Courier" foundry="URW" weight="700" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n022004l.afm" glyphs="/usr/share/ghostscript/fonts/n022004l.pfb"/>
+  <type name="Courier-Oblique" fullname="Courier Regular Oblique" family="Courier" foundry="URW" weight="400" style="oblique" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n022023l.afm" glyphs="/usr/share/ghostscript/fonts/n022023l.pfb"/>
+  <type name="Courier-BoldOblique" fullname="Courier Bold Oblique" family="Courier" foundry="URW" weight="700" style="oblique" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n022024l.afm" glyphs="/usr/share/ghostscript/fonts/n022024l.pfb"/>
+  <type name="fixed" fullname="Helvetica Regular" family="Helvetica" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n019003l.afm" glyphs="/usr/share/ghostscript/fonts/n019003l.pfb"/>
+  <type name="Helvetica" fullname="Helvetica Regular" family="Helvetica" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n019003l.afm" glyphs="/usr/share/ghostscript/fonts/n019003l.pfb"/>
+  <type name="Helvetica-Bold" fullname="Helvetica Bold" family="Helvetica" foundry="URW" weight="700" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n019004l.afm" glyphs="/usr/share/ghostscript/fonts/n019004l.pfb"/>
+  <type name="Helvetica-Oblique" fullname="Helvetica Regular Italic" family="Helvetica" foundry="URW" weight="400" style="italic" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n019023l.afm" glyphs="/usr/share/ghostscript/fonts/n019023l.pfb"/>
+  <type name="Helvetica-BoldOblique" fullname="Helvetica Bold Italic" family="Helvetica" foundry="URW" weight="700" style="italic" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n019024l.afm" glyphs="/usr/share/ghostscript/fonts/n019024l.pfb"/>
+  <type name="Helvetica-Narrow" fullname="Helvetica Narrow" family="Helvetica Narrow" foundry="URW" weight="400" style="normal" stretch="condensed" format="type1" metrics="/usr/share/ghostscript/fonts/n019043l.afm" glyphs="/usr/share/ghostscript/fonts/n019043l.pfb"/>
+  <type name="Helvetica-Narrow-Oblique" fullname="Helvetica Narrow Oblique" family="Helvetica Narrow" foundry="URW" weight="400" style="oblique" stretch="condensed" format="type1" metrics="/usr/share/ghostscript/fonts/n019063l.afm" glyphs="/usr/share/ghostscript/fonts/n019063l.pfb"/>
+  <type name="Helvetica-Narrow-Bold" fullname="Helvetica Narrow Bold" family="Helvetica Narrow" foundry="URW" weight="700" style="normal" stretch="condensed" format="type1" metrics="/usr/share/ghostscript/fonts/n019044l.afm" glyphs="/usr/share/ghostscript/fonts/n019044l.pfb"/>
+  <type name="Helvetica-Narrow-BoldOblique" fullname="Helvetica Narrow Bold Oblique" family="Helvetica Narrow" foundry="URW" weight="700" style="oblique" stretch="condensed" format="type1" metrics="/usr/share/ghostscript/fonts/n019064l.afm" glyphs="/usr/share/ghostscript/fonts/n019064l.pfb"/>
+  <type name="NewCenturySchlbk-Roman" fullname="New Century Schoolbook" family="NewCenturySchlbk" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/c059013l.afm" glyphs="/usr/share/ghostscript/fonts/c059013l.pfb"/>
+  <type name="NewCenturySchlbk-Italic" fullname="New Century Schoolbook Italic" family="NewCenturySchlbk" foundry="URW" weight="400" style="italic" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/c059033l.afm" glyphs="/usr/share/ghostscript/fonts/c059033l.pfb"/>
+  <type name="NewCenturySchlbk-Bold" fullname="New Century Schoolbook Bold" family="NewCenturySchlbk" foundry="URW" weight="700" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/c059016l.afm" glyphs="/usr/share/ghostscript/fonts/c059016l.pfb"/>
+  <type name="NewCenturySchlbk-BoldItalic" fullname="New Century Schoolbook Bold Italic" family="NewCenturySchlbk" foundry="URW" weight="700" style="italic" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/c059036l.afm" glyphs="/usr/share/ghostscript/fonts/c059036l.pfb"/>
+  <type name="Palatino-Roman" fullname="Palatino Regular" family="Palatino" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/p052003l.afm" glyphs="/usr/share/ghostscript/fonts/p052003l.pfb"/>
+  <type name="Palatino-Italic" fullname="Palatino Italic" family="Palatino" foundry="URW" weight="400" style="italic" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/p052023l.afm" glyphs="/usr/share/ghostscript/fonts/p052023l.pfb"/>
+  <type name="Palatino-Bold" fullname="Palatino Bold" family="Palatino" foundry="URW" weight="700" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/p052004l.afm" glyphs="/usr/share/ghostscript/fonts/p052004l.pfb"/>
+  <type name="Palatino-BoldItalic" fullname="Palatino Bold Italic" family="Palatino" foundry="URW" weight="700" style="italic" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/p052024l.afm" glyphs="/usr/share/ghostscript/fonts/p052024l.pfb"/>
+  <type name="Times-Roman" fullname="Times Regular" family="Times" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n021003l.afm" glyphs="/usr/share/ghostscript/fonts/n021003l.pfb"/>
+  <type name="Times-Bold" fullname="Times Medium" family="Times" foundry="URW" weight="700" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n021004l.afm" glyphs="/usr/share/ghostscript/fonts/n021004l.pfb"/>
+  <type name="Times-Italic" fullname="Times Regular Italic" family="Times" foundry="URW" weight="400" style="italic" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n021023l.afm" glyphs="/usr/share/ghostscript/fonts/n021023l.pfb"/>
+  <type name="Times-BoldItalic" fullname="Times Medium Italic" family="Times" foundry="URW" weight="700" style="italic" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/n021024l.afm" glyphs="/usr/share/ghostscript/fonts/n021024l.pfb"/>
+  <type name="Symbol" fullname="Symbol" family="Symbol" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="/usr/share/ghostscript/fonts/s050000l.afm" glyphs="/usr/share/ghostscript/fonts/s050000l.pfb" version="0.1" encoding="AdobeCustom"/>
 </typemap>

ImageMagick-6/type-urw-base35.xml

@@ -21,7 +21,7 @@
   <type name="Bookman-DemiItalic" fullname="Bookman DemiBold Italic" family="Bookman" foundry="URW" weight="600" style="italic" stretch="normal" format="type1" metrics="/usr/share/fonts/urw-base35/URWBookman-DemiItalic.afm" glyphs="/usr/share/fonts/urw-base35/URWBookman-DemiItalic.t1"/>
   <type name="Bookman-Light" fullname="Bookman Light" family="Bookman" foundry="URW" weight="300" style="normal" stretch="normal" format="type1" metrics="/usr/share/fonts/urw-base35/URWBookman-Light.afm" glyphs="/usr/share/fonts/urw-base35/URWBookman-Light.t1"/>
   <type name="Bookman-LightItalic" fullname="Bookman Light Italic" family="Bookman" foundry="URW" weight="300" style="italic" stretch="normal" format="type1" metrics="/usr/share/fonts/urw-base35/URWBookman-LightItalic.afm" glyphs="/usr/share/fonts/urw-base35/URWBookman-LightItalic.t1"/>
-  <type name="Courier" fullname="Courier Regular" family="Courier" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="/usr/share/fonts/urw-base35/NimbusMonoPS-Refular.afm" glyphs="/usr/share/fonts/urw-base35/NimbusMonoPS-Regular.t1"/>
+  <type name="Courier" fullname="Courier Regular" family="Courier" foundry="URW" weight="400" style="normal" stretch="normal" format="type1" metrics="/usr/share/fonts/urw-base35/NimbusMonoPS-Regular.afm" glyphs="/usr/share/fonts/urw-base35/NimbusMonoPS-Regular.t1"/>
   <type name="Courier-Bold" fullname="Courier Bold" family="Courier" foundry="URW" weight="700" style="normal" stretch="normal" format="type1" metrics="/usr/share/fonts/urw-base35/NimbusMonoPS-Bold.afm" glyphs="/usr/share/fonts/urw-base35/NimbusMonoPS-Bold.t1"/>
   <type name="Courier-Oblique" fullname="Courier Regular Oblique" family="Courier" foundry="URW" weight="400" style="oblique" stretch="normal" format="type1" metrics="/usr/share/fonts/urw-base35/NimbusMonoPS-Italic.afm" glyphs="/usr/share/fonts/urw-base35/NimbusMonoPS-Italic.t1"/>
   <type name="Courier-BoldOblique" fullname="Courier Bold Oblique" family="Courier" foundry="URW" weight="700" style="oblique" stretch="normal" format="type1" metrics="/usr/share/fonts/urw-base35/NimbusMonoPS-BoldItalic.afm" glyphs="/usr/share/fonts/urw-base35/NimbusMonoPS-BoldItalic.t1"/>

ImageMagick-6/type.xml

@@ -13,5 +13,5 @@
   ImageMagick font configuration.
 -->
 <typemap>
-   <include file="type-urw-base35.xml" />
+   <include file="type-ghostscript.xml" /> <include file="type-urw-base35.xml" />
 </typemap>

NetworkManager/dispatcher.d/20-chrony-dhcp

@@ -0,0 +1,58 @@
+#!/bin/sh
+# This is a NetworkManager dispatcher script for chronyd to update
+# its NTP sources passed from DHCP options. Note that this script is
+# specific to NetworkManager-dispatcher due to use of the
+# DHCP4_NTP_SERVERS environment variable.
+
+export LC_ALL=C
+
+interface=$1
+action=$2
+
+helper=/usr/libexec/chrony-helper
+default_server_options=iburst
+server_dir=/run/chrony-helper
+
+dhcp_server_tmpfile=$server_dir/tmp-nm-dhcp.$interface
+dhcp_server_file=$server_dir/nm-dhcp.$interface
+# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
+nm_dhcp_servers=$DHCP4_NTP_SERVERS
+
+[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
+[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \
+    . /etc/sysconfig/network-scripts/ifcfg-"${interface}"
+
+add_servers_from_dhcp() {
+    rm -f "$dhcp_server_file"
+
+    # Remove servers saved by the dhclient script before it detected NM.
+    rm -f "/var/lib/dhclient/chrony.servers.$interface"
+
+    # Don't add NTP servers if PEERNTP=no specified; return early.
+    [ "$PEERNTP" = "no" ] && return
+
+    # Create the directory with correct SELinux context.
+    $helper create-helper-directory > /dev/null 2>&1
+
+    for server in $nm_dhcp_servers; do
+        echo "$server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_tmpfile"
+    done
+    [ -e "$dhcp_server_tmpfile" ] && mv "$dhcp_server_tmpfile" "$dhcp_server_file"
+
+    $helper update-daemon > /dev/null 2>&1 || :
+}
+
+clear_servers_from_dhcp() {
+    if [ -f "$dhcp_server_file" ]; then
+        rm -f "$dhcp_server_file"
+        $helper update-daemon > /dev/null 2>&1 || :
+    fi
+}
+
+if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then
+    add_servers_from_dhcp
+elif [ "$action" = "down" ]; then
+    clear_servers_from_dhcp
+fi
+
+exit 0

NetworkManager/dispatcher.d/20-chrony-onoffline

@@ -5,11 +5,13 @@
 
 export LC_ALL=C
 
+chronyc=/usr/bin/chronyc
+
 # For NetworkManager consider only up/down events
 [ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
 
 # Note: for networkd-dispatcher routable.d ~= on and off.d ~= off
 
-chronyc onoffline > /dev/null 2>&1
+$chronyc onoffline > /dev/null 2>&1
 
 exit 0

NetworkManager/dispatcher.d/20-squid

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+case "$2" in
+        up|down|vpn-up|vpn-down)
+                /bin/systemctl -q reload squid.service || :
+                ;;
+esac

X11/fontpath.d/liberation-mono-fonts

@@ -0,0 +1 @@
+/usr/share/fonts/liberation-mono

almalinux-release

@@ -0,0 +1 @@
+AlmaLinux release 8.9 (Midnight Oncilla)

almalinux-release-upstream

@@ -0,0 +1 @@
+Derived from Red Hat Enterprise Linux 8.9 (Source)

alternatives/alt-java

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/alt-java
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/alt-java

alternatives/alt-java.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/alt-java-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/alt-java-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

alternatives/ifdown

@@ -1 +0,0 @@
-/etc/sysconfig/network-scripts/ifdown

alternatives/ifup

@@ -1 +0,0 @@
-/etc/sysconfig/network-scripts/ifup

alternatives/java

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/java
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/java

alternatives/java.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

alternatives/jjs

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/jjs
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/jjs

alternatives/jjs.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/jjs-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/jjs-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

alternatives/jre

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre

alternatives/jre_1.8.0

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre

alternatives/jre_1.8.0_openjdk

@@ -1 +1 @@
-/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64
+/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64

alternatives/jre_openjdk

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre

alternatives/keytool

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/keytool
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/keytool

alternatives/keytool.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/keytool-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/keytool-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

alternatives/orbd

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/orbd
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/orbd

alternatives/orbd.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/orbd-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/orbd-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

alternatives/pack200

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/pack200
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/pack200

alternatives/pack200.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/pack200-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/pack200-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

alternatives/policytool

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/policytool
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/policytool

alternatives/policytool.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/policytool-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/policytool-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

alternatives/rmid

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/rmid
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/rmid

alternatives/rmid.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/rmid-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/rmid-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

alternatives/rmiregistry

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/rmiregistry
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/rmiregistry

alternatives/rmiregistry.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/rmiregistry-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/rmiregistry-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

alternatives/servertool

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/servertool
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/servertool

alternatives/servertool.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/servertool-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/servertool-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

alternatives/tnameserv

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/tnameserv
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/tnameserv

alternatives/tnameserv.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/tnameserv-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/tnameserv-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

alternatives/unpack200

@@ -1 +1 @@
-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64/jre/bin/unpack200
+/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64/jre/bin/unpack200

alternatives/unpack200.1.gz

@@ -1 +1 @@
-/usr/share/man/man1/unpack200-java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64.1.gz
+/usr/share/man/man1/unpack200-java-1.8.0-openjdk-1.8.0.402.b06-2.el8.x86_64.1.gz

amavisd/amavisd.conf.rpmnew

@@ -1,828 +0,0 @@
-use strict;
-
-# a minimalistic configuration file for amavisd-new with all necessary settings
-#
-#   see amavisd.conf-default for a list of all variables with their defaults;
-#   for more details see documentation in INSTALL, README_FILES/*
-#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
-
-
-# COMMONLY ADJUSTED SETTINGS:
-
-# @bypass_virus_checks_maps = (1);  # controls running of anti-virus code
-# @bypass_spam_checks_maps  = (1);  # controls running of anti-spam code
-# $bypass_decode_parts = 1;         # controls running of decoders&dearchivers
-
-# $myprogram_name = $0; # set to 'amavisd' or similar to avoid process name
-                        # truncation in /proc/<pid>/stat and ps -e output
-
-$max_servers = 2;            # num of pre-forked children (2..30 is common), -m
-$daemon_user  = 'amavis';    # (no default;  customary: vscan or amavis), -u
-$daemon_group = 'amavis';    # (no default;  customary: vscan or amavis), -g
-
-$mydomain = 'example.com';   # a convenient default for other settings
-
-$MYHOME = '/var/spool/amavisd';   # a convenient default for other settings, -H
-$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to exist, -T
-$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR, used by SA, etc.
-$QUARANTINEDIR = undef;      # -Q
-# $quarantine_subdir_levels = 1;  # add level of subdirs to disperse quarantine
-# $release_format = 'resend';     # 'attach', 'plain', 'resend'
-# $report_format  = 'arf';        # 'attach', 'plain', 'resend', 'arf'
-
-# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef, -R
-
-$db_home   = "$MYHOME/db";        # dir for bdb nanny/cache/snmp databases, -D
-# $helpers_home = "$MYHOME/var";  # working directory for SpamAssassin, -S
-$lock_file = "/run/amavisd/amavisd.lock";  # -L
-$pid_file  = "/run/amavisd/amavisd.pid";   # -P
-#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually
-
-$log_level = 0;              # verbosity 0..5, -d
-$log_recip_templ = undef;    # disable by-recipient level-0 log entries
-$do_syslog = 1;              # log via syslogd (preferred)
-$syslog_facility = 'mail';   # Syslog facility as a string
-           # e.g.: mail, daemon, user, local0, ... local7
-
-$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
-# $enable_zmq = 1;           # enable use of ZeroMQ (SNMP and nanny)
-$nanny_details_level = 2;    # nanny verbosity: 1: traditional, 2: detailed
-$enable_dkim_verification = 1;  # enable DKIM signatures verification
-$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key
-
-@local_domains_maps = ( [".$mydomain"] );  # list of all local domains
-
-@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
-                  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );
-
-$unix_socketname = "/run/amavisd/amavisd.sock";  # amavisd-release or amavis-milter
-               # option(s) -p overrides $inet_socket_port and $unix_socketname
-
-# The default receiving port in the Fedora and RHEL SELinux policy is 10024.
-# To allow additional ports you need to label them as 'amavisd_recv_port_t'
-# For example: semanage port -a -t amavisd_recv_port_t -p tcp 10022
-$inet_socket_port = 10024;   # listen on this local TCP port(s)
-# $inet_socket_port = [10022,10024];  # listen on multiple TCP ports
-
-$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
-  originating => 1,  # is true in MYNETS by default, but let's make it explicit
-  os_fingerprint_method => undef,  # don't query p0f for internal clients
-};
-
-# it is up to MTA to re-route mail from authenticated roaming users or
-# from internal hosts to a dedicated TCP port (such as 10022) for filtering
-$interface_policy{'10022'} = 'ORIGINATING';
-
-$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
-  originating => 1,  # declare that mail was submitted by our smtp client
-  allow_disclaimers => 1,  # enables disclaimer insertion if available
-  # notify administrator of locally originating malware
-  virus_admin_maps => ["virusalert\@$mydomain"],
-  spam_admin_maps  => ["virusalert\@$mydomain"],
-  warnbadhsender   => 1,
-  # forward to a smtpd service providing DKIM signing service
-  forward_method => 'smtp:[127.0.0.1]:10025',
-  # force MTA conversion to 7-bit (e.g. before DKIM signing)
-  smtpd_discard_ehlo_keywords => ['8BITMIME'],
-  bypass_banned_checks_maps => [1],  # allow sending any file names and types
-  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
-};
-
-$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname
-
-# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c
-# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'):
-$policy_bank{'AM.PDP-SOCK'} = {
-  protocol => 'AM.PDP',
-  auth_required_release => 0,  # do not require secret_id for amavisd-release
-};
-
-$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
-$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
-$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)
-$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is suppressed
-$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From
-# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off
-$penpals_bonus_score = 8;    # (no effect without a @storage_sql_dsn database)
-$penpals_threshold_high = $sa_kill_level_deflt;  # don't waste time on hi spam
-$bounce_killer_score = 100;  # spam score points to add for joe-jobbed bounces
-
-$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
-$sa_local_tests_only = 0;    # only tests which do not require internet access?
-
-# @lookup_sql_dsn =
-#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
-#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'],
-#     ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] );
-# @storage_sql_dsn = @lookup_sql_dsn;  # none, same, or separate database
-# @storage_redis_dsn = ( {server=>'127.0.0.1:6379', db_id=>1} );
-# $redis_logging_key = 'amavis-log';
-# $redis_logging_queue_size_limit = 300000;  # about 250 MB / 100000
-
-# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
-#   defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
-
-$virus_admin               = undef;                    # notifications recip.
-
-$mailfrom_notify_admin     = undef;                    # notifications sender
-$mailfrom_notify_recip     = undef;                    # notifications sender
-$mailfrom_notify_spamadmin = undef;                    # notifications sender
-$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
-
-@addr_extension_virus_maps      = ('virus');
-@addr_extension_banned_maps     = ('banned');
-@addr_extension_spam_maps       = ('spam');
-@addr_extension_bad_header_maps = ('badh');
-# $recipient_delimiter = '+';  # undef disables address extensions altogether
-# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
-
-$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
-# $dspam = 'dspam';
-
-$MAXLEVELS = 14;
-$MAXFILES = 3000;
-$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
-$MAX_EXPANSION_QUOTA = 500*1024*1024;  # bytes  (default undef, not enforced)
-
-$sa_spam_subject_tag = '***Spam*** ';
-$defang_virus  = 1;  # MIME-wrap passed infected mail
-$defang_banned = 1;  # MIME-wrap passed mail containing banned name
-# for defanging bad headers only turn on certain minor contents categories:
-$defang_by_ccat{CC_BADH.",3"} = 1;  # NUL or CR character in header
-$defang_by_ccat{CC_BADH.",5"} = 1;  # header line longer than 998 characters
-$defang_by_ccat{CC_BADH.",6"} = 1;  # header field syntax error
-
-
-# OTHER MORE COMMON SETTINGS (defaults may suffice):
-
-# $myhostname = 'host.example.com';  # must be a fully-qualified domain name!
-
-# The default forwarding port in the Fedora and RHEL SELinux policy is 10025.
-# To allow additional ports you need to label them as 'amavisd_send_port_t'.
-# For example: semanage port -a -t amavisd_send_port_t -p tcp 10023
-# $notify_method  = 'smtp:[127.0.0.1]:10023';
-# $forward_method = 'smtp:[127.0.0.1]:10023';  # set to undef with milter!
-
-$final_virus_destiny      = D_DISCARD;
-$final_banned_destiny     = D_BOUNCE;
-$final_spam_destiny       = D_DISCARD;  #!!!  D_DISCARD / D_REJECT
-$final_bad_header_destiny = D_BOUNCE;
-# $bad_header_quarantine_method = undef;
-
-# $os_fingerprint_method = 'p0f:*:2345';  # to query p0f-analyzer.pl
-
-## hierarchy by which a final setting is chosen:
-##   policy bank (based on port or IP address) -> *_by_ccat
-##   *_by_ccat (based on mail contents) -> *_maps
-##   *_maps (based on recipient address) -> final configuration value
-
-
-# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all)
-
-# $warnbadhsender,
-# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps)
-#
-# @bypass_virus_checks_maps, @bypass_spam_checks_maps,
-# @bypass_banned_checks_maps, @bypass_header_checks_maps,
-#
-# @virus_lovers_maps, @spam_lovers_maps,
-# @banned_files_lovers_maps, @bad_header_lovers_maps,
-#
-# @blacklist_sender_maps, @score_sender_maps,
-#
-# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to,
-# $bad_header_quarantine_to, $spam_quarantine_to,
-#
-# $defang_bad_header, $defang_undecipherable, $defang_spam
-
-
-# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
-
-@keep_decoded_original_maps = (new_RE(
-  qr'^MAIL$',                # let virus scanner see full original message
-  qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
-  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
-# qr'^Zip archive data',     # don't trust Archive::Zip
-));
-
-
-$banned_filename_re = new_RE(
-
-### BLOCKED ANYWHERE
-# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
-  qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
-# qr'^\.(exe|lha|cab|dll)$',              # banned file(1) types
-
-### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
-# [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
-  [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
-
-  qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
-# qr'^\.zip$',                            # block zip type
-
-### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
-# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives
-
-  qr'^application/x-msdownload$'i,        # block these MIME types
-  qr'^application/x-msdos-program$'i,
-  qr'^application/hta$'i,
-
-# qr'^message/partial$'i,         # rfc2046 MIME type
-# qr'^message/external-body$'i,   # rfc2046 MIME type
-
-# qr'^(application/x-msmetafile|image/x-wmf)$'i,  # Windows Metafile MIME type
-# qr'^\.wmf$',                            # Windows Metafile file(1) type
-
-  # block certain double extensions in filenames
-  qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
-
-# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict
-# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose
-
-  qr'.\.(exe|vbs|pif|scr|cpl)$'i,             # banned extension - basic
-# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd
-# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
-#        inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|
-#        msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|
-#        wmf|wsc|wsf|wsh)$'ix,                # banned extensions - long
-# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i,     # consider also
-# qr'.\.(ani|cur|ico)$'i,                 # banned cursors and icons filename
-# qr'^\.ani$',                            # banned animated cursor file(1) type
-# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
-);
-# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
-# and http://www.cknow.com/vtutor/vtextensions.htm
-
-
-# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
-
-@score_sender_maps = ({ # a by-recipient hash lookup table,
-                        # results from all matching recipient tables are summed
-
-# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
-# 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
-# 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],
-# 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
-#                           '.cleargreen.com'           => -5.0}],
-
-  ## site-wide opinions about senders (the '.' matches any recipient)
-  '.' => [  # the _first_ matching sender determines the score boost
-
-   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
-    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
-    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
-    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
-    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
-    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
-    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
-    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
-   ),
-
-#  read_hash("/var/amavis/sender_scores_sitewide"),
-
-   { # a hash-type lookup table (associative array)
-     'nobody@cert.org'                        => -3.0,
-     'cert-advisory@us-cert.gov'              => -3.0,
-     'owner-alert@iss.net'                    => -3.0,
-     'slashdot@slashdot.org'                  => -3.0,
-     'securityfocus.com'                      => -3.0,
-     'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
-     'security-alerts@linuxsecurity.com'      => -3.0,
-     'mailman-announce-admin@python.org'      => -3.0,
-     'amavis-user-admin@lists.sourceforge.net'=> -3.0,
-     'amavis-user-bounces@lists.sourceforge.net' => -3.0,
-     'spamassassin.apache.org'                => -3.0,
-     'notification-return@lists.sophos.com'   => -3.0,
-     'owner-postfix-users@postfix.org'        => -3.0,
-     'owner-postfix-announce@postfix.org'     => -3.0,
-     'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
-     'sendmail-announce-request@lists.sendmail.org' => -3.0,
-     'donotreply@sendmail.org'                => -3.0,
-     'ca+envelope@sendmail.org'               => -3.0,
-     'noreply@freshmeat.net'                  => -3.0,
-     'owner-technews@postel.acm.org'          => -3.0,
-     'ietf-123-owner@loki.ietf.org'           => -3.0,
-     'cvs-commits-list-admin@gnome.org'       => -3.0,
-     'rt-users-admin@lists.fsck.com'          => -3.0,
-     'clp-request@comp.nus.edu.sg'            => -3.0,
-     'surveys-errors@lists.nua.ie'            => -3.0,
-     'emailnews@genomeweb.com'                => -5.0,
-     'yahoo-dev-null@yahoo-inc.com'           => -3.0,
-     'returns.groups.yahoo.com'               => -3.0,
-     'clusternews@linuxnetworx.com'           => -3.0,
-     lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
-     lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
-
-     # soft-blacklisting (positive score)
-     'sender@example.net'                     =>  3.0,
-     '.example.net'                           =>  1.0,
-
-   },
-  ],  # end of site-wide tables
-});
-
-
-@decoders = (
-  ['mail', \&do_mime_decode],
-# [[qw(asc uue hqx ync)], \&do_ascii],  # not safe
-  ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
-  ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
-  ['gz',   \&do_uncompress, 'gzip -d'],
-  ['gz',   \&do_gunzip],
-  ['bz2',  \&do_uncompress, 'bzip2 -d'],
-  ['xz',   \&do_uncompress,
-           ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
-  ['lzma', \&do_uncompress,
-           ['lzmadec', 'xz -dc --format=lzma',
-            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
-#  ['lrz',  \&do_uncompress,
-#           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
-  ['lzo',  \&do_uncompress, 'lzop -d'],
-  ['lz4',  \&do_uncompress, ['lz4c -d'] ],
-  ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
-  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
-           # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
-  ['deb',  \&do_ar, 'ar'],
-# ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
-  ['rar',  \&do_unrar, ['unrar', 'rar'] ],
-  ['arj',  \&do_unarj, ['unarj', 'arj'] ],
-  ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
-  ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
-# ['doc',  \&do_ole,   'ripole'],  # no ripole package so far
-  ['cab',  \&do_cabextract, 'cabextract'],
-# ['tnef', \&do_tnef_ext, 'tnef'],  # use internal do_tnef() instead
-  ['tnef', \&do_tnef],
-# ['lha',  \&do_lha,   'lha'],  # not safe, use 7z instead
-# ['sit',  \&do_unstuff, 'unstuff'],  # not safe
-  [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
-  [['zip','kmz'], \&do_unzip],
-  ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
-  [[qw(gz bz2 Z tar)],
-           \&do_7zip,  ['7za', '7z'] ],
-  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
-           \&do_7zip,  '7z' ],
-  ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
-);
-
-
-@av_scanners = (
-
-# ### http://www.sophos.com/
-# ['Sophos-SSSP',  # SAV Dynamic Interface
-#   \&ask_daemon, ["{}", 'sssp:/run/savdi/sssp.sock'],
-#           # or: ["{}", 'sssp:[127.0.0.1]:4010'],
-#   qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ],
-
-# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
-# ['Sophie',
-#   \&ask_daemon, ["{}/\n", 'sophie:/run/sophie'],
-#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
-#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
-
-# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
-# ['Sophos SAVI', \&ask_daemon, ['{}','savi-perl:'] ],
-
-# ['Avira SAVAPI',
-#   \&ask_daemon, ["*", 'savapi:/var/tmp/.savapi3', 'product-id'],
-#   qr/^(200|210)/m,  qr/^(310|420|319)/m,
-#   qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m ],
-# settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1
-
-  ### http://www.clamav.net/
-  ['ClamAV-clamd',
-    \&ask_daemon, ["CONTSCAN {}\n", "/run/clamd.amavisd/clamd.sock"],
-    qr/\bOK$/m, qr/\bFOUND$/m,
-    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
-  # NOTE: run clamd under the same user as amavisd - or run it under its own
-  #   uid such as clamav, add user clamav to the amavis group, and then add
-  #   AllowSupplementaryGroups to clamd.conf;
-  # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
-  #   this entry; when running chrooted one may prefer a socket under $MYHOME.
-
-# ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
-# # note that Mail::ClamAV requires perl to be build with threading!
-# ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'],
-#   [0], [1], qr/^INFECTED: (.+)/m],
-
-# ### http://www.openantivirus.org/
-# ['OpenAntiVirus ScannerDaemon (OAV)',
-#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
-#   qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ],
-
-# ### http://www.vanja.com/tools/trophie/
-# ['Trophie',
-#   \&ask_daemon, ["{}/\n", 'trophie:/run/trophie'],
-#   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
-#   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
-
-# ### http://www.grisoft.com/
-# ['AVG Anti-Virus',
-#   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
-#   qr/^200/m, qr/^403/m, qr/^403[- ].*: ([^\r\n]+)/m ],
-
-# ### http://www.f-prot.com/
-# ['F-Prot fpscand',  # F-PROT Antivirus for BSD/Linux/Solaris, version 6
-#   \&ask_daemon,
-#   ["SCAN FILE {}/*\n", '127.0.0.1:10200'],
-#   qr/^(0|8|64) /m,
-#   qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m,
-#   qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ],
-
-# ### http://www.f-prot.com/
-# ['F-Prot f-protd',  # old version
-#   \&ask_daemon,
-#   ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
-#     ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202',
-#      '127.0.0.1:10203', '127.0.0.1:10204'] ],
-#   qr/(?i)<summary[^>]*>clean<\/summary>/m,
-#   qr/(?i)<summary[^>]*>infected<\/summary>/m,
-#   qr/(?i)<name>(.+)<\/name>/m ],
-
-# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
-# ['DrWebD', \&ask_daemon,   # DrWebD 4.31 or later
-#   [pack('N',1).  # DRWEBD_SCAN_CMD
-#    pack('N',0x00280001).   # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
-#    pack('N',     # path length
-#      length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
-#    '{}/*'.       # path
-#    pack('N',0).  # content size
-#    pack('N',0),
-#    '/var/drweb/run/drwebd.sock',
-#  # '/var/amavis/run/drwebd.sock',   # suitable for chroot
-#  # '/usr/local/drweb/run/drwebd.sock',  # FreeBSD drweb ports default
-#  # '127.0.0.1:3000',                    # or over an inet socket
-#   ],
-#   qr/\A\x00[\x10\x11][\x00\x10]\x00/sm,        # IS_CLEAN,EVAL_KEY; SKIPPED
-#   qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF
-#   qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm,
-# ],
-# # NOTE: If using amavis-milter, change length to:
-# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").
-
-  ### http://www.kaspersky.com/  (kav4mailservers)
-  ['KasperskyLab AVP - aveclient',
-    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
-     '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
-    '-p /run/aveserver -s {}/*',
-    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m,
-    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m,
-  ],
-  # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
-  # currupted or protected archives are to be handled
-
-  ### http://www.kaspersky.com/
-  ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
-    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4],    # any use for -A -K   ?
-    qr/infected: (.+)/m,
-    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
-    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
-  ],
-
-  ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
-  ### products and replaced by aveserver and aveclient
-  ['KasperskyLab AVPDaemonClient',
-    [ '/opt/AVP/kavdaemon',       'kavdaemon',
-      '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
-      '/opt/AVP/AvpTeamDream',    'AvpTeamDream',
-      '/opt/AVP/avpdc', 'avpdc' ],
-    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ],
-    # change the startup-script in /etc/init.d/kavd to:
-    #   DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
-    #   (or perhaps:   DPARMS="-I0 -Y -* /var/amavis" )
-    # adjusting /var/amavis above to match your $TEMPBASE.
-    # The '-f=/var/amavis' is needed if not running it as root, so it
-    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
-    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
-    #   directory $TEMPBASE specifies) in the 'Names=' section.
-    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
-    # cp AvpDaemonClient /opt/AVP/
-    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"
-
-  ### http://www.centralcommand.com/
-  ['CentralCommand Vexira (new) vascan',
-    ['vascan','/usr/lib/Vexira/vascan'],
-    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
-    "--log=/var/log/vascan.log {}",
-    [0,3], [1,2,5],
-    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ],
-    # Adjust the path of the binary and the virus database as needed.
-    # 'vascan' does not allow to have the temp directory to be the same as
-    # the quarantine directory, and the quarantine option can not be disabled.
-    # If $QUARANTINEDIR is not used, then another directory must be specified
-    # to appease 'vascan'. Move status 3 to the second list if password
-    # protected files are to be considered infected.
-
-  ### http://www.avira.com/
-  ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus
-  ['Avira AntiVir', ['antivir','vexira'],
-    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m,
-    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
-         (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ],
-    # NOTE: if you only have a demo version, remove -z and add 214, as in:
-    #  '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,
-
-  ### http://www.avira.com/
-  ### Avira for UNIX 3.x
-  ['Avira AntiVir', ['avscan'],
-   '-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m,
-   qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ],
-
-  ### http://www.commandsoftware.com/
-  ['Command AntiVirus for Linux', 'csav',
-    '-all -archive -packed {}', [50], [51,52,53],
-    qr/Infection: (.+)/m ],
-
-  ### http://www.symantec.com/
-  ['Symantec CarrierScan via Symantec CommandLineScanner',
-    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
-    qr/^Files Infected:\s+0$/m, qr/^Infected\b/m,
-    qr/^(?:Info|Virus Name):\s+(.+)/m ],
-
-  ### http://www.symantec.com/
-  ['Symantec AntiVirus Scan Engine',
-    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
-    [0], qr/^Infected\b/m,
-    qr/^(?:Info|Virus Name):\s+(.+)/m ],
-    # NOTE: check options and patterns to see which entry better applies
-
-# ### http://www.f-secure.com/products/anti-virus/  version 5.52
-#  ['F-Secure Antivirus for Linux servers',
-#   ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
-#   '--virus-action1=report --archive=yes --auto=yes '.
-#   '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
-#   qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
-#   # NOTE: internal archive handling may be switched off by '--archive=no'
-#   #   to prevent fsav from exiting with status 9 on broken archives
-
-  ### http://www.f-secure.com/ version 9.14
-   ['F-Secure Linux Security',
-    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
-    '--virus-action1=report --archive=yes --auto=yes '.
-    '--list=no --nomimeerr {}', [0], [3,4,6,8],
-    qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
-    # NOTE: internal archive handling may be switched off by '--archive=no'
-    #   to prevent fsav from exiting with status 9 on broken archives
-
-# ### http://www.avast.com/
-# ['avast! Antivirus daemon',
-#   \&ask_daemon,  # greets with 220, terminate with QUIT
-#   ["SCAN {}\015\012QUIT\015\012", '/run/avast4/mailscanner.sock'],
-#   qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t[0-9]+\s+([^[ \t\015\012]+)/m ],
-
-# ### http://www.avast.com/
-# ['avast! Antivirus - Client/Server Version', 'avastlite',
-#   '-a /run/avast4/mailscanner.sock -n {}', [0], [1],
-#   qr/\t\[L\]\t([^[ \t\015\012]+)/m ],
-
-  ['CAI InoculateIT', 'inocucmd',  # retired product
-    '-sec -nex {}', [0], [100],
-    qr/was infected by virus (.+)/m ],
-  # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html
-
-  ### http://www3.ca.com/Solutions/Product.asp?ID=156  (ex InoculateIT)
-  ['CAI eTrust Antivirus', 'etrust-wrapper',
-    '-arc -nex -spm h {}', [0], [101],
-    qr/is infected by virus: (.+)/m ],
-    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
-    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783
-
-  ### http://mks.com.pl/english.html
-  ['MkS_Vir for Linux (beta)', ['mks32','mks'],
-    '-s {}/*', [0], [1,2],
-    qr/--[ \t]*(.+)/m ],
-
-  ### http://mks.com.pl/english.html
-  ['MkS_Vir daemon', 'mksscan',
-    '-s -q {}', [0], [1..7],
-    qr/^... (\S+)/m ],
-
-# ### http://www.nod32.com/,  version v2.52 (old)
-# ['ESET NOD32 for Linux Mail servers',
-#   ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
-#    '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
-#    '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
-#    '--action-on-notscanned=accept {}',
-#   [0,3], [1,2], qr/virus="([^"]+)"/m ],
-
-# ### http://www.eset.com/, version v2.7 (old)
-# ['ESET NOD32 Linux Mail Server - command line interface',
-#   ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
-#   '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ],
-
-# ### http://www.eset.com/, version 2.71.12
-# ['ESET Software ESETS Command Line Interface',
-#   ['/usr/bin/esets_cli', 'esets_cli'],
-#   '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ],
-
-  ### http://www.eset.com/, version 3.0
-  ['ESET Software ESETS Command Line Interface',
-    ['/usr/bin/esets_cli', 'esets_cli'],
-    '--subdir {}', [0], [1,2,3],
-    qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ],
-
-  ## http://www.nod32.com/,  NOD32LFS version 2.5 and above
-  ['ESET NOD32 for Linux File servers',
-    ['/opt/eset/nod32/sbin/nod32','nod32'],
-    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
-    '-w -a --action=1 -b {}',
-    [0], [1,10], qr/^object=.*, virus="(.*?)",/m ],
-
-# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
-# ['ESET Software NOD32 Client/Server (NOD32SS)',
-#   \&ask_daemon2,    # greets with 200, persistent, terminate with QUIT
-#   ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
-#   qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ],
-
-  ### http://www.norman.com/products_nvc.shtml
-  ['Norman Virus Control v5 / Linux', 'nvcc',
-    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
-    qr/(?i).* virus in .* -> \'(.+)\'/m ],
-
-  ### http://www.pandasoftware.com/
-  ['Panda CommandLineSecure 9 for Linux',
-    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
-    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
-    qr/Number of files infected[ .]*: 0+(?!\d)/m,
-    qr/Number of files infected[ .]*: 0*[1-9]/m,
-    qr/Found virus :\s*(\S+)/m ],
-  # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
-  # before starting amavisd - the bases are then loaded only once at startup.
-  # To reload bases in a signature update script:
-  #   /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
-  # Please review other options of pavcl, for example:
-  #  -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies
-
-# ### http://www.pandasoftware.com/
-# ['Panda Antivirus for Linux', ['pavcl'],
-#   '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
-#   [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
-#   qr/Found virus :\s*(\S+)/m ],
-
-# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
-# Check your RAV license terms before fiddling with the following two lines!
-# ['GeCAD RAV AntiVirus 8', 'ravav',
-#   '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ],
-# # NOTE: the command line switches changed with scan engine 8.5 !
-# # (btw, assigning stdin to /dev/null causes RAV to fail)
-
-  ### http://www.nai.com/
-  ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
-    '--secure -rv --mime --summary --noboot - {}', [0], [13],
-    qr/(?x) Found (?:
-        \ the\ (.+)\ (?:virus|trojan)  |
-        \ (?:virus|trojan)\ or\ variant\ ([^ ]+)  |
-        :\ (.+)\ NOT\ a\ virus)/m,
-  # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
-  # sub {delete $ENV{LD_PRELOAD}},
-  ],
-  # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
-  # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
-  # and then clear it when finished to avoid confusing anything else.
-  # NOTE2: to treat encrypted files as viruses replace the [13] with:
-  #  qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/
-
-  ### http://www.virusbuster.hu/en/
-  ['VirusBuster', ['vbuster', 'vbengcl'],
-    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
-    qr/: '(.*)' - Virus/m ],
-  # VirusBuster Ltd. does not support the daemon version for the workstation
-  # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
-  # binaries, some parameters AND return codes have changed (from 3 to 1).
-  # See also the new Vexira entry 'vascan' which is possibly related.
-
-# ### http://www.virusbuster.hu/en/
-# ['VirusBuster (Client + Daemon)', 'vbengd',
-#   '-f -log scandir {}', [0], [3],
-#   qr/Virus found = (.*);/m ],
-# # HINT: for an infected file it always returns 3,
-# # although the man-page tells a different story
-
-  ### http://www.cyber.com/
-  ['CyberSoft VFind', 'vfind',
-    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m,
-  # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
-  ],
-
-# ### http://www.avast.com/  (old)
-# ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
-#   '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ],
-
-# ### http://www.avast.com/
-# ['avast! Antivirus', '/bin/scan', '{}', [0], [1], qr/\t(.+)/m ],
-
-  ### http://www.ikarus-software.com/
-  ['Ikarus AntiVirus for Linux', 'ikarus',
-    '{}', [0], [40], qr/Signature (.+) found/m ],
-
-  ### http://www.bitdefender.com/
-  ['BitDefender', 'bdscan',  # new version
-    '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m,
-    qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m,
-    qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ],
-
-  ### http://www.bitdefender.com/
-  ['BitDefender', 'bdc',  # old version
-    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m,
-    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m,
-    qr/(?:suspected|infected): (.*)(?:\033|$)/m ],
-  # consider also: --all --nowarn --alev=15 --flev=15.  The --all argument may
-  # not apply to your version of bdc, check documentation and see 'bdc --help'
-
-  ### ArcaVir for Linux and Unix http://www.arcabit.pl/
-  ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
-    '-v 1 -summary 0 -s {}', [0], [1,2],
-    qr/(?:VIR|WIR):[ \t]*(.+)/m ],
-
-# ### a generic SMTP-client interface to a SMTP-based virus scanner
-# ['av_smtp', \&ask_av_smtp,
-#   ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'],
-#   qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ],
-
-# ['File::Scan', sub {Amavis::AV::ask_av(sub{
-#   use File::Scan; my($fn)=@_;
-#   my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
-#   my($vname) = $f->scan($fn);
-#   $f->error ? (2,"Error: ".$f->error)
-#   : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },
-#   ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ],
-
-# ### fully-fledged checker for JPEG marker segments of invalid length
-# ['check-jpeg',
-#   sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
-#   ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ],
-# # NOTE: place file JpegTester.pm somewhere where Perl can find it,
-# #       for example in /usr/local/lib/perl5/site_perl
-
-);
-
-
-@av_scanners_backup = (
-
-  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
-  ['ClamAV-clamscan', 'clamscan',
-    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
-    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
-
-# ### http://www.clamav.net/ - using remote clamd scanner as a backup
-# ['ClamAV-clamdscan', 'clamdscan',
-#   "--stdout --no-summary --config-file=/etc/clamd-client.conf {}",
-#   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
-
-# ['ClamAV-clamd-stream',
-#   \&ask_daemon, ["*", 'clamd:/run/clamav/clamd.sock'],
-#   qr/\bOK$/m, qr/\bFOUND$/m,
-#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
-
-  ### http://www.f-prot.com/   - backs up F-Prot Daemon, V6
-  ['F-PROT Antivirus for UNIX', ['fpscan'],
-    '--report --mount --adware {}',  # consider: --applications -s 4 -u 3 -z 10
-    [0,8,64],  [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3],
-    qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ],
-
-  ### http://www.f-prot.com/   - backs up F-Prot Daemon (old)
-  ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
-    '-dumb -archive -packed {}', [0,8], [3,6],   # or: [0], [3,6,8],
-    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ],
-
-  ### http://www.trendmicro.com/   - backs up Trophie
-  ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
-    '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ],
-
-  ### http://www.sald.com/, http://drweb.imshop.de/   - backs up DrWebD
-  ['drweb - DrWeb Antivirus',  # security LHA hole in Dr.Web 4.33 and earlier
-    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
-    '-path={} -al -go -ot -cn -upn -ok-',
-    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ],
-
-   ### http://www.kaspersky.com/
-   ['Kaspersky Antivirus v5.5',
-     ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
-      '/opt/kav/5.5/kav4unix/bin/kavscanner',
-      '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
-     '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
-     qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
-#    sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
-#    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
-   ],
-
-  ### http://www.sophos.com/
-  ['Sophos Anti Virus (savscan)',   # formerly known as 'sweep'
-    ['/opt/sophos-av/bin/savscan', 'savscan'],  # 'sweep'
-    '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
-    '--no-reset-atime {}',
-    [0,2], qr/Virus .*? found/m,
-    qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
-  ],
-  # other options to consider: -idedir=/usr/local/sav
-  # A name 'sweep' clashes with a name of an audio editor (Debian and FreeBSD).
-  # Make sure the correct 'sweep' is found in the path if using the old name.
-
-# Always succeeds and considers mail clean.
-# Potentially useful when all other scanners fail and it is desirable
-# to let mail continue to flow with no virus checking (when uncommented).
-# ['always-clean', sub {0}],
-
-);
-
-
-1;  # insure a defined return value

ansible/ansible.cfg

@@ -1,490 +1,11 @@
-# config file for ansible -- https://ansible.com/
-# ===============================================
-
-# nearly all parameters can be overridden in ansible-playbook
-# or with command line flags. ansible will read ANSIBLE_CONFIG,
-# ansible.cfg in the current working directory, .ansible.cfg in
-# the home directory or /etc/ansible/ansible.cfg, whichever it
-# finds first
-
-[defaults]
-
-# some basic default values...
-
-#inventory      = /etc/ansible/hosts
-#library        = /usr/share/my_modules/
-#module_utils   = /usr/share/my_module_utils/
-#remote_tmp     = ~/.ansible/tmp
-#local_tmp      = ~/.ansible/tmp
-#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
-#forks          = 5
-#poll_interval  = 15
-#sudo_user      = root
-#ask_sudo_pass = True
-#ask_pass      = True
-#transport      = smart
-#remote_port    = 22
-#module_lang    = C
-#module_set_locale = False
-
-# plays will gather facts by default, which contain information about
-# the remote system.
+# Since Ansible 2.12 (core):
+# To generate an example config file (a "disabled" one with all default settings, commented out):
+#               $ ansible-config init --disabled > ansible.cfg
 #
-# smart - gather by default, but don't regather if already gathered
-# implicit - gather by default, turn off with gather_facts: False
-# explicit - do not gather by default, must say gather_facts: True
-#gathering = implicit
+# Also you can now have a more complete file by including existing plugins:
+# ansible-config init --disabled -t all > ansible.cfg
 
-# This only affects the gathering done by a play's gather_facts directive,
-# by default gathering retrieves all facts subsets
-# all - gather all subsets
-# network - gather min and network facts
-# hardware - gather hardware facts (longest facts to retrieve)
-# virtual - gather min and virtual facts
-# facter - import facts from facter
-# ohai - import facts from ohai
-# You can combine them using comma (ex: network,virtual)
-# You can negate them using ! (ex: !hardware,!facter,!ohai)
-# A minimal set of facts is always gathered.
-#gather_subset = all
+# For previous versions of Ansible you can check for examples in the 'stable' branches of each version
+# Note that this file was always incomplete  and lagging changes to configuration settings
 
-# some hardware related facts are collected
-# with a maximum timeout of 10 seconds. This
-# option lets you increase or decrease that
-# timeout to something more suitable for the
-# environment.
-# gather_timeout = 10
-
-# Ansible facts are available inside the ansible_facts.* dictionary
-# namespace. This setting maintains the behaviour which was the default prior
-# to 2.5, duplicating these variables into the main namespace, each with a
-# prefix of 'ansible_'.
-# This variable is set to True by default for backwards compatibility. It
-# will be changed to a default of 'False' in a future release.
-# ansible_facts.
-# inject_facts_as_vars = True
-
-# additional paths to search for roles in, colon separated
-#roles_path    = /etc/ansible/roles
-
-# uncomment this to disable SSH key host checking
-#host_key_checking = False
-
-# change the default callback, you can only have one 'stdout' type  enabled at a time.
-#stdout_callback = skippy
-
-
-## Ansible ships with some plugins that require whitelisting,
-## this is done to avoid running all of a type by default.
-## These setting lists those that you want enabled for your system.
-## Custom plugins should not need this unless plugin author specifies it.
-
-# enable callback plugins, they can output to stdout but cannot be 'stdout' type.
-#callback_whitelist = timer, mail
-
-# Determine whether includes in tasks and handlers are "static" by
-# default. As of 2.0, includes are dynamic by default. Setting these
-# values to True will make includes behave more like they did in the
-# 1.x versions.
-#task_includes_static = False
-#handler_includes_static = False
-
-# Controls if a missing handler for a notification event is an error or a warning
-#error_on_missing_handler = True
-
-# change this for alternative sudo implementations
-#sudo_exe = sudo
-
-# What flags to pass to sudo
-# WARNING: leaving out the defaults might create unexpected behaviours
-#sudo_flags = -H -S -n
-
-# SSH timeout
-#timeout = 10
-
-# default user to use for playbooks if user is not specified
-# (/usr/bin/ansible will use current user as default)
-#remote_user = root
-
-# logging is off by default unless this path is defined
-# if so defined, consider logrotate
-#log_path = /var/log/ansible.log
-
-# default module name for /usr/bin/ansible
-#module_name = command
-
-# use this shell for commands executed under sudo
-# you may need to change this to bin/bash in rare instances
-# if sudo is constrained
-#executable = /bin/sh
-
-# if inventory variables overlap, does the higher precedence one win
-# or are hash values merged together?  The default is 'replace' but
-# this can also be set to 'merge'.
-#hash_behaviour = replace
-
-# by default, variables from roles will be visible in the global variable
-# scope. To prevent this, the following option can be enabled, and only
-# tasks and handlers within the role will see the variables there
-#private_role_vars = yes
-
-# list any Jinja2 extensions to enable here:
-#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
-
-# if set, always use this private key file for authentication, same as
-# if passing --private-key to ansible or ansible-playbook
-#private_key_file = /path/to/file
-
-# If set, configures the path to the Vault password file as an alternative to
-# specifying --vault-password-file on the command line.
-#vault_password_file = /path/to/vault_password_file
-
-# format of string {{ ansible_managed }} available within Jinja2
-# templates indicates to users editing templates files will be replaced.
-# replacing {file}, {host} and {uid} and strftime codes with proper values.
-#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
-# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence
-# in some situations so the default is a static string:
-#ansible_managed = Ansible managed
-
-# by default, ansible-playbook will display "Skipping [host]" if it determines a task
-# should not be run on a host.  Set this to "False" if you don't want to see these "Skipping"
-# messages. NOTE: the task header will still be shown regardless of whether or not the
-# task is skipped.
-#display_skipped_hosts = True
-
-# by default, if a task in a playbook does not include a name: field then
-# ansible-playbook will construct a header that includes the task's action but
-# not the task's args.  This is a security feature because ansible cannot know
-# if the *module* considers an argument to be no_log at the time that the
-# header is printed.  If your environment doesn't have a problem securing
-# stdout from ansible-playbook (or you have manually specified no_log in your
-# playbook on all of the tasks where you have secret information) then you can
-# safely set this to True to get more informative messages.
-#display_args_to_stdout = False
-
-# by default (as of 1.3), Ansible will raise errors when attempting to dereference
-# Jinja2 variables that are not set in templates or action lines. Uncomment this line
-# to revert the behavior to pre-1.3.
-#error_on_undefined_vars = False
-
-# by default (as of 1.6), Ansible may display warnings based on the configuration of the
-# system running ansible itself. This may include warnings about 3rd party packages or
-# other conditions that should be resolved if possible.
-# to disable these warnings, set the following value to False:
-#system_warnings = True
-
-# by default (as of 1.4), Ansible may display deprecation warnings for language
-# features that should no longer be used and will be removed in future versions.
-# to disable these warnings, set the following value to False:
-#deprecation_warnings = True
-
-# (as of 1.8), Ansible can optionally warn when usage of the shell and
-# command module appear to be simplified by using a default Ansible module
-# instead.  These warnings can be silenced by adjusting the following
-# setting or adding warn=yes or warn=no to the end of the command line
-# parameter string.  This will for example suggest using the git module
-# instead of shelling out to the git command.
-# command_warnings = False
-
-
-# set plugin path directories here, separate with colons
-#action_plugins     = /usr/share/ansible/plugins/action
-#become_plugins     = /usr/share/ansible/plugins/become
-#cache_plugins      = /usr/share/ansible/plugins/cache
-#callback_plugins   = /usr/share/ansible/plugins/callback
-#connection_plugins = /usr/share/ansible/plugins/connection
-#lookup_plugins     = /usr/share/ansible/plugins/lookup
-#inventory_plugins  = /usr/share/ansible/plugins/inventory
-#vars_plugins       = /usr/share/ansible/plugins/vars
-#filter_plugins     = /usr/share/ansible/plugins/filter
-#test_plugins       = /usr/share/ansible/plugins/test
-#terminal_plugins   = /usr/share/ansible/plugins/terminal
-#strategy_plugins   = /usr/share/ansible/plugins/strategy
-
-
-# by default, ansible will use the 'linear' strategy but you may want to try
-# another one
-#strategy = free
-
-# by default callbacks are not loaded for /bin/ansible, enable this if you
-# want, for example, a notification or logging callback to also apply to
-# /bin/ansible runs
-#bin_ansible_callbacks = False
-
-
-# don't like cows?  that's unfortunate.
-# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
-#nocows = 1
-
-# set which cowsay stencil you'd like to use by default. When set to 'random',
-# a random stencil will be selected for each task. The selection will be filtered
-# against the `cow_whitelist` option below.
-#cow_selection = default
-#cow_selection = random
-
-# when using the 'random' option for cowsay, stencils will be restricted to this list.
-# it should be formatted as a comma-separated list with no spaces between names.
-# NOTE: line continuations here are for formatting purposes only, as the INI parser
-#       in python does not support them.
-#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
-#              hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
-#              stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
-
-# don't like colors either?
-# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
-#nocolor = 1
-
-# if set to a persistent type (not 'memory', for example 'redis') fact values
-# from previous runs in Ansible will be stored.  This may be useful when
-# wanting to use, for example, IP information from one group of servers
-# without having to talk to them in the same playbook run to get their
-# current IP information.
-#fact_caching = memory
-
-#This option tells Ansible where to cache facts. The value is plugin dependent.
-#For the jsonfile plugin, it should be a path to a local directory.
-#For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0
-
-#fact_caching_connection=/tmp
-
-
-
-# retry files
-# When a playbook fails a .retry file can be created that will be placed in ~/
-# You can enable this feature by setting retry_files_enabled to True
-# and you can change the location of the files by setting retry_files_save_path
-
-#retry_files_enabled = False
-#retry_files_save_path = ~/.ansible-retry
-
-# squash actions
-# Ansible can optimise actions that call modules with list parameters
-# when looping. Instead of calling the module once per with_ item, the
-# module is called once with all items at once. Currently this only works
-# under limited circumstances, and only with parameters named 'name'.
-#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper
-
-# prevents logging of task data, off by default
-#no_log = False
-
-# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
-#no_target_syslog = False
-
-# controls whether Ansible will raise an error or warning if a task has no
-# choice but to create world readable temporary files to execute a module on
-# the remote machine.  This option is False by default for security.  Users may
-# turn this on to have behaviour more like Ansible prior to 2.1.x.  See
-# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
-# for more secure ways to fix this than enabling this option.
-#allow_world_readable_tmpfiles = False
-
-# controls the compression level of variables sent to
-# worker processes. At the default of 0, no compression
-# is used. This value must be an integer from 0 to 9.
-#var_compression_level = 9
-
-# controls what compression method is used for new-style ansible modules when
-# they are sent to the remote system.  The compression types depend on having
-# support compiled into both the controller's python and the client's python.
-# The names should match with the python Zipfile compression types:
-# * ZIP_STORED (no compression. available everywhere)
-# * ZIP_DEFLATED (uses zlib, the default)
-# These values may be set per host via the ansible_module_compression inventory
-# variable
-#module_compression = 'ZIP_DEFLATED'
-
-# This controls the cutoff point (in bytes) on --diff for files
-# set to 0 for unlimited (RAM may suffer!).
-#max_diff_size = 1048576
-
-# This controls how ansible handles multiple --tags and --skip-tags arguments
-# on the CLI.  If this is True then multiple arguments are merged together.  If
-# it is False, then the last specified argument is used and the others are ignored.
-# This option will be removed in 2.8.
-#merge_multiple_cli_flags = True
-
-# Controls showing custom stats at the end, off by default
-#show_custom_stats = True
-
-# Controls which files to ignore when using a directory as inventory with
-# possibly multiple sources (both static and dynamic)
-#inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo
-
-# This family of modules use an alternative execution path optimized for network appliances
-# only update this setting if you know how this works, otherwise it can break module execution
-#network_group_modules=eos, nxos, ios, iosxr, junos, vyos
-
-# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as
-# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain
-# jinja2 templating language which will be run through the templating engine.
-# ENABLING THIS COULD BE A SECURITY RISK
-#allow_unsafe_lookups = False
-
-# set default errors for all plays
-#any_errors_fatal = False
-
-[inventory]
-# enable inventory plugins, default: 'host_list', 'script', 'auto', 'yaml', 'ini', 'toml'
-#enable_plugins = host_list, virtualbox, yaml, constructed
-
-# ignore these extensions when parsing a directory as inventory source
-#ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry
-
-# ignore files matching these patterns when parsing a directory as inventory source
-#ignore_patterns=
-
-# If 'true' unparsed inventory sources become fatal errors, they are warnings otherwise.
-#unparsed_is_failed=False
-
-[privilege_escalation]
-#become=True
-#become_method=sudo
-#become_user=root
-#become_ask_pass=False
-
-[paramiko_connection]
-
-# uncomment this line to cause the paramiko connection plugin to not record new host
-# keys encountered.  Increases performance on new host additions.  Setting works independently of the
-# host key checking setting above.
-#record_host_keys=False
-
-# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
-# line to disable this behaviour.
-#pty=False
-
-# paramiko will default to looking for SSH keys initially when trying to
-# authenticate to remote devices.  This is a problem for some network devices
-# that close the connection after a key failure.  Uncomment this line to
-# disable the Paramiko look for keys function
-#look_for_keys = False
-
-# When using persistent connections with Paramiko, the connection runs in a
-# background process.  If the host doesn't already have a valid SSH key, by
-# default Ansible will prompt to add the host key.  This will cause connections
-# running in background processes to fail.  Uncomment this line to have
-# Paramiko automatically add host keys.
-#host_key_auto_add = True
-
-[ssh_connection]
-
-# ssh arguments to use
-# Leaving off ControlPersist will result in poor performance, so use
-# paramiko on older platforms rather than removing it, -C controls compression use
-#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
-
-# The base directory for the ControlPath sockets.
-# This is the "%(directory)s" in the control_path option
-#
-# Example:
-# control_path_dir = /tmp/.ansible/cp
-#control_path_dir = ~/.ansible/cp
-
-# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname,
-# port and username (empty string in the config). The hash mitigates a common problem users
-# found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
-# In those cases, a "too long for Unix domain socket" ssh error would occur.
-#
-# Example:
-# control_path = %(directory)s/%%h-%%r
-#control_path =
-
-# Enabling pipelining reduces the number of SSH operations required to
-# execute a module on the remote server. This can result in a significant
-# performance improvement when enabled, however when using "sudo:" you must
-# first disable 'requiretty' in /etc/sudoers
-#
-# By default, this option is disabled to preserve compatibility with
-# sudoers configurations that have requiretty (the default on many distros).
-#
-#pipelining = False
-
-# Control the mechanism for transferring files (old)
-#   * smart = try sftp and then try scp [default]
-#   * True = use scp only
-#   * False = use sftp only
-#scp_if_ssh = smart
-
-# Control the mechanism for transferring files (new)
-# If set, this will override the scp_if_ssh option
-#   * sftp  = use sftp to transfer files
-#   * scp   = use scp to transfer files
-#   * piped = use 'dd' over SSH to transfer files
-#   * smart = try sftp, scp, and piped, in that order [default]
-#transfer_method = smart
-
-# if False, sftp will not use batch mode to transfer files. This may cause some
-# types of file transfer failures impossible to catch however, and should
-# only be disabled if your sftp version has problems with batch mode
-#sftp_batch_mode = False
-
-# The -tt argument is passed to ssh when pipelining is not enabled because sudo 
-# requires a tty by default. 
-#usetty = True
-
-# Number of times to retry an SSH connection to a host, in case of UNREACHABLE.
-# For each retry attempt, there is an exponential backoff,
-# so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max).
-#retries = 3
-
-[persistent_connection]
-
-# Configures the persistent connection timeout value in seconds.  This value is
-# how long the persistent connection will remain idle before it is destroyed.
-# If the connection doesn't receive a request before the timeout value
-# expires, the connection is shutdown. The default value is 30 seconds.
-#connect_timeout = 30
-
-# The command timeout value defines the amount of time to wait for a command
-# or RPC call before timing out. The value for the command timeout must
-# be less than the value of the persistent connection idle timeout (connect_timeout)
-# The default value is 30 second.
-#command_timeout = 30
-
-[accelerate]
-#accelerate_port = 5099
-#accelerate_timeout = 30
-#accelerate_connect_timeout = 5.0
-
-# The daemon timeout is measured in minutes. This time is measured
-# from the last activity to the accelerate daemon.
-#accelerate_daemon_timeout = 30
-
-# If set to yes, accelerate_multi_key will allow multiple
-# private keys to be uploaded to it, though each user must
-# have access to the system via SSH to add a new key. The default
-# is "no".
-#accelerate_multi_key = yes
-
-[selinux]
-# file systems that require special treatment when dealing with security context
-# the default behaviour that copies the existing context or uses the user default
-# needs to be changed to use the file system dependent context.
-#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,vfat
-
-# Set this to yes to allow libvirt_lxc connections to work without SELinux.
-#libvirt_lxc_noseclabel = yes
-
-[colors]
-#highlight = white
-#verbose = blue
-#warn = bright purple
-#error = red
-#debug = dark gray
-#deprecate = purple
-#skip = cyan
-#unreachable = red
-#ok = green
-#changed = yellow
-#diff_add = green
-#diff_remove = red
-#diff_lines = cyan
-
-
-[diff]
-# Always print diff when running ( same as always running with -D/--diff )
-# always = no
-
-# Set how many context lines to show in diff
-# context = 3
+# for example, for 2.9: https://github.com/ansible/ansible/blob/stable-2.9/examples/ansible.cfg

ansible/hosts

@@ -8,14 +8,14 @@
 #   - You can enter hostnames or ip addresses
 #   - A hostname/ip can be a member of multiple groups
 
-# Ex 1: Ungrouped hosts, specify before any group headers.
+# Ex 1: Ungrouped hosts, specify before any group headers:
 
 ## green.example.com
 ## blue.example.com
 ## 192.168.100.1
 ## 192.168.100.10
 
-# Ex 2: A collection of hosts belonging to the 'webservers' group
+# Ex 2: A collection of hosts belonging to the 'webservers' group:
 
 ## [webservers]
 ## alpha.example.org
@@ -23,12 +23,16 @@
 ## 192.168.1.100
 ## 192.168.1.110
 
-# If you have multiple hosts following a pattern you can specify
+# If you have multiple hosts following a pattern, you can specify
 # them like this:
 
 ## www[001:006].example.com
 
-# Ex 3: A collection of database servers in the 'dbservers' group
+# You can also use ranges for multiple hosts: 
+
+## db-[99:101]-node.example.com
+
+# Ex 3: A collection of database servers in the 'dbservers' group:
 
 ## [dbservers]
 ##
@@ -37,8 +41,14 @@
 ## 10.25.1.56
 ## 10.25.1.57
 
-# Here's another example of host ranges, this time there are no
-# leading 0s:
 
-## db-[99:101]-node.example.com
+# Ex4: Multiple hosts arranged into groups such as 'Debian' and 'openSUSE':
+
+## [Debian]
+## alpha.example.org
+## beta.example.org
+
+## [openSUSE]
+## green.example.com
+## blue.example.com
 

appstream.conf

@@ -0,0 +1,29 @@
+#
+# This is the configuration file for AppStream.
+# If data for your distribution is missing, you can submit
+# a patch to include it upstream.
+# The distribution identifier is fetched from /etc/os-release
+#
+
+[general]
+
+#
+# Set this value to have AppStream always prefer data from a local metainfo file
+# over data provided from a network source.
+# This option is only useful in case one wants to test how data from local
+# metainfo files looks like in the software center prior to making a release
+# containing the new metadata.
+#
+#PreferLocalMetainfoData=true
+
+#
+# Distribution specific settings
+#
+[debian]
+ScreenshotUrl=http://screenshots.debian.net
+
+[opensuse]
+ScreenshotUrl=http://software.opensuse.org/package
+
+[ubuntu]
+ScreenshotUrl=http://screenshots.ubuntu.com

audit/auditd.conf

@@ -9,12 +9,12 @@ log_group = root
 log_format = ENRICHED
 flush = INCREMENTAL_ASYNC
 freq = 50
-max_log_file = 8
+max_log_file = 10
 num_logs = 5
 priority_boost = 4
 name_format = NONE
 ##name = mydomain
-max_log_file_action = ROTATE
+max_log_file_action = keep_logs
 space_left = 75
 space_left_action = SYSLOG
 verify_email = yes
@@ -33,7 +33,8 @@ transport = TCP
 krb5_principal = auditd
 ##krb5_key_file = /etc/audit/audit.key
 distribute_network = no
-q_depth = 400
+q_depth = 1200
 overflow_action = SYSLOG
 max_restarts = 10
 plugin_dir = /etc/audit/plugins.d
+end_of_event_timeout = 2

authselect/user-nsswitch.conf

@@ -35,8 +35,6 @@
 #
 # Notes:
 #
-# 'sssd' performs its own 'files'-based caching, so it should generally
-# come before 'files'.
 #
 # WARNING: Running nscd with a secondary caching service like sssd may
 # 	   lead to unexpected behaviour, especially with how long
@@ -53,9 +51,9 @@
 # group:     db files
 
 # In order of likelihood of use to accelerate lookup.
-passwd:      sss files systemd
+passwd:      files sss systemd
 shadow:     files sss
-group:       sss files systemd
+group:       files sss systemd
 hosts:      files dns myhostname
 services:   files sss
 netgroup:   sss

authselect/user-nsswitch.conf.save_by_rpm

@@ -0,0 +1,72 @@
+#
+# /etc/nsswitch.conf
+#
+# Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
+#
+# Valid databases are: aliases, ethers, group, gshadow, hosts,
+# initgroups, netgroup, networks, passwd, protocols, publickey,
+# rpc, services, and shadow.
+#
+# Valid service provider entries include (in alphabetical order):
+#
+#	compat			Use /etc files plus *_compat pseudo-db
+#	db			Use the pre-processed /var/db files
+#	dns			Use DNS (Domain Name Service)
+#	files			Use the local files in /etc
+#	hesiod			Use Hesiod (DNS) for user lookups
+#	nis			Use NIS (NIS version 2), also called YP
+#	nisplus			Use NIS+ (NIS version 3)
+#
+# See `info libc 'NSS Basics'` for more information.
+#
+# Commonly used alternative service providers (may need installation):
+#
+#	ldap			Use LDAP directory server
+#	myhostname		Use systemd host names
+#	mymachines		Use systemd machine names
+#	mdns*, mdns*_minimal	Use Avahi mDNS/DNS-SD
+#	resolve			Use systemd resolved resolver
+#	sss			Use System Security Services Daemon (sssd)
+#	systemd			Use systemd for dynamic user option
+#	winbind			Use Samba winbind support
+#	wins			Use Samba wins support
+#	wrapper			Use wrapper module for testing
+#
+# Notes:
+#
+# 'sssd' performs its own 'files'-based caching, so it should generally
+# come before 'files'.
+#
+# WARNING: Running nscd with a secondary caching service like sssd may
+# 	   lead to unexpected behaviour, especially with how long
+# 	   entries are cached.
+#
+# Installation instructions:
+#
+# To use 'db', install the appropriate package(s) (provide 'makedb' and
+# libnss_db.so.*), and place the 'db' in front of 'files' for entries
+# you want to be looked up first in the databases, like this:
+#
+# passwd:    db files
+# shadow:    db files
+# group:     db files
+
+# In order of likelihood of use to accelerate lookup.
+passwd:      sss files systemd
+shadow:     files sss
+group:       sss files systemd
+hosts:      files dns myhostname
+services:   files sss
+netgroup:   sss
+automount:  files sss
+
+aliases:    files
+ethers:     files
+gshadow:    files
+# Allow initgroups to default to the setting for group.
+# initgroups: files
+networks:   files dns
+protocols:  files
+publickey:  files
+rpc:        files

bash_completion.d/python-argcomplete.sh

@@ -0,0 +1,74 @@
+# Copyright 2012-2013, Andrey Kislyuk and argcomplete contributors.
+# Licensed under the Apache License. See https://github.com/kislyuk/argcomplete for more info.
+
+# Copy of __expand_tilde_by_ref from bash-completion
+__python_argcomplete_expand_tilde_by_ref () {
+    if [ "${!1:0:1}" = "~" ]; then
+        if [ "${!1}" != "${!1//\/}" ]; then
+            eval $1="${!1/%\/*}"/'${!1#*/}';
+        else
+            eval $1="${!1}";
+        fi;
+    fi
+}
+
+# Run something, muting output or redirecting it to the debug stream
+# depending on the value of _ARC_DEBUG.
+__python_argcomplete_run() {
+    if [[ -z "$_ARC_DEBUG" ]]; then
+        "$@" 8>&1 9>&2 1>/dev/null 2>&1
+    else
+        "$@" 8>&1 9>&2 1>&9 2>&1
+    fi
+}
+
+_python_argcomplete_global() {
+    local executable=$1
+    __python_argcomplete_expand_tilde_by_ref executable
+
+    local ARGCOMPLETE=0
+    if [[ "$executable" == python* ]] || [[ "$executable" == pypy* ]]; then
+        if [[ "${COMP_WORDS[1]}" == -m ]]; then
+            if "$executable" -m argcomplete._check_module "${COMP_WORDS[2]}" >/dev/null 2>&1; then
+                ARGCOMPLETE=3
+            else
+                return
+            fi
+        elif [[ -f "${COMP_WORDS[1]}" ]] && (head -c 1024 "${COMP_WORDS[1]}" | grep --quiet "PYTHON_ARGCOMPLETE_OK") >/dev/null 2>&1; then
+            local ARGCOMPLETE=2
+        else
+            return
+        fi
+    elif which "$executable" >/dev/null 2>&1; then
+        local SCRIPT_NAME=$(which "$executable")
+        if (type -t pyenv && [[ "$SCRIPT_NAME" = $(pyenv root)/shims/* ]]) >/dev/null 2>&1; then
+            local SCRIPT_NAME=$(pyenv which "$executable")
+        fi
+        if (head -c 1024 "$SCRIPT_NAME" | grep --quiet "PYTHON_ARGCOMPLETE_OK") >/dev/null 2>&1; then
+            local ARGCOMPLETE=1
+        elif (head -c 1024 "$SCRIPT_NAME" | egrep --quiet "(PBR Generated)|(EASY-INSTALL-(SCRIPT|ENTRY-SCRIPT|DEV-SCRIPT))" \
+            && python-argcomplete-check-easy-install-script "$SCRIPT_NAME") >/dev/null 2>&1; then
+            local ARGCOMPLETE=1
+        fi
+    fi
+
+    if [[ $ARGCOMPLETE != 0 ]]; then
+        local IFS=$(echo -e '\v')
+        COMPREPLY=( $(_ARGCOMPLETE_IFS="$IFS" \
+            COMP_LINE="$COMP_LINE" \
+            COMP_POINT="$COMP_POINT" \
+            COMP_TYPE="$COMP_TYPE" \
+            _ARGCOMPLETE_COMP_WORDBREAKS="$COMP_WORDBREAKS" \
+            _ARGCOMPLETE=$ARGCOMPLETE \
+            _ARGCOMPLETE_SUPPRESS_SPACE=1 \
+            __python_argcomplete_run "$executable" "${COMP_WORDS[@]:1:ARGCOMPLETE-1}") )
+        if [[ $? != 0 ]]; then
+            unset COMPREPLY
+        elif [[ "$COMPREPLY" =~ [=/:]$ ]]; then
+            compopt -o nospace
+        fi
+    else
+        type -t _completion_loader | grep -q 'function' && _completion_loader "$@"
+    fi
+}
+complete -o default -o bashdefault -D -F _python_argcomplete_global

bash_completion.d/torsocks

@@ -0,0 +1,3 @@
+#-*- mode: shell-script;-*-
+
+complete -F _command torsocks

bindresvport.blacklist

@@ -8,6 +8,11 @@
 631     # cups
 636     # ldaps
 664     # Secure ASF, used by IPMI on some cards
+749     # Kerberos V kadmin
+774     # rpasswd
+873     # rsyncd
 921     # lwresd
+992     # SSL-enabled telnet
 993     # imaps
+994     # irc
 995     # pops

cczerc

@@ -0,0 +1,93 @@
+# Configuration file for ccze
+#
+# Available 'pre' attributes: bold, underline, underscore, blink, reverse
+# Available colors:  black, red, green, yellow, blue, magenta, cyan, white
+# Available bgcolors: on_black, on_red, on_green, on_yellow, on_blue, on_magenta, on_cyan, on_white
+#
+# You can also use item names in color definition, like:
+#
+# default   blue
+# date      'default'
+#
+# Here you defined default color to blue, and date color to default value's color, so
+# your date color is blue. (You can only use predefined item names!)
+
+# item          color                   # comment (what is color, or why it's that ;)
+
+date            bold cyan               # Dates and times
+host            bold blue               # Host names and IP numbers
+process         green                   # Sender process
+pid             bold white              # PIDs (Process IDs)
+pid-sqbr        bold green              # Brackets around PIDs
+default         cyan                    # Default (not colorised)
+email           bold green              # E-mail addresses
+subject         magenta                 # Subject lines (procmail)
+dir             bold cyan               # Directory names
+size            bold white              # Sizes
+user            bold yellow             # Usernames
+httpcodes       bold white              # HTTP status codes (200, 404, etc)
+getsize         magenta                 # Transfer sizes
+get             green                   # HTTP GET
+post            bold green              # HTTP POST
+head            green                   # HTTP HEAD
+put             bold green              # HTTP PUT
+connect         green                   # HTTP CONNECT
+trace           green                   # HTTP TRACE
+unknown         cyan                    # Unknown message
+gettime         bold magenta            # Transfer times
+uri             bold green              # URIs (http://, ftp://, etc)
+ident           bold white              # Remote user (proxy/http)
+ctype           white                   # Content type (http/proxy)
+error           bold red                # Error messages
+miss            red                     # Proxy MISS
+hit             bold yellow             # Proxy HIT
+deny            bold red                # Proxy DENIED
+refresh         bold white              # Proxy REFRESH
+swapfail        bold white              # Proxy SWAPFAIL
+debug           white                   # Debug messages
+warning         red                     # Warnings
+direct          bold white              # Proxy DIRECT
+parent          bold yellow             # Proxy PARENT
+swapnum         blue on_white           # Proxy swap number
+create          bold white              # Proxy CREATE
+swapin          bold white              # Proxy SWAPIN
+swapout         bold white              # Proxy SWAPOUT
+release         bold white              # Proxy RELEASE
+mac             bold white              # MAC addresses
+version         bold white              # Version numbers
+address         bold white              # Memory addresses
+numbers         white                   # Numbers
+signal          bold yellow             # Signal names
+service         bold magenta            # Services
+prot            magenta                 # Protocols
+bad             bold yellow             # "Bad words"
+good            bold green              # "Good words"
+system          bold cyan               # "System words"
+incoming        bold white              # Incoming mail (exim)
+outgoing        white                   # Outgoing mail (exim)
+uniqn           bold white              # Unique ID (exim)
+repeat          white                   # 'last message repeated N times'
+field           green                   # RFC822 Field
+chain           cyan                    # Chain names (ulogd)
+percentage      bold yellow             # Percentages
+ftpcodes        cyan                    # FTP codes
+keyword         bold yellow             # Various keywords (like PHP in php.log, etc)
+
+# CSS codes for the HTML output
+cssblack        black
+cssboldblack    black
+cssred          darkred
+cssboldred      red
+cssgreen        #00C000
+cssboldgreen    lime
+cssyellow       brown
+cssboldyellow   yellow
+cssblue         blue
+cssboldblue     slateblue
+csscyan         darkcyan
+cssboldcyan     cyan
+cssmagenta      darkmagenta
+cssboldmagenta  magenta
+csswhite        grey
+cssboldwhite    white
+cssbody         #404040

centos-release

@@ -1 +0,0 @@
-CentOS Linux release 8.4.2105

centos-release

@@ -0,0 +1 @@
+almalinux-release

centos-release-upstream

@@ -1 +0,0 @@
-Derived from Red Hat Enterprise Linux 8.4

clamd.conf

@@ -123,7 +123,7 @@ StreamMaxLength 10M
 
 # Maximum number of threads running at the same time.
 # Default: 10
-MaxThreads 5
+MaxThreads 2
 
 # Waiting for data from a client socket will timeout after this time (seconds).
 # Default: 120
@@ -450,3 +450,6 @@ BytecodeSecurity TrustSigned
 # 
 # Default: 5000
 BytecodeTimeout 3000
+
+# Limit memory usage
+ConcurrentDatabaseReload no

clamd.conf.rpmnew

@@ -1,791 +0,0 @@
-##
-## Example config file for the Clam AV daemon
-## Please read the clamd.conf(5) manual before editing this file.
-##
-
-
-# Comment or remove the line below.
-Example
-
-# Uncomment this option to enable logging.
-# LogFile must be writable for the user running daemon.
-# A full path is required.
-# Default: disabled
-#LogFile /tmp/clamd.log
-
-# By default the log file is locked for writing - the lock protects against
-# running clamd multiple times (if want to run another clamd, please
-# copy the configuration file, change the LogFile variable, and run
-# the daemon with --config-file option).
-# This option disables log file locking.
-# Default: no
-#LogFileUnlock yes
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
-# rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-#LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-#LogTime yes
-
-# Also log clean files. Useful in debugging but drastically increases the
-# log size.
-# Default: no
-#LogClean yes
-
-# Use system logger (can work together with LogFile).
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# Enable Prelude output.
-# Default: no
-#PreludeEnable yes
-#
-# Set the name of the analyzer used by prelude-admin.
-# Default: ClamAV
-#PreludeAnalyzerName ClamAV
-
-# Log additional information about the infected file, such as its
-# size and hash, together with the virus name.
-#ExtendedDetectionInfo yes
-
-# This option allows you to save a process identifier of the listening
-# daemon (main thread).
-# This file will be owned by root, as long as clamd was started by root.
-# It is recommended that the directory where this file is stored is
-# also owned by root to keep other users from tampering with it.
-# Default: disabled
-#PidFile /var/run/clamd.pid
-
-# Optional path to the global temporary directory.
-# Default: system specific (usually /tmp or /var/tmp).
-#TemporaryDirectory /var/tmp
-
-# Path to the database directory.
-# Default: hardcoded (depends on installation options)
-#DatabaseDirectory /var/lib/clamav
-
-# Only load the official signatures published by the ClamAV project.
-# Default: no
-#OfficialDatabaseOnly no
-
-# The daemon can work in local mode, network mode or both.
-# Due to security reasons we recommend the local mode.
-
-# Path to a local socket file the daemon will listen on.
-# Default: disabled (must be specified by a user)
-#LocalSocket /tmp/clamd.socket
-
-# Sets the group ownership on the unix socket.
-# Default: disabled (the primary group of the user running clamd)
-#LocalSocketGroup virusgroup
-
-# Sets the permissions on the unix socket to the specified mode.
-# Default: disabled (socket is world accessible)
-#LocalSocketMode 660
-
-# Remove stale socket after unclean shutdown.
-# Default: yes
-#FixStaleSocket yes
-
-# TCP port address.
-# Default: no
-#TCPSocket 3310
-
-# TCP address.
-# By default we bind to INADDR_ANY, probably not wise.
-# Enable the following to provide some degree of protection
-# from the outside world. This option can be specified multiple
-# times if you want to listen on multiple IPs. IPv6 is now supported.
-# Default: no
-#TCPAddr 127.0.0.1
-
-# Maximum length the queue of pending connections may grow to.
-# Default: 200
-#MaxConnectionQueueLength 30
-
-# Clamd uses FTP-like protocol to receive data from remote clients.
-# If you are using clamav-milter to balance load between remote clamd daemons
-# on firewall servers you may need to tune the options below.
-
-# Close the connection when the data size limit is exceeded.
-# The value should match your MTA's limit for a maximum attachment size.
-# Default: 25M
-#StreamMaxLength 10M
-
-# Limit port range.
-# Default: 1024
-#StreamMinPort 30000
-# Default: 2048
-#StreamMaxPort 32000
-
-# Maximum number of threads running at the same time.
-# Default: 10
-#MaxThreads 20
-
-# Waiting for data from a client socket will timeout after this time (seconds).
-# Default: 120
-#ReadTimeout 300
-
-# This option specifies the time (in seconds) after which clamd should
-# timeout if a client doesn't provide any initial command after connecting.
-# Default: 30
-#CommandReadTimeout 30
-
-# This option specifies how long to wait (in milliseconds) if the send buffer
-# is full.
-# Keep this value low to prevent clamd hanging.
-#
-# Default: 500
-#SendBufTimeout 200
-
-# Maximum number of queued items (including those being processed by
-# MaxThreads threads).
-# It is recommended to have this value at least twice MaxThreads if possible.
-# WARNING: you shouldn't increase this too much to avoid running out  of file
-# descriptors, the following condition should hold:
-# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
-# max is 1024).
-#
-# Default: 100
-#MaxQueue 200
-
-# Waiting for a new job will timeout after this time (seconds).
-# Default: 30
-#IdleTimeout 60
-
-# Don't scan files and directories matching regex
-# This directive can be used multiple times
-# Default: scan all
-#ExcludePath ^/proc/
-#ExcludePath ^/sys/
-
-# Maximum depth directories are scanned at.
-# Default: 15
-#MaxDirectoryRecursion 20
-
-# Follow directory symlinks.
-# Default: no
-#FollowDirectorySymlinks yes
-
-# Follow regular file symlinks.
-# Default: no
-#FollowFileSymlinks yes
-
-# Scan files and directories on other filesystems.
-# Default: yes
-#CrossFilesystems yes
-
-# Perform a database check.
-# Default: 600 (10 min)
-#SelfCheck 600
-
-# Enable non-blocking (multi-threaded/concurrent) database reloads.
-# This feature will temporarily load a second scanning engine while scanning
-# continues using the first engine. Once loaded, the new engine takes over.
-# The old engine is removed as soon as all scans using the old engine have
-# completed.
-# This feature requires more RAM, so this option is provided in case users are
-# willing to block scans during reload in exchange for lower RAM requirements.
-# Default: yes
-#ConcurrentDatabaseReload no
-
-# Execute a command when virus is found. In the command string %v will
-# be replaced with the virus name.
-# Default: no
-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
-
-# Run as another user (clamd must be started by root for this option to work)
-# Default: don't drop privileges
-#User clamav
-
-# Stop daemon when libclamav reports out of memory condition.
-#ExitOnOOM yes
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Do not remove temporary files (for debug purposes).
-# Default: no
-#LeaveTemporaryFiles yes
-
-# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
-# any ALLMATCHSCAN command as invalid.
-# Default: yes
-#AllowAllMatchScan no
-
-# Detect Possibly Unwanted Applications.
-# Default: no
-#DetectPUA yes
-
-# Exclude a specific PUA category. This directive can be used multiple times.
-# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
-# the complete list of PUA categories.
-# Default: Load all categories (if DetectPUA is activated)
-#ExcludePUA NetTool
-#ExcludePUA PWTool
-
-# Only include a specific PUA category. This directive can be used multiple
-# times.
-# Default: Load all categories (if DetectPUA is activated)
-#IncludePUA Spy
-#IncludePUA Scanner
-#IncludePUA RAT
-
-# This option causes memory or nested map scans to dump the content to disk.
-# If you turn on this option, more data is written to disk and is available
-# when the LeaveTemporaryFiles option is enabled.
-#ForceToDisk yes
-
-# This option allows you to disable the caching feature of the engine. By
-# default, the engine will store an MD5 in a cache of any files that are
-# not flagged as virus or that hit limits checks. Disabling the cache will
-# have a negative performance impact on large scans.
-# Default: no
-#DisableCache yes
-
-# In some cases (eg. complex malware, exploits in graphic files, and others),
-# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
-# may be malicious.  This option enables alerting on such heuristically
-# detected potential threats.
-# Default: yes
-#HeuristicAlerts yes
-
-# Allow heuristic alerts to take precedence.
-# When enabled, if a heuristic scan (such as phishingScan) detects
-# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
-# scan-time.
-# When disabled, virus/phish detected by heuristic scans will be reported only
-# at the end of a scan. If an archive contains both a heuristically detected
-# virus/phish, and a real malware, the real malware will be reported
-#
-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
-# differently from "real" malware.
-# If a non-heuristically-detected virus (signature-based) is found first,
-# the scan is interrupted immediately, regardless of this config option.
-#
-# Default: no
-#HeuristicScanPrecedence yes
-
-
-##
-## Heuristic Alerts
-##
-
-# With this option clamav will try to detect broken executables (both PE and
-# ELF) and alert on them with the Broken.Executable heuristic signature.
-# Default: no
-#AlertBrokenExecutables yes
-
-# With this option clamav will try to detect broken media file (JPEG,
-# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature.
-# Default: no
-#AlertBrokenMedia yes
-
-# Alert on encrypted archives _and_ documents with heuristic signature
-# (encrypted .zip, .7zip, .rar, .pdf).
-# Default: no
-#AlertEncrypted yes
-
-# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
-# .rar).
-# Default: no
-#AlertEncryptedArchive yes
-
-# Alert on encrypted archives with heuristic signature (encrypted .pdf).
-# Default: no
-#AlertEncryptedDoc yes
-
-# With this option enabled OLE2 files containing VBA macros, which were not
-# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
-# Default: no
-#AlertOLE2Macros yes
-
-# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
-# This can lead to false positives.
-# Default: no
-#AlertPhishingSSLMismatch yes
-
-# Alert on cloaked URLs, even if URL isn't in database.
-# This can lead to false positives.
-# Default: no
-#AlertPhishingCloak yes
-
-# Alert on raw DMG image files containing partition intersections
-# Default: no
-#AlertPartitionIntersection yes
-
-
-##
-## Executable files
-##
-
-# PE stands for Portable Executable - it's an executable file format used
-# in all 32 and 64-bit versions of Windows operating systems. This option
-# allows ClamAV to perform a deeper analysis of executable files and it's also
-# required for decompression of popular executable packers such as UPX, FSG,
-# and Petite. If you turn off this option, the original files will still be
-# scanned, but without additional processing.
-# Default: yes
-#ScanPE yes
-
-# Certain PE files contain an authenticode signature. By default, we check
-# the signature chain in the PE file against a database of trusted and
-# revoked certificates if the file being scanned is marked as a virus.
-# If any certificate in the chain validates against any trusted root, but
-# does not match any revoked certificate, the file is marked as whitelisted.
-# If the file does match a revoked certificate, the file is marked as virus.
-# The following setting completely turns off authenticode verification.
-# Default: no
-#DisableCertCheck yes
-
-# Executable and Linking Format is a standard format for UN*X executables.
-# This option allows you to control the scanning of ELF files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanELF yes
-
-
-##
-## Documents
-##
-
-# This option enables scanning of OLE2 files, such as Microsoft Office
-# documents and .msi files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanOLE2 yes
-
-# This option enables scanning within PDF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanPDF yes
-
-# This option enables scanning within SWF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanSWF yes
-
-# This option enables scanning xml-based document files supported by libclamav.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanXMLDOCS yes
-
-# This option enables scanning of HWP3 files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanHWP3 yes
-
-
-##
-## Mail files
-##
-
-# Enable internal e-mail scanner.
-# If you turn off this option, the original files will still be scanned, but
-# without parsing individual messages/attachments.
-# Default: yes
-#ScanMail yes
-
-# Scan RFC1341 messages split over many emails.
-# You will need to periodically clean up $TemporaryDirectory/clamav-partial
-# directory.
-# WARNING: This option may open your system to a DoS attack.
-#	   Never use it on loaded servers.
-# Default: no
-#ScanPartialMessages yes
-
-# With this option enabled ClamAV will try to detect phishing attempts by using
-# HTML.Phishing and Email.Phishing NDB signatures.
-# Default: yes
-#PhishingSignatures no
-
-# With this option enabled ClamAV will try to detect phishing attempts by
-# analyzing URLs found in emails using WDB and PDB signature databases.
-# Default: yes
-#PhishingScanURLs no
-
-
-##
-## Data Loss Prevention (DLP)
-##
-
-# Enable the DLP module
-# Default: No
-#StructuredDataDetection yes
-
-# This option sets the lowest number of Credit Card numbers found in a file
-# to generate a detect.
-# Default: 3
-#StructuredMinCreditCardCount 5
-
-# With this option enabled the DLP module will search for valid Credit Card
-# numbers only. Debit and Private Label cards will not be searched.
-# Default: no
-#StructuredCCOnly yes
-
-# This option sets the lowest number of Social Security Numbers found
-# in a file to generate a detect.
-# Default: 3
-#StructuredMinSSNCount 5
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxx-yy-zzzz
-# Default: yes
-#StructuredSSNFormatNormal yes
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxxyyzzzz
-# Default: no
-#StructuredSSNFormatStripped yes
-
-
-##
-## HTML
-##
-
-# Perform HTML normalisation and decryption of MS Script Encoder code.
-# Default: yes
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-#ScanHTML yes
-
-
-##
-## Archives
-##
-
-# ClamAV can scan within archives and compressed files.
-# If you turn off this option, the original files will still be scanned, but
-# without unpacking and additional processing.
-# Default: yes
-#ScanArchive yes
-
-
-##
-## Limits
-##
-
-# The options below protect your system against Denial of Service attacks
-# using archive bombs.
-
-# This option sets the maximum amount of time to a scan may take.
-# In this version, this field only affects the scan time of ZIP archives.
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result allow scanning
-# of certain files to lock up the scanning process/threads resulting in a
-# Denial of Service.
-# Time is in milliseconds.
-# Default: 120000
-#MaxScanTime 300000
-
-# This option sets the maximum amount of data to be scanned for each input
-# file. Archives and other containers are recursively extracted and scanned
-# up to this value.
-# Value of 0 disables the limit
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 100M
-#MaxScanSize 150M
-
-# Files larger than this limit won't be scanned. Affects the input file itself
-# as well as files contained inside it (when the input file is an archive, a
-# document or some other kind of container).
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 25M
-#MaxFileSize 30M
-
-# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
-# file, all files within it will also be scanned. This options specifies how
-# deeply the process should be continued.
-# Note: setting this limit too high may result in severe damage to the system.
-# Default: 16
-#MaxRecursion 10
-
-# Number of files to be scanned within an archive, a document, or any other
-# container file.
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10000
-#MaxFiles 15000
-
-# Maximum size of a file to check for embedded PE. Files larger than this value
-# will skip the additional analysis step.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxEmbeddedPE 10M
-
-# Maximum size of a HTML file to normalize. HTML files larger than this value
-# will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxHTMLNormalize 10M
-
-# Maximum size of a normalized HTML file to scan. HTML files larger than this
-# value after normalization will not be scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 2M
-#MaxHTMLNoTags 2M
-
-# Maximum size of a script file to normalize. Script content larger than this
-# value will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 5M
-#MaxScriptNormalize 5M
-
-# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
-# than this value will skip the step to potentially reanalyze as PE.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 1M
-#MaxZipTypeRcg 1M
-
-# This option sets the maximum number of partitions of a raw disk image to be
-# scanned.
-# Raw disk images with more partitions than this value will have up to
-# the value number partitions scanned. Negative values are not allowed.
-# Note: setting this limit too high may result in severe damage or impact
-# performance.
-# Default: 50
-#MaxPartitions 128
-
-# This option sets the maximum number of icons within a PE to be scanned.
-# PE files with more icons than this value will have up to the value number
-# icons scanned.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may result in severe damage or impact
-# performance.
-# Default: 100
-#MaxIconsPE 200
-
-# This option sets the maximum recursive calls for HWP3 parsing during
-# scanning. HWP3 files using more than this limit will be terminated and
-# alert the user.
-# Scans will be unable to scan any HWP3 attachments if the recursive limit
-# is reached.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may result in severe damage or impact
-# performance.
-# Default: 16
-#MaxRecHWP3 16
-
-# This option sets the maximum calls to the PCRE match function during
-# an instance of regex matching.
-# Instances using more than this limit will be terminated and alert the user
-# but the scan will continue.
-# For more information on match_limit, see the PCRE documentation.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may severely impact performance.
-# Default: 100000
-#PCREMatchLimit 20000
-
-# This option sets the maximum recursive calls to the PCRE match function
-# during an instance of regex matching.
-# Instances using more than this limit will be terminated and alert the user
-# but the scan will continue.
-# For more information on match_limit_recursion, see the PCRE documentation.
-# Negative values are not allowed and values > PCREMatchLimit are superfluous.
-# WARNING: setting this limit too high may severely impact performance.
-# Default: 2000
-#PCRERecMatchLimit 10000
-
-# This option sets the maximum filesize for which PCRE subsigs will be
-# executed. Files exceeding this limit will not have PCRE subsigs executed
-# unless a subsig is encompassed to a smaller buffer.
-# Negative values are not allowed.
-# Setting this value to zero disables the limit.
-# WARNING: setting this limit too high or disabling it may severely impact
-# performance.
-# Default: 25M
-#PCREMaxFileSize 100M
-
-# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
-# MaxRecursion limit will be flagged with the virus
-# "Heuristics.Limits.Exceeded".
-# Default: no
-#AlertExceedsMax yes
-
-##
-## On-access Scan Settings
-##
-
-# Don't scan files larger than OnAccessMaxFileSize
-# Value of 0 disables the limit.
-# Default: 5M
-#OnAccessMaxFileSize 10M
-
-# Max number of scanning threads to allocate to the OnAccess thread pool at
-# startup. These threads are the ones responsible for creating a connection
-# with the daemon and kicking off scanning after an event has been processed.
-# To prevent clamonacc from consuming all clamd's resources keep this lower
-# than clamd's max threads.
-# Default: 5
-#OnAccessMaxThreads 10
-
-# Max amount of time (in milliseconds) that the OnAccess client should spend
-# for every connect, send, and recieve attempt when communicating with clamd
-# via curl.
-# Default: 5000 (5 seconds)
-# OnAccessCurlTimeout 10000
-
-# Toggles dynamic directory determination. Allows for recursively watching
-# include paths.
-# Default: no
-#OnAccessDisableDDD yes
-
-# Set the include paths (all files inside them will be scanned). You can have
-# multiple OnAccessIncludePath directives but each directory must be added
-# in a separate line.
-# Default: disabled
-#OnAccessIncludePath /home
-#OnAccessIncludePath /students
-
-# Set the exclude paths. All subdirectories are also excluded.
-# Default: disabled
-#OnAccessExcludePath /home/user
-
-# Modifies fanotify blocking behaviour when handling permission events.
-# If off, fanotify will only notify if the file scanned is a virus,
-# and not perform any blocking.
-# Default: no
-#OnAccessPrevention yes
-
-# When using prevention, if this option is turned on, any errors that occur
-# during scanning will result in the event attempt being denied. This could
-# potentially lead to unwanted system behaviour with certain configurations,
-# so the client defaults this to off and prefers allowing access events in
-# case of scan or connection error.
-# Default: no
-#OnAccessDenyOnError yes
-
-# Toggles extra scanning and notifications when a file or directory is
-# created or moved.
-# Requires the  DDD system to kick-off extra scans.
-# Default: no
-#OnAccessExtraScanning yes
-
-# Set the  mount point to be scanned. The mount point specified, or the mount
-# point containing the specified directory will be watched. If any directories
-# are specified, this option will preempt (disable and ignore all options
-# related to) the DDD system. This option will result in verdicts only.
-# Note that prevention is explicitly disallowed to prevent common, fatal
-# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
-# made on vital system directories)
-# It can be used multiple times.
-# Default: disabled
-#OnAccessMountPath /
-#OnAccessMountPath /home/user
-
-# With this option you can whitelist the root UID (0). Processes run under
-# root with be able to access all files without triggering scans or
-# permission denied events.
-# Note that if clamd cannot check the uid of the process that generated an
-# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
-# the process already exited), clamd will perform a scan.  Thus, setting
-# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
-# root user from triggering a scan (unless OnAccessPrevention is enabled).
-# Default: no
-#OnAccessExcludeRootUID no
-
-# With this option you can whitelist specific UIDs. Processes with these UIDs
-# will be able to access all files without triggering scans or permission
-# denied events.
-# This option can be used multiple times (one per line).
-# Using a value of 0 on any line will disable this option entirely.
-# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
-# option.
-# Also note that if clamd cannot check the uid of the process that generated an
-# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
-# the process already exited), clamd will perform a scan.  Thus, setting
-# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
-# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
-# Default: disabled
-#OnAccessExcludeUID -1
-
-# This option allows exclusions via user names when using the on-access
-# scanning client. It can be used multiple times.
-# It has the same potential race condition limitations of the
-# OnAccessExcludeUID option.
-# Default: disabled
-#OnAccessExcludeUname clamav
-
-# Number of times the OnAccess client will retry a failed scan due to
-# connection problems (or other issues).
-# Default: 0
-#OnAccessRetryAttempts 3
-
-##
-## Bytecode
-##
-
-# With this option enabled ClamAV will load bytecode from the database.
-# It is highly recommended you keep this option on, otherwise you'll miss
-# detections for many new viruses.
-# Default: yes
-#Bytecode yes
-
-# Set bytecode security level.
-# Possible values:
-#   None -      No security at all, meant for debugging.
-#               DO NOT USE THIS ON PRODUCTION SYSTEMS.
-#               This value is only available if clamav was built
-#               with --enable-debug!
-#   TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
-#               runtime safety checks for bytecode loaded from other sources.
-#   Paranoid -  Don't trust any bytecode, insert runtime checks for all.
-# Recommended: TrustSigned, because bytecode in .cvd files already has these
-# checks.
-# Note that by default only signed bytecode is loaded, currently you can only
-# load unsigned bytecode in --enable-debug mode.
-#
-# Default: TrustSigned
-#BytecodeSecurity TrustSigned
-
-# Allow loading bytecode from outside digitally signed .c[lv]d files.
-# **Caution**: You should NEVER run bytecode signatures from untrusted sources.
-# Doing so may result in arbitrary code execution.
-# Default: no
-#BytecodeUnsigned yes
-
-# Set bytecode timeout in milliseconds.
-#
-# Default: 5000
-# BytecodeTimeout 1000
-

clamd.conf.rpmsave

@@ -1,452 +0,0 @@
-##
-## Example config file for the Clam AV daemon
-## Please read the clamd.conf(5) manual before editing this file.
-##
-
-
-# Comment or remove the line below.
-#Example
-
-# Uncomment this option to enable logging.
-# LogFile must be writable for the user running daemon.
-# A full path is required.
-# Default: disabled
-LogFile /var/log/clamav/clamd.log
-
-# By default the log file is locked for writing - the lock protects against
-# running clamd multiple times (if want to run another clamd, please
-# copy the configuration file, change the LogFile variable, and run
-# the daemon with --config-file option).
-# This option disables log file locking.
-# Default: no
-#LogFileUnlock yes
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
-# in bytes just don't use modifiers.
-# Default: 1M
-LogFileMaxSize 0
-
-# Log time with each message.
-# Default: no
-LogTime yes
-
-# Also log clean files. Useful in debugging but drastically increases the
-# log size.
-# Default: no
-LogClean no
-
-# Use system logger (can work together with LogFile).
-# Default: no
-LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-LogFacility LOG_MAIL
-
-# Enable verbose logging.
-# Default: no
-LogVerbose yes
-
-# Log additional information about the infected file, such as its
-# size and hash, together with the virus name.
-ExtendedDetectionInfo yes
-
-# This option allows you to save a process identifier of the listening
-# daemon (main thread).
-# Default: disabled
-PidFile /var/run/clamav/clamd.pid
-
-# Optional path to the global temporary directory.
-# Default: system specific (usually /tmp or /var/tmp).
-TemporaryDirectory /var/tmp
-
-# Path to the database directory.
-# Default: hardcoded (depends on installation options)
-DatabaseDirectory /var/lib/clamav
-
-# Only load the official signatures published by the ClamAV project.
-# Default: no
-#OfficialDatabaseOnly no
-
-# The daemon can work in local mode, network mode or both. 
-# Due to security reasons we recommend the local mode.
-
-# Path to a local socket file the daemon will listen on.
-# Default: disabled (must be specified by a user)
-LocalSocket /var/run/clamav/clamd.sock
-
-# Sets the group ownership on the unix socket.
-# Default: disabled (the primary group of the user running clamd)
-#LocalSocketGroup virusgroup
-
-# Sets the permissions on the unix socket to the specified mode.
-# Default: disabled (socket is world accessible)
-#LocalSocketMode 660
-
-# Remove stale socket after unclean shutdown.
-# Default: yes
-FixStaleSocket yes
-
-# TCP port address.
-# Default: no
-TCPSocket 3310
-
-# TCP address.
-# By default we bind to INADDR_ANY, probably not wise.
-# Enable the following to provide some degree of protection
-# from the outside world.
-# Default: no
-TCPAddr 127.0.0.1
-
-# Maximum length the queue of pending connections may grow to.
-# Default: 200
-MaxConnectionQueueLength 30
-
-# Clamd uses FTP-like protocol to receive data from remote clients.
-# If you are using clamav-milter to balance load between remote clamd daemons
-# on firewall servers you may need to tune the options below.
-
-# Close the connection when the data size limit is exceeded.
-# The value should match your MTA's limit for a maximum attachment size.
-# Default: 25M
-StreamMaxLength 10M
-
-# Limit port range.
-# Default: 1024
-#StreamMinPort 30000
-# Default: 2048
-#StreamMaxPort 32000
-
-# Maximum number of threads running at the same time.
-# Default: 10
-MaxThreads 5
-
-# Waiting for data from a client socket will timeout after this time (seconds).
-# Default: 120
-ReadTimeout 120
-
-# This option specifies the time (in seconds) after which clamd should
-# timeout if a client doesn't provide any initial command after connecting.
-# Default: 5
-CommandReadTimeout 5
-
-# This option specifies how long to wait (in miliseconds) if the send buffer is full.
-# Keep this value low to prevent clamd hanging
-#
-# Default: 500
-SendBufTimeout 200
-
-# Maximum number of queued items (including those being processed by MaxThreads threads)
-# It is recommended to have this value at least twice MaxThreads if possible.
-# WARNING: you shouldn't increase this too much to avoid running out  of file descriptors,
-# the following condition should hold:
-# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
-#
-# Default: 100
-MaxQueue 50
-
-# Waiting for a new job will timeout after this time (seconds).
-# Default: 30
-IdleTimeout 10
-
-# Don't scan files and directories matching regex
-# This directive can be used multiple times
-# Default: scan all
-#ExcludePath ^/proc/
-#ExcludePath ^/sys/
-
-# Maximum depth directories are scanned at.
-# Default: 15
-#MaxDirectoryRecursion 20
-
-# Follow directory symlinks.
-# Default: no
-#FollowDirectorySymlinks yes
-
-# Follow regular file symlinks.
-# Default: no
-#FollowFileSymlinks yes
-
-# Scan files and directories on other filesystems.
-# Default: yes
-CrossFilesystems yes
-
-# Perform a database check.
-# Default: 600 (10 min)
-SelfCheck 43200
-
-# Execute a command when virus is found. In the command string %v will
-# be replaced with the virus name.
-# Default: no
-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
-
-# Run as another user (clamd must be started by root for this option to work)
-# Default: don't drop privileges
-User amavis
-
-# Initialize supplementary group access (clamd must be started by root).
-# Default: no
-#AllowSupplementaryGroups yes
-
-# Stop daemon when libclamav reports out of memory condition.
-ExitOnOOM yes
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Do not remove temporary files (for debug purposes).
-# Default: no
-LeaveTemporaryFiles no
-
-# Detect Possibly Unwanted Applications.
-# Default: no
-DetectPUA yes
-
-# Exclude a specific PUA category. This directive can be used multiple times.
-# See http://www.clamav.net/support/pua for the complete list of PUA
-# categories.
-# Default: Load all categories (if DetectPUA is activated)
-#ExcludePUA NetTool
-#ExcludePUA PWTool
-
-# Only include a specific PUA category. This directive can be used multiple
-# times.
-# Default: Load all categories (if DetectPUA is activated)
-IncludePUA Spy
-IncludePUA Scanner
-IncludePUA RAT
-IncludePUA Packed
-IncludePUA PwTool
-IncludePUA NetTool
-IncludePUA P2P
-IncludePUA IRC
-IncludePUA Tool
-IncludePUA Server
-IncludePUA Script
-
-# In some cases (eg. complex malware, exploits in graphic files, and others),
-# ClamAV uses special algorithms to provide accurate detection. This option
-# controls the algorithmic detection.
-# Default: yes
-AlgorithmicDetection yes
-
-
-##
-## Executable files
-##
-
-# PE stands for Portable Executable - it's an executable file format used
-# in all 32 and 64-bit versions of Windows operating systems. This option allows
-# ClamAV to perform a deeper analysis of executable files and it's also
-# required for decompression of popular executable packers such as UPX, FSG,
-# and Petite.
-# Default: yes
-ScanPE yes
-
-# Executable and Linking Format is a standard format for UN*X executables.
-# This option allows you to control the scanning of ELF files.
-# Default: yes
-ScanELF yes
-
-# With this option clamav will try to detect broken executables (both PE and
-# ELF) and mark them as Broken.Executable.
-# Default: no
-#DetectBrokenExecutables yes
-
-
-##
-## Documents
-##
-
-# This option enables scanning of OLE2 files, such as Microsoft Office
-# documents and .msi files.
-# Default: yes
-ScanOLE2 yes
-
-
-# With this option enabled OLE2 files with VBA macros, which were not
-# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
-# Default: no
-OLE2BlockMacros yes
-
-# This option enables scanning within PDF files.
-# Default: yes
-ScanPDF yes
-
-
-##
-## Mail files
-##
-
-# Enable internal e-mail scanner.
-# Default: yes
-ScanMail yes
-
-# Scan RFC1341 messages split over many emails.
-# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
-# WARNING: This option may open your system to a DoS attack.
-#	   Never use it on loaded servers.
-# Default: no
-ScanPartialMessages no
-
-
-# With this option enabled ClamAV will try to detect phishing attempts by using
-# signatures.
-# Default: yes
-PhishingSignatures yes
-
-# Scan URLs found in mails for phishing attempts using heuristics.
-# Default: yes
-PhishingScanURLs yes
-
-# Always block SSL mismatches in URLs, even if the URL isn't in the database.
-# This can lead to false positives.
-#
-# Default: no
-PhishingAlwaysBlockSSLMismatch no
-
-# Always block cloaked URLs, even if URL isn't in database.
-# This can lead to false positives.
-#
-# Default: no
-PhishingAlwaysBlockCloak no
-
-# Allow heuristic match to take precedence.
-# When enabled, if a heuristic scan (such as phishingScan) detects
-# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
-# scan-time.
-# When disabled, virus/phish detected by heuristic scans will be reported only at
-# the end of a scan. If an archive contains both a heuristically detected
-# virus/phish, and a real malware, the real malware will be reported
-#
-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 
-# differently from "real" malware.
-# If a non-heuristically-detected virus (signature-based) is found first, 
-# the scan is interrupted immediately, regardless of this config option.
-#
-# Default: no
-HeuristicScanPrecedence no
-
-##
-## Data Loss Prevention (DLP)
-##
-
-# Enable the DLP module
-# Default: No
-StructuredDataDetection no
-
-# This option sets the lowest number of Credit Card numbers found in a file
-# to generate a detect.
-# Default: 3
-#StructuredMinCreditCardCount 5
-
-# This option sets the lowest number of Social Security Numbers found
-# in a file to generate a detect.
-# Default: 3
-#StructuredMinSSNCount 5
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxx-yy-zzzz
-# Default: yes
-StructuredSSNFormatNormal no
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxxyyzzzz
-# Default: no
-StructuredSSNFormatStripped no
-
-
-##
-## HTML
-##
-
-# Perform HTML normalisation and decryption of MS Script Encoder code.
-# Default: yes
-ScanHTML yes
-
-
-##
-## Archives
-##
-
-# ClamAV can scan within archives and compressed files.
-# Default: yes
-ScanArchive yes
-
-# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
-# Default: no
-ArchiveBlockEncrypted no
-
-
-##
-## Limits
-##
-
-# The options below protect your system against Denial of Service attacks
-# using archive bombs.
-
-# This option sets the maximum amount of data to be scanned for each input file.
-# Archives and other containers are recursively extracted and scanned up to this
-# value.
-# Value of 0 disables the limit
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 100M
-MaxScanSize 50M
-
-# Files larger than this limit won't be scanned. Affects the input file itself
-# as well as files contained inside it (when the input file is an archive, a
-# document or some other kind of container).
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 25M
-MaxFileSize 30M
-
-# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
-# file, all files within it will also be scanned. This options specifies how
-# deeply the process should be continued.
-# Note: setting this limit too high may result in severe damage to the system.
-# Default: 16
-MaxRecursion 10
-
-# Number of files to be scanned within an archive, a document, or any other
-# container file.
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10000
-#MaxFiles 15000
-
-# With this option enabled ClamAV will load bytecode from the database. 
-# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
-# Default: yes
-Bytecode yes
-
-# Set bytecode security level.
-# Possible values:
-#       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
-#         This value is only available if clamav was built with --enable-debug!
-#       TrustSigned - trust bytecode loaded from signed .c[lv]d files,
-#                insert runtime safety checks for bytecode loaded from other sources
-#       Paranoid - don't trust any bytecode, insert runtime checks for all
-# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
-# Note that by default only signed bytecode is loaded, currently you can only
-# load unsigned bytecode in --enable-debug mode.
-#
-# Default: TrustSigned
-BytecodeSecurity TrustSigned
-
-# Set bytecode timeout in miliseconds.
-# 
-# Default: 5000
-BytecodeTimeout 3000

clamd.d/scan.conf

@@ -283,7 +283,7 @@ User clamscan
 # at the end of a scan. If an archive contains both a heuristically detected
 # virus/phish, and a real malware, the real malware will be reported
 #
-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
+# Keep this disabled if you intend to handle "Heuristics.*" viruses
 # differently from "real" malware.
 # If a non-heuristically-detected virus (signature-based) is found first,
 # the scan is interrupted immediately, regardless of this config option.
@@ -533,7 +533,7 @@ User clamscan
 # file, all files within it will also be scanned. This options specifies how
 # deeply the process should be continued.
 # Note: setting this limit too high may result in severe damage to the system.
-# Default: 16
+# Default: 17
 #MaxRecursion 10
 
 # Number of files to be scanned within an archive, a document, or any other
@@ -639,7 +639,7 @@ User clamscan
 #PCREMaxFileSize 100M
 
 # When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
-# MaxRecursion limit will be flagged with the virus
+# MaxRecursion limit will be flagged with the virus name starting with
 # "Heuristics.Limits.Exceeded".
 # Default: no
 #AlertExceedsMax yes

clamd.d/scan.conf.rpmnew

@@ -1,762 +0,0 @@
-##
-## Example config file for the Clam AV daemon
-## Please read the clamd.conf(5) manual before editing this file.
-##
-
-
-# Comment or remove the line below.
-#Example
-
-# Uncomment this option to enable logging.
-# LogFile must be writable for the user running daemon.
-# A full path is required.
-# Default: disabled
-#LogFile /var/log/clamd.scan
-
-# By default the log file is locked for writing - the lock protects against
-# running clamd multiple times (if want to run another clamd, please
-# copy the configuration file, change the LogFile variable, and run
-# the daemon with --config-file option).
-# This option disables log file locking.
-# Default: no
-#LogFileUnlock yes
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
-# rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-#LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-#LogTime yes
-
-# Also log clean files. Useful in debugging but drastically increases the
-# log size.
-# Default: no
-#LogClean yes
-
-# Use system logger (can work together with LogFile).
-# Default: no
-LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# Enable Prelude output.
-# Default: no
-#PreludeEnable yes
-#
-# Set the name of the analyzer used by prelude-admin.
-# Default: ClamAV
-#PreludeAnalyzerName ClamAV
-
-# Log additional information about the infected file, such as its
-# size and hash, together with the virus name.
-#ExtendedDetectionInfo yes
-
-# This option allows you to save a process identifier of the listening
-# daemon (main thread).
-# Default: disabled
-#PidFile /run/clamd.scan/clamd.pid
-
-# Optional path to the global temporary directory.
-# Default: system specific (usually /tmp or /var/tmp).
-#TemporaryDirectory /var/tmp
-
-# Path to the database directory.
-# Default: hardcoded (depends on installation options)
-#DatabaseDirectory /var/lib/clamav
-
-# Only load the official signatures published by the ClamAV project.
-# Default: no
-#OfficialDatabaseOnly no
-
-# The daemon can work in local mode, network mode or both.
-# Due to security reasons we recommend the local mode.
-
-# Path to a local socket file the daemon will listen on.
-# Default: disabled (must be specified by a user)
-#LocalSocket /run/clamd.scan/clamd.sock
-
-# Sets the group ownership on the unix socket.
-# Default: disabled (the primary group of the user running clamd)
-#LocalSocketGroup virusgroup
-
-# Sets the permissions on the unix socket to the specified mode.
-# Default: disabled (socket is world accessible)
-#LocalSocketMode 660
-
-# Remove stale socket after unclean shutdown.
-# Default: yes
-#FixStaleSocket yes
-
-# TCP port address.
-# Default: no
-#TCPSocket 3310
-
-# TCP address.
-# By default we bind to INADDR_ANY, probably not wise.
-# Enable the following to provide some degree of protection
-# from the outside world. This option can be specified multiple
-# times if you want to listen on multiple IPs. IPv6 is now supported.
-# Default: no
-#TCPAddr 127.0.0.1
-
-# Maximum length the queue of pending connections may grow to.
-# Default: 200
-#MaxConnectionQueueLength 30
-
-# Clamd uses FTP-like protocol to receive data from remote clients.
-# If you are using clamav-milter to balance load between remote clamd daemons
-# on firewall servers you may need to tune the options below.
-
-# Close the connection when the data size limit is exceeded.
-# The value should match your MTA's limit for a maximum attachment size.
-# Default: 25M
-#StreamMaxLength 10M
-
-# Limit port range.
-# Default: 1024
-#StreamMinPort 30000
-# Default: 2048
-#StreamMaxPort 32000
-
-# Maximum number of threads running at the same time.
-# Default: 10
-#MaxThreads 20
-
-# Waiting for data from a client socket will timeout after this time (seconds).
-# Default: 120
-#ReadTimeout 300
-
-# This option specifies the time (in seconds) after which clamd should
-# timeout if a client doesn't provide any initial command after connecting.
-# Default: 30
-#CommandReadTimeout 30
-
-# This option specifies how long to wait (in milliseconds) if the send buffer
-# is full.
-# Keep this value low to prevent clamd hanging.
-#
-# Default: 500
-#SendBufTimeout 200
-
-# Maximum number of queued items (including those being processed by
-# MaxThreads threads).
-# It is recommended to have this value at least twice MaxThreads if possible.
-# WARNING: you shouldn't increase this too much to avoid running out  of file
-# descriptors, the following condition should hold:
-# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
-# max is 1024).
-#
-# Default: 100
-#MaxQueue 200
-
-# Waiting for a new job will timeout after this time (seconds).
-# Default: 30
-#IdleTimeout 60
-
-# Don't scan files and directories matching regex
-# This directive can be used multiple times
-# Default: scan all
-#ExcludePath ^/proc/
-#ExcludePath ^/sys/
-
-# Maximum depth directories are scanned at.
-# Default: 15
-#MaxDirectoryRecursion 20
-
-# Follow directory symlinks.
-# Default: no
-#FollowDirectorySymlinks yes
-
-# Follow regular file symlinks.
-# Default: no
-#FollowFileSymlinks yes
-
-# Scan files and directories on other filesystems.
-# Default: yes
-#CrossFilesystems yes
-
-# Perform a database check.
-# Default: 600 (10 min)
-#SelfCheck 600
-
-# Execute a command when virus is found. In the command string %v will
-# be replaced with the virus name.
-# Default: no
-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
-
-# Run as another user (clamd must be started by root for this option to work)
-# Default: don't drop privileges
-User clamscan
-
-# Stop daemon when libclamav reports out of memory condition.
-#ExitOnOOM yes
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Do not remove temporary files (for debug purposes).
-# Default: no
-#LeaveTemporaryFiles yes
-
-# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
-# any ALLMATCHSCAN command as invalid.
-# Default: yes
-#AllowAllMatchScan no
-
-# Detect Possibly Unwanted Applications.
-# Default: no
-#DetectPUA yes
-
-# Exclude a specific PUA category. This directive can be used multiple times.
-# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
-# the complete list of PUA categories.
-# Default: Load all categories (if DetectPUA is activated)
-#ExcludePUA NetTool
-#ExcludePUA PWTool
-
-# Only include a specific PUA category. This directive can be used multiple
-# times.
-# Default: Load all categories (if DetectPUA is activated)
-#IncludePUA Spy
-#IncludePUA Scanner
-#IncludePUA RAT
-
-# This option causes memory or nested map scans to dump the content to disk.
-# If you turn on this option, more data is written to disk and is available
-# when the LeaveTemporaryFiles option is enabled.
-#ForceToDisk yes
-
-# This option allows you to disable the caching feature of the engine. By
-# default, the engine will store an MD5 in a cache of any files that are
-# not flagged as virus or that hit limits checks. Disabling the cache will
-# have a negative performance impact on large scans.
-# Default: no
-#DisableCache yes
-
-# In some cases (eg. complex malware, exploits in graphic files, and others),
-# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
-# may be malicious.  This option enables alerting on such heuristically
-# detected potential threats.
-# Default: yes
-#HeuristicAlerts yes
-
-# Allow heuristic alerts to take precedence.
-# When enabled, if a heuristic scan (such as phishingScan) detects
-# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
-# scan-time.
-# When disabled, virus/phish detected by heuristic scans will be reported only
-# at the end of a scan. If an archive contains both a heuristically detected
-# virus/phish, and a real malware, the real malware will be reported
-#
-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
-# differently from "real" malware.
-# If a non-heuristically-detected virus (signature-based) is found first,
-# the scan is interrupted immediately, regardless of this config option.
-#
-# Default: no
-#HeuristicScanPrecedence yes
-
-
-##
-## Heuristic Alerts
-##
-
-# With this option clamav will try to detect broken executables (both PE and
-# ELF) and alert on them with the Broken.Executable heuristic signature.
-# Default: no
-#AlertBrokenExecutables yes
-
-# Alert on encrypted archives _and_ documents with heuristic signature
-# (encrypted .zip, .7zip, .rar, .pdf).
-# Default: no
-#AlertEncrypted yes
-
-# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
-# .rar).
-# Default: no
-#AlertEncryptedArchive yes
-
-# Alert on encrypted archives with heuristic signature (encrypted .pdf).
-# Default: no
-#AlertEncryptedDoc yes
-
-# With this option enabled OLE2 files containing VBA macros, which were not
-# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
-# Default: no
-#AlertOLE2Macros yes
-
-# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
-# This can lead to false positives.
-# Default: no
-#AlertPhishingSSLMismatch yes
-
-# Alert on cloaked URLs, even if URL isn't in database.
-# This can lead to false positives.
-# Default: no
-#AlertPhishingCloak yes
-
-# Alert on raw DMG image files containing partition intersections
-# Default: no
-#AlertPartitionIntersection yes
-
-
-##
-## Executable files
-##
-
-# PE stands for Portable Executable - it's an executable file format used
-# in all 32 and 64-bit versions of Windows operating systems. This option
-# allows ClamAV to perform a deeper analysis of executable files and it's also
-# required for decompression of popular executable packers such as UPX, FSG,
-# and Petite. If you turn off this option, the original files will still be
-# scanned, but without additional processing.
-# Default: yes
-#ScanPE yes
-
-# Certain PE files contain an authenticode signature. By default, we check
-# the signature chain in the PE file against a database of trusted and
-# revoked certificates if the file being scanned is marked as a virus.
-# If any certificate in the chain validates against any trusted root, but
-# does not match any revoked certificate, the file is marked as whitelisted.
-# If the file does match a revoked certificate, the file is marked as virus.
-# The following setting completely turns off authenticode verification.
-# Default: no
-#DisableCertCheck yes
-
-# Executable and Linking Format is a standard format for UN*X executables.
-# This option allows you to control the scanning of ELF files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanELF yes
-
-
-##
-## Documents
-##
-
-# This option enables scanning of OLE2 files, such as Microsoft Office
-# documents and .msi files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanOLE2 yes
-
-# This option enables scanning within PDF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanPDF yes
-
-# This option enables scanning within SWF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanSWF yes
-
-# This option enables scanning xml-based document files supported by libclamav.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanXMLDOCS yes
-
-# This option enables scanning of HWP3 files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanHWP3 yes
-
-
-##
-## Mail files
-##
-
-# Enable internal e-mail scanner.
-# If you turn off this option, the original files will still be scanned, but
-# without parsing individual messages/attachments.
-# Default: yes
-#ScanMail yes
-
-# Scan RFC1341 messages split over many emails.
-# You will need to periodically clean up $TemporaryDirectory/clamav-partial
-# directory.
-# WARNING: This option may open your system to a DoS attack.
-#	   Never use it on loaded servers.
-# Default: no
-#ScanPartialMessages yes
-
-# With this option enabled ClamAV will try to detect phishing attempts by using
-# HTML.Phishing and Email.Phishing NDB signatures.
-# Default: yes
-#PhishingSignatures no
-
-# With this option enabled ClamAV will try to detect phishing attempts by
-# analyzing URLs found in emails using WDB and PDB signature databases.
-# Default: yes
-#PhishingScanURLs no
-
-
-##
-## Data Loss Prevention (DLP)
-##
-
-# Enable the DLP module
-# Default: No
-#StructuredDataDetection yes
-
-# This option sets the lowest number of Credit Card numbers found in a file
-# to generate a detect.
-# Default: 3
-#StructuredMinCreditCardCount 5
-
-# This option sets the lowest number of Social Security Numbers found
-# in a file to generate a detect.
-# Default: 3
-#StructuredMinSSNCount 5
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxx-yy-zzzz
-# Default: yes
-#StructuredSSNFormatNormal yes
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxxyyzzzz
-# Default: no
-#StructuredSSNFormatStripped yes
-
-
-##
-## HTML
-##
-
-# Perform HTML normalisation and decryption of MS Script Encoder code.
-# Default: yes
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-#ScanHTML yes
-
-
-##
-## Archives
-##
-
-# ClamAV can scan within archives and compressed files.
-# If you turn off this option, the original files will still be scanned, but
-# without unpacking and additional processing.
-# Default: yes
-#ScanArchive yes
-
-
-##
-## Limits
-##
-
-# The options below protect your system against Denial of Service attacks
-# using archive bombs.
-
-# This option sets the maximum amount of time to a scan may take.
-# In this version, this field only affects the scan time of ZIP archives.
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result allow scanning
-# of certain files to lock up the scanning process/threads resulting in a
-# Denial of Service.
-# Time is in milliseconds.
-# Default: 120000
-#MaxScanTime 300000
-
-# This option sets the maximum amount of data to be scanned for each input
-# file. Archives and other containers are recursively extracted and scanned
-# up to this value.
-# Value of 0 disables the limit
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 100M
-#MaxScanSize 150M
-
-# Files larger than this limit won't be scanned. Affects the input file itself
-# as well as files contained inside it (when the input file is an archive, a
-# document or some other kind of container).
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 25M
-#MaxFileSize 30M
-
-# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
-# file, all files within it will also be scanned. This options specifies how
-# deeply the process should be continued.
-# Note: setting this limit too high may result in severe damage to the system.
-# Default: 16
-#MaxRecursion 10
-
-# Number of files to be scanned within an archive, a document, or any other
-# container file.
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10000
-#MaxFiles 15000
-
-# Maximum size of a file to check for embedded PE. Files larger than this value
-# will skip the additional analysis step.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxEmbeddedPE 10M
-
-# Maximum size of a HTML file to normalize. HTML files larger than this value
-# will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxHTMLNormalize 10M
-
-# Maximum size of a normalized HTML file to scan. HTML files larger than this
-# value after normalization will not be scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 2M
-#MaxHTMLNoTags 2M
-
-# Maximum size of a script file to normalize. Script content larger than this
-# value will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 5M
-#MaxScriptNormalize 5M
-
-# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
-# than this value will skip the step to potentially reanalyze as PE.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 1M
-#MaxZipTypeRcg 1M
-
-# This option sets the maximum number of partitions of a raw disk image to be
-# scanned.
-# Raw disk images with more partitions than this value will have up to
-# the value number partitions scanned. Negative values are not allowed.
-# Note: setting this limit too high may result in severe damage or impact
-# performance.
-# Default: 50
-#MaxPartitions 128
-
-# This option sets the maximum number of icons within a PE to be scanned.
-# PE files with more icons than this value will have up to the value number
-# icons scanned.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may result in severe damage or impact
-# performance.
-# Default: 100
-#MaxIconsPE 200
-
-# This option sets the maximum recursive calls for HWP3 parsing during
-# scanning. HWP3 files using more than this limit will be terminated and
-# alert the user.
-# Scans will be unable to scan any HWP3 attachments if the recursive limit
-# is reached.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may result in severe damage or impact
-# performance.
-# Default: 16
-#MaxRecHWP3 16
-
-# This option sets the maximum calls to the PCRE match function during
-# an instance of regex matching.
-# Instances using more than this limit will be terminated and alert the user
-# but the scan will continue.
-# For more information on match_limit, see the PCRE documentation.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may severely impact performance.
-# Default: 100000
-#PCREMatchLimit 20000
-
-# This option sets the maximum recursive calls to the PCRE match function
-# during an instance of regex matching.
-# Instances using more than this limit will be terminated and alert the user
-# but the scan will continue.
-# For more information on match_limit_recursion, see the PCRE documentation.
-# Negative values are not allowed and values > PCREMatchLimit are superfluous.
-# WARNING: setting this limit too high may severely impact performance.
-# Default: 2000
-#PCRERecMatchLimit 10000
-
-# This option sets the maximum filesize for which PCRE subsigs will be
-# executed. Files exceeding this limit will not have PCRE subsigs executed
-# unless a subsig is encompassed to a smaller buffer.
-# Negative values are not allowed.
-# Setting this value to zero disables the limit.
-# WARNING: setting this limit too high or disabling it may severely impact
-# performance.
-# Default: 25M
-#PCREMaxFileSize 100M
-
-# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
-# MaxRecursion limit will be flagged with the virus
-# "Heuristics.Limits.Exceeded".
-# Default: no
-#AlertExceedsMax yes
-
-##
-## On-access Scan Settings
-##
-
-# Don't scan files larger than OnAccessMaxFileSize
-# Value of 0 disables the limit.
-# Default: 5M
-#OnAccessMaxFileSize 10M
-
-# Max number of scanning threads to allocate to the OnAccess thread pool at
-# startup. These threads are the ones responsible for creating a connection
-# with the daemon and kicking off scanning after an event has been processed.
-# To prevent clamonacc from consuming all clamd's resources keep this lower
-# than clamd's max threads.
-# Default: 5
-#OnAccessMaxThreads 10
-
-# Max amount of time (in milliseconds) that the OnAccess client should spend
-# for every connect, send, and recieve attempt when communicating with clamd
-# via curl.
-# Default: 5000 (5 seconds)
-# OnAccessCurlTimeout 10000
-
-# Toggles dynamic directory determination. Allows for recursively watching
-# include paths.
-# Default: no
-#OnAccessDisableDDD yes
-
-# Set the include paths (all files inside them will be scanned). You can have
-# multiple OnAccessIncludePath directives but each directory must be added
-# in a separate line.
-# Default: disabled
-#OnAccessIncludePath /home
-#OnAccessIncludePath /students
-
-# Set the exclude paths. All subdirectories are also excluded.
-# Default: disabled
-#OnAccessExcludePath /home/user
-
-# Modifies fanotify blocking behaviour when handling permission events.
-# If off, fanotify will only notify if the file scanned is a virus,
-# and not perform any blocking.
-# Default: no
-#OnAccessPrevention yes
-
-# When using prevention, if this option is turned on, any errors that occur
-# during scanning will result in the event attempt being denied. This could
-# potentially lead to unwanted system behaviour with certain configurations,
-# so the client defaults this to off and prefers allowing access events in
-# case of scan or connection error.
-# Default: no
-#OnAccessDenyOnError yes
-
-# Toggles extra scanning and notifications when a file or directory is
-# created or moved.
-# Requires the  DDD system to kick-off extra scans.
-# Default: no
-#OnAccessExtraScanning yes
-
-# Set the  mount point to be scanned. The mount point specified, or the mount
-# point containing the specified directory will be watched. If any directories
-# are specified, this option will preempt (disable and ignore all options
-# related to) the DDD system. This option will result in verdicts only.
-# Note that prevention is explicitly disallowed to prevent common, fatal
-# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
-# made on vital system directories)
-# It can be used multiple times.
-# Default: disabled
-#OnAccessMountPath /
-#OnAccessMountPath /home/user
-
-# With this option you can whitelist the root UID (0). Processes run under
-# root with be able to access all files without triggering scans or
-# permission denied events.
-# Note that if clamd cannot check the uid of the process that generated an
-# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
-# the process already exited), clamd will perform a scan.  Thus, setting
-# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
-# root user from triggering a scan (unless OnAccessPrevention is enabled).
-# Default: no
-#OnAccessExcludeRootUID no
-
-# With this option you can whitelist specific UIDs. Processes with these UIDs
-# will be able to access all files without triggering scans or permission
-# denied events.
-# This option can be used multiple times (one per line).
-# Using a value of 0 on any line will disable this option entirely.
-# To whitelist the root UID (0) please enable the OnAccessExcludeRootUID
-# option.
-# Also note that if clamd cannot check the uid of the process that generated an
-# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
-# the process already exited), clamd will perform a scan.  Thus, setting
-# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
-# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
-# Default: disabled
-#OnAccessExcludeUID -1
-
-# This option allows exclusions via user names when using the on-access
-# scanning client. It can be used multiple times.
-# It has the same potential race condition limitations of the
-# OnAccessExcludeUID option.
-# Default: disabled
-#OnAccessExcludeUname clamav
-
-# Number of times the OnAccess client will retry a failed scan due to
-# connection problems (or other issues).
-# Default: 0
-#OnAccessRetryAttempts 3
-
-##
-## Bytecode
-##
-
-# With this option enabled ClamAV will load bytecode from the database.
-# It is highly recommended you keep this option on, otherwise you'll miss
-# detections for many new viruses.
-# Default: yes
-#Bytecode yes
-
-# Set bytecode security level.
-# Possible values:
-#   None -      No security at all, meant for debugging.
-#               DO NOT USE THIS ON PRODUCTION SYSTEMS.
-#               This value is only available if clamav was built
-#               with --enable-debug!
-#   TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
-#               runtime safety checks for bytecode loaded from other sources.
-#   Paranoid -  Don't trust any bytecode, insert runtime checks for all.
-# Recommended: TrustSigned, because bytecode in .cvd files already has these
-# checks.
-# Note that by default only signed bytecode is loaded, currently you can only
-# load unsigned bytecode in --enable-debug mode.
-#
-# Default: TrustSigned
-#BytecodeSecurity TrustSigned
-
-# Set bytecode timeout in milliseconds.
-#
-# Default: 5000
-# BytecodeTimeout 1000
-

clamd.d/scan.conf.rpmsave

@@ -1,674 +0,0 @@
-##
-## Example config file for the Clam AV daemon
-## Please read the clamd.conf(5) manual before editing this file.
-##
-
-
-# Comment or remove the line below.
-#Example
-
-# Uncomment this option to enable logging.
-# LogFile must be writable for the user running daemon.
-# A full path is required.
-# Default: disabled
-LogFile /var/log/clamd.scan
-
-# By default the log file is locked for writing - the lock protects against
-# running clamd multiple times (if want to run another clamd, please
-# copy the configuration file, change the LogFile variable, and run
-# the daemon with --config-file option).
-# This option disables log file locking.
-# Default: no
-#LogFileUnlock yes
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
-# rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-#LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-LogTime yes
-
-# Also log clean files. Useful in debugging but drastically increases the
-# log size.
-# Default: no
-#LogClean yes
-
-# Use system logger (can work together with LogFile).
-# Default: no
-LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-LogRotate yes
-
-# Log additional information about the infected file, such as its
-# size and hash, together with the virus name.
-ExtendedDetectionInfo yes
-
-# This option allows you to save a process identifier of the listening
-# daemon (main thread).
-# Default: disabled
-PidFile /var/run/clamd.scan/clamd.pid
-
-# Optional path to the global temporary directory.
-# Default: system specific (usually /tmp or /var/tmp).
-TemporaryDirectory /var/tmp
-
-# Path to the database directory.
-# Default: hardcoded (depends on installation options)
-DatabaseDirectory /var/clamav
-
-# Only load the official signatures published by the ClamAV project.
-# Default: no
-#OfficialDatabaseOnly no
-
-# The daemon can work in local mode, network mode or both. 
-# Due to security reasons we recommend the local mode.
-
-# Path to a local socket file the daemon will listen on.
-# Default: disabled (must be specified by a user)
-LocalSocket /var/run/clamav/clamd.sock
-
-# Sets the group ownership on the unix socket.
-# Default: disabled (the primary group of the user running clamd)
-#LocalSocketGroup virusgroup
-
-# Sets the permissions on the unix socket to the specified mode.
-# Default: disabled (socket is world accessible)
-#LocalSocketMode 660
-
-# Remove stale socket after unclean shutdown.
-# Default: yes
-#FixStaleSocket yes
-
-# TCP port address.
-# Default: no
-#TCPSocket 3310
-
-# TCP address.
-# By default we bind to INADDR_ANY, probably not wise.
-# Enable the following to provide some degree of protection
-# from the outside world. This option can be specified multiple
-# times if you want to listen on multiple IPs. IPv6 is now supported.
-# Default: no
-#TCPAddr 127.0.0.1
-
-# Maximum length the queue of pending connections may grow to.
-# Default: 200
-#MaxConnectionQueueLength 30
-
-# Clamd uses FTP-like protocol to receive data from remote clients.
-# If you are using clamav-milter to balance load between remote clamd daemons
-# on firewall servers you may need to tune the options below.
-
-# Close the connection when the data size limit is exceeded.
-# The value should match your MTA's limit for a maximum attachment size.
-# Default: 25M
-#StreamMaxLength 10M
-
-# Limit port range.
-# Default: 1024
-#StreamMinPort 30000
-# Default: 2048
-#StreamMaxPort 32000
-
-# Maximum number of threads running at the same time.
-# Default: 10
-#MaxThreads 20
-
-# Waiting for data from a client socket will timeout after this time (seconds).
-# Default: 120
-#ReadTimeout 300
-
-# This option specifies the time (in seconds) after which clamd should
-# timeout if a client doesn't provide any initial command after connecting.
-# Default: 5
-#CommandReadTimeout 5
-
-# This option specifies how long to wait (in miliseconds) if the send buffer is full.
-# Keep this value low to prevent clamd hanging
-#
-# Default: 500
-#SendBufTimeout 200
-
-# Maximum number of queued items (including those being processed by MaxThreads threads)
-# It is recommended to have this value at least twice MaxThreads if possible.
-# WARNING: you shouldn't increase this too much to avoid running out  of file descriptors,
-# the following condition should hold:
-# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
-#
-# Default: 100
-#MaxQueue 200
-
-# Waiting for a new job will timeout after this time (seconds).
-# Default: 30
-#IdleTimeout 60
-
-# Don't scan files and directories matching regex
-# This directive can be used multiple times
-# Default: scan all
-#ExcludePath ^/proc/
-#ExcludePath ^/sys/
-
-# Maximum depth directories are scanned at.
-# Default: 15
-#MaxDirectoryRecursion 20
-
-# Follow directory symlinks.
-# Default: no
-#FollowDirectorySymlinks yes
-
-# Follow regular file symlinks.
-# Default: no
-#FollowFileSymlinks yes
-
-# Scan files and directories on other filesystems.
-# Default: yes
-#CrossFilesystems yes
-
-# Perform a database check.
-# Default: 600 (10 min)
-#SelfCheck 600
-
-# Execute a command when virus is found. In the command string %v will
-# be replaced with the virus name.
-# Default: no
-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
-
-# Run as another user (clamd must be started by root for this option to work)
-# Default: don't drop privileges
-User amavis
-
-# Initialize supplementary group access (clamd must be started by root).
-# Default: no
-AllowSupplementaryGroups yes
-
-# Stop daemon when libclamav reports out of memory condition.
-#ExitOnOOM yes
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Do not remove temporary files (for debug purposes).
-# Default: no
-#LeaveTemporaryFiles yes
-
-# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
-# any ALLMATCHSCAN command as invalid.
-# Default: yes
-#AllowAllMatchScan no
-
-# Detect Possibly Unwanted Applications.
-# Default: no
-#DetectPUA yes
-
-# Exclude a specific PUA category. This directive can be used multiple times.
-# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for 
-# the complete list of PUA categories.
-# Default: Load all categories (if DetectPUA is activated)
-#ExcludePUA NetTool
-#ExcludePUA PWTool
-
-# Only include a specific PUA category. This directive can be used multiple
-# times.
-# Default: Load all categories (if DetectPUA is activated)
-#IncludePUA Spy
-#IncludePUA Scanner
-#IncludePUA RAT
-
-# In some cases (eg. complex malware, exploits in graphic files, and others),
-# ClamAV uses special algorithms to provide accurate detection. This option
-# controls the algorithmic detection.
-# Default: yes
-#AlgorithmicDetection yes
-
-# This option causes memory or nested map scans to dump the content to disk.
-# If you turn on this option, more data is written to disk and is available
-# when the LeaveTemporaryFiles option is enabled.
-#ForceToDisk yes
-
-# This option allows you to disable the caching feature of the engine. By
-# default, the engine will store an MD5 in a cache of any files that are
-# not flagged as virus or that hit limits checks. Disabling the cache will
-# have a negative performance impact on large scans.
-# Default: no
-#DisableCache yes
-
-##
-## Executable files
-##
-
-# PE stands for Portable Executable - it's an executable file format used
-# in all 32 and 64-bit versions of Windows operating systems. This option allows
-# ClamAV to perform a deeper analysis of executable files and it's also
-# required for decompression of popular executable packers such as UPX, FSG,
-# and Petite. If you turn off this option, the original files will still be
-# scanned, but without additional processing.
-# Default: yes
-#ScanPE yes
-
-# Certain PE files contain an authenticode signature. By default, we check
-# the signature chain in the PE file against a database of trusted and
-# revoked certificates if the file being scanned is marked as a virus.
-# If any certificate in the chain validates against any trusted root, but
-# does not match any revoked certificate, the file is marked as whitelisted.
-# If the file does match a revoked certificate, the file is marked as virus.
-# The following setting completely turns off authenticode verification.
-# Default: no
-#DisableCertCheck yes
-
-# Executable and Linking Format is a standard format for UN*X executables.
-# This option allows you to control the scanning of ELF files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanELF yes
-
-# With this option clamav will try to detect broken executables (both PE and
-# ELF) and mark them as Broken.Executable.
-# Default: no
-#DetectBrokenExecutables yes
-
-
-##
-## Documents
-##
-
-# This option enables scanning of OLE2 files, such as Microsoft Office
-# documents and .msi files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanOLE2 yes
-
-# With this option enabled OLE2 files with VBA macros, which were not
-# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
-# Default: no
-#OLE2BlockMacros no
-
-# This option enables scanning within PDF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanPDF yes
-
-# This option enables scanning within SWF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanSWF yes
-
-# This option enables scanning xml-based document files supported by libclamav.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanXMLDOCS yes
-
-# This option enables scanning of HWP3 files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanHWP3 yes
-
-
-##
-## Mail files
-##
-
-# Enable internal e-mail scanner.
-# If you turn off this option, the original files will still be scanned, but
-# without parsing individual messages/attachments.
-# Default: yes
-#ScanMail yes
-
-# Scan RFC1341 messages split over many emails.
-# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
-# WARNING: This option may open your system to a DoS attack.
-#	   Never use it on loaded servers.
-# Default: no
-#ScanPartialMessages yes
-
-# With this option enabled ClamAV will try to detect phishing attempts by using
-# signatures.
-# Default: yes
-#PhishingSignatures yes
-
-# Scan URLs found in mails for phishing attempts using heuristics.
-# Default: yes
-#PhishingScanURLs yes
-
-# Always block SSL mismatches in URLs, even if the URL isn't in the database.
-# This can lead to false positives.
-#
-# Default: no
-#PhishingAlwaysBlockSSLMismatch no
-
-# Always block cloaked URLs, even if URL isn't in database.
-# This can lead to false positives.
-#
-# Default: no
-#PhishingAlwaysBlockCloak no
-
-# Detect partition intersections in raw disk images using heuristics.
-# Default: no
-#PartitionIntersection no
-
-# Allow heuristic match to take precedence.
-# When enabled, if a heuristic scan (such as phishingScan) detects
-# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
-# scan-time.
-# When disabled, virus/phish detected by heuristic scans will be reported only at
-# the end of a scan. If an archive contains both a heuristically detected
-# virus/phish, and a real malware, the real malware will be reported
-#
-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 
-# differently from "real" malware.
-# If a non-heuristically-detected virus (signature-based) is found first, 
-# the scan is interrupted immediately, regardless of this config option.
-#
-# Default: no
-#HeuristicScanPrecedence yes
-
-
-##
-## Data Loss Prevention (DLP)
-##
-
-# Enable the DLP module
-# Default: No
-#StructuredDataDetection yes
-
-# This option sets the lowest number of Credit Card numbers found in a file
-# to generate a detect.
-# Default: 3
-#StructuredMinCreditCardCount 5
-
-# This option sets the lowest number of Social Security Numbers found
-# in a file to generate a detect.
-# Default: 3
-#StructuredMinSSNCount 5
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxx-yy-zzzz
-# Default: yes
-#StructuredSSNFormatNormal yes
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxxyyzzzz
-# Default: no
-#StructuredSSNFormatStripped yes
-
-
-##
-## HTML
-##
-
-# Perform HTML normalisation and decryption of MS Script Encoder code.
-# Default: yes
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-#ScanHTML yes
-
-
-##
-## Archives
-##
-
-# ClamAV can scan within archives and compressed files.
-# If you turn off this option, the original files will still be scanned, but
-# without unpacking and additional processing.
-# Default: yes
-#ScanArchive yes
-
-# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
-# Default: no
-#ArchiveBlockEncrypted no
-
-
-##
-## Limits
-##
-
-# The options below protect your system against Denial of Service attacks
-# using archive bombs.
-
-# This option sets the maximum amount of data to be scanned for each input file.
-# Archives and other containers are recursively extracted and scanned up to this
-# value.
-# Value of 0 disables the limit
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 100M
-#MaxScanSize 150M
-
-# Files larger than this limit won't be scanned. Affects the input file itself
-# as well as files contained inside it (when the input file is an archive, a
-# document or some other kind of container).
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 25M
-#MaxFileSize 30M
-
-# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
-# file, all files within it will also be scanned. This options specifies how
-# deeply the process should be continued.
-# Note: setting this limit too high may result in severe damage to the system.
-# Default: 16
-#MaxRecursion 10
-
-# Number of files to be scanned within an archive, a document, or any other
-# container file.
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10000
-#MaxFiles 15000
-
-# Maximum size of a file to check for embedded PE. Files larger than this value
-# will skip the additional analysis step.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxEmbeddedPE 10M
-
-# Maximum size of a HTML file to normalize. HTML files larger than this value
-# will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxHTMLNormalize 10M
-
-# Maximum size of a normalized HTML file to scan. HTML files larger than this
-# value after normalization will not be scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 2M
-#MaxHTMLNoTags 2M
-
-# Maximum size of a script file to normalize. Script content larger than this
-# value will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 5M
-#MaxScriptNormalize 5M
-
-# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
-# than this value will skip the step to potentially reanalyze as PE.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 1M
-#MaxZipTypeRcg 1M
-
-# This option sets the maximum number of partitions of a raw disk image to be scanned.
-# Raw disk images with more partitions than this value will have up to the value number
-# partitions scanned. Negative values are not allowed.
-# Note: setting this limit too high may result in severe damage or impact performance.
-# Default: 50
-#MaxPartitions 128
-
-# This option sets the maximum number of icons within a PE to be scanned.
-# PE files with more icons than this value will have up to the value number icons scanned.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may result in severe damage or impact performance.
-# Default: 100
-#MaxIconsPE 200
-
-# This option sets the maximum recursive calls for HWP3 parsing during scanning.
-# HWP3 files using more than this limit will be terminated and alert the user.
-# Scans will be unable to scan any HWP3 attachments if the recursive limit is reached.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may result in severe damage or impact performance.
-# Default: 16
-#MaxRecHWP3 16
-
-# This option sets the maximum calls to the PCRE match function during an instance of regex matching.
-# Instances using more than this limit will be terminated and alert the user but the scan will continue.
-# For more information on match_limit, see the PCRE documentation.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may severely impact performance.
-# Default: 10000
-#PCREMatchLimit 20000
-
-# This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching.
-# Instances using more than this limit will be terminated and alert the user but the scan will continue.
-# For more information on match_limit_recursion, see the PCRE documentation.
-# Negative values are not allowed and values > PCREMatchLimit are superfluous.
-# WARNING: setting this limit too high may severely impact performance.
-# Default: 5000
-#PCRERecMatchLimit 10000
-
-# This option sets the maximum filesize for which PCRE subsigs will be executed.
-# Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer.
-# Negative values are not allowed.
-# Setting this value to zero disables the limit.
-# WARNING: setting this limit too high or disabling it may severely impact performance.
-# Default: 25M
-#PCREMaxFileSize 100M
-
-
-##
-## On-access Scan Settings
-##
-
-# Enable on-access scanning. Currently, this is supported via fanotify.
-# Clamuko/Dazuko support has been deprecated.
-# Default: no
-#ScanOnAccess yes
-
-# Set the  mount point to be scanned. The mount point specified, or the mount point 
-# containing the specified directory will be watched. If any directories are specified, 
-# this option will preempt the DDD system. This will notify only. It can be used multiple times.
-# (On-access scan only)
-# Default: disabled
-#OnAccessMountPath /
-#OnAccessMountPath /home/user
-
-# Don't scan files larger than OnAccessMaxFileSize
-# Value of 0 disables the limit.
-# Default: 5M
-#OnAccessMaxFileSize 10M
-
-# Set the include paths (all files inside them will be scanned). You can have
-# multiple OnAccessIncludePath directives but each directory must be added
-# in a separate line. (On-access scan only)
-# Default: disabled
-#OnAccessIncludePath /home
-#OnAccessIncludePath /students
-
-# Set the exclude paths. All subdirectories are also excluded.
-# (On-access scan only)
-# Default: disabled
-#OnAccessExcludePath /home/bofh
-
-# With this option you can whitelist specific UIDs. Processes with these UIDs
-# will be able to access all files.
-# This option can be used multiple times (one per line).
-# Default: disabled
-#OnAccessExcludeUID 0
-
-# Toggles dynamic directory determination. Allows for recursively watching include paths.
-# (On-access scan only)
-# Default: no
-#OnAccessDisableDDD yes
-
-# Modifies fanotify blocking behaviour when handling permission events.
-# If off, fanotify will only notify if the file scanned is a virus,
-# and not perform any blocking.
-# (On-access scan only)
-# Default: no
-#OnAccessPrevention yes
-
-# Toggles extra scanning and notifications when a file or directory is created or moved.
-# Requires the  DDD system to kick-off extra scans.
-# (On-access scan only)
-# Default: no
-#OnAccessExtraScanning yes
-
-##
-## Bytecode
-##
-
-# With this option enabled ClamAV will load bytecode from the database. 
-# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
-# Default: yes
-#Bytecode yes
-
-# Set bytecode security level.
-# Possible values:
-#       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
-#         This value is only available if clamav was built with --enable-debug!
-#       TrustSigned - trust bytecode loaded from signed .c[lv]d files,
-#                insert runtime safety checks for bytecode loaded from other sources
-#       Paranoid - don't trust any bytecode, insert runtime checks for all
-# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
-# Note that by default only signed bytecode is loaded, currently you can only
-# load unsigned bytecode in --enable-debug mode.
-#
-# Default: TrustSigned
-#BytecodeSecurity TrustSigned
-
-# Set bytecode timeout in miliseconds.
-# 
-# Default: 5000
-# BytecodeTimeout 1000
-
-##
-## Statistics gathering and submitting
-##
-
-# Enable statistical reporting.
-# Default: no
-#StatsEnabled yes
-
-# Disable submission of individual PE sections for files flagged as malware.
-# Default: no
-#StatsPEDisabled yes
-
-# HostID in the form of an UUID to use when submitting statistical information.
-# Default: auto
-#StatsHostID auto
-
-# Time in seconds to wait for the stats server to come back with a response
-# Default: 10
-#StatsTimeout 10

cloud/cloud.cfg.rpmsave

@@ -1,69 +0,0 @@
-users:
- - default
-
-disable_root: 1
-ssh_pwauth:   0
-
-mount_default_fields: [~, ~, 'auto', 'defaults,nofail,x-systemd.requires=cloud-init.service', '0', '2']
-resize_rootfs_tmp: /dev
-ssh_deletekeys:   0
-ssh_genkeytypes:  ~
-syslog_fix_perms: ~
-disable_vmware_customization: false
-
-cloud_init_modules:
- - disk_setup
- - migrator
- - bootcmd
- - write-files
- - growpart
- - resizefs
- - set_hostname
- - update_hostname
- - update_etc_hosts
- - rsyslog
- - users-groups
- - ssh
-
-cloud_config_modules:
- - mounts
- - locale
- - set-passwords
- - rh_subscription
- - yum-add-repo
- - package-update-upgrade-install
- - timezone
- - puppet
- - chef
- - salt-minion
- - mcollective
- - disable-ec2-metadata
- - runcmd
-
-cloud_final_modules:
- - rightscale_userdata
- - scripts-per-once
- - scripts-per-boot
- - scripts-per-instance
- - scripts-user
- - ssh-authkey-fingerprints
- - keys-to-console
- - phone-home
- - final-message
- - power-state-change
-
-system_info:
-  default_user:
-    name: centos
-    lock_passwd: true
-    gecos: Cloud User
-    groups: [adm, systemd-journal]
-    sudo: ["ALL=(ALL) NOPASSWD:ALL"]
-    shell: /bin/bash
-  distro: rhel
-  paths:
-    cloud_dir: /var/lib/cloud
-    templates_dir: /etc/cloud/templates
-  ssh_svcname: sshd
-
-# vim:syntax=yaml

containerd/config.toml

@@ -1,4 +1,4 @@
-#   Copyright 2018-2020 Docker Inc.
+#   Copyright 2018-2022 Docker Inc.
 
 #   Licensed under the Apache License, Version 2.0 (the "License");
 #   you may not use this file except in compliance with the License.

cron.d/clamav-unofficial-sigs

@@ -26,6 +26,6 @@
 # 60 - 600 seconds.  To Adjust the cron values, edit your configs and run
 # bash clamav-unofficial-sigs.sh --install-cron to generate a new file.
 MAILTO=root
-1 0 * * *  amavis [ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh --force && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh --update && sudo systemctl restart clamd
+1 0 * * * root cronitor exec no4Ch4 "[ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh --force && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh --update && chown amavis:amavis /etc/clamd.d/ -R && chown amavis:amavis /etc/clamd.conf && sudo systemctl restart clamd"
 # https://eXtremeSHOK.com ######################################################
 

cron.d/csf_update

@@ -1,2 +1,2 @@
 SHELL=/bin/sh
-7 20 * * * root /usr/sbin/csf -u
+7 20 * * * root cronitor exec V8JpWv /usr/sbin/csf -u

cron.d/lfd-cron

@@ -1,2 +1,2 @@
 SHELL=/bin/sh
-0 0 * * * root /usr/sbin/csf --lfd restart > /dev/null 2>&1
+0 0 * * * root cronitor exec 9v9pQX /usr/sbin/csf --lfd restart > /dev/null 2>&1

cron.d/maldet_pub

@@ -1 +1 @@
-*/5 * * * * root /usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1
+*/5 * * * * root cronitor exec okp04n /usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1

cron.daily/aide

@@ -1 +0,0 @@
-18 01 * * *		/usr/bin/perl	/opt/aide.pl

cron.daily/csget

@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 ###############################################################################
-# Copyright 2006-2020, Way to the Web Limited
+# Copyright 2006-2023, Way to the Web Limited
 # URL: http://www.configserver.com
 # Email: sales@waytotheweb.com
 ###############################################################################

cron.daily/maldet

@@ -88,8 +88,8 @@ elif [ "$cron_daily_scan" == "1" ]; then
 	elif [ -d "/var/customers/webs" ]; then
 		# froxlor
 		$inspath/maldet -b -r /var/customers/webs/ $scan_days >> /dev/null 2>&1
-        elif [ -d "/usr/local/vesta" ]; then
-                # VestaCP
+        elif [ -d "/usr/local/vesta" ] || [ -d "/usr/local/hestia" ]; then
+                # VestaCP or HestiaCP
                 $inspath/maldet -b -r /home/?/web/?/public_html/,/home/?/web/?/public_shtml/,/home/?/tmp/,/home/?/web/?/private/ $scan_days >> /dev/null 2>&1
         elif [ -d "/usr/share/dtc" ]; then
                 # DTC
@@ -99,7 +99,7 @@ elif [ "$cron_daily_scan" == "1" ]; then
                 $inspath/maldet -b -r ${conf_hosting_path:-/var/www/sites}/?/?/subdomains/?/html/ $scan_days >> /dev/null 2>&1
 	else
 		# cpanel, interworx and other standard home/user/public_html setups
-	        $inspath/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ $scan_days >> /dev/null 2>&1
+	        $inspath/maldet -b -r /home?/?/public_html/,/var/www/,/usr/local/apache/htdocs/ $scan_days >> /dev/null 2>&1
 	fi
 fi
 

cron.daily/netdata-updater

@@ -0,0 +1 @@
+/usr/libexec/netdata/netdata-updater.sh

cron.monthly/aide

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+/usr/bin/perl	/opt/aide.pl
+

cronitor/cronitor.json

@@ -0,0 +1,7 @@
+{
+    "CRONITOR_API_KEY": "a580c8932f144886b56140690063b52b",
+    "CRONITOR_PING_API_KEY": "",
+    "CRONITOR_HOSTNAME": "",
+    "CRONITOR_LOG": "",
+    "CRONITOR_ENV": ""
+}

crowdsec/collections/apache2.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/collections/crowdsecurity/apache2.yaml

crowdsec/collections/base-http-scenarios.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/collections/crowdsecurity/base-http-scenarios.yaml

crowdsec/collections/http-cve.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/collections/crowdsecurity/http-cve.yaml

crowdsec/collections/linux.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/collections/crowdsecurity/linux.yaml

crowdsec/collections/mysql.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/collections/crowdsecurity/mysql.yaml

crowdsec/collections/nginx.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/collections/crowdsecurity/nginx.yaml

crowdsec/collections/sshd.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/collections/crowdsecurity/sshd.yaml

crowdsec/parsers/s00-raw/syslog-logs.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/parsers/s00-raw/crowdsecurity/syslog-logs.yaml

crowdsec/parsers/s01-parse/apache2-logs.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/apache2-logs.yaml

crowdsec/parsers/s01-parse/mysql-logs.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/mysql-logs.yaml

crowdsec/parsers/s01-parse/nginx-logs.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/nginx-logs.yaml

crowdsec/parsers/s01-parse/sshd-logs.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/parsers/s01-parse/crowdsecurity/sshd-logs.yaml

crowdsec/parsers/s02-enrich/dateparse-enrich.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/dateparse-enrich.yaml

crowdsec/parsers/s02-enrich/geoip-enrich.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml

crowdsec/parsers/s02-enrich/http-logs.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/http-logs.yaml

crowdsec/parsers/s02-enrich/whitelists.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/whitelists.yaml

crowdsec/scenarios/CVE-2019-18935.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/scenarios/crowdsecurity/CVE-2019-18935.yaml

crowdsec/scenarios/CVE-2022-26134.yaml

@@ -0,0 +1 @@
+/etc/crowdsec/hub/scenarios/crowdsecurity/CVE-2022-26134.yaml