Linux Security unable to perform on-access scanning on private temporary files in systemd

Katriina_M, Moderator

Symptoms

All Linux distributions are transitioning to systemd. Out of the box, systemd services make use of namespaces to contain their temporary files. For example,

/usr/lib/systemd/system/httpd.service

specifies

PrivateTmp=true

As an unintended consequence of this setting, all file access by the httpd service bypasses Fanotify altogether, exposing the service and the whole system to undetected malware.

Diagnosis

F-Secure Linux Security introduces support for the newest Linux distributions through the Linux kernel's Fanotify facility. Fanotify makes it possible to implement on-access malware scanning entirely in user space.

Fanotify was originally added to the Linux kernel for malware scanning and similar purposes. Unfortunately, another modern Linux kernel feature, namespaces, is in conflict with it at the moment. Namespaces are used for various purposes, such as containers and service isolation.

Solution

For F-Secure Linux Security to perform on-access scanning, it is imperative that the system services disable the PrivateTmp feature:

  1. Change the PrivateTmp setting to PrivateTmp=false.
  2. Reload the (HTTP) service with the commands:
     systemctl daemon-reload
     systemctl reload httpd
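As an added example (not part of the original article or of F-Secure's own tooling), the POSIX shell functions below audit which unit files turn PrivateTmp on and write a systemd drop-in override for a unit instead of editing the vendor file, which a package update would overwrite; the function names and the directory arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit which systemd units
# enable PrivateTmp, and write a drop-in override that disables it instead of
# editing the vendor file under /usr/lib/systemd/system, which a package
# update would overwrite. Paths are parameters so it can be exercised on a
# scratch directory; on a real host use /etc/systemd/system as the override root.

# Print the names of *.service files in DIR that set PrivateTmp on
# (systemd accepts true/yes/on/1 as boolean "on" values).
units_with_private_tmp() {
    dir=$1
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        if grep -Eiq '^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*(true|yes|on|1)[[:space:]]*$' "$unit"; then
            basename "$unit"
        fi
    done
}

# Write ROOT/UNIT.d/override.conf so systemd merges PrivateTmp=false over the
# vendor unit file. Prints the override path.
write_private_tmp_override() {
    unit=$1
    root=$2
    d="$root/$unit.d"
    mkdir -p "$d"
    printf '[Service]\nPrivateTmp=false\n' > "$d/override.conf"
    echo "$d/override.conf"
}

# Interpret the line printed by `systemctl show UNIT -p PrivateTmp`: returns 0
# when the loaded unit has no private /tmp (on-access scanning covers it).
private_tmp_disabled() {
    case $1 in
        PrivateTmp=no) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on constructed unit files in a scratch directory.
demo() {
    tmp=$(mktemp -d)
    printf '[Service]\nExecStart=/usr/sbin/httpd\nPrivateTmp=true\n' > "$tmp/httpd.service"
    printf '[Service]\nExecStart=/usr/sbin/sshd\n' > "$tmp/sshd.service"
    units_with_private_tmp "$tmp"            # prints httpd.service
    cat "$(write_private_tmp_override httpd.service "$tmp/overrides")"
    rm -rf "$tmp"
}
demo
```

On a live host pass /etc/systemd/system as the override root, then apply the reload steps above and confirm the loaded unit with `systemctl show httpd -p PrivateTmp`, which prints PrivateTmp=no; the running service process only picks the change up once it is started again under the new unit configuration.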