F-Secure Linux Security 9.13 interoperability with Computer Associates Access Control (CAAC)
To securely implement on-access scanning of files, F-Secure Linux Security requires full access to read, write and create files at all file system locations it is configured to monitor. If access to files is unexpectedly prevented, on-access scanning is not able to work properly. That can cause drastically reduced I/O performance and make the system unstable.
Additionally, the Dazuko on-access scanning module may conflict with other kernel modules or other programs doing Linux system call hooking.
Computer Associates Access Control (CAAC) is one product known to conflict with Linux Security, unless both CAAC and Linux Security are configured properly.
Installing CAAC and Linux Security:
To run Linux Security with CAAC, LS must be configured to use the alternative RedirFS-based on-access scanning method. This feature is available starting from LS 9.13, for CAAC interoperability only, and is not recommended for any other purpose.
Linux Security can be configured to use RedirFS instead of Dazuko by adding "hooker=redirfs" to the installer options, for example:
# ./f-secure-Linux-9.13.1893 --auto hooker=redirfs
Installing LS with CAAC
To enable F-Secure Linux Security and CAAC to work without conflict, some specific steps need to be taken before and after installing or upgrading Linux Security. Care must be taken to prevent CAAC from disturbing installation and operation of Linux Security.
These instructions assume that CAAC endpoint software has already been installed, and that you have the privileges needed to configure the CAAC endpoint locally. The commands must be run as root.
1. Turn off CAAC.
# /opt/CA/AccessControl/bin/secons -S
2. Install or upgrade F-Secure Linux Security by running the installer. The "hooker=redirfs" option must always be used to enable RedirFS, both when installing and upgrading.
3. Make sure the "dazuko" module is not loaded, and that "redirfs" and "avflt" are.
4. Turn off Linux Security.
# /etc/init.d/fsma stop
5. Turn on CAAC.
6. Apply CAAC rules needed for proper operation of LS. The following example grants Linux Security processes full privileges.
If you are upgrading Linux Security from an earlier version, and the following rules have already been added during the previous installation, entering them again is not necessary, and you may skip this step. If you are unsure of what to do, entering them again does no harm.
Start the CAAC command line interpreter and enter the following commands:
er SPECIALPGM ("/opt/f-secure/fssp/sbin/fsavd") pgmtype(fullbypass propagate)
er SPECIALPGM ("/opt/f-secure/fsav/libexec/fsoasd_bh") pgmtype(fullbypass propagate)
er SPECIALPGM ("/opt/f-secure/fsav/libexec/fsoasd_th") pgmtype(fullbypass propagate)
er SPECIALPGM ("/opt/f-secure/fsav/bin/fstatusd") pgmtype(fullbypass propagate)
er SPECIALPGM ("/opt/f-secure/fsav/java/bin/java") pgmtype(fullbypass propagate)
er SPECIALPGM ("/opt/f-secure/common/postgresql/bin/postmaster") pgmtype(fullbypass propagate)
er SPECIALPGM ("/opt/f-secure/fsaua/bin/fsaua") pgmtype(fullbypass propagate)
er SPECIALPGM ("/opt/f-secure/fssp/libexec/fsupdated") pgmtype(fullbypass propagate)
er SPECIALPGM ("/opt/f-secure/fsma/bin/fvch") pgmtype(fullbypass propagate)
er SPECIALPGM ("/opt/f-secure/fsav/libexec/fsadhd") pgmtype(fullbypass propagate)
er SPECIALPGM ("/opt/f-secure/fsma/bin/fsmapipe") pgmtype(fullbypass propagate)
Exit the CAAC command line interpreter with the command "exit".
7. Start Linux Security.
# /etc/init.d/fsma start
8. Verify that the "redirfs" and "avflt" modules are loaded.
9. Verify that Linux Security on-access scanning works on your non-root file systems, e.g. using the EICAR test file. You can also check /sys/fs/redirfs/avflt/paths, which contains the on-access scanning module's low-level path configuration, and look for the mount points of your external file systems there.
- On-access scanning of network file systems (such as CIFS or NFS) is not supported when using RedirFS.
- If less usual mount options such as --bind or --move are used, unmounting the file system later may fail. In that case, the workaround is to stop Linux Security and restart it after the unmount.
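The procedure above, wrapped into a shell script (an added example, not F-Secure's or CA's own code). It assumes that CAAC is started with "seload" and that its command line interpreter is "selang", both under /opt/CA/AccessControl/bin, and that selang accepts rules on standard input; the page names none of these. The module check for steps 3 and 8 parses lsmod output, the rule generator for step 6 emits the SPECIALPGM list so it can be reviewed before loading, and the step 9 helpers cover the EICAR test and the /sys/fs/redirfs/avflt/paths check. Nothing touches the system unless the script is invoked with --run.

```shell
#!/bin/sh
# Added example, not F-Secure's or CA's own tooling. Wraps the nine-step
# procedure into functions whose checks can be exercised offline.
# Assumptions (not stated on the page): CAAC is started with "seload" and its
# command line interpreter is "selang", both under /opt/CA/AccessControl/bin,
# and selang accepts rules on standard input.
set -eu

CAAC_BIN=${CAAC_BIN:-/opt/CA/AccessControl/bin}
FSMA_INIT=${FSMA_INIT:-/etc/init.d/fsma}
LS_INSTALLER=${LS_INSTALLER:-./f-secure-Linux-9.13.1893}

# Linux Security processes that need a fullbypass SPECIALPGM rule (step 6).
LS_PROGRAMS="
/opt/f-secure/fssp/sbin/fsavd
/opt/f-secure/fsav/libexec/fsoasd_bh
/opt/f-secure/fsav/libexec/fsoasd_th
/opt/f-secure/fsav/bin/fstatusd
/opt/f-secure/fsav/java/bin/java
/opt/f-secure/common/postgresql/bin/postmaster
/opt/f-secure/fsaua/bin/fsaua
/opt/f-secure/fssp/libexec/fsupdated
/opt/f-secure/fsma/bin/fvch
/opt/f-secure/fsav/libexec/fsadhd
/opt/f-secure/fsma/bin/fsmapipe
"

# True when module $1 appears as a whole line in the list $2.
module_listed() { printf '%s\n' "$2" | grep -qx -- "$1"; }

# Steps 3 and 8: read "lsmod" output on stdin; succeed only when redirfs and
# avflt are loaded and dazuko is not. A loaded dazuko means the installer was
# run without hooker=redirfs.
check_hooker_modules() {
    mods=$(awk 'NR > 1 { print $1 }')   # first column, header line skipped
    if module_listed dazuko "$mods"; then
        echo "dazuko is loaded: rerun the installer with hooker=redirfs" >&2
        return 1
    fi
    for m in redirfs avflt; do
        module_listed "$m" "$mods" || { echo "$m is not loaded" >&2; return 1; }
    done
}

# Step 6: emit the SPECIALPGM rules as a selang script, so they can be
# reviewed (or compared with the rules of a previous install) before loading.
selang_rules() {
    for p in $LS_PROGRAMS; do
        printf 'er SPECIALPGM ("%s") pgmtype(fullbypass propagate)\n' "$p"
    done
}

# Step 9: does the avflt low-level path list mention mount point $1?
avflt_path_listed() {
    grep -q -- "$1" /sys/fs/redirfs/avflt/paths 2>/dev/null
}

# Step 9: write the EICAR test file on mount point $1 and report whether it is
# still readable afterwards. What happens on detection depends on the
# configured on-access action; with "deny access" or "delete" the read fails.
eicar_check() {
    f="$1/eicar-test.com"
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$f"
    sleep 2
    if cat "$f" >/dev/null 2>&1; then
        echo "EICAR file on $1 is still readable: on-access scanning did not react" >&2
        rm -f "$f"
        return 1
    fi
    echo "on-access scanning reacted on $1"
}

# Steps 1-8 in order; set -e stops at the first failing step.
run_procedure() {
    "$CAAC_BIN/secons" -S                       # 1. turn off CAAC
    "$LS_INSTALLER" --auto hooker=redirfs       # 2. install/upgrade LS with RedirFS
    lsmod | check_hooker_modules                # 3. dazuko gone, redirfs + avflt present
    "$FSMA_INIT" stop                           # 4. turn off LS
    "$CAAC_BIN/seload"                          # 5. turn on CAAC (assumed command)
    selang_rules | "$CAAC_BIN/selang"           # 6. apply rules (assumed interpreter)
    "$FSMA_INIT" start                          # 7. turn on LS
    lsmod | check_hooker_modules                # 8. modules still as expected
}

# Only touch the system when explicitly asked; otherwise the file just
# defines the functions.
case "${1:-}" in
    --run) run_procedure ;;
esac
```

Run the step 9 helpers by hand after the procedure, for example "eicar_check /data" and "avflt_path_listed /data" for an external file system mounted on /data; if the mount point is missing from the avflt path list, on-access scanning is not covering it.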
Great post and very easy to understand. Thanks for sharing this one. It is really quite helpful.