Pre-installation checklist for F-Secure Linux Security version 9.x
Some distributions and Linux installations may require certain workarounds to be applied before the product can be installed. This file describes the most common configurations where that might be needed.
The general idea is that during installation you must have compiler and kernel source installed because real-time anti-virus and IDS features depend on a kernel driver which is compiled during installation to fit the running kernel.
All 64-bit Distributions
Some 64-bit distributions don't install 32-bit compatibility libraries by default. Be sure that these libraries are installed. Compatibility library package naming varies so check exact package name from distributions documentation. On 64-bit Ubuntu and Debian you should install ia32-libs.
Some distributions, like Asianux, run prelink periodically from cron to reduce startup time of binaries using dynamic libraries. Prelinking modifies binaries and dynamic libraries on the disk. This conflicts with the purpose of Linux Security's Integrity Checker feature, whose sole purpose is to detect modifications to system files.
We recommend you disable automatic prelink runs from cron. On Asianux, this can be done by editing
/etc/sysconfig/prelink and changing the line:
/etc/cron.daily/prelink. Now you can install F-Secure Linux Security and operate it normally.
If you have already installed F-Secure Linux Security, you should do this:
- Turn on software installation mode by running
/opt/f-secure/fsav/bin/fsims on. In software installation mode Linux Security allow modifications to system files.
/etc/sysconfig/prelinkas described above and run
- Turn off software installation mode by running
When Linux Security software installation mode is turned off, the state of system files is stored in the Integrity Checker baseline, which is signed by interactively asking the administrator to enter a passphrase.
You can still use prelinking but you will have to turn on Linux Security software installation mode before prelinking and turn software installation mode off when prelinking is finished. This allows prelink to make the changes in system files in a controlled way. For example:
# /opt/f-secure/fsav/bin/fsims on # prelink -a # /opt/f-secure/fsav/bin/fsims off
Please note that this operation cannot easily be automated: Turning software installation mode off creates a new baseline and signs it by interactively asking administrator to enter a passphrase.
The following steps are required to install FSAV Linux Security on a computer running Red Hat Enterprise Linux 4 AS, MIRACLE LINUX 4, Asianux 2.0 or CentOS 4:
The following additional rpms are needed (compared to default installation):
At least ONE of the following rpm packages are needed:
(see which kernel is in use with command:
For the 'F-Icon' System Tray applet to work these rpm packages are required:
Install the rpms from system CDs with command
rpm -ivh , or use "Applications->System Settings->Add/Remove Applications" or up2date in Red Hat.
Now you can install F-Secure Linux Client/Server Security normally
Make sure that the following packages are installed, using, for example, yum(8), the search tab in Applications -> Add/Remove Software (RHEL 5), System -> Administration -> Add/Remove Software (CentOS/RHEL 6), or the
Running the following command as root will ensure the necessary packages are installed and up-to-date:
yum install gcc glibc-devel glibc-headers kernel-devel make perl patch pam.i686 zlib.i686<BR />
Packages pam.i686 and zlib.i686 are required on 64-bit Redhat EL 6 and Centos 6 platforms.
Note, if you encounter the following error during installation:
"error: protected multilib versions”: pam-<version>.el6.i686 != pam-<version>.el6.x86_64", execute the following command before retrying pam.i686 installation:
sudo apt-get install rpm make gcc linux-headers-`uname -r` patch
Additionally, on 64-bit platforms:
sudo apt-get install ia32-libs
sudo apt-get install rpm libc6-dev patch linux-libc-dev
sudo apt-get install rpm libc6-dev patch linux-libc-dev make gcc
These instructions has been tested and should work on (at least) the following SUSE versions: 9.1, 9.2, 9.3, 10.0, 10.1.
Make sure packages "kernel-source", "make", "patch" and "gcc" are installed through YaST or other means. The FSAV installer will warn you during installation if it cannot find the necessary components.
The following steps are required to install the product on a computer running Turbolinux 10 or 11.
You need to install the Turbolinux package groups Development tools and _Kernel recompile kit_ in order to be able to compile the Dazuko kernel module. Use the following list if you want to install individual packages:
Sometimes Turbolinux kernel sources are not configured and they cannot be used to compile kernel drivers. Use the following commands:
where major.minor is the kernel version. architecture is either
i686, i686smp64G, x86_64, on Turbolinux11, and is either
i586, i586smp, i586smp64G, x86_64, x86_64smp on Turbolinux10.
Known problems and solutions
WebUI login does not work on 64-bit Ubuntu 10.04
Because 64-bit Ubuntu 10.04 does not ship the 32-bit versions of PAM modules anymore, WebUI login will not work. As a workaround, please copy /lib/security/pam_unix.so from a 32-bit Ubuntu 10.04 to /lib32/security/pam_unix.so on the 64-bit computer. If you do not have a 32-bit Ubuntu 10.04 installation available, you can run the following commands:
# wget http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-modules_1.1.1-2ubuntu5.4_i386.deb # dpkg -x http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-modules_1.1.1-2ubuntu5.4_i386.deb tmp # cp tmp/lib/security/pam_unix.so /lib32/security
Note that the actual package name might be different if there has been upgrades to the package. Also note that you will not get security updates automatically to the PAM module installed like this.
Initializing the product
If some depending packages were missing before the product was installed, execute the following command to properly initialize all F-Secure modules after installing the packages:
In case the Linux Security kernel interceptor could not be compiled, execute:
(fsav-compile-drivers also executes "fsma restart").
24 Aug 2012: Added Debian 5 / 6
01 Nov 2011: Red Hat EL 3 / MIRACLE LINUX 3 (Asianux 1.0) / Debian 4.0 and Ubuntu 6.06 / Ubuntu 7.10 removed as relevant Linux Security releases are no longer supported
01 Dec 2011: Added new section "Known problems".
08 Feb 2012: Added missing packages for RHEL 6/CENTOS 6 64-bit. Edited Known problems to include solution for running "fsma restart" and fsav-compile-drivers
09 March 2012: a minimal RHEL/Centos installation needs make, patch, perl to properly compile the redirfs driver.