Linux Security 11.00 unable to perform on-access scanning on private temporary files in systemd

Symptoms

All Linux distributions are transitioning to systemd. Out of the box, systemd services make use of namespaces to contain their temporary files. For example,

/usr/lib/systemd/system/httpd.service

specifies

PrivateTmp=true

As an unintended consequence of this setting, all file access by the httpd service bypasses Fanotify altogether, exposing the service and the whole system to undetected malware.

Diagnosis

F-Secure Linux Security 11.00 introduces support for the newest Linux distributions through the Linux kernel's Fanotify facility. Fanotify makes it possible to implement on-access malware scanning entirely in user space.

Fanotify was originally added to the Linux kernel for malware scanning and similar purposes. Unfortunately, another modern Linux kernel feature, namespaces, is currently in conflict with it. Namespaces are used for various purposes, such as containers and service isolation.

Solution

For F-Secure Linux Security 11.00 to perform on-access scanning, it is imperative that the system services disable the PrivateTmp feature:

  1. Change the PrivateTmp setting to:
     PrivateTmp=false
  2. Reload the (HTTP) service with the commands:
     1. systemctl daemon-reload
     2. systemctl reload httpd
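The following script is an added example and is not part of the F-Secure article or the product. It walks the procedure above end to end: it checks whether a unit file enables PrivateTmp, turns the setting off, reloads systemd and the service, and then verifies the effective value. One assumption that goes beyond the article: instead of editing /usr/lib/systemd/system/httpd.service in place, the script writes a drop-in file under /etc/systemd/system/httpd.service.d/, which achieves the same PrivateTmp=false result but survives package upgrades that overwrite the vendor unit file. The drop-in file name (private-tmp.conf) and the sample unit file content are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the F-Secure article): detect PrivateTmp=true in a
# systemd unit file and disable it via a drop-in override, then reload.
# Assumption: a drop-in in /etc/systemd/system/<unit>.d/ is used instead of
# editing the vendor unit file in /usr/lib/systemd/system directly.
set -u

# Return 0 (true) if the unit file at $1 sets PrivateTmp to a true value.
# systemd accepts true/yes/on/1 as booleans, so all four are matched.
unit_has_private_tmp() {
    grep -Eiq '^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*(true|yes|on|1)[[:space:]]*$' "$1"
}

# Print the drop-in content that overrides PrivateTmp for a service.
override_content() {
    printf '[Service]\nPrivateTmp=false\n'
}

# Path of the drop-in for unit $1 below an optional root directory $2
# (the root argument exists so the script can be exercised in a temp dir).
override_path() {
    printf '%s/etc/systemd/system/%s.d/private-tmp.conf' "${2:-}" "$1"
}

# Write the drop-in for unit $1 (e.g. httpd.service) below root $2.
write_override() {
    path=$(override_path "$1" "${2:-}")
    mkdir -p "$(dirname "$path")" && override_content > "$path"
}

# Steps 2.1 and 2.2 of the article, followed by a check of the effective
# setting. Needs root and a running systemd; skipped gracefully elsewhere.
reload_and_verify() {
    command -v systemctl >/dev/null 2>&1 || {
        echo "systemctl not available; skipping reload"
        return 0
    }
    systemctl daemon-reload && systemctl reload "$1"
    # Prints the value systemd actually applies; expect PrivateTmp=no.
    systemctl show -p PrivateTmp "$1"
}

# Demonstration against a constructed unit file, not the real httpd.service.
demo() {
    root=$(mktemp -d)
    printf '[Service]\nType=notify\nPrivateTmp=true\n' > "$root/httpd.service"
    if unit_has_private_tmp "$root/httpd.service"; then
        write_override httpd.service "$root"
        echo "wrote $(override_path httpd.service "$root"):"
        cat "$(override_path httpd.service "$root")"
    fi
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On a real host, run `write_override httpd.service` as root (no root argument, so the drop-in lands in /etc/systemd/system/httpd.service.d/) and then `reload_and_verify httpd.service`; `systemctl show -p PrivateTmp` confirms whether the override took effect rather than trusting the file edit alone. Keep in mind that PrivateTmp is the mechanism systemd uses to contain the service's temporary files, so turning it off trades that isolation for on-access scanning coverage, which is exactly the trade-off the article asks for.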