Linux Security 11.00 unable to perform on-access scanning on private temporary files in systemd
All Linux distributions are transitioning to
systemd. Out of the box, systemd services make use of namespaces to contain
their temporary files. For example,
As an unintended consequence of this setting, all file access by the
httpd service bypasses Fanotify altogether, exposing the service and the whole
system to undetected malware.
F-Secure Linux Security 11.00 introduces support for the newest Linux
distributions through the Linux kernel's Fanotify facility. Fanotify makes it
possible to implement on-access malware scanning entirely in user space.
Fanotify was originally added to the Linux kernel for malware scanning
and similar purposes. Unfortunately, another modern Linux kernel feature,
namespaces, is in conflict with it at the moment. Namespaces are used for
various purposes, such as containers and service isolation.
For F-Secure Linux Security 11.00 to perform on-access scanning, it is
imperative that the system services disable the PrivateTmp feature:
Change the PrivateTmp setting to
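The following POSIX shell script is an added example and is not part of the original article or of F-Secure's product. It shows how an administrator can find which service units enable PrivateTmp (and therefore keep their temporary files out of reach of Fanotify-based on-access scanning) and emit the drop-in override that disables the feature. It assumes systemd's documented boolean syntax for PrivateTmp= (true/yes/on/1 enable it, false/no/off/0 disable it); the drop-in file name and the sample unit files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): list systemd service units
# that enable PrivateTmp, and generate a drop-in override that disables it so
# the service's /tmp and /var/tmp files are visible to on-access scanning.
# Assumes systemd's PrivateTmp= boolean syntax; sample units below are constructed.

# Return 0 if the given unit file enables PrivateTmp, 1 otherwise.
# Only the [Service] section is inspected; the last PrivateTmp= assignment wins,
# which is how systemd itself resolves repeated settings.
private_tmp_enabled() {
    unit_file="$1"
    value=$(awk -F= '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && $1 ~ /^[[:space:]]*PrivateTmp[[:space:]]*$/ {
            v = tolower($2); gsub(/[[:space:]]/, "", v); last = v
        }
        END { print last }
    ' "$unit_file")
    case "$value" in
        1|yes|true|on) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the names of all *.service files in a directory that enable PrivateTmp.
list_private_tmp_units() {
    dir="$1"
    for f in "$dir"/*.service; do
        [ -f "$f" ] || continue
        if private_tmp_enabled "$f"; then
            basename "$f"
        fi
    done
}

# Print the contents of a drop-in override that disables PrivateTmp. Install it as
# /etc/systemd/system/<unit>.d/50-disable-private-tmp.conf (file name is this
# example's choice), then run `systemctl daemon-reload` and restart the service.
disable_private_tmp_dropin() {
    printf '[Service]\nPrivateTmp=false\n'
}

# Constructed sample unit files (not real distribution units) for a dry run.
write_sample_units() {
    dir="$1"
    cat > "$dir/httpd.service" <<'EOF'
[Unit]
Description=Constructed web server unit
[Service]
ExecStart=/usr/sbin/httpd -DFOREGROUND
PrivateTmp=true
EOF
    cat > "$dir/cron.service" <<'EOF'
[Unit]
Description=Constructed cron unit
[Service]
ExecStart=/usr/sbin/crond -n
PrivateTmp=no
EOF
}

# Dry run against the constructed units: prints "httpd.service".
demo() {
    tmp=$(mktemp -d)
    write_sample_units "$tmp"
    list_private_tmp_units "$tmp"
    rm -rf "$tmp"
}
```

On a live host, point list_private_tmp_units at /usr/lib/systemd/system or /etc/systemd/system; `systemctl show -p PrivateTmp <unit>` gives the effective value after drop-ins have been applied and is the authoritative check once the override is in place.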