Pre-installation checklist for F-Secure Linux Security version 11.x

Some Linux distributions and Linux installations may require certain software packages to be installed or workarounds to be applied before the F-Secure Linux Security product can be installed successfully. This article describes the most common configurations and the relevant solutions.

Distributions using Prelink

Prelinking can reduce the startup time of binaries, but it conflicts with the Integrity Checker in the product.

To disable prelinking, locate the configuration file in your operating system (for example /etc/sysconfig/prelink), change the line PRELINKING=yes to PRELINKING=no, and run /etc/cron.daily/prelink before you install the product.

You should disable automatic prelink runs from cron. Some distributions run prelink periodically from cron to reduce the startup time of binaries which use dynamic libraries. Prelinking modifies binaries and dynamic libraries on the disk. This conflicts with the purpose of the Integrity Checker, which detects modifications to system files.

If you have already installed F-Secure Linux Security, follow these instructions:

  1. Run /opt/f-secure/fsav/bin/fsims on from the command line to turn on the software installation mode. In the software installation mode, the product allows modifications to system files.
  2. Edit /etc/sysconfig/prelink and change the line: PRELINKING=yes to PRELINKING=no.
  3. Run /etc/cron.daily/prelink.
  4. Run /opt/f-secure/fsav/bin/fsims off from the command line to turn off the software installation mode.

When the software installation mode is turned off, the state of system files is stored in the Integrity Checker baseline.

To use prelinking, you have to turn on the software installation mode before prelinking and turn it off when prelinking is finished. This allows prelink to make its changes to system files in a controlled way. For example:

# /opt/f-secure/fsav/bin/fsims on
# prelink -a
# /opt/f-secure/fsav/bin/fsims off

Note: This operation cannot be automated easily. Turning off the software installation mode creates a new baseline, which needs to be signed with a passphrase that the administrator has to enter.

Pre-installation requirements

The following packages must be installed before installing the product. In 64-bit environments, you may have to enable the Multiarch support before installing the 32-bit runtime support. For distributions that use the Dazuko kernel driver, kernel headers and compiler tools must also be installed.

To compile the kernel driver successfully, the versions of the kernel-devel and kernel-headers packages must match the version of the kernel currently in use.

CentOS/RHEL 6 (32-bit)

yum install gcc glibc-devel glibc-headers kernel-devel make pam patch perl

Debian 7 (32-bit)

sudo apt-get install gcc libc6-dev libpam-modules linux-headers-$(uname -r) make patch perl rpm

Debian 8 (32-bit)

sudo apt-get install rpm pam perl

Ubuntu 12.04, 12.04.1, 12.04.2 (32-bit)

sudo apt-get install gcc linux-headers-$(uname -r) perl rpm

Ubuntu 12.04.3, 12.04.4, 12.04.5 (32-bit)

sudo apt-get install rpm

SUSE Linux Enterprise Server 11 (32-bit)

sudo zypper in gcc kernel-default-devel make patch perl

Oracle Linux 6 RHCK (32-bit)

yum install gcc glibc-devel kernel-devel make patch perl

Amazon Linux 2017.03 (64-bit)

yum install libstdc++44.i686 pam.i686

CentOS/RHEL 6 (64-bit)

yum install gcc glibc-devel glibc-headers glibc.i686 glibc.x86_64 kernel-devel libstdc++.i686 libstdc++.x86_64 make pam.i686 pam.x86_64 patch perl zlib.i686 zlib.x86_64

CentOS/RHEL 7 (64-bit)

yum install glibc.i686 glibc.x86_64 libstdc++.i686 libstdc++.x86_64 pam.i686 pam.x86_64 perl zlib.i686 zlib.x86_64

Debian 7 (64-bit)

  1. Enable Multiarch support:
    dpkg --add-architecture i386
    apt-get update
  2. Install the following packages:
    sudo apt-get install gcc libc6-dev libpam-modules:i386 libstdc++6:i386 linux-headers-$(uname -r) make patch perl rpm zlib1g:i386

Debian 8 (64-bit)

  1. Enable Multiarch support:
    dpkg --add-architecture i386
    apt-get update
  2. Install the following packages:
    sudo apt-get install libpam-modules:i386 libstdc++6:i386 perl rpm zlib1g:i386

Ubuntu 12.04, 12.04.1, 12.04.2 (64-bit)

sudo apt-get install gcc libpam-modules:i386 libstdc++6:i386 linux-headers-$(uname -r) perl rpm zlib1g:i386

Ubuntu 12.04.3, 12.04.4, 12.04.5 (64-bit)

sudo apt-get install libpam-modules:i386 libstdc++6:i386 rpm zlib1g:i386

Ubuntu 14.04, 16.04 (64-bit)

sudo apt-get install libc6-dev:i386 libpam-modules:i386 libstdc++6:i386 rpm zlib1g:i386

SUSE Linux Enterprise Server 11 SP1, SP2, SP3 (64-bit)

sudo zypper in gcc kernel-default-devel libgcc43-32bit libstdc++43-32bit make pam-modules-32bit patch perl

SUSE Linux Enterprise Server 11 SP4 (64-bit)

sudo zypper in gcc kernel-default-devel libgcc_s1-32bit libstdc++6-32bit make pam-modules-32bit patch perl

SUSE Linux Enterprise Server 12 (64-bit)

sudo zypper in libstdc++6-32bit libz1-32bit pam-32bit

Oracle Linux 6 RHCK (64-bit)

yum install gcc glibc-devel glibc-devel.i686 kernel-devel libstdc++.i686 make pam.i686 patch perl zlib.i686

Oracle Linux 7 UEK (64-bit)

yum install libstdc++.i686 pam.i686 zlib.i686
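
The two conditions described above that most often break an installation (prelinking still enabled, and kernel packages that do not match the running kernel) can be checked before running the installer. The script below is an added example, not part of the product or of the original article; it assumes the prelink configuration is a shell-style KEY=value file where the last assignment wins, and that kernel headers are reachable through the conventional /lib/modules/<release>/build link.

```shell
#!/bin/sh
# Added example (not F-Secure code): pre-installation checks for prelink and
# for a kernel build tree that matches the running kernel. The default paths
# below are assumptions; pass other paths as arguments.

# prelink_enabled [FILE]: succeeds if FILE effectively sets PRELINKING=yes.
prelink_enabled() {
    conf=${1:-/etc/sysconfig/prelink}
    [ -r "$conf" ] || return 1
    # Drop comments, keep the last assignment, strip quotes and whitespace.
    val=$(sed -n 's/#.*//; s/^[[:space:]]*PRELINKING=//p' "$conf" |
          tail -n 1 | tr -d "\"' \t\r")
    [ "$val" = "yes" ]
}

# headers_match [RELEASE] [MODULES_ROOT]: succeeds if a build tree exists for
# exactly this kernel release (a dangling link means mismatched packages).
headers_match() {
    rel=${1:-$(uname -r)}
    root=${2:-/lib/modules}
    [ -e "$root/$rel/build/Makefile" ]
}

# preinstall_check [FILE] [RELEASE] [MODULES_ROOT]: prints findings and
# returns the number of problems found (0 = ready to install).
preinstall_check() {
    conf=${1:-/etc/sysconfig/prelink}
    rel=${2:-$(uname -r)}
    root=${3:-/lib/modules}
    problems=0
    if prelink_enabled "$conf"; then
        echo "FAIL: PRELINKING=yes in $conf; set it to no and run /etc/cron.daily/prelink"
        problems=$((problems + 1))
    else
        echo "ok:   prelinking is not enabled in $conf"
    fi
    if headers_match "$rel" "$root"; then
        echo "ok:   kernel build tree found for $rel"
    else
        # Only matters on distributions where the kernel driver is compiled.
        echo "FAIL: no kernel build tree for $rel under $root"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Check the live system only when asked to, so the file stays sourceable.
if [ "${1:-}" = "--run" ]; then preinstall_check; exit $?; fi
```

Save the script under any name and run it with the --run argument; the exit status is the number of failed checks.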

Initializing Linux Security

If some package dependencies were missing before the product was installed, execute the following command to properly initialize all F-Secure modules after installing the packages: /etc/init.d/fsma restart

If the Linux Security kernel interceptor could not be compiled, execute: /opt/f-secure/fsav/bin/fsav-compile-drivers

Note that fsav-compile-drivers also executes "fsma restart".

Version history
Revision #: 30 of 30
Last update: 27-06-2017 11:39 AM