Linux Security unable to perform on-access scanning on private temporary files in systemd - WithSecure Community
<main>
<article class="userContent">
<h3>Symptoms </h3>
<p>Most current Linux distributions use systemd as their init system. Out of the box, many systemd service units use mount namespaces to give the service its own private temporary directories. For example, </p>
<pre class="code codeBlock" spellcheck="false">/usr/lib/systemd/system/httpd.service</pre>
<p>specifies </p>
<pre class="code codeBlock" spellcheck="false">PrivateTmp=true</pre>
<p>With this setting, systemd starts httpd in a separate mount namespace with a private /tmp and /var/tmp. An unintended consequence is that file accesses made by the httpd service from inside that namespace are never reported to Fanotify, so the on-access scanner does not see them, and the service, and with it the whole system, is exposed to malware that would otherwise have been detected. </p>
<h3>Diagnosis </h3>
<p>F-Secure Linux Security supports the newest Linux distributions through the Linux kernel's Fanotify facility. Fanotify makes it possible to implement on-access malware scanning entirely in user space: the scanner marks the mounts it wants to watch, and the kernel reports file accesses on those mounts to the scanner (and, for permission events, holds the access until the scanner replies with a verdict). </p>
<p>Fanotify was originally added to the Linux kernel for malware scanning and similar purposes. Unfortunately, another modern Linux kernel feature, namespaces, currently conflicts with it. Namespaces are used for various purposes, such as containers and service isolation. A Fanotify mark placed on a mount applies only to that mount in the mount namespace where the scanner placed it. A service started with PrivateTmp=true runs in its own mount namespace with its own copy of the mount table, so its file accesses do not hit the scanner's marks and produce no events. The same applies to every other unit option that puts a service into a private mount namespace, such as ProtectSystem=, ProtectHome=, PrivateDevices=, ReadOnlyPaths= or InaccessiblePaths=. (Linux 4.20 and later also provide filesystem-wide marks, FAN_MARK_FILESYSTEM, which are not tied to a single mount namespace; this article describes the behaviour of mount marks.) </p>
<h3>Solution </h3>
<p>For F-Secure Linux Security to perform on-access scanning on a service's files, the service must run in the same mount namespace as the scanner, which means disabling the PrivateTmp feature (and any other namespace-creating option) for that service. Do not edit the vendor unit file under /usr/lib/systemd/system, because the next package update overwrites it; put the change in a drop-in override instead. Be aware that this removes the isolation PrivateTmp provides, so apply it only to services that must be covered by on-access scanning. </p>
<ol><li> Create a drop-in override for the unit, for example with <pre class="code codeBlock" spellcheck="false">systemctl edit httpd.service</pre> which opens an editor on /etc/systemd/system/httpd.service.d/override.conf, and set: <pre class="code codeBlock" spellcheck="false">[Service]
PrivateTmp=false</pre> </li>
<li> Reload the unit definitions and restart the (HTTP) service. A plain reload is not enough: the mount namespace is set up when the service process is started, so the new setting only takes effect on a restart. <ol type="a"><li> <pre class="code codeBlock" spellcheck="false">systemctl daemon-reload</pre> </li> <li> <pre class="code codeBlock" spellcheck="false">systemctl restart httpd</pre> </li> </ol></li>
<li> Verify the effective setting; the command <pre class="code codeBlock" spellcheck="false">systemctl show -p PrivateTmp --value httpd</pre> should now print "no". </li> </ol>
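<p>The procedure above, scripted and extended with a verification step, as an added example that is not code from this article or from the F-Secure product. It assumes it is run as root, systemd 230 or newer (for systemctl show --value), that the scanner itself runs in PID 1's mount namespace, and a drop-in file name (10-no-privatetmp.conf) chosen here for illustration. </p>

```sh
#!/bin/sh
# Added example (not part of the WithSecure article or the F-Secure product):
# apply the PrivateTmp=false override for one service, restart it, verify that
# it now shares PID 1's mount namespace, and list running services that still
# have a private /tmp. Assumes root and systemd >= 230 (systemctl show --value).
set -eu

# Render the drop-in that turns PrivateTmp off for a service.
render_dropin() {
    printf '[Service]\nPrivateTmp=false\n'
}

# Path of the drop-in for UNIT. ROOT (default "") prefixes the path so the
# function can be exercised against a scratch directory instead of /etc.
# The file name 10-no-privatetmp.conf is an arbitrary choice for this example.
dropin_path() {
    unit=$1; root=${2:-}
    printf '%s/etc/systemd/system/%s.d/10-no-privatetmp.conf\n' "$root" "$unit"
}

# Write the drop-in for UNIT under ROOT and print its path.
write_dropin() {
    unit=$1; root=${2:-}
    path=$(dropin_path "$unit" "$root")
    mkdir -p "$(dirname "$path")"
    render_dropin > "$path"
    printf '%s\n' "$path"
}

# "yes" or "no": the effective PrivateTmp= of UNIT as systemd sees it.
effective_private_tmp() {
    systemctl show -p PrivateTmp --value "$1"
}

# Succeed if UNIT's main process is in the same mount namespace as PID 1.
# This is the condition that matters for the scanner: fanotify mount marks
# placed in the init namespace are only hit by processes in that namespace.
# (Assumes the scanner runs in the init mount namespace.)
shares_init_mountns() {
    pid=$(systemctl show -p MainPID --value "$1")
    if [ "$pid" = "0" ]; then
        echo "$1 is not running" >&2
        return 2
    fi
    [ "$(readlink /proc/1/ns/mnt)" = "$(readlink "/proc/$pid/ns/mnt")" ]
}

# Running services whose effective PrivateTmp= is yes, i.e. the ones whose
# file accesses the on-access scanner cannot see.
list_private_tmp_services() {
    systemctl list-units --type=service --state=running --plain --no-legend \
    | awk '{print $1}' \
    | while read -r unit; do
        if [ "$(effective_private_tmp "$unit")" = "yes" ]; then
            echo "$unit"
        fi
    done
}

main() {
    unit=$1
    echo "before: PrivateTmp=$(effective_private_tmp "$unit")"
    echo "wrote $(write_dropin "$unit")"
    systemctl daemon-reload
    systemctl restart "$unit"   # a plain reload keeps the old namespace
    echo "after:  PrivateTmp=$(effective_private_tmp "$unit")"
    if shares_init_mountns "$unit"; then
        echo "$unit shares PID 1's mount namespace: on-access scanning covers it"
    else
        echo "$unit still has its own mount namespace: check the unit for other" \
             "namespace options (ProtectSystem=, ProtectHome=, ...)" >&2
        exit 1
    fi
    echo "remaining running services with PrivateTmp=yes:"
    list_private_tmp_services
}

# Usage: sh fix-privatetmp.sh httpd.service
if [ $# -gt 0 ]; then main "$@"; fi
```

<p>The namespace check is the part worth keeping even if the override is applied by hand: a "no" from systemctl show only proves that PrivateTmp is off, whereas comparing /proc/PID/ns/mnt with PID 1 proves that no other option in the unit still isolates the service from the scanner's mount marks. </p>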
</article>
</main>