Pre-installation checklist for F-Secure Linux Security version 11.x Some Linux distributions and Linux installations may require certain software packages to be installed or workarounds to be applied before the F-Secure Linux Security product can be installed successfully. This article describes the most common configurations and the relevant solutions.
Distributions using Prelink
Prelinking can reduce the startup time of binaries, but it conflicts with the Integrity Checker in the product.
To disable prelinking, locate the configuration file in your operating system (for example /etc/sysconfig/prelink) and change the line: PRELINKING=yes to PRELINKING=noand run /etc/cron.daily/prelink before you install the product.
You should disable automatic prelink runs from cron. Some distributions run prelink periodically from cron to reduce the startup time of binaries which use dynamic libraries. Prelinking modifies binaries and dynamic libraries on the disk. This conflicts with the purpose of the Integrity Checker, which detects modifications to system files.
If you have already installed F-Secure Linux Security, follow these instructions:
- Run
/opt/f-secure/fsav/bin/fsims on from the command line to turn on the software installation mode. In the software installation mode, the product allows modifications to system files. - Edit
/etc/sysconfig/prelink and change the line: PRELINKING=yes to PRELINKING=no. - Run
/etc/cron.daily/prelink. - Run
/opt/f-secure/fsav/bin/fsims off from the command line to turn off the software installation mode.
When the software installation mode is turned off, the state of system files is stored in the Integrity Checker baseline.
To use prelinking, you have to turn on the software installation mode before prelinking and turn it off when prelinking is finished. This allows the prelink to make the changes in system files in a controlled way. For example:
# /opt/f-secure/fsav/bin/fsims on # prelink -a # /opt/f-secure/fsav/bin/fsims off
Note: This operation cannot be automated easily - Turning off the software installation mode creates a new baseline, which needs to be signed with a passphrase that the administrator has to enter.
Pre-installation requirements
The following packages must be installed before installing the product. In 64-bit environments, you may have to enable the Multiarch support before installing the 32-bit runtime support. For distributions that use the Dazuko kernel driver, kernel headers and compiler tools must also be installed.
In order to compile the kernel driver successfully, package versions of currently used kernel, kernel-devel and kernel-headers need to be matched.
CentOS/RHEL 6 (32-bit)
yum install gcc glibc-devel glibc-headers kernel-devel make pam patch perl
Debian 7 (32-bit)
sudo apt-get install gcc libc6-dev libpam-modules linux-headers-$(uname -r) make patch perl rpm
Debian 8, 9 (32-bit)
sudo apt-get install rpm pam perl
Ubuntu 12.04, 12.04.1, 12.04.2 (32-bit)
sudo apt-get install gcc linux-headers-$(uname -r) perl rpm
Ubuntu 12.04.3, 12.04.4, 12.04.5 (32-bit)
sudo apt-get install rpm
SUSE Linux Enterprise Server 11 (32-bit)
sudo zypper in gcc kernel-default-devel make patch perl
Oracle Linux 6 RHCK (32-bit)
yum install gcc glibc-devel kernel-devel make patch perl
Amazon Linux 2017.03, 2017.09, 2018.03 (64-bit)
yum install libstdc++44.i686 pam.i686
CentOS/RHEL 6 (64-bit)
yum install gcc glibc-devel glibc-headers glibc.i686 glibc.x86_64 kernel-devel libstdc++.i686 libstdc++.x86_64 make pam.i686 pam.x86_64 patch perl zlib.i686 zlib.x86_64
CentOS/RHEL 7 (64-bit)
yum install glibc.i686 glibc.x86_64 libstdc++.i686 libstdc++.x86_64 pam.i686 pam.x86_64 perl zlib.i686 zlib.x86_64
Debian 7 (64-bit)
- Enable Multiarch support:
dpkg --add-architecture i386 apt-get update
- Install following packages:
sudo apt-get install gcc libc6-dev libpam-modules:i386 libstdc++6:i386 linux-headers-$(uname -r) make patch perl rpm zlib1g:i386
Debian 8, 9 (64-bit)
- Enable Multiarch support:
dpkg --add-architecture i386 apt-get update
- Install following packages:
sudo apt-get install libpam-modules:i386 libstdc++6:i386 perl rpm zlib1g:i386
Ubuntu 12.04, 12.04.1, 12.04.2 (64-bit)
sudo apt-get install gcc libpam-modules:i386 libstdc++6:i386 linux-headers-$(uname -r) perl rpm zlib1g:i386
Ubuntu 12.04.3, 12.04.4, 12.04.5 (64-bit)
sudo apt-get install libpam-modules:i386 libstdc++6:i386 rpm zlib1g:i386
Ubuntu 14.04, 16.04, 18.04 (64-bit)
sudo apt-get install libc6-dev:i386 libpam-modules:i386 libstdc++6:i386 rpm zlib1g:i386
SUSE Linux Enterprise Server 11-SP1, 11-SP2, 11-SP3 (64-bit)
sudo zypper in gcc kernel-default-devel libgcc43-32bit libstdc++43-32bit make pam-modules-32bit patch perl
SUSE Linux Enterprise Server 11-SP4 (64-bit)
sudo zypper in gcc kernel-default-devel libgcc_s1-32bit libstdc++6-32bit make pam-modules-32bit patch perl
SUSE Linux Enterprise Server 12 (64-bit)
sudo zypper in libstdc++6-32bit libz1-32bit pam-32bit
Oracle Linux 6 RHCK (64-bit)
yum install gcc glibc-devel glibc-devel.i686 kernel-devel libstdc++.i686 make pam.i686 patch perl zlib.i686
Oracle Linux 7 UEK (64-bit)
yum install libstdc++.i686 pam.i686 zlib.i686
Initializing Linux Security
If some package dependencies were missing before the product was installed, execute the following command to properly initialize all F-Secure modules after installing the packages: /etc/init.d/fsma restart
If the Linux Security kernel interceptor could not be compiled, execute: /opt/f-secure/fsav/bin/fsav-compile-drivers
Note that
fsav-compile-drivers
also executes "fsma restart".