McAfee

Original author: nazunalika

Last modified: Mon Aug 1 17:02

Depending on the environment you’re in, you might need to have McAfee installed on your workstation. We are of the opinion that antivirus for Linux is pointless and ridiculous. We are also of the opinion that the auditors and “security professionals” just want to check a box to say they’re compliant. To make them happy, this is how to install McAfee without destroying your host system.

It will still report to the ePO server and everything, and as far as the managers of the application are concerned, it reports just fine, including hardware information.

 % dnf --nogpg --installroot=/var/lib/machines/lazybox install @core anacron dmidecode --releasever=30 initscripts -y
 % setenforce 0
 % systemd-nspawn -M lazybox
 lazybox% passwd   # Set your root password
                   # Press CTRL + ] three times to exit
 # Copy the agent and antivirus packages to somewhere like /var/lib/machines/lazybox/opt/av
 % setenforce 1
 % systemd-nspawn -M lazybox -b
 # You will see a login prompt, login as root
 lazybox% unzip agentPackages.zip
 lazybox% tar xzf ISecTP-10.6.1-115-Release-standalone.tar.gz
 lazybox% chmod +x *.sh
 lazybox% ./install.sh -i
 lazybox% ./install-isectp.sh
 lazybox% cd /opt/isec/ens/threatprevention/bin
 lazybox% ./isecav --usefanotify
 lazybox% exit
 # Press CTRL + ] three times
 % vi /etc/systemd/system/mcafee.service
 # Contents of /etc/systemd/system/mcafee.service:
[Unit]
Description=McAfee Container

[Service]
Type=notify
RestartForceExitStatus=133
SuccessExitStatus=133
LimitNOFILE=100000
ExecStart=/usr/bin/systemd-nspawn -M lazybox -b --capability=CAP_IPC_LOCK,CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_SYS_MODULE,CAP_SYSLOG,CAP_NET_ADMIN --link-journal=try-guest
WatchdogSec=3min
Slice=machine.slice
Delegate=yes
TasksMax=16384

# Enforce a strict device policy, similar to the one nspawn configures when it
# allocates its own scope unit. Make sure to keep these policies in sync if you
# change them!
DevicePolicy=closed
DeviceAllow=/dev/net/tun rwm
DeviceAllow=char-pts rw

# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
# the --image= option. Add these here, too.
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw

# nspawn can set up LUKS encrypted loopback files, in which case it needs
# access to /dev/mapper/control and the block devices /dev/mapper/*.
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw

KillMode=mixed

[Install]
WantedBy=multi-user.target

% systemctl daemon-reload
% systemctl enable mcafee.service --now
% systemctl status mcafee.service
● mcafee.service - McAfee Container
   Loaded: loaded (/etc/systemd/system/mcafee.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-05-14 09:09:42 MST; 1h 29min ago
 Main PID: 1084 (systemd-nspawn)
   Status: "Container running: Startup finished in 10.280s."
    Tasks: 1 (limit: 16384)
   Memory: 3.3M
   CGroup: /machine.slice/mcafee.service
           └─1084 /usr/bin/systemd-nspawn -M lazybox -b --capability=CAP_IPC_LOCK,CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_SYS_MODULE,CAP_SYSLOG,CAP_NET_ADMIN --link-journal=try-guest

May 14 09:09:46 diurne.chotel.com systemd-nspawn[1084]: [  OK  ] Started Network Manager Script Dispatcher Service.
May 14 09:09:46 diurne.chotel.com systemd-nspawn[1084]: [  OK  ] Started McAfee Endpoint Security Platform for Linux.
May 14 09:09:46 diurne.chotel.com systemd-nspawn[1084]:          Starting Network Name Resolution...
May 14 09:09:47 diurne.chotel.com systemd-nspawn[1084]: [  OK  ] Started Network Name Resolution.
May 14 09:09:47 diurne.chotel.com systemd-nspawn[1084]: [  OK  ] Reached target Host and Network Name Lookups.
May 14 09:09:47 diurne.chotel.com systemd-nspawn[1084]: [  OK  ] Started Session c2 of user mfe.
May 14 09:09:51 diurne.chotel.com systemd-nspawn[1084]: [2B blob data]
May 14 09:09:51 diurne.chotel.com systemd-nspawn[1084]: Fedora 30 (Thirty)
May 14 09:09:51 diurne.chotel.com systemd-nspawn[1084]: Kernel 5.0.13-300.fc30.x86_64 on an x86_64 (console)
May 14 09:09:51 diurne.chotel.com systemd-nspawn[1084]: [1B blob data]

% ps -ef | grep McAfee
root      1909  1187  0 09:09 ?        00:00:02 /opt/McAfee/agent/bin/masvc self_start
root      2432  1187  0 09:09 ?        00:00:00 /opt/McAfee/agent/bin/macompatsvc self_start
root      2434  2432  0 09:09 ?        00:00:00 /opt/McAfee/agent/bin/macompatsvc self_start
root      2435  2434  0 09:09 ?        00:00:00 /opt/McAfee/agent/bin/macompatsvc self_start
root      2436  2434  0 09:09 ?        00:00:00 /opt/McAfee/agent/bin/macompatsvc self_start
root      2437  2434  0 09:09 ?        00:00:00 /opt/McAfee/agent/bin/macompatsvc self_start
root      2438  2434  0 09:09 ?        00:00:00 /opt/McAfee/agent/bin/macompatsvc self_start
root      2439  2434  0 09:09 ?        00:00:00 /opt/McAfee/agent/bin/macompatsvc self_start
root      2440  2434  0 09:09 ?        00:00:00 /opt/McAfee/agent/bin/macompatsvc self_start

Optionally, you can modify the nspawn container to run on a private network, which requires additional configuration.
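The unit above grants the container more capabilities than systemd-nspawn hands out by default, and because the container shares the host kernel, CAP_SYS_MODULE in particular lets a process inside it load modules into the host kernel, so it is worth knowing exactly what the unit hands over before enabling it. The script below is an added example, not part of the original page: it parses the --capability= list and the DeviceAllow lines out of a copy of the unit text (abridged and embedded inline so it runs without touching /etc/systemd) and flags the entries that reach outside the container. Which capabilities count as "flagged" is this example's own judgement, not something the page states.

```shell
#!/bin/sh
# Added example: audit what a systemd-nspawn unit grants its container.
# UNIT_TEXT is a constructed, abridged copy of the unit from the page so the
# script runs offline; point it at a real unit file to audit that instead.
UNIT_TEXT='[Unit]
Description=McAfee Container

[Service]
Type=notify
ExecStart=/usr/bin/systemd-nspawn -M lazybox -b --capability=CAP_IPC_LOCK,CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_SYS_MODULE,CAP_SYSLOG,CAP_NET_ADMIN --link-journal=try-guest
DevicePolicy=closed
DeviceAllow=/dev/net/tun rwm
DeviceAllow=char-pts rw
DeviceAllow=/dev/loop-control rw
'

# Print the extra capabilities passed via --capability=, one per line.
unit_capabilities() {
    printf '%s\n' "$1" \
      | sed -n 's/^ExecStart=.*--capability=\([^ ]*\).*/\1/p' \
      | tr ',' '\n'
}

# Print the DeviceAllow entries (device node or class, then access mode).
unit_device_allows() {
    printf '%s\n' "$1" | sed -n 's/^DeviceAllow=//p'
}

# Capabilities that let a containerised process act on the shared host kernel
# or on host networking. This list is the example's own judgement.
risk_reason() {
    case "$1" in
        CAP_SYS_MODULE) echo "can load kernel modules into the shared host kernel" ;;
        CAP_NET_ADMIN)  echo "can reconfigure host interfaces unless the container has a private network" ;;
        CAP_SYS_ADMIN)  echo "broad administrative capability" ;;
        *) return 1 ;;
    esac
}

# Report every granted capability and the device policy; exit status 0 means
# nothing was flagged, so the function can gate a CI or config-management run.
audit_unit() {
    flagged=0
    for cap in $(unit_capabilities "$1"); do
        if reason=$(risk_reason "$cap"); then
            echo "FLAG $cap: $reason"
            flagged=$((flagged + 1))
        else
            echo "ok   $cap"
        fi
    done
    echo "devices:"
    unit_device_allows "$1" | sed 's/^/  /'
    [ "$flagged" -eq 0 ]
}

if audit_unit "$UNIT_TEXT"; then
    echo "no flagged capabilities"
else
    echo "review the flagged capabilities before enabling the unit"
fi
```

Against the unit on this page the script flags CAP_SYS_MODULE and CAP_NET_ADMIN; whether either is actually needed once isecav runs with --usefanotify is something to verify against the vendor documentation rather than assume, and the "private network" option mentioned above is what would take CAP_NET_ADMIN off the host's interfaces.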