Is fanotify supported in Red Hat Enterprise Linux?
Environment
- Red Hat Enterprise Linux (RHEL) 6 - all versions
- Red Hat Enterprise Linux (RHEL) 7 - all versions
Issue
- Please backport fanotify to RHEL 6.
- Is the Talpa kernel module supported in RHEL?
- Is fanotify the same as the Talpa kernel module?
- Sophos Anti-Virus needs fanotify for On-Access scanning.
- McAfee VirusScan Enterprise for Linux 2.0 needs fanotify for On-Access scanning.
- Does RHEL support On-Access or realtime file system scanning by antivirus software?
Resolution
What is fanotify?
As described by the RHEL 7 Linux Manual (man fanotify):
The fanotify API provides notification and interception of filesystem events. Use cases include virus scanning and hierarchical storage management. Currently, only a limited set of events is supported. In particular, there is no support for create, delete, and move events. (See inotify(7) for details of an API that does notify those events.)
In what kernel releases is fanotify provided and supported by Red Hat?
- Upstream linux.org: The fanotify API was accepted and merged into the upstream Linux kernel as of version 2.6.37.
- RHEL 7: Because Linux kernel version 3.10.0 is used in RHEL 7, the fanotify API is included and is fully supported as of RHEL 7.0.
- RHEL 6: Because Linux kernel version 2.6.32 was used as the base kernel for the RHEL 6 major release, this preceded the acceptance of fanotify in the upstream kernel. While some work had been done to prepare RHEL 6 for future backporting of fanotify, as well as to provide access for third party vendors' own kernel hooks, the full fanotify feature has not been backported. This was most recently evaluated in Bugzilla 1060883, in which it was determined that the backport of fanotify would be too disruptive to the Virtual File System (VFS) layer in RHEL 6 due to the amount of change between kernel 2.6.32 and the time that fanotify and the VFS layer matured. Therefore, in order to maintain the stability that customers expect from a product in the middle of its life cycle, it is currently not being considered for inclusion into RHEL 6. Customers should consider upgrading to RHEL 7 if this functionality is required.
Alternatives to fanotify
Potential alternatives to fanotify might include dnotify or inotify, depending upon the use case. Additionally, the Talpa kernel module has also been used by some customers and third party security software vendors, though the Talpa kernel module is not provided nor supported by Red Hat. The article "Filesystem monitoring in the Linux kernel" (www.lanedo.com) provides a nice overview and comparison of the differences between dnotify, inotify and fanotify.
What is the Talpa kernel module?
The Talpa kernel module is a project hosted on SourceForge.net and was the precursor to fanotify before fanotify was accepted and merged into the upstream Linux kernel. It is available at <http://talpa.sourceforge.net/>; however, it appears to be no longer active, presumably because all current work is focused on fanotify in the mainline kernel upstream. Based on release notes by third party software vendors, it appears that they might still develop and ship this in their products. Red Hat does not provide, ship, nor support the Talpa kernel module.
What third party vendors provide fanotify, talpa or equivalent functionality?
Based only on publicly available product release notes, it appears that the following software vendors provide at least some level of equivalent functionality for RHEL 6. Please consult the third party software vendors for further details about the features and support of their respective products.
Software Vendor McAfee appears to provide On-Access Scanning by way of native fanotify support for VSEL 2.0 in RHEL 7. Support in RHEL 6 is provided by way of its own unspecified "kernel hooks" in VSEL 1.9, as described in the following snippets from the product release announcement (community.mcafee.com): McAfee VirusScan Enterprise for Linux 2.0 is now Available!
We are pleased to announce the release of McAfee VirusScan Enterprise for Linux v2.0. This release provides On-Access Scanning (OAS) without kernel hooks. It uses fanotify technology instead of traditional kernel hooks for OAS. Fanotify is a new File Access Notification system built into kernel 2.6.38 and above. It removes the hassle of recompiling kernel modules for OAS after a kernel update, thereby ensuring Linux systems are always protected.
- On-Access Scanning without kernel hooks using fanotify technology
- Available for kernel 2.6.38 and above with fanotify enabled kernel
Note: This release does not support 32 bit Linux systems and kernels below 2.6.38. You can use the previous VSEL 1.9 version on such systems. For example, Red Hat 6 is not supported in this release because it still uses the 2.6.32 kernel. VSEL 2.0 will support future versions of Red Hat such as RHEL 7.
Software Vendor Sophos appears to provide On-Access Scanning by way of native support for fanotify in RHEL 7. Support in RHEL 6 is provided by way of its own pre-compiled "Talpa Binary Pack" for use with its software, as described in the following snippets from the product release notes (downloads.sophos.com): Sophos Anti-Virus for Linux 9 Recommended release notes. Notice the release notes indicating ongoing changes to the Talpa module, suggesting continued maintenance of the Talpa code.
- Version 9.7.1, September 2014
- Sophos Anti-Virus now includes Talpa Binary Pack support for Red Hat Enterprise Linux 7 and CentOS 7.
- A new version of Talpa, 1.18.1, which fixes Talpa-related issues, has been added.
- Sophos Anti-Virus now supports scanning using fanotify.
- Version 9.6.1, April 2014
- A new version of Talpa, 1.17.5, which fixes Talpa-related issues, has been added.
- Sophos Anti-Virus now supports scanning of files on the btrfs filesystem with Talpa and fanotify.
- Version 9.6.0, February 2014
- A new version of Talpa, 1.17.2, which fixes Talpa-related issues, has been added.
Additional reference links for Sophos:
- Sophos Anti-Virus for Linux: Overview (www.sophos.com)
- System Requirements for Antivirus protection for Linux (www.sophos.com)
- Sophos Anti-Virus for Linux and UNIX: System requirements (www.sophos.com)
- Sophos Anti-Virus for Linux: Locally compiling Talpa Binary Packs for On-Access scanning (www.sophos.com)
Software Vendor AVG appears to provide On-Access Scanning by way of native support for fanotify in RHEL 7. Support in RHEL 6 is provided by way of external, self-compiled kernel modules (RedirFS, DazukoFS and Dazuko) as instructed in the following document: AVG: HOW TO ENABLE ON-ACCESS SCANNING (http://www.avg.com/us-en/faq.num-4888)
On-Access Daemon (OAD) serves as real-time protection for the file system. It is a service independent of application protocol, which can be used to guard most of the public services (smb, http, ftp, nfs, ...). If kernel 2.6.38 or newer is used, it is highly recommended to use AVG Linux Server Edition 2012, because of its direct support for fanotify (filesystem notification system). In order for the OAD to function properly on lower kernel versions, it is required to use a special layer between the virtual file system (VFS) used by applications and the file system drivers used by the operating system. Several engines are used to achieve that (RedirFS, DazukoFS and Dazuko). In general, all these solutions are distributed in the form of an extended kernel module. If you use kernel 2.6.37 or lower, please choose one of the mentioned engines and follow the steps below to install and set it up properly.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.