Prisma Cloud Host Protection unable to handle Processes originated from Systemd services defined with 'PrivateTmp=true'
Created On 06/27/22 03:43 AM - Last Modified 06/27/22 06:16 AM
Symptom
- As an example, running the following command on an Apache HTTP Server host prints the unit file and confirms that the Apache service is running with 'PrivateTmp=true':
sudo systemctl cat httpd
- As a result, processes originating from this service go undetected, and hence no alerts are raised for them by the Prisma Cloud Host Protection mechanism.
Environment
- Prisma Cloud
Cause
- Systemd services defined with 'PrivateTmp=true' spawn their processes in a separate mount namespace, not the host's.
- When this option is set to true, systemd sets up a new file system namespace for the executed processes and mounts private /tmp/ and /var/tmp/ directories inside it that are not shared with processes outside of the namespace.
- This is useful for securing access to the process's temporary files, but it makes sharing between processes via /tmp/ or /var/tmp/ impossible.
- More information on this can be found in the systemd documentation for PrivateTmp=
- Currently, Prisma Cloud Host Protection does not support processes originating from Systemd services defined with 'PrivateTmp=true'.
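To inventory which services on a host fall into this detection gap, the following added example (not Prisma Cloud's own code) parses `systemctl show` output for units with PrivateTmp enabled and checks whether each service's main process shares the host (PID 1) mount namespace. The sample `systemctl show` output is constructed; the live query at the bottom assumes a systemd host, root privileges for reading /proc/<pid>/ns/mnt, and that `systemctl show` accepts the '*.service' glob.

```python
import os
import subprocess

# Constructed sample of `systemctl show -p Id,MainPID,PrivateTmp <units>`:
# one key=value block per unit, blocks separated by a blank line.
SAMPLE_SHOW_OUTPUT = """\
Id=httpd.service
MainPID=1234
PrivateTmp=yes

Id=sshd.service
MainPID=999
PrivateTmp=no

Id=php-fpm.service
MainPID=0
PrivateTmp=yes
"""

def parse_show(output):
    """Parse `systemctl show` output into one {property: value} dict per unit."""
    return [dict(line.partition("=")[::2] for line in block.splitlines() if "=" in line)
            for block in output.strip().split("\n\n") if block.strip()]

def private_tmp_units(output):
    """(unit, MainPID) for active services with PrivateTmp=yes; MainPID=0 means inactive."""
    return [(u["Id"], int(u["MainPID"])) for u in parse_show(output)
            if u.get("PrivateTmp") == "yes" and int(u.get("MainPID", "0")) > 0]

def in_host_mount_namespace(pid, host_pid=1):
    """True if pid shares pid 1's mount namespace, False if not, None if unreadable."""
    try:
        own = os.readlink(f"/proc/{pid}/ns/mnt")
        host = os.readlink(f"/proc/{host_pid}/ns/mnt")
    except OSError:  # no /proc, no such pid, or insufficient privilege (run as root)
        return None
    return own == host

if __name__ == "__main__":  # live query; assumes a systemd host, run as root
    out = subprocess.run(["systemctl", "show", "-p", "Id,MainPID,PrivateTmp",
                          "*.service"], capture_output=True, text=True).stdout
    for unit, pid in private_tmp_units(out):
        print(unit, pid, "in host mount namespace:", in_host_mount_namespace(pid))
```

Services listed with "in host mount namespace: False" are the ones whose processes Host Protection currently cannot see.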
Resolution
- A feature improvement to support this has already been raised as a priority; there is no ETA at this time.
- Meanwhile, changing the default settings of Systemd services, or setting 'PrivateTmp=false' so that Prisma Cloud Host Protection can detect and alert on such processes, is neither advised nor recommended, for security reasons.