Endpoint protection / antivirus solutions compatible with Fedora Atomic?

I’ll start by saying I’m not looking for ClamAV, or to hear that I don’t need an antivirus; I know these, but they don’t fit my current need.

I work as a software contractor, and so I have contracts with a number of different clients. Most of them require contractors to have an “antivirus from reputable vendor” or some variation of that. The “reputable vendor” part is often more important than anything else when it comes to contracts.

I tried to look for antivirus or endpoint protection solutions, but found that 1) there are not that many for Linux to begin with, for various reasons, 2) those that exist rarely support Fedora, 3) the one that I found that would support Fedora (Microsoft Endpoint Protection for Linux) I could not install on an Atomic Fedora, as it seemed that the installer would want to create and modify files in Atomic’s read-only filesystems.

So, any ideas for solutions that would work with Atomic Fedora?


Could you provide a link to those installation instructions?


Here: Deploy Microsoft Defender for Endpoint on Linux manually - Microsoft Defender for Endpoint | Microsoft Learn

I was able to add the software repository, they even have official repos for Fedora 40 & 41. However, when I ran sudo rpm-ostree install mdatp, it failed upon trying to create some files in /var/opt. After this I googled for a bit but could not find a solution unfortunately.


Hmm, now that I’m looking at this, /var/opt should maybe be writable? :thinking: Perhaps there was something else at play after all.

You can try sharing the full log for sudo rpm-ostree install mdatp and the listing of the RPM package content (rpm -qlp mdatp*.rpm) as well as its scripts (rpmbuild - how to extract the instructions provided by the rpm spec file - Unix & Linux Stack Exchange).


Thanks, I’ll try that next! Will post results :ok_hand:

Side note - I found a list of potential FOSS solutions on Reddit. I might have a look at those as well.

Okay so running sudo rpm-ostree install mdatp produces the following:

error: Running %prein for mdatp: bwrap(/bin/sh): Child process killed by signal 1; run `journalctl -t 'rpm-ostree(mdatp.prein)'` for more information

And then journalctl -t 'rpm-ostree(mdatp.prein)' gives this:

Oct 17 20:05:58 silverblue40 rpm-ostree(mdatp.prein)[4212]: mkdir: cannot create directory ‘/var/opt’: Read-only file system
Oct 17 20:05:58 silverblue40 rpm-ostree(mdatp.prein)[4196]: ERROR: Failed to create /var/opt/microsoft/mdatp
Oct 17 20:05:58 silverblue40 rpm-ostree(mdatp.prein)[4196]: [LogTelemetry] Invalid code ()

This seems weird as /var/opt is not read-only I think, at least I was able to manually create the requested folder.

Running rpm -qlp mdatp*.rpm does not find any packages for some reason, even though rpm-ostree install finds the package. I went ahead and downloaded the RPM package directly from the repo and then ran rpm -qlp Downloads/mdatp-101.24082.0004_insiderfast-1.x86_64.rpm. Results below, sorry for the long wall of text.

Any ideas how to proceed?

evakkuri@silverblue40:~$ rpm -qlp Downloads/mdatp-101.24082.0004_insiderfast-1.x86_64.rpm 
warning: Downloads/mdatp-101.24082.0004_insiderfast-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID be1229cf: NOKEY
/opt/microsoft/mdatp
/opt/microsoft/mdatp/conf
/opt/microsoft/mdatp/conf/BuildInfo
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi_btf.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi_btf_uprobe.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi_btf_uprobe_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi_btf_uprobe_rbuff_enriched.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi_kfunc.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi_kfunc_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi_uprobe.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi_uprobe_kfunc.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi_uprobe_kfunc_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_args64_krsi_uprobe_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_btf.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_btf_uprobe.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_btf_uprobe_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_btf_uprobe_rbuff_enriched.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_kfunc.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_kfunc_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops_btf.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops_btf_uprobe.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops_btf_uprobe_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops_btf_uprobe_rbuff_enriched.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops_kfunc.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops_kfunc_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops_uprobe.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops_uprobe_kfunc.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops_uprobe_kfunc_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_noloops_uprobe_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096_btf.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096_btf_uprobe.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096_btf_uprobe_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096_btf_uprobe_rbuff_enriched.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096_kfunc.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096_kfunc_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096_uprobe.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096_uprobe_kfunc.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096_uprobe_kfunc_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_sub4096_uprobe_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_uprobe.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_uprobe_kfunc.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_uprobe_kfunc_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_raw_tp_uprobe_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp_btf.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp_btf_uprobe.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp_btf_uprobe_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp_btf_uprobe_rbuff_enriched.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp_kfunc.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp_kfunc_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp_uprobe.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp_uprobe_kfunc.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp_uprobe_kfunc_rbuff.o
/opt/microsoft/mdatp/conf/ebpf_wrapper_kern_tp_uprobe_rbuff.o
/opt/microsoft/mdatp/conf/mdatp.service
/opt/microsoft/mdatp/conf/scripts
/opt/microsoft/mdatp/conf/scripts/TestScript.py
/opt/microsoft/mdatp/conf/scripts/keychain_diagnosis.py
/opt/microsoft/mdatp/conf/scripts/mde_installer.sh
/opt/microsoft/mdatp/conf/scripts/open_files.py
/opt/microsoft/mdatp/conf/scripts/release_isolation.sh
/opt/microsoft/mdatp/conf/scripts/stat_bash_history.py
/opt/microsoft/mdatp/conf/scripts/tvm
/opt/microsoft/mdatp/conf/scripts/tvm/account_disabled.sh
/opt/microsoft/mdatp/conf/scripts/tvm/account_locked.sh
/opt/microsoft/mdatp/conf/scripts/tvm/arch32_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/arch64_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/auditd.sh
/opt/microsoft/mdatp/conf/scripts/tvm/auditd_privilieged_commands.sh
/opt/microsoft/mdatp/conf/scripts/tvm/auditd_privilieged_commands_rules_file.sh
/opt/microsoft/mdatp/conf/scripts/tvm/auditd_sudo_logfile.sh
/opt/microsoft/mdatp/conf/scripts/tvm/deb_no_iptables.sh
/opt/microsoft/mdatp/conf/scripts/tvm/deb_no_nftables.sh
/opt/microsoft/mdatp/conf/scripts/tvm/etc_group_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/ip6tables_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/iptables_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/iptables_input.sh
/opt/microsoft/mdatp/conf/scripts/tvm/iptables_output.sh
/opt/microsoft/mdatp/conf/scripts/tvm/iptv6_loopback.sh
/opt/microsoft/mdatp/conf/scripts/tvm/ipv6_disabled_v2.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nft_loopback.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nft_ruleset.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nft_ruleset_drop.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nft_tables.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_apparmor_profiles_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_auditd_auditctl_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_auditd_file_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_bootloader_password_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_bootloader_perm_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_firewall-cmd_state_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_firewalld_applicable_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_grub_option_exist_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_grub_option_not_exist_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_inactive_password.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_ip6tables_loopback_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_ip6tables_openports_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_iptables_applicable_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_iptables_openports_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_kernel_default_parameter_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_kernel_parameter_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_nftables_applicable_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_password_change_past.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_password_expiration.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_password_warning.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_removiable_media_mp_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_symlink_file_perm644_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/nix_user_shadow_primary_group_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/no_ufw.sh
/opt/microsoft/mdatp/conf/scripts/tvm/no_ungrouped_files_and_directories.sh
/opt/microsoft/mdatp/conf/scripts/tvm/no_unowned_files_and_directories.sh
/opt/microsoft/mdatp/conf/scripts/tvm/root_path.sh
/opt/microsoft/mdatp/conf/scripts/tvm/service_enabled_running.sh
/opt/microsoft/mdatp/conf/scripts/tvm/service_masked_stopped.sh
/opt/microsoft/mdatp/conf/scripts/tvm/sestatus_check.sh
/opt/microsoft/mdatp/conf/scripts/tvm/sshd_running_config_nm.sh
/opt/microsoft/mdatp/conf/scripts/tvm/sysctl_running_config.sh
/opt/microsoft/mdatp/conf/scripts/tvm/tmout_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/ufw_disabled.sh
/opt/microsoft/mdatp/conf/scripts/tvm/ufw_enabled.sh
/opt/microsoft/mdatp/conf/scripts/tvm/ufw_open_ports.sh
/opt/microsoft/mdatp/conf/scripts/tvm/ufw_status.sh
/opt/microsoft/mdatp/conf/scripts/tvm/umask_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/unconfined_services.sh
/opt/microsoft/mdatp/conf/scripts/tvm/users_dot_files_exist.sh
/opt/microsoft/mdatp/conf/scripts/tvm/users_dot_files_perm_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/users_home_exist.sh
/opt/microsoft/mdatp/conf/scripts/tvm/users_home_permissions.sh
/opt/microsoft/mdatp/conf/scripts/tvm/users_netrc_file_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/users_own_home_directory.sh
/opt/microsoft/mdatp/conf/scripts/tvm/wbissue.net.sh
/opt/microsoft/mdatp/conf/scripts/tvm/wbissue.sh
/opt/microsoft/mdatp/conf/scripts/tvm/wbmotd.sh
/opt/microsoft/mdatp/conf/scripts/tvm/wireless_check.sh
/opt/microsoft/mdatp/conf/scripts/tvm/wireless_check_v2.sh
/opt/microsoft/mdatp/conf/scripts/tvm/wireless_check_v3.sh
/opt/microsoft/mdatp/conf/scripts/tvm/world_writable_dirs_sticky.sh
/opt/microsoft/mdatp/conf/scripts/tvm/world_writable_files.sh
/opt/microsoft/mdatp/conf/scripts/tvm/xdnd_chk.sh
/opt/microsoft/mdatp/conf/scripts/tvm/yum_no_security_updates.sh
/opt/microsoft/mdatp/conf/selinux_policies
/opt/microsoft/mdatp/conf/selinux_policies/out
/opt/microsoft/mdatp/conf/selinux_policies/out/audisp_mdatp.pp
/opt/microsoft/mdatp/conf/selinux_policies/out/audisp_mdatp_mariner.pp
/opt/microsoft/mdatp/conf/selinux_policies/out/audisp_mdatp_rhel77.pp
/opt/microsoft/mdatp/conf/selinux_policies/out/mdatp_service.pp
/opt/microsoft/mdatp/conf/setup_iptable_rules.sh
/opt/microsoft/mdatp/conf/syscalls.conf
/opt/microsoft/mdatp/conf/wdnissrv
/opt/microsoft/mdatp/conf/wdnissrv_info
/opt/microsoft/mdatp/conf/wdnissrv_net
/opt/microsoft/mdatp/definitions
/opt/microsoft/mdatp/definitions/libmpengine.so
/opt/microsoft/mdatp/definitions/libmpengine.so.sig
/opt/microsoft/mdatp/definitions/mpasbase.vdm
/opt/microsoft/mdatp/definitions/mpasdlta.vdm
/opt/microsoft/mdatp/definitions/mpavbase.vdm
/opt/microsoft/mdatp/definitions/mpavdlta.vdm
/opt/microsoft/mdatp/lib
/opt/microsoft/mdatp/lib/libatomic.so.1
/opt/microsoft/mdatp/lib/libazure-storage-lite.so
/opt/microsoft/mdatp/lib/libboost_atomic.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_chrono.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_context.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_date_time.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_filesystem.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_locale.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_log.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_log_setup.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_program_options.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_random.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_regex.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_serialization.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_system.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_thread.so.1.83.0
/opt/microsoft/mdatp/lib/libboost_wserialization.so.1.83.0
/opt/microsoft/mdatp/lib/libc++.so.1
/opt/microsoft/mdatp/lib/libc++abi.so.1
/opt/microsoft/mdatp/lib/libcpprest.so.2.10
/opt/microsoft/mdatp/lib/libcrypto.so.3
/opt/microsoft/mdatp/lib/libcurl.so.4
/opt/microsoft/mdatp/lib/libebpf_loader.so
/opt/microsoft/mdatp/lib/libfuse.so.2.9.2
/opt/microsoft/mdatp/lib/libminizip.so.2.5
/opt/microsoft/mdatp/lib/libseccomp.so.2
/opt/microsoft/mdatp/lib/libselinux.so.1
/opt/microsoft/mdatp/lib/libssl.so.3
/opt/microsoft/mdatp/lib/libtvm_interop.so
/opt/microsoft/mdatp/lib/libuuid.so.1
/opt/microsoft/mdatp/lib/libwdavdaemon_core.so
/opt/microsoft/mdatp/lib/libwdavdaemon_edr_dylib.so
/opt/microsoft/mdatp/resources
/opt/microsoft/mdatp/resources/ThirdPartyNotice
/opt/microsoft/mdatp/resources/mdatp_completion.bash
/opt/microsoft/mdatp/resources/mdatp_completion.zsh
/opt/microsoft/mdatp/sbin
/opt/microsoft/mdatp/sbin/SenseImdsCollector
/opt/microsoft/mdatp/sbin/crashpad_handler
/opt/microsoft/mdatp/sbin/curltool
/opt/microsoft/mdatp/sbin/install_helper
/opt/microsoft/mdatp/sbin/libmpengine.so
/opt/microsoft/mdatp/sbin/libnprep.so
/opt/microsoft/mdatp/sbin/libwdnissrv.so
/opt/microsoft/mdatp/sbin/osqueryi
/opt/microsoft/mdatp/sbin/sensecm
/opt/microsoft/mdatp/sbin/senseir
/opt/microsoft/mdatp/sbin/telemetryd_v2
/opt/microsoft/mdatp/sbin/tvm_agent
/opt/microsoft/mdatp/sbin/wdavdaemon
/opt/microsoft/mdatp/sbin/wdavdaemon_network_protection
/opt/microsoft/mdatp/sbin/wdavdaemonclient
/usr/lib/.build-id
/usr/lib/.build-id/3c
/usr/lib/.build-id/3c/c5b46c0d1e082a1775072e0ff83c966f4f192d
/usr/lib/.build-id/71
/usr/lib/.build-id/71/dab188982351a7a24d490e96010d9b4f4d637e

I have also tried installing Wazuh agent to Silverblue (40 running in VM on Boxes). The installation (running sudo rpm-ostree install wazuh-agent) fails during post-install scripts. The errors look similar to those with mdatp, outputs below.

I am able to create all the mentioned files and folders with sudo, so it’s not a question of the filesystem being read-only :thinking:

evakkuri@silverblue40-2 ~> journalctl -t 'rpm-ostree(wazuh-agent.post)'
Oct 20 11:37:25 silverblue40-2 rpm-ostree(wazuh-agent.post)[3570]: /proc/self/fd/5: line 2: /var/ossec/bin/wazuh-control: No such file or directory
Oct 20 11:37:25 silverblue40-2 rpm-ostree(wazuh-agent.post)[3571]: touch: cannot touch '/var/ossec/logs/active-responses.log': No such file or directory
Oct 20 11:37:25 silverblue40-2 rpm-ostree(wazuh-agent.post)[3573]: chown: cannot access '/var/ossec/logs/active-responses.log': No such file or directory
Oct 20 11:37:25 silverblue40-2 rpm-ostree(wazuh-agent.post)[3575]: chmod: cannot access '/var/ossec/logs/active-responses.log': No such file or directory
Oct 20 11:37:25 silverblue40-2 rpm-ostree(wazuh-agent.post)[3568]: /proc/self/fd/5: line 21: /var/ossec/packages_files/agent_installation_scripts/src/init/dist-detect.sh>

OK, so this is installing stuff in /opt. rpm-ostree will “move it” to /usr/opt after installation. We still need the scripts from the RPM package (rpmbuild - how to extract the instructions provided by the rpm spec file - Unix & Linux Stack Exchange).

Ah sorry, forgot that!

I now ran rpm -qp --scripts mdatp-101.24082.0004_insiderfast-1.x86_6.rpm and that produces just over 200kB of script :smiley: Here’s a link to a gist: rpm -qp --scripts mdatp-101.24082.0004-1.x86_64.rpm · GitHub

Is there something that I should look for in the script?

At this point, it’s going to require a lot of time to review that, but this looks like a really badly packaged app. From a quick look, this does curl requests in those scripts, which will never work (rpm-ostree runs scriptlets without access to the internet).

You should ask them to move all of that into proper systemd units or other setup scripts that do things at the right time and not at install time which is not the right time.

Ok thanks for checking, we can forget about that then, I’m not too hopeful about Microsoft’s response times in this case. :smiley:

If I can still bother you for a bit, how about Wazuh agent then - this fails in postinstall stage. Gist here: rpm -q --scripts wazuh-agent · GitHub

I posted results from trying to install Wazuh agent earlier: Endpoint protection / antivirus solutions compatible with Fedora Atomic? - #10 by eliasvakkuri

It’s less horrible but still has bad stuff: systemctl calls, managing files in /var, trying to insert SELinux policies, etc.

Note that in both cases, what you can likely do is repackage all of this properly to make this less horrible. Place only the files in the RPM (as it should be) and then try to run a subset of the scripts from the RPM scriptlets on your system.
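
The scriptlet behaviours named in the replies above (curl requests, systemctl calls, managing files under /var, inserting SELinux policies) can be triaged mechanically before reading a 200 kB scriptlet dump by hand. The following is an added example, not part of the original thread or of either vendor's packaging; the function names, category labels and sample scriptlet text are constructed for illustration, and the patterns are a heuristic, not a complete list.

```shell
#!/usr/bin/env bash
# Added example: flag RPM scriptlet lines that tend to fail when rpm-ostree
# runs them (no network access, install-time changes to /var or services).
# Real use:  rpm -qp --scripts some-package.rpm | audit_scriptlets
# Output:    <scriptlet>\t<category>\t<offending line>

audit_scriptlets() {
  awk '
    # rpm prints a header such as "preinstall scriptlet (using /bin/sh):"
    /^[a-z]+ scriptlet \(using / { section = $1; next }
    /^[ \t]*#/ { next }                       # ignore shell comments
    {
      text = $0
      gsub(/\t/, " ", text)
      sub(/^ +/, "", text)
      line = " " text " "                     # pad so word boundaries are simple
      why = ""
      if (line ~ /[^A-Za-z0-9_.-](curl|wget) /)
        why = "network"
      else if (line ~ /[^A-Za-z0-9_.-](systemctl|service) /)
        why = "service-control"
      else if (line ~ /[^A-Za-z0-9_.-](semodule|semanage|restorecon) /)
        why = "selinux"
      else if (line ~ /[^A-Za-z0-9_.-](mkdir|touch|chown|chmod|cp|mv|ln|install) .*\/var\//)
        why = "var-write"
      if (why != "")
        printf "%s\t%s\t%s\n", (section == "" ? "unknown" : section), why, text
    }'
}

# Constructed sample in the format of `rpm -qp --scripts`; the paths echo the
# journal lines quoted in this thread, the URL and unit name are placeholders.
sample_scriptlets() {
  cat <<'EOF'
preinstall scriptlet (using /bin/sh):
# create state directory
mkdir -p /var/opt/microsoft/mdatp
curl -s https://example.invalid/telemetry
postinstall scriptlet (using /bin/sh):
touch /var/ossec/logs/active-responses.log
semodule -i /opt/vendor/policy.pp
systemctl enable --now vendor-agent.service
echo done
EOF
}

sample_scriptlets | audit_scriptlets
```

Each flagged line is a candidate for moving out of the scriptlet and into a systemd unit or a first-boot setup script when repackaging.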

Thanks again for your comments! I might take a look at repackaging as a longer-term goal. Would you possibly have some link where I could start looking into RPM repackaging topic?

To create RPM packages quickly from non-classical (i.e. source code) sources, I recommend using fpm: GitHub - jordansissel/fpm: Effing package management! Build packages for multiple platforms (deb, rpm, etc) with great ease and sanity.

Someone recently used that in How do I get my thermal printer to work on silverblue? - #8 by lena1000


Thank you!


Did you get anywhere with this, @eliasvakkuri? I’m in the same boat; long-time Silverblue user, and my IT department wants me to use Defender (i.e. the poorly packaged mdatp-bin rpm package). I’ve never packaged an RPM before, so not much help.