Kaspersky Industrial CyberSecurity for Linux Nodes

Configuring permissive rules in the SELinux system

February 8, 2024

ID 237183

If automatic configuration of SELinux is not possible during the initial setup of the application, or if you declined automatic configuration, you can manually configure SELinux to work with Kaspersky Industrial CyberSecurity for Linux Nodes.

To configure SELinux to work with Kaspersky Industrial CyberSecurity for Linux Nodes:

  1. Switch SELinux to permissive mode:
    • If SELinux has been activated, run the following command:

      # setenforce Permissive

    • If SELinux was disabled, set the SELINUX=permissive parameter in the configuration file /etc/selinux/config and restart the operating system.
  2. Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python* package.
  3. If you are using a custom SELinux policy that is different from the default targeted policy, assign a label to the following Kaspersky Industrial CyberSecurity for Linux Nodes source executable files in accordance with the SELinux policy in use:
    • /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/libexec/kics
    • /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/bin/kics-control
    • /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/libexec/kics-gui
    • /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/shared/kics
    • /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/bin/aushape
    • /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/libexec/aushape-audispd-plugin
    • /var/opt/kaspersky/kics/1.3.0.<build number>_<installation timestamp>/opt/kaspersky/kics/lib64/agent/libaushape.so.0
  4. Run the following tasks:
    • File Threat Protection task:

      kics-control --start-task 1

    • Critical Areas scan task:

      kics-control --start-task 4 -W

    • Kaspersky Industrial CyberSecurity for Networks Integration task:

      kics-control --start-task 23

    It is recommended to run all tasks that you plan to run when using Kaspersky Industrial CyberSecurity for Linux Nodes.

  5. Start the graphical user interface if you plan to use it.
  6. Make sure there are no errors in the audit.log file:

    grep kics /var/log/audit/audit.log

  7. If there are errors in the audit.log file, create and load a new rules module based on the blocking entries to resolve the errors, then rerun the tasks that you plan to run when using Kaspersky Industrial CyberSecurity for Linux Nodes.

    If new audit messages related to Kaspersky Industrial CyberSecurity for Linux Nodes appear, you need to update the rules module file.

  8. Switch SELinux to enforcing mode:

    # setenforce Enforcing
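
Steps 6 and 7 as a script, added here as an example that is not part of Kaspersky's documentation: it condenses the kics-related AVC denials into one line per unique rule so they can be reviewed before a module is built from them. The sample records are constructed, and the function names and the module name kics_local are assumptions.

```bash
#!/bin/sh
# Added example, not Kaspersky's code. The audit records below are constructed.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1707380000.101:501): avc:  denied  { read } for  pid=2101 comm="kics" name="a.log" dev="dm-0" ino=1001 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1707380001.102:502): avc:  denied  { read } for  pid=2101 comm="kics" name="b.log" dev="dm-0" ino=1002 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1707380002.103:503): avc:  denied  { read open } for  pid=2150 comm="kics-control" path="/tmp/demo" dev="dm-0" ino=1003 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1707380002.103:503): arch=c000003e syscall=257 success=yes comm="kics-control"
type=AVC msg=audit(1707380003.104:504): avc:  denied  { write } for  pid=900 comm="sshd" name="x" dev="dm-0" ino=1004 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
EOF
)

# Step 6: read audit records on stdin and print, for every unique denial that
# mentions kics, "<count> <source type> <target type>:<class> { <perms> }".
# In permissive mode the records still say "denied" but carry permissive=1.
summarize_kics_denials() {
    awk '
    /type=AVC/ && /denied/ && /kics/ {
        perms = $0
        sub(/.*[{] */, "", perms)      # drop everything up to "{ "
        sub(/ *[}].*/, "", perms)      # drop " }" and the rest of the record
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # A context is user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s != "" && t != "" && c != "")
            seen[s " " t ":" c " { " perms " }"]++
    }
    END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k2
}

# Step 7: build and load a local module from the same entries (run as root).
# audit2allow turns every denial it is given into an allow rule, so read the
# generated kics_local.te and compare it with the summary before loading it.
build_kics_module() {
    grep kics /var/log/audit/audit.log | audit2allow -M kics_local &&
        semodule -i kics_local.pp
}

# Demonstration on the constructed sample; on a node, feed the real log:
#   summarize_kics_denials < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | summarize_kics_denials
```

An empty summary after rerunning the tasks in step 4 means no new kics denials were logged and SELinux can be returned to enforcing mode.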

If you use a custom SELinux policy, after installing application updates, manually assign a label to the original executable files of Kaspersky Industrial CyberSecurity for Linux Nodes (follow steps 1, 3–8).

For additional information, please refer to the documentation on the relevant operating system.
