Running the application on ALT SP in closed software environment mode

This section describes how to start the application in the ALT SP operating system in closed software environment mode.

To run the application on the ALT SP operating system:

  1. Disable the closed software environment mode, if enabled, by running the following command:

    integrity-remover

  2. Create a kesl group for further changes to the IMA policy by running the following command:

    groupadd kesl

  3. Find out the unique identifier (GUID) of the created group by running the following command:

    cat /etc/group | grep kesl

  4. Edit the IMA policy to exclude the kesl group. To do so:
    1. Copy the /usr/share/integrity/policy file by running the following command:

      cp /usr/share/integrity/policy /etc/integrity/policy

    2. Edit the /etc/integrity/policy file using a text editor (for example, vim) by running the following command:

      vim /etc/integrity/policy

    3. After the line dont_measure fsmagic=0xf97cff8c (usually this is the last line in the dont_measure section), add the line dont_measure fgroup=<GUID>, where <GUID> is the unique identifier of the group created at step 2 of these instructions.
    4. After the line dont_appraise fsmagic=0x27e0eb (usually this is the last line in the dont_appraise section), add the line dont_appraise fgroup=<GUID>, where <GUID> is the unique identifier of the group created at step 2 of these instructions.
    5. Save your changes.
  5. In the /usr/sbin/integrity-sign file, edit the list_all_files function to include the Kaspersky Endpoint Security application in the allowlist of applications that are allowed to run in the closed environment mode. To do so:
    1. Edit the /usr/sbin/integrity-sign file using a text editor (for example, vim) by running the following command:

      vim /usr/sbin/integrity-sign

    2. Find the list_all_files function and in the body of the function, in lines starting with find -P, add the directories of the Kaspersky Endpoint Security application under /var/opt and /opt to the end of each enumeration of directories.
    3. Save your changes.
  6. Install the Kaspersky Endpoint Security application. To make sure that the application database update works correctly after the installation, decline the application database update at the initial configuration stage (enter 'no' at the application database update step).
  7. Assign the inheritance of the kesl group and directory permissions for the updatable components of the Kaspersky Endpoint Security application by running the following commands:

    cd /var/opt/kaspersky/kesl/<build number_*>/var/opt/kaspersky/kesl/private

    chown -R root:kesl updates/

    find updates -type d -exec chmod g+s {} \;

    cd /opt/kaspersky/kesl/lib64

    chown -R root:kesl updatable_modules/

    find updatable_modules -type d -exec chmod g+s {} \;

    cd /var/opt/kaspersky/kesl/common/

    chown -R root:kesl temp/

    find temp -type d -exec chmod g+s {} \;

  8. Assign the inheritance of the kesl group and directory permissions for the updatable components of the Network Agent by running the following commands:

    cd /var/opt/kaspersky/

    chown -R root:kesl klnagent/

    find klnagent/ -type d -exec chmod g+s {} \;

    cd /opt/kaspersky/

    chown -R root:kesl klnagent64/

    find klnagent64/ -type d -exec chmod g+s {} \;

  9. Enable the closed software environment mode by initiating the signing of the system using the following command:

    integrity-applier -i -A

  10. Make sure that the IMA subsystem is activated by running the following command:

    cat /proc/cmdline

    The command output should contain the parameters lsm=integrity ima_hash=sha512 ima_appraise=enforce.

  11. Start the database update task by running the following command:

    kesl-control --start 6 -W

    If the output contains the EventType=BasesApplied event, it means the database update was performed correctly.

    If the application is used in Light Agent mode to protect virtual environments, wait until the application databases are automatically updated. You can view information about the database update using the kesl-control --app-info command. The output includes information about whether the application databases were loaded and the time of the last release of the application databases.

  12. Restart the application by running the following command:

    systemctl restart kesl
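
The checks in steps 3, 4 and 10 can be scripted so that a mistyped group identifier or a missing kernel parameter is caught before the application is relied on. The script below is an added example, not part of the original instructions or of any Kaspersky or ALT tooling; the function names are hypothetical, and it assumes the policy lines have exactly the form added in steps 4.3 and 4.4.

```bash
#!/bin/bash
# Added example: read-only checks for steps 3, 4 and 10 of the procedure.
# Function names are hypothetical; file paths are the ones used on this page.

# Print the numeric ID of the kesl group (third field of the group file).
# Matching the name field exactly avoids hits on other lines that merely
# contain "kesl", which a plain grep would also return.
kesl_gid() {
    awk -F: '$1 == "kesl" { print $3; found = 1 } END { exit !found }' "${1:-/etc/group}"
}

# Succeed only if the policy file excludes the group from both measurement
# and appraisal (steps 4.3 and 4.4). Usage: policy_excludes_gid GID [FILE]
policy_excludes_gid() {
    local gid="$1" policy="${2:-/etc/integrity/policy}" action
    for action in dont_measure dont_appraise; do
        grep -Eq "^[[:space:]]*${action}[[:space:]]+fgroup=${gid}[[:space:]]*$" "$policy" || {
            echo "missing: ${action} fgroup=${gid} in ${policy}" >&2
            return 1
        }
    done
}

# Succeed only if every parameter from step 10 is present as a whole word,
# so that a value such as ima_appraise=log is not accepted.
cmdline_has_ima() {
    local cmdline="${1:-/proc/cmdline}" param
    for param in lsm=integrity ima_hash=sha512 ima_appraise=enforce; do
        grep -Eq "(^|[[:space:]])${param}([[:space:]]|$)" "$cmdline" || {
            echo "missing kernel parameter: ${param}" >&2
            return 1
        }
    done
}

# Run all checks against the live system when called with --check.
if [ "${1:-}" = "--check" ]; then
    gid=$(kesl_gid) || { echo "group kesl not found" >&2; exit 1; }
    policy_excludes_gid "$gid" && cmdline_has_ima && echo "OK: kesl GID ${gid}"
fi
```

Run it with --check after step 10; each function also accepts a file path, so a copy of the policy can be checked before it is put in place.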
