Configuring permissive rules in the SELinux system

To configure SELinux to work with Kaspersky Industrial CyberSecurity for Linux Nodes, do the following:

  1. Put SELinux in permissive mode:
    • If SELinux has been activated, run the following command:

      # setenforce Permissive

    • If SELinux was disabled, set the SELINUX=permissive parameter in the configuration file /etc/selinux/config and restart the operating system.
  2. Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python* package.
  3. Install the Kaspersky Industrial CyberSecurity for Linux Nodes package.

    Once the package is installed, the source executable files are labeled automatically.

  4. If you are using a custom SELinux policy that is different from the default targeted policy, assign a label to the following Kaspersky Industrial CyberSecurity for Linux Nodes source executable files in accordance with the SELinux policy in use:
    • /var/opt/kaspersky/kics/1.3.0.<build number>_<installation time stamp>/opt/kaspersky/kics/libexec/kics
    • /var/opt/kaspersky/kics/1.3.0.<build number>_<installation time stamp>/opt/kaspersky/kics/bin/kics-control
    • /var/opt/kaspersky/kics/1.3.0.<build number>_<installation time stamp>/opt/kaspersky/kics/libexec/kics-gui
    • /var/opt/kaspersky/kics/1.3.0.<build number>_<installation time stamp>/opt/kaspersky/kics/shared/kics-supervisor
  5. Run the configuration script of Kaspersky Industrial CyberSecurity for Linux Nodes:

    # /opt/kaspersky/kics/bin/kics-setup.pl

  6. Run the following tasks:
    • File Threat Protection task:

      kics-control --start-task 1

    • The Critical Areas scan task:

      kics-control --start-task 4 -W

    It is recommended to run all tasks that you plan to run when using Kaspersky Industrial CyberSecurity for Linux Nodes.

  7. Make sure there are no errors in the audit.log file:

    grep kics /var/log/audit/audit.log

  8. If there are errors in the audit.log file, create and load a new rules module based on the blocking records to resolve the errors, then rerun the tasks that you plan to run when using Kaspersky Industrial CyberSecurity for Linux Nodes.

    If new audit messages related to Kaspersky Industrial CyberSecurity for Linux Nodes appear, you need to update the rules module file.

  9. Switch SELinux to enforcing mode:

    # setenforce Enforcing
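
For steps 7 and 8, the following added example (not part of the Kaspersky documentation or product) groups the kics-related AVC denial records by source type, target type, object class and permissions, so that you can review what a new rules module would permit before you create it. The sample records, the exe path and the example_* SELinux types are constructed for illustration.

```shell
#!/bin/sh
# Added example: review kics-related SELinux denials before building a rules module.

# Constructed audit records (not from a real system); example_* types are hypothetical.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:411): avc:  denied  { read } for  pid=2101 comm="kics" name="data.bin" dev="dm-0" ino=1234 scontext=system_u:system_r:example_kics_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000001.202:412): avc:  denied  { read } for  pid=2101 comm="kics" name="other.bin" dev="dm-0" ino=1235 scontext=system_u:system_r:example_kics_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000002.303:413): avc:  denied  { read open } for  pid=2150 comm="kics-control" path="/tmp/x" dev="dm-0" ino=99 scontext=system_u:system_r:example_kics_t:s0 tcontext=system_u:object_r:example_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000003.404:414): avc:  denied  { write } for  pid=900 comm="sshd" name="log" dev="dm-0" ino=5 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000002.303:413): arch=c000003e syscall=257 success=yes exit=3 comm="kics-control" exe="/constructed/path/kics-control"
EOF
}

# Reads audit records on stdin and prints one line per unique
# "source type -> target type:class { permissions }" with its occurrence count.
summarize_kics_denials() {
  # Same filter as step 7, then keep only AVC denial records.
  grep kics | awk '
    $1 == "type=AVC" && /denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""; inside = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inside = 1; continue }   # permission list starts
        if ($i == "}") { inside = 0; continue }   # permission list ends
        if (inside) { perms = perms (perms == "" ? "" : " ") $i; continue }
        # A context is user:role:type:level; the type is the third part.
        if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      count[src " -> " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in count) printf "%s count=%d\n", k, count[k] }
  ' | LC_ALL=C sort
}

# Demonstration on the constructed records above.
sample_audit_log | summarize_kics_denials
```

On a real system, feed the audit log to the function instead: summarize_kics_denials < /var/log/audit/audit.log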

If you are using a custom SELinux policy, you need to manually assign a label to the source executable files of Kaspersky Industrial CyberSecurity for Linux Nodes after installing application updates (follow steps 1, 4, 6, 7, 8, and 9).

You can find more information in the documentation for your operating system.
