Kaspersky Endpoint Security for Linux

KESL container

The Kaspersky Endpoint Security distribution kit contains the files needed to create a container application ("KESL container") that can be embedded in external systems to scan container images from image repositories.

After the KESL container has been deployed, activated and configured, it provides the following functionality:

  • Scanning images of the containers located in repositories.
  • Transferring scanned images that do not contain infected objects to a trusted repository.

Interaction with the KESL container is performed using the REST API. It is also possible to configure KESL container settings using Kaspersky Security Center.

KESL containers cannot be managed using the command line.

In this Help section

Deploying and activating KESL container

Configuring KESL container

Working with REST API


Deploying and activating KESL container

Distribution package description

The distribution package contains the following files:

  • docker-service-<version>.tgz – Archive with files necessary to create the image
  • kesl-<version>.rpm – Kaspersky Endpoint Security installation package
  • klnagent.rpm – Kaspersky Security Center Network Agent installation package

The docker-service-<version>.tgz archive contains the following files:

  • kesl-service – directory of the container application files.
  • Dockerfile – file for building the image with Docker versions below 18.06.
  • Dockerfile.1809 – file for building the image with Docker versions later than 18.05.
  • build.sh.example – example of a script for building an image.
  • run.sh.example – example of a script for launching a KESL container.
  • kesl-service.config.example – example of a container application configuration file.
  • klnagent.conf.example – example of a configuration file for connecting to Kaspersky Security Center.
  • readme.md – quick reference.

KESL container deployment and activation

To prepare a KESL container for use:

  1. Unpack the docker-service-<version>.tgz archive, for example with tar -xvf docker-service-<version>.tgz.
  2. If you want to configure the KESL container settings using Kaspersky Security Center, do the following:
    1. In the klnagent.conf.example file, specify the values of the Network Agent variables. For more information, refer to the Kaspersky Security Center documentation (the "Installing Network Agent for Linux in silent mode (with an answer file)" section).
    2. Copy klnagent.conf.example to kesl-service/klnagent.conf.
  3. Build the KESL container Docker image using the build.sh.example installation script:
    1. If you use a proxy server, specify the desired values for the COMMON_AGRS variable.
    2. If necessary, change the name of the target kesl-service image to the desired one.
    3. Copy build.sh.example to build.sh and assign an executable file attribute to it.
    4. Run build.sh.
  4. Make sure that the build completed successfully by executing the docker images -a command. The output should contain a line for the new image:

    REPOSITORY      TAG       IMAGE ID    CREATED            SIZE
    kesl-service    latest    <hex>       <creation time>    <size>

  5. Activate the KESL container in one of the following ways: specify the activation code or key file in the configuration file, or pass it in an environment variable when starting the container (see step 8).
  6. Configure the KESL container.
  7. Start the KESL container using the following command:

    docker run --privileged --init -p <KESL container port>:<device_port> \
      -e <variable_1> -e <variable_2> ... -e <variable_n> \
      -v <mount point_1> -v <mount point_2> ... -v <mount point_n> \
      <image name>

    where:

    <KESL container port> is the port of the KESL container, which must be accessible over the network from outside the KESL container.

    <device_port> is the port of the device where the KESL container is installed.

    You can see an example of the run command in the file run.sh.example.

  8. If you want to activate the KESL container using an environment variable, do one of the following:
    • To use an activation code, add the following setting when starting the KESL container (see step 7): KRAS4D_ACTIVATION='<activation code>'

      docker run ... -e KRAS4D_ACTIVATION='<activation code>'

    • To use a key file, add the following settings when starting the KESL container (see step 7): KRAS4D_ACTIVATION='<key file>' and KRAS4D_KEYPATH=/root/kesl-service/keys, and mount the directory that contains the key file at /root/kesl-service/keys:

      docker run ... -e KRAS4D_ACTIVATION='<key file>' -e KRAS4D_KEYPATH=/root/kesl-service/keys -v <path to the directory with keys>:/root/kesl-service/keys
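The start-up steps above, assembled into a small script. This is an added example, not the distribution's run.sh.example: the image name, host directories and key file name it is called with are placeholders, and it prints the docker run command instead of executing it, so the privileged start can be reviewed first.

```shell
#!/bin/sh
# Added example (not the distribution's run.sh.example): assemble the
# "docker run" command for a KESL container from the settings and mount
# points documented above. Nothing is executed; the command is printed.
# Host directories and the key file name are placeholders chosen by the caller.

# build_run_cmd IMAGE HOST_PORT ACTIVATION [KEYDIR] [DBDIR] [APIKEY]
#   ACTIVATION is an activation code, or a key file name when KEYDIR is given.
build_run_cmd() {
    image=$1 host_port=$2 activation=$3 keydir=${4-} dbdir=${5-} apikey=${6-}
    # Published device port : REST API port inside the container (KRAS4D_PORT, default 8085).
    cmd="docker run --privileged --init -p ${host_port}:${KRAS4D_PORT:-8085}"

    # KRAS4D_XAPIKEY is optional, but without it requests are not verified at all.
    if [ -n "$apikey" ]; then
        cmd="$cmd -e KRAS4D_XAPIKEY='$apikey'"
    else
        echo "warning: KRAS4D_XAPIKEY not set, x-api-key verification is disabled" >&2
    fi

    cmd="$cmd -e KRAS4D_ACTIVATION='$activation'"
    # Key file activation requires KRAS4D_KEYPATH and the /root/kesl-service/keys mount.
    if [ -n "$keydir" ]; then
        if [ ! -f "$keydir/$activation" ]; then
            echo "error: key file '$activation' not found in $keydir" >&2
            return 1
        fi
        cmd="$cmd -e KRAS4D_KEYPATH=/root/kesl-service/keys -v $keydir:/root/kesl-service/keys"
    fi

    # Shared database directory: several containers reuse one copy and start faster.
    if [ -n "$dbdir" ]; then
        cmd="$cmd -v $dbdir:/var/opt/kaspersky/kesl/common/updates"
    fi
    echo "$cmd $image"
}

# Stand-alone use: ./kesl-run.sh kesl-service 8085 kesl.key ./keys ./updates "$API_KEY"
if [ "$#" -ge 3 ]; then
    build_run_cmd "$@"
fi
```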


Configuring KESL container

KESL container settings are initialized in several ways, listed here in increasing order of priority:

  • By default (unless otherwise specified).
  • From the configuration file. Values from the configuration file take priority over the default values.
  • From environment variables passed to the KESL container at startup. Environment variables take priority over the settings from the configuration file.
  • From the scan request body. Settings in the request body have the highest priority, but they apply only to that single request.

In this section

KESL container settings

Environment variables

Configuration file

Available mount points


KESL container settings

KESL container settings and their default values are described below. For each setting, the available values (where they are restricted) and the default value are listed.

Port for listening to REST API
  Default value: 8085

Event severity level
  Available values: debug, info, warning, error, critical, noset
  Default value: noset

Authorization key
  If the KRAS4D_XAPIKEY setting is specified, each request is checked for the presence of the x-api-key header and for whether its value matches the KRAS4D_XAPIKEY setting. If either condition is not met, the request is rejected. If this setting is not specified, no verification is performed.

Activation code or key file
  To activate a KESL container using an activation code, specify the activation code in the configuration file or pass it in an environment variable when running the KESL container:

    docker run ... -e KRAS4D_ACTIVATION='<activation code>'

  To activate a KESL container using a key file, specify the key file in the configuration file or pass it in an environment variable when running the KESL container:

    docker run ... -e KRAS4D_ACTIVATION='<key file>' -e KRAS4D_KEYPATH=/root/kesl-service/keys -v <path to the directory with keys>:/root/kesl-service/keys

  Activation using a key file requires the /root/kesl-service/keys mount point.

Additional scan settings
  The optional KRAS4D_SCANOPTIONS setting configures the settings of the Container Scan task:

    docker run ... -e KRAS4D_SCANOPTIONS='<settings>'

  where <settings> are the settings of the Container Scan task.

Additional update settings
  The optional KRAS4D_UPDATEOPTIONS setting configures the settings of the Update task:

    docker run ... -e KRAS4D_UPDATEOPTIONS='<settings>'

  where <settings> are the Update task settings SourceType and ApplicationUpdateMode, as well as the settings in the CustomSources.item_# section.

Update the application databases when KESL container starts
  By default, the application databases are downloaded to the /var/opt/kaspersky/kesl/common/updates directory when the KESL container is started.

  To let several KESL containers share one copy of the application databases and to speed up KESL container startup, it is recommended to keep this directory on the device where the KESL container is installed by mounting it:

    docker run ... -v <path to the database directory>:/var/opt/kaspersky/kesl/common/updates

  Default value: True

Do not process the image if it already exists in the target repository
  Default value: False

Maximum time to wait for application commands to run, in seconds
  Default value: 600

Maximum time to wait for application database update tasks to run, in seconds
  Default value: 600

Name of the settings configuration file
  Default value: kesl-service.config


Environment variables

The following environment variables can be used to configure a KESL container:

  • KRAS4D_PORT – port for listening to REST API.
  • KRAS4D_LOGLEVEL – event severity level.
  • KRAS4D_XAPIKEY – request authorization key.
  • KRAS4D_ACTIVATION – activation code or key file name.
  • KRAS4D_SCANOPTIONS – additional scan settings.
  • KRAS4D_UPDATEOPTIONS – additional update settings.
  • KRAS4D_FORCEUPDATE – update the application databases when KESL container starts.
  • KRAS4D_SKIPIMAGEIFEXISTS – do not process the image if it already exists in the target repository.
  • KRAS4D_GENERALTIMEOUT – maximum time to wait for application commands to run.
  • KRAS4D_UPDTASKTIMEOUT – maximum time to wait for application database update tasks to run.
  • KRAS4D_CFGNAME – name of the KESL container configuration file.

Configuration file

The KESL container configuration file uses the YAML format. To read the settings from the file, mount the /root/kesl-service/config/ path on the device where the KESL container is installed, and specify the name of the configuration file if it differs from the default one. This way, you can use an individual configuration file for each set of KESL containers.

Example: starting a KESL container

  docker run ... \
    -e KRAS4D_CFGNAME='unique_file_name' \
    -v <HOST_PATH>:/root/kesl-service/config \
    kesl-service

The table below shows the configuration file settings and the corresponding environment variables.

Correspondence between the settings and the environment variables

Common section

  port: <port for listening> – KRAS4D_PORT (default 8085)
  sqlpath: <full path to the database file that contains scan results> – KRAS4D_SQLPATH
  certdir: <path to the directory with registry certificates> – KRAS4D_CERTDIR
  keypath: <path to the directory with license keys> – KRAS4D_KEYPATH
  tmppath: <full path to the temporary directory> – KRAS4D_TMPPATH
  logpath: <full path to the event log> – KRAS4D_LOGPATH
  loglevel: [noset|debug|info|warning|error|critical] – KRAS4D_LOGLEVEL

Control section

  xapikey: <request authorization key> – KRAS4D_XAPIKEY (default None)
  forceupdate: <forced database update at container start [True|False]> – KRAS4D_FORCEUPDATE
  activation: <activation code or key file name from /root/kesl-service/config/> – KRAS4D_ACTIVATION
  detectaction: [delete|skip] – KRAS4D_DETECTACTION
  scanoptions: <scan settings [ScanArchived=yes ScanSfxArchived=yes ...]> – KRAS4D_SCANOPTIONS
  skipimageifexist: <do not scan the image if it already exists on the server to which the scanned image is to be copied> – KRAS4D_SKIPIMAGEIFEXIST
  generaltimeout: <maximum time to wait for application commands to run> – KRAS4D_GENERALTIMEOUT
  updtasktimeout: <maximum time to wait for application database update tasks to run> – KRAS4D_UPDTASKTIMEOUT

Repositories section

  <server>:<port>: address and port of an image registry that requires authorization when images are requested for scanning. No corresponding environment variable.

  Credentials subsection

    user: user name for authorization in the image registry
    pass: password for authorization in the image registry

Example of a configuration file


Available mount points

The following mount points are available for working with the KESL container:

  • /root/kesl-service/data/scans.sqlite – path to the database file that contains scan results.
  • /var/opt/kaspersky/kesl/common/updates – path to the application databases.
  • /root/kesl-service/certificates – path to the directory that contains repository certificates.
  • /root/kesl-service/keys – path to the directory that contains license keys.
  • /var/log/kaspersky/ – path to the directory that contains event logs.
  • /root/kesl-service/config/ – path to the configuration files.
  • /var/lib/containers/vfs-storage – required mount point for the Podman utility to work correctly.

Working with REST API

Interaction with the KESL container is implemented using the REST API.

Using the REST API, you can submit the following requests:
