Kaspersky Industrial CyberSecurity for Linux Nodes

Application components integrity check

February 8, 2024

ID 236027

Kaspersky Industrial CyberSecurity for Linux Nodes contains many different binary modules in the form of dynamically linked libraries, executable files, configuration files, and interface files. Hackers could potentially replace one or more application executable modules or files with other files containing malicious code. To prevent the replacement of modules and files, Kaspersky Industrial CyberSecurity for Linux Nodes can check the integrity of application components. The application checks modules and files for unauthorized changes or corruption. If an application module or file has an incorrect checksum, it is considered to be corrupted.

An integrity check is run for the following application components if installed on the device:

  • Application package
  • Graphical user interface package
  • Kaspersky Security Center Network Agent package
  • Kaspersky Industrial CyberSecurity for Linux Nodes administration plug-in

The application checks the integrity of the files listed in special lists called manifest files. Each application component has its own manifest file that contains a list of application files whose integrity is important for correct operation of this application component. The name of the manifest file is the same for each component, but the content of the manifest files differs. The manifest files are digitally signed and their integrity is checked as well.

The integrity of the application components is checked using the integrity_checker utility.

The integrity check utility must be run under an account with root privileges.

To check integrity, you can use either the utility installed with the application or the utility distributed on a certified CD.

It is recommended to run the integrity check utility from a certified CD to ensure the integrity of the utility itself. When running the utility from the CD, specify the full path to the manifest file.

The integrity check utility installed with the application is located at the following paths:

  • To check the application package, graphical user interface package, and Network Agent: /opt/kaspersky/kics/bin/integrity_checker.
  • To check the Kaspersky Industrial CyberSecurity for Linux Nodes administration plug-in – in the directory where the executable modules (DLL) of the administration plug-in are located:
    • C:\Program Files\Kaspersky Lab\Kaspersky Security Center\Plugins\<plug-in version>.linux.plg\integrity_checker.exe – for 32-bit operating systems.
    • C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\Plugins\<plug-in version>.linux.plg\integrity_checker.exe – for 64-bit operating systems.

The manifest files are located at the following paths:

  • /opt/kaspersky/kics/bin/integrity_check.xml – to check the integrity of the application package.
  • /opt/kaspersky/kics/bin/gui_integrity_check.xml – to check the integrity of the graphical user interface package.
  • /opt/kaspersky/klnagent/bin/kl_file_integrity_manifest.xml – to check the Network Agent in 32-bit operating systems.
  • /opt/kaspersky/klnagent64/bin/kl_file_integrity_manifest.xml – to check the Network Agent in 64-bit operating systems.

To check the integrity of the application components, run one of the following commands:

  • To check the application package and graphical user interface package:

    integrity_checker [<path to manifest file>] --signature-type kds-with-filename

  • To check the Kaspersky Industrial CyberSecurity for Linux Nodes administration plug-in and the Network Agent:

    integrity_checker [<path to manifest file>]

If you do not specify a path, the utility uses the manifest file located in the same directory as the integrity check utility.

You can run the utility with the following optional settings:

  • --crl <directory> – path to the directory containing the Certificate Revocation List.
  • --version – display the version of the utility.
  • --verbose – display detailed information about performed actions and their results. If you do not specify this setting, only errors, objects that did not pass the check, and scan statistics summary will be displayed.
  • --trace <file name>, where <file name> is the name of the file where events that happen during scans will be logged at the DEBUG level of detail.
  • --signature-type kds-with-filename – the type of the signature to be checked (this setting is required for checking the application package, graphical user interface package, and Network Agent).
  • --single-file <file> – scan only one file in the manifest; ignore the other objects in the manifest.

You can view a description of all available integrity check utility settings by running the integrity_checker --help command.

The result of checking the manifest files is displayed as follows:

  • SUCCEEDED – integrity of the files has been confirmed (return code 0).
  • FAILED – integrity of the files has not been confirmed (return code is not 0).
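
The following wrapper is an added example, not code from the vendor: it runs the utility against each Linux manifest listed above, treats return code 0 as SUCCEEDED and any other code as FAILED, and writes a syslog entry on failure. The names CHECKER, MANIFESTS and check_components, the --run switch and the syslog tag are assumptions of this sketch; the Network Agent manifests are run without --signature-type, following the command list above.

```shell
#!/bin/sh
# Added example (not vendor code). Paths and options come from this page;
# CHECKER, MANIFESTS and check_components are names assumed for the sketch.
CHECKER="${CHECKER:-/opt/kaspersky/kics/bin/integrity_checker}"

# One entry per line: <manifest path>|<options used for that component>
DEFAULT_MANIFESTS='/opt/kaspersky/kics/bin/integrity_check.xml|--signature-type kds-with-filename
/opt/kaspersky/kics/bin/gui_integrity_check.xml|--signature-type kds-with-filename
/opt/kaspersky/klnagent/bin/kl_file_integrity_manifest.xml|
/opt/kaspersky/klnagent64/bin/kl_file_integrity_manifest.xml|'
MANIFESTS="${MANIFESTS:-$DEFAULT_MANIFESTS}"

# Run the checker once per manifest present on the device.
# Returns 0 only if at least one manifest was checked and every check
# returned code 0 (SUCCEEDED); any other return code counts as FAILED.
check_components() {
    checked=0
    failed=0
    while IFS='|' read -r manifest opts; do
        [ -n "$manifest" ] || continue
        if [ ! -f "$manifest" ]; then
            echo "SKIPPED   $manifest (manifest not present)"
            continue
        fi
        checked=$((checked + 1))
        # $opts is left unquoted on purpose so it splits into arguments;
        # stdin is redirected so the checker cannot consume the list.
        if "$CHECKER" "$manifest" $opts </dev/null; then
            echo "SUCCEEDED $manifest"
        else
            echo "FAILED    $manifest (return code $?)"
            failed=$((failed + 1))
        fi
    done <<EOF
$MANIFESTS
EOF
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Entry point for cron or a systemd timer: ./check.sh --run
if [ "${1:-}" = "--run" ]; then
    # The page states the utility must run under an account with root privileges.
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 2; }
    if check_components; then
        exit 0
    fi
    logger -t kics-integrity -p daemon.crit "component integrity check FAILED"
    exit 1
fi
```

A run in which no manifest is found also returns a non-zero status, so a host where the manifests have been removed does not report success.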

If a breach in the integrity of the application or Network Agent is detected when the application starts, Kaspersky Industrial CyberSecurity for Linux Nodes generates the IntegrityCheckFailed event in the event log and in Kaspersky Security Center.
