Support

Support for business applications

Kaspersky Industrial CyberSecurity for Linux Nodes

Installation and initial configuration of the application

Configuring permissive rules in the SELinux system

Kaspersky Industrial CyberSecurity for Linux Nodes
Нет результатов
Online Help
FAQ Solution overview Forum Contact support Product videos

Configuring permissive rules in the SELinux system

August 5, 2024

ID 263929

Manually configuring SELinux for working with the application

If SELinux could not be configured automatically during the initial configuration of Kaspersky Industrial CyberSecurity for Linux Nodes, or if you declined automatic configuration, you can manually configure SELinux to work with Kaspersky Industrial CyberSecurity for Linux Nodes.

To manually configure SELinux to work with the application:

  1. Switch SELinux to permissive mode:
    • If SELinux has been activated, run the following command:

      # setenforce Permissive

    • If SELinux was disabled, set the SELINUX=permissive setting in the configuration file / etc / selinux / config and restart the operating system.
  2. Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python or policycoreutils-python-utils package, depending on the package manager.
  3. If you are using a custom SELinux policy instead of the default targeted policy, assign a label to each source executable file of Kaspersky Industrial CyberSecurity for Linux Nodes in accordance with the SELinux policy being used; to do so, run the following commands:

    # semanage fcontext -a -t bin_t <executable file>

    # restorecon -v <executable file>

    where <executable file> is:

    • /var/opt/kaspersky/kics/1.5.0.<build number>_<installation time stamp>/opt/kaspersky/kics/libexec/kics
    • /var/opt/kaspersky/kics/1.5.0.<build number>_<installation time stamp>/opt/kaspersky/kics/bin/kics-control
    • /var/opt/kaspersky/kics/1.5.0.<build number>_<installation time stamp>/opt/kaspersky/kics/libexec/kics-gui
    • /var/opt/kaspersky/kics/1.5.0.<build number>_<installation timestamp>/opt/kaspersky/kics/shared/kics
  4. Run the following tasks:
    • File Threat Protection task:

      kics-control --start-task 1

    • The Critical Areas scan task:

      kics-control --start-task 4 -W

    It is recommended to run all tasks that you plan to run when using Kaspersky Industrial CyberSecurity for Linux Nodes.

  5. Start the graphical user interface if you plan to use it.
  6. Ensure that there are no errors in the audit.log file:

    # grep kics /var/log/audit/audit.log

  7. If the audit.log file contains errors, create and load a new rules module based on blocking records to resolve the errors, and restart the tasks that you want to run when using Kaspersky Industrial CyberSecurity for Linux Nodes:

    # grep kics /var/log/audit/audit.log | audit2allow -M kics

    # semodule -i kics.pp

    If new audit messages related to Kaspersky Industrial CyberSecurity for Linux Nodes appear, you need to update the rules module file.

  8. Switch SELinux to blocking mode:

    # setenforce Enforcing

If you use a custom SELinux policy, after installing application updates, manually assign a label to the original executable files of Kaspersky Industrial CyberSecurity for Linux Nodes (follow steps 1, 3 through 8).

You can find more information in the documentation for your operating system.

Configuring SELinux to run the "Start process" task

If SELinux is installed in your operating system in Enforcing mode, starting the Start process task requires additional configuration of SELinux.

To configure SELinux to run the "Start process" task

  1. Switch SELinux to permissive mode:
    • If SELinux has been activated, run the following command:

      # setenforce Permissive

    • If SELinux was disabled, set the SELINUX=permissive setting in the configuration file / etc / selinux / config and restart the operating system.
  2. Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python or policycoreutils-python-utils package, depending on the package manager.
  3. Start the "Start process" task.
  4. Ensure that there are no errors in the audit.log file:

    # grep kics /var/log/audit/audit.log

  5. If errors are present in the audit.log file, create and load a new rules module based on blocking rules to fix the errors, then run the "Start process" task again.

    # grep kics /var/log/audit/audit.log | audit2allow -M kics

    # semodule -i kics.pp

  6. Switch SELinux to blocking mode:

    # setenforce Enforcing

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.