Kaspersky Embedded Systems Security for Linux

Device Control task (Device_Control, ID:15)

When the Device Control task is running, Kaspersky Embedded Systems Security manages user access to the devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). This lets you protect the client device from infection when external devices are connected, and prevent data loss or leaks.

By default, the Device Control task starts automatically when the application starts. You can stop the task at any moment if necessary.

The Device Control task manages user access to devices using the access rules. You can select the action to be performed by the Device Control task: apply rules or test rules.

The Device Control task manages user access at the following levels:

  • Device type. For example, printers, removable drives, or CD/DVD drives.
  • Connection bus. A connection bus is the interface used to connect devices to the client device (USB or FireWire).
  • Trusted devices. Trusted devices are devices to which users have full access.

    You can add devices to the list of trusted devices by ID. Each device has a unique DeviceId. You can view the IDs of the connected devices by executing the kess-control --get-device-list command.

When a device whose access is denied by the Device Control task is connected to a client device, the application denies the users specified in the rule access to that device and displays a notification. On attempts to read from or write to this device, the application silently blocks the users specified in the rule from reading or writing.

If the Device Control task stops running, the application unblocks access to blocked devices.

In the general application settings, if the InterceptorProtectionMode setting is set to Notify, it is not possible to block access to devices using a device access schedule (the [Schedules.item_#] section).

Kaspersky Embedded Systems Security ignores the excluded mount points for the Device Control task. The access rules apply to devices mounted in a globally excluded mount point.

In this Help section:

  • About access rules
  • Device Control task settings
  • Viewing the list of connected devices on the command line


About access rules

A device access rule is the setting that determines which users can access devices that are installed on the client device or connected to it. For each device type, you can specify the following access rules: Allow, Block, or DependsOnBus. If the DependsOnBus value is specified, access to the device is defined by the connection bus access rule.

A connection bus access rule allows or blocks access to the connection bus (USB or FireWire). For each connection bus, you can specify the following access rules: Allow or Block. For example, you can allow or block the connection of all USB devices. You can also restrict access to specific USB devices, or to USB drives only; access to all other USB devices is then denied.

Examples:

To deny access to all USB devices except the specified one, specify the following settings:

  • In the [DeviceBus] section, specify USB=Block
  • In the [TrustedDevices.item_#] section, specify DeviceId=<device ID>

To deny access to all USB devices, but allow access to all USB drives, specify the following settings:

  • In the [DeviceBus] section, specify USB=Block
  • In the [TrustedDevices.item_#] section, specify DeviceId=USBSTOR*

By default, device access rules are created for all types of devices according to the classification of the Device Control component. Such rules grant users full access to devices if access to the connection buses of the respective device types is allowed.

You can edit device access rules and connection bus access rules.


Device Control settings

The table below describes all available values and the default values of all the settings that you can specify for the Device Control task.

Device Control task settings (columns: Setting, Description, Values)

RulesAction

Action performed by the application upon an attempt to access a device protected by the access rules.

ApplyRules (default value): the Device Control rules are applied and the action specified in the rules is performed.

TestRules: the application tests the rules, allows access, and generates an event about the detection of a device that meets the rule.

The [DeviceClass] section contains access modes for devices depending on their type.

HardDrive

Access mode for the hard drives connected to a client device.

Allow — Users are allowed access to hard drives.

DependsOnBus (default value) — Access to the hard drives depends on the connection bus access rule.

Block — Access to all hard drives (except system hard drives, which are never blocked by the Device Control task) is blocked for users.

ByRule — Access to the hard drives depends on the access rules.

RemovableDrive

Access mode for the removable drives connected to a client device.

Allow — Access to the removable drives is allowed for users.

DependsOnBus (default value) — Access to the removable drives depends on the connection bus access rule.

Block — Access to the removable drives is blocked for users.

ByRule — Access to the removable drives depends on the access rules.

FloppyDrive

Access mode for the floppy disks connected to a client device.

The application does not block floppy disks connected to the client device using the ISA bus.

Allow — Users are allowed access to floppy disks.

DependsOnBus (default value) — Access to floppy disks depends on the connection bus access rule.

Block — Access to floppy disks is blocked for users.

ByRule — Access to floppy disks depends on the access rules.

OpticalDrive

Access mode for the CD/DVD drives connected to a client device.

Allow — Users are allowed access to CD/DVD drives.

DependsOnBus (default value) — Access to CD/DVD drives depends on the connection bus access rule.

Block — Access to CD/DVD drives is blocked for users.

ByRule — Access to CD/DVD drives depends on the access rules.

SerialPortDevice

Access mode for the devices connected to a client device via a serial port.

The application does not block the devices connected to a client device via a serial port using the ISA bus.

Allow — Users are allowed access to devices connected through a serial port.

DependsOnBus (default value) — Access to devices connected through a serial port depends on the connection bus access rule.

Block — Access to devices connected through a serial port is blocked for users.

ParallelPortDevice

Access mode for the devices connected to a client device via a parallel port.

Allow — Users are allowed access to devices connected through a parallel port.

DependsOnBus (default value) — Access to devices connected through a parallel port depends on the connection bus access rule.

Block — Access to devices connected through a parallel port is blocked for users.

Printer

Access mode for the printers connected to a client device.

Allow — Users are allowed access to printers.

DependsOnBus (default value) — Access to printers depends on the connection bus access rule.

Block — Access to printers is blocked for users.

Modem

Access mode for the modems connected to a client device.

Allow — Users are allowed access to modems.

DependsOnBus (default value) — Access to modems depends on the connection bus access rule.

Block — Access to modems is blocked for users.

TapeDrive

Access mode for the tape devices connected to a client device.

Allow — Users are allowed access to tape devices.

DependsOnBus (default value) — Access to tape devices depends on the connection bus access rule.

Block — Access to tape devices is blocked for users.

MultifuncDevice

Access mode for the multifunctional devices connected to a client device.

Allow — Users are allowed access to multifunctional devices.

DependsOnBus (default value) — Access to multifunctional devices depends on the connection bus access rule.

Block — Access to multifunctional devices is blocked for users.

SmartCardReader

Access mode for the smart card readers connected to a client device.

Allow — Access to smart card readers is allowed for users.

DependsOnBus (default value) — Access to smart card readers depends on the connection bus access rule.

Block — Access to smart card readers is blocked for users.

WiFiAdapter

Access mode for the Wi-Fi adapters connected to a client device.

Allow — Users are allowed access to Wi-Fi adapters.

DependsOnBus (default value) — Access to Wi-Fi adapters depends on the connection bus access rule.

Block — Access to the Wi-Fi adapters is blocked for users.

NetworkAdapter

Access mode for the external network adapters connected to a client device.

Allow — Users are allowed access to external network adapters.

DependsOnBus (default value) — Access to external network adapters depends on the connection bus access rule.

Device Control does not allow denying access to external network adapters in order to avoid disconnecting the client device from the network.

PortableDevice

Access mode for the portable devices connected to a client device.

Allow — Users are allowed access to portable devices.

DependsOnBus (default value) — Access to portable devices depends on the connection bus access rule.

Block — Access to portable devices is blocked for users.

BluetoothDevice

Access mode for the Bluetooth devices connected to a client device.

Allow — Users are allowed access to Bluetooth devices.

DependsOnBus (default value) — Access to Bluetooth devices depends on the connection bus access rule.

Block — Access to Bluetooth devices is blocked for users.

ImagingDevice

Access mode for the imaging devices connected to a client device.

Allow — Access to all imaging devices is allowed for users.

DependsOnBus (default value) — Access to imaging devices depends on the connection bus access rule.

Block — Access to all imaging devices is blocked for users.

SoundAdapter

Access mode for the sound adapters connected to a client device.

Allow — Access to all sound adapters is allowed for users.

DependsOnBus (default value) — Access to sound adapters depends on the connection bus access rule.

Block — Access to all sound adapters is blocked for users.

InputDevice

Access mode for the input devices (keyboards, mouse, touchpad, and others) connected to a client device.

Allow — Users are allowed access to input devices.

DependsOnBus (default value) — Access to input devices depends on the connection bus access rule.

Block — Access to input devices is blocked for users.

The [DeviceBus] section contains connection bus access rules that determine whether the connection of devices is allowed or blocked.

USB

Connection bus access rules for the devices connected to a client device via USB interface.

Allow (default value) — Users are allowed access to USB devices.

Block — Access to USB devices is blocked for users.

FireWire

Connection bus access rules for the devices connected to a client device via FireWire interface.

Allow (default value) — Users are allowed access to devices connected via the FireWire interface.

Block — Access to devices connected via the FireWire interface is blocked for users.

The [TrustedDevices.item_#] section contains trusted devices.

DeviceId

Specifies ID or ID mask of a trusted device.

You can use the masks * (any sequence of characters) or ? (any single character) to indicate the device ID.

Comment

Comment to the specified trusted device.
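The DeviceId mask syntax above, combined with the USB=Block plus DeviceId=USBSTOR* pattern from the access rules examples, as an added Python illustration (not Kaspersky code). It assumes a trusted device is allowed regardless of its bus rule, that mask matching is case-sensitive, and that system drives are never blocked; the device records and identifiers are constructed placeholders.

```python
"""Decide whether a device is blocked under a DeviceBus rule plus TrustedDevices masks."""
import re


def mask_to_regex(mask):
    """Translate a DeviceId mask: * is any sequence of characters, ? is any single character.
    Assumption: matching is case-sensitive and the mask must cover the whole ID."""
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.compile(pattern, re.DOTALL)


def is_trusted(device_id, trusted_masks):
    """True when the ID matches any [TrustedDevices.item_#] DeviceId value or mask."""
    return any(mask_to_regex(m).fullmatch(device_id) for m in trusted_masks)


def device_decision(device, device_bus, trusted_masks):
    """Return Allow or Block for one device, following the page's examples:
    system drives are never blocked, trusted devices get full access, and
    otherwise the [DeviceBus] rule for the device's bus decides (Allow by default).
    device: dict whose keys mirror the fields listed by kess-control --get-device-list."""
    if device["System drive"] == "Yes":
        return "Allow"
    if is_trusted(device["Identifier"], trusted_masks):
        return "Allow"
    return device_bus.get(device["Bus"], "Allow")


# Constructed sample devices (not real output); identifiers are placeholders.
DEVICES = [
    {"Device type": "RemovableDrive", "Identifier": "USBSTOR\\EXAMPLE_FLASH\\0001",
     "Bus": "USB", "System drive": "No"},
    {"Device type": "WiFiAdapter", "Identifier": "USB\\EXAMPLE_WIFI\\0002",
     "Bus": "USB", "System drive": "No"},
    {"Device type": "HardDrive", "Identifier": "ATA\\EXAMPLE_DISK\\SDA",
     "Bus": "UnknownBus", "System drive": "Yes"},
]
DEVICE_BUS = {"USB": "Block", "FireWire": "Allow"}  # deny all USB, as in the page's examples
TRUSTED = ["USBSTOR*"]  # every USB drive stays usable, every other USB device is blocked
```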

The [Schedules.item_#] section contains the device access schedule. You can configure a schedule only for hard drives, removable drives, floppy disks, and CD/DVD drives.

ScheduleName

Specifies a schedule name.

The schedule name must be unique.

The default value: Default.

The Default schedule provides users full access to devices at any time if the connection bus is allowed to access the corresponding device type.

You cannot delete the Default schedule.

DaysHours

Specifies time intervals for a schedule.

All (default value) — The schedule is valid 24/7 (no time limitation).

<week_day> — Days of the week. You can use either the full week day names or abbreviations (for example, for Monday, you can specify Mo, or Mon, or Monday). For week days, you can specify intervals or specific days. The week starts from Sunday.

<hour> — Hours [0:24]. You can specify only intervals for hours.

Examples:

Schedule_1 is valid from Sunday till Saturday from 0 a.m. to 11 a.m., from 12 p.m. to 3 p.m., and from 4 p.m. to 12 a.m.:

[Schedules.item_0001]
ScheduleName=schedule_1
DaysHours=Su-Sa:0..11,12..15,16..24

Schedule_2 is valid for the following intervals: on Thursdays from 12 p.m. to 2 p.m. and on Fridays from 2 a.m. to 3 p.m. and from 4 p.m. to 12 a.m.:

[Schedules.item_0002]
ScheduleName=schedule_2
DaysHours=Th:12..14;Fr:2..15,16..24

Schedule_3 is valid 24 hours a day, 7 days a week:

[Schedules.item_0003]
ScheduleName=schedule_3
DaysHours=All

The [HardDrivePrincipals.item_#] section contains hard drive access rules.

For hard drives, at least one schedule must always be enabled. You can assign several access rules to a hard drive. Also, multiple schedules can be specified for a user or group of users. If an access rule conflict occurs for a user or group, the minimum access rights are granted.

Principal

Specifies a user or group of users for whom the access rule is applied.

\Everyone (default value) — The access rule applies to all users.

<user name> — Name of the user to whom the access rule applies.

@<group name> — Name of the group of users to whom the access rule applies.

[HardDrivePrincipals.item_#.AccessRules.item_#]

Access rule settings.

UseRule

Specifies whether the rule is enabled or disabled.

Yes (default value) — The access rule is enabled.

No — The access rule is disabled.

ScheduleName

Schedule specified in the [Schedules.item_#] section.

The default value: Default.

Access

Specifies access type.

Allow (default value) — Access to hard drives is allowed.

Block — Access to hard drives is blocked.
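The DaysHours syntax from the [Schedules.item_#] section and the minimum-rights conflict resolution for principals above, as an added Python example (not Kaspersky code). It assumes an hour interval a..b covers hours a up to but excluding b (so 0..11 is 0 a.m. to 11 a.m., as in the page's schedule_1 text), that day ranges run Sunday..Saturday without wrapping, and uses constructed sample rules for a hypothetical "contractors" group.

```python
"""Evaluate Device Control DaysHours schedules and per-principal access rules."""
# The week starts from Sunday, as the DaysHours description states.
DAY_PREFIXES = ("su", "mo", "tu", "we", "th", "fr", "sa")


def parse_day(token):
    """Accept Mo, Mon or Monday (any case); return 0..6 with Sunday = 0."""
    t = token.strip().lower()
    for idx, prefix in enumerate(DAY_PREFIXES):
        if len(t) >= 2 and t.startswith(prefix):
            return idx
    raise ValueError(f"unknown week day: {token!r}")


def parse_days_hours(spec):
    """Expand a DaysHours value into the set of (weekday, hour) slots it covers.
    Entries are ';'-separated, a day range uses '-', hour intervals are ','-separated.
    Assumption: an interval a..b is [a, b), so 0..11 means 0 a.m. up to 11 a.m."""
    spec = spec.strip()
    if spec.lower() == "all":
        return {(d, h) for d in range(7) for h in range(24)}
    slots = set()
    for entry in filter(None, spec.split(";")):
        day_part, hour_part = entry.split(":", 1)
        days = [parse_day(x) for x in day_part.split("-", 1)]
        first, last = days[0], days[-1]
        if first > last:  # assumption: ranges run Sunday..Saturday without wrap-around
            raise ValueError(f"bad day range: {day_part!r}")
        for interval in hour_part.split(","):
            lo, hi = (int(x) for x in interval.split("..", 1))
            if not 0 <= lo < hi <= 24:
                raise ValueError(f"hours must lie within [0:24]: {interval!r}")
            slots.update((d, h) for d in range(first, last + 1) for h in range(lo, hi))
    return slots


def effective_access(rules, schedules, user, groups, weekday, hour):
    """Resolve what a user may do at (weekday, hour) under the enabled rules.
    rules: (Principal, UseRule, ScheduleName, Access) tuples; schedules: name -> slots.
    Returns "Allow", "Block", or None when no enabled rule covers this user and time.
    Conflicts resolve to the minimum right: one matching Block outweighs any Allow."""
    ids = {"\\Everyone", user} | {f"@{g}" for g in groups}
    matched = [access for principal, use_rule, schedule, access in rules
               if use_rule and principal in ids and (weekday, hour) in schedules[schedule]]
    if not matched:
        return None
    return "Block" if "Block" in matched else "Allow"


# Constructed sample: everyone may use the drive, but group "contractors" is blocked during schedule_2.
SCHEDULES = {"Default": parse_days_hours("All"),
             "schedule_2": parse_days_hours("Th:12..14;Fr:2..15,16..24")}
RULES = [("\\Everyone", True, "Default", "Allow"),
         ("@contractors", True, "schedule_2", "Block")]
```

The same evaluation applies unchanged to the RemovableDrivePrincipals, FloppyDrivePrincipals and OpticalDrivePrincipals sections, which use identical keys.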

The [RemovableDrivePrincipals.item_#] section contains the access rules for removable drives.

For removable drives, at least one schedule must always be enabled. You can assign several access rules to a removable drive. Also, multiple schedules can be specified for a user or group of users. If an access rule conflict occurs for a user or group, the minimum access rights are granted.

Principal

Specifies a user or group of users for whom the access rule is applied.

\Everyone (default value) — The access rule applies to all users.

<user name> — Name of the user to whom the access rule applies.

@<group name> — Name of the group of users to whom the access rule applies.

[RemovableDrivePrincipals.item_#.AccessRules.item_#]

Access rule settings.

UseRule

Specifies whether the rule is enabled or disabled.

Yes (default value) — The access rule is enabled.

No — The access rule is disabled.

ScheduleName

Schedule specified in the [Schedules.item_#] section.

The default value: Default.

Access

Specifies access type.

Allow (default value) — Access to removable drives is allowed.

Block — Access to removable drives is blocked.

The [FloppyDrivePrincipals.item_#] section contains access rules for floppy drives.

For floppy drives, at least one schedule must always be enabled. You can assign several access rules to a floppy drive. Also, multiple schedules can be specified for a user or group of users. If an access rule conflict occurs for a user or group, the minimum access rights are granted.

Principal

Specifies a user or group of users for whom the access rule is applied.

\Everyone (default value) — The access rule applies to all users.

<user name> — Name of the user to whom the access rule applies.

@<group name> — Name of the group of users to whom the access rule applies.

[FloppyDrivePrincipals.item_#.AccessRules.item_#]

Access rule settings.

UseRule

Specifies whether the rule is enabled or disabled.

Yes (default value) — The access rule is enabled.

No — The access rule is disabled.

ScheduleName

Schedule specified in the [Schedules.item_#] section.

The default value: Default.

Access

Specifies access type.

Allow (default value) — Access to floppy drives is allowed.

Block — Access to floppy drives is blocked.

The [OpticalDrivePrincipals.item_#] section contains the access rules for CD/DVD drives.

For CD/DVD drives, at least one schedule must always be enabled. You can assign several access rules to a CD/DVD drive. Also, multiple schedules can be specified for a user or group of users. If an access rule conflict occurs for a user or group, the minimum access rights are granted.

Principal

Specifies a user or group of users for whom the access rule is applied.

\Everyone (default value) — The access rule applies to all users.

<user name> — Name of the user to whom the access rule applies.

@<group name> — Name of the group of users to whom the access rule applies.

[OpticalDrivePrincipals.item_#.AccessRules.item_#]

Access rule settings.

UseRule

Specifies whether the rule is enabled or disabled.

Yes (default value) — The access rule is enabled.

No — The access rule is disabled.

ScheduleName

Schedule specified in the [Schedules.item_#] section.

The default value: Default.

Access

Specifies access type.

Allow (default value) — Access to CD/DVD drives is allowed.

Block — Access to CD/DVD drives is blocked.


Viewing the list of connected devices on the command line

Only users with the admin and audit roles can view the list of connected devices.

To view the list of connected devices, execute the following command:

kess-control [-D] --get-device-list

Kaspersky Embedded Systems Security displays the following information about connected devices:

  • Device type. Type of the connected device. For example, OpticalDrive or HardDrive.
  • Identifier. ID of the connected device.
  • Name. Name of the connected device.
  • Path. Path to the device in the sysfs virtual file system.
  • System drive. The setting indicates whether the connected device is a system drive (Yes or No).
  • Bus. Connection bus. Possible values: UnknownBus, USB, FireWire.
  • Driver. Name of the driver, as read from the sysfs virtual file system.
