Kaspersky Embedded Systems Security for Linux
- Kaspersky Embedded Systems Security 3.4 for Linux Help
- Kaspersky Embedded Systems Security 3.4 for Linux
- What's new
- Preparing to install Kaspersky Embedded Systems Security
- Installation and initial configuration of Kaspersky Embedded Systems Security
- The installation and initial configuration of Kaspersky Security Center Network Agent
- Installing the Kaspersky Embedded Systems Security management plug-ins
- Installing and initially configuring the application using Kaspersky Security Center
- Creating an installation package in the Web Console
- Creating an installation package in the Administration Console
- Preparing an archive with application databases in order to create an installation package with integrated databases
- Autoinstall.ini configuration file parameters
- Getting started using Kaspersky Security Center
- Installing and initially configuring the application using the command line
- Installing the application using the command line
- Post-installation configuration of the application in interactive mode
- Selecting the locale
- Viewing the End User License Agreement and the Privacy Policy
- Accepting the End User License Agreement
- Accepting the Privacy Policy
- Using Kaspersky Security Network
- Removing users from privileged groups
- Assigning the Administrator role to a user
- Determining the file operation interceptor type
- Enabling automatic configuration of SELinux
- Configuring the update source
- Configuring proxy server settings
- Starting an application database update
- Enabling automatic application database update
- Application activation
- Post-installation configuration of the application in automatic mode
- Settings in the configuration file for post-installation configuration
- Configuring permissive rules in the SELinux system
- Running the application on Astra Linux OS in closed software environment mode
- Updating the application from a previous version
- Uninstalling the application
- Application licensing
- Data provision
- Application management concept
- Managing the application using Kaspersky Security Center
- About Kaspersky Embedded Systems Security management plug-ins
- Kaspersky Security Center policies
- Tasks for Kaspersky Embedded Systems Security created in Kaspersky Security Center
- Logging in and out of the Web Console and Cloud Console
- Managing policies in the Web Console
- Managing policies in the Administration Console
- Managing tasks in the Web Console
- Managing tasks in the Administration Console
- Managing the application using the command line
- Enabling automatic addition of kess-control commands (bash completion)
- Task management in the command line
- Displaying task settings in the command line
- Editing task settings in the command line
- Configuring task schedule in the command line
- Managing general application settings in the command line
- Using filters to limit results of queries
- Exporting and importing application settings
- Managing user roles using the command line
- Managing the application using Kaspersky Security Center
- Starting and stopping the application
- Viewing the protection status of a device and information about application performance
- Viewing the protection status of a device in the Web Console
- Viewing the protection status of a device in the Administration Console
- Viewing information about the operation of an application in the Web Console
- Viewing information about the operation of an application in the Administration Console
- Viewing information about the operation of an application in the command line
- Viewing application statistics
- Viewing application statistics in the Web Console
- Viewing application statistics in the Administration Console
- Viewing a list of mount points in the Web Console
- Viewing the list of mount points in the Administration Console
- Viewing application statistics and the list of mount points in the command line
- Collecting system performance metrics
- Updating application databases and modules
- Updating databases and modules
- Updating sources and update scenarios
- Updating application databases and modules in the Web Console
- Updating application databases and modules in the Administration Console
- Updating application databases and modules in the command line
- Updating using Kaspersky Update Utility
- Rolling back application database and module updates
- File Threat Protection
- Malware Scan
- Critical Areas Scan
- Removable Drives Scan
- Firewall Management
- Web Threat Protection
- Encrypted connections scan
- Network Threat Protection
- Protection against remote malicious encryption
- Managing blocked devices
- Application Control
- Inventory
- Device Control
- System Integrity Monitoring
- Real-time System Integrity Monitoring
- System Integrity Check
- Behavior Detection
- Using Kaspersky Security Network
- Advanced application settings
- Configuring a proxy server
- Configuring global exclusions
- Exclude process memory from scans
- Selecting the interception mode for file operations
- Configuring detection of applications that hackers can use to harm
- Enabling application stability monitoring
- Configuring application startup settings
- Limiting the use of resident memory by the application
- Limiting the use of memory and processor resources
- Limiting the number of Custom Scan tasks
- Configuring the transfer of data to Kaspersky Security Center storage
- Configuring permissions for task management
- Enabling or disabling monitoring of namespaces
- Backup
- Viewing events and reports
- Application management via the graphical user interface
- Application components integrity check
- Contact Technical Support
- Appendices
- Appendix 1. Resource consumption optimization
- Appendix 2. Commands for managing Kaspersky Embedded Systems Security
- Commands for managing application tasks and settings
- Statistics commands
- Commands for displaying events
- Commands for managing application events
- Commands for managing license keys
- Commands for Firewall Management
- Commands used to manage blocked devices
- Commands for managing Device Control
- Commands for managing Application Control
- Commands for managing Backup
- Commands for managing users and roles
- Commands for managing system performance metrics
- Appendix 3. Configuration files and default application settings
- Rules for editing application task configuration files
- Preset configuration files
- Default settings for command line tasks
- Default settings for the File_Threat_Protection task (ID:1)
- Default settings for the Scan_My_Computer task (ID:2)
- Default settings for the Scan_File task (ID:3)
- Default settings for the Critical_Areas_Scan task (ID:4)
- Default settings for the Update task (ID:6)
- Default settings for the System_Integrity_Monitoring task (ID:11)
- Default settings for the Firewall_Management task (ID:12)
- Default settings for the Anti_Cryptor task (ID:13)
- Default settings for the Web_Threat_Protection task (ID:14)
- Default settings for the Device_Control task (ID:15)
- Default settings for the Removable_Drives_Scan task (ID:16)
- Default settings for the Network_Threat_Protection task (ID:17)
- Default settings for the Behavior_Detection task (ID:20)
- Default settings for the Application_Control task (ID:21)
- Default settings for the Inventory_Scan task (ID:22)
- General application settings
- Encrypted connections scan settings
- Tasks schedule settings
- Appendix 4. Command line return codes
- Sources of information about Kaspersky Embedded Systems Security
- Glossary
- Active key
- Active policy
- Administration group
- Administration Server
- Application activation
- Application databases
- Application settings
- Database of malicious web addresses
- Database of phishing web addresses
- Exclusion
- False positive
- File mask
- Group policy
- Group task
- Infected object
- Kaspersky update servers
- License
- License certificate
- Object disinfection
- Policy
- Proxy server
- Reserve key
- Startup objects
- Subscription
- Trusted device
- Information about third-party code
- Trademark notices
Installation and initial configuration of Kaspersky Embedded Systems Security > Configuring permissive rules in the SELinux system
Configuring permissions in the SELinux system
Configuring permissions in the SELinux system
If SELinux could not be configured automatically during the post-installation configuration of the application, or if you declined automatic configuration, you can manually configure SELinux to work with Kaspersky Embedded Systems Security.
To manually configure SELinux to work with the application:
- Switch SELinux to permissive mode:
- If SELinux has been activated, run the following command:
# setenforce Permissive - If SELinux was disabled, set the
SELINUX=permissivesetting in the configuration file / etc / selinux / config and restart the operating system.
- If SELinux has been activated, run the following command:
- Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python or policycoreutils-python-utils package, depending on the package manager.
- If you are using a custom SELinux policy instead of the default targeted policy, assign a label to each source executable file of Kaspersky Embedded Systems Security in accordance with the SELinux policy being used; to do so, run the following commands:
# semanage fcontext -a -t bin_t <executable file># restorecon -v <executable file>where
<executable file>is:- /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/libexec/kess
- /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/bin/kess-control
- /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/libexec/kess-gui
- /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/shared/kess
- Run the following tasks:
- File Threat Protection task:
kess-control --start-task 1 - Critical Areas Scan task:
kess-control --start-task 4 -W
It is recommended to run all the tasks that you plan to run while using Kaspersky Embedded Systems Security.
- File Threat Protection task:
- Start the graphical user interface if you plan to use it.
- Ensure that there are no errors in the audit.log file:
# grep kess /var/log/audit/audit.log - If there are errors in the audit.log file, create and download a new rule module based on the blocking records in order to fix the errors, and then relaunch all the tasks that you plan to run while using Kaspersky Embedded Systems Security; to do so, run the following commands:
# grep kess /var/log/audit/audit.log | audit2allow -M kess# semodule -i kess.ppIf new audit messages related to Kaspersky Embedded Systems Security appear, the file with the rule module file must be updated.
- Switch SELinux to blocking mode:
# setenforce Enforcing
If you use a custom SELinux policy, manually assign a label to Kaspersky Embedded Systems Security source executable files after installing application updates (follow steps 1, 3–8).
For additional information, please refer to the documentation on the relevant operating system.
Article ID: 263929, Last review: Mar 10, 2025