Kaspersky Embedded Systems Security for Linux

Managing the application using the command line

Using the command line, you can install, uninstall, start, and stop Kaspersky Embedded Systems Security on the device, and also manage the application locally.

The functional components of the application are supported by Kaspersky Embedded Systems Security local tasks that run in the operating system. You can enable or disable functional components of the application on a device by starting or stopping Kaspersky Embedded Systems Security tasks in the command line. One-time device scans are also performed by starting Kaspersky Embedded Systems Security tasks. You can define the settings for functional components on the device and the device scan settings by configuring the Kaspersky Embedded Systems Security task settings.

In addition to the task settings, the following settings are provided for configuring the application:

On the command line, Kaspersky Embedded Systems Security can be managed using Kaspersky Embedded Systems Security management commands.

In this section

Enabling automatic addition of kess-control commands (bash completion)

Task management in the command line

Displaying task settings in the command line

Editing task settings in the command line

Configuring task schedule in the command line

Managing general application settings in the command line

Using filters to limit results of queries

Exporting and importing application settings

Managing user roles using the command line

Page top
[Topic 264003]

Enabling automatic addition of kess-control commands (bash completion)

Kess-control commands can be automatically added for the bash shell.

To enable automatic addition of kess-control commands in the current bash shell session, run the following command:

source /opt/kaspersky/kess/shared/bash_completion.sh

To enable automatic addition for all new bash shell sessions, run the following command:

echo "source /opt/kaspersky/kess/shared/bash_completion.sh" >> ~/.bashrc

Page top
[Topic 238601]

Task management in the command line

The following application tasks are provided for managing Kaspersky Embedded Systems Security using the command line:

  • File Threat Protection. This task allows you to enable or disable File Threat Protection in real time and defines the settings for the File Threat Protection component. The task starts automatically when the application starts.
  • Malware Scan. This task allows you to scan file system objects for malware on demand and defines the settings for the scan. You can use this task to perform a full or custom scan of the device.
  • Critical Areas Scan. This task allows you to run a critical areas scan of the operating system on demand and defines the settings for the scan.
  • Custom file scan. This task is designed for configuring and storing settings that are used when scanning the specified files and directories using the kess-control --scan-file command. As a result of the command execution, the application creates and starts a temporary file scan task.
  • Removable Drives Scan. This task allows you to monitor the connection of removable media to the device in real time and defines the settings of the Removable Drives Scan and the scan of its boot sectors for malware.
  • Web Threat Protection. This task allows you to enable or disable Web Threat Protection and defines the settings for the Web Threat Protection component.
  • Network Threat Protection. This task allows you to enable or disable Network Threat Protection and defines the settings for the Network Threat Protection component.
  • Anti-Cryptor. This task allows you to enable or disable the protection of files from remote malicious encryption and defines the settings for the Anti-Cryptor component.
  • Firewall Management. This task allows you to enable or disable firewall management and defines the network connection control settings on the device.
  • Application Control. This task allows you to enable or disable Application Control and defines the settings of the Application Control component.
  • Inventory. The task allows you to obtain information about all the application executable files stored on the device.
  • Device Control. This task allows you to enable or disable Device Control and defines the settings for the Device Control component. The task starts automatically when Kaspersky Embedded Systems Security starts.
  • Behavior Detection. This task allows you to monitor malicious activity of applications in the operating system. The task starts automatically when Kaspersky Embedded Systems Security starts.
  • System Integrity Monitoring. This task allows you to perform real-time monitoring of the actions performed with objects from the monitoring scope specified in the System Integrity Monitoring component settings.
  • System Integrity Check. This task allows you to check for changes in files and directories that you have included in the monitoring scope, by comparing the current state of the monitored object with a previously recorded state.
  • Licensing. This task provides the capability to activate an application installed on the device. The task starts automatically when the application starts, and it resides in the device operating memory. The task has no settings; license keys are managed using special management commands. The task cannot be started, stopped, or deleted.
  • Update. You can use this task to perform scheduled and on-demand application database and module updates and edit update settings.
  • Rollback. You can use this task to roll back the last update of application databases and modules.

Each application task has a name used on the command line, an ID, and a type (see the table below).

IDs are unique for all tasks, including deleted tasks. The application does not reuse the identifiers of the deleted tasks. The identifier of a new task is the next successive number to the identifier of the latest created task.

Task names are not case-sensitive.

During installation of the application, predefined tasks are created. These tasks cannot be deleted. Each predefined task has a name and ID.

Tasks that you create while working with the application are called user tasks. When you create the task, you specify the name for it. IDs for user tasks are defined and assigned by the application when the task is created. IDs for user tasks are starting from 100.

During operation, the application creates temporary scan tasks. Temporary task names and IDs are assigned by the application. Temporary tasks are automatically deleted when completed.

Application tasks

Task

Task name in command line

Task ID

Task type

File Threat Protection

File_Threat_Protection

1

OAS

Malware Scan

Scan_My_Computer

2

ODS

Malware Scan (user task)

user-defined

starting from 100

ODS

Custom file scan

Scan_File

3

ODS

Critical Areas Scan

Critical_Areas_Scan

4

ODS

Update

Update

6

Update

Update (user task)

user-defined

starting from 100

Update

Rollback

Rollback

7

Rollback

Rollback (user task)

user-defined

starting from 100

Rollback

Licensing

License

9

License

System Integrity Monitoring

System_Integrity_Monitoring

11

OAFIM

System Integrity Monitoring (user task)

user-defined

starting from 100

ODFIM

Firewall Management

Firewall_Management

12

Firewall

Anti-Cryptor

Anti_Cryptor

13

AntiCryptor

Web Threat Protection

Web_Threat_Protection

14

WTP

Device Control

Device_Control

15

DeviceControl

Removable Drives Scan

Removable_Drives_Scan

16

RDS

Network Threat Protection

Network_Threat_Protection

17

NTP

Behavior Detection

Behavior_Detection

20

BehaviorDetection

Application Control

Application_Control

21

AppControl

Inventory

Inventory_Scan

22

InventoryScan

Inventory (user task)

user-defined

starting from 100

InventoryScan

You can perform the following actions with tasks:

In this section

Viewing a list of tasks in the command line

Viewing the status of a task in the command line

Creating a task in the command line

Starting, stopping, pausing, and resuming tasks in the command line

Deleting a task in the command line

Page top
[Topic 264195]

Viewing a list of tasks in the command line

To view the list of application tasks, execute the following command:

kess-control --get-task-list [--json]

where:

--json – output format for the list of application tasks. If a file format is not specified, the output will be an INI file.

The list of Kaspersky Embedded Systems Security tasks will be displayed.

The following information will be displayed for each task:

  • Name: the task name
  • ID: the task ID
  • Type: the task type
  • State: the current state of the task

If the Kaspersky Security Center policy prohibits users from viewing and editing local tasks, information about the Scan_My_Computer, Critical_Areas_Scan, Inventory_Scan, Update, and Rollback tasks is not available.

Page top

[Topic 264317]

Viewing the status of a task in the command line

To view a task state, execute the following command:

kess-control --get-task-state <task ID/name> [--json]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --json is specified to output the settings in JSON format.

Application tasks can take the following main states:

  • Started—Task is running.
  • Starting—Task is being launched.
  • Stopped—Task has been stopped.
  • Stopping—Task is stopping.

The ODS, ODFIM, and InventoryScan tasks can also have one of the following states:

  • Pausing — Task is pausing.
  • Suspended — Task is suspended.
  • Resuming — Task is resuming.

Page top

[Topic 264963]

Creating a task in the command line

You can create the following types of tasks: ODS, Update, Rollback, ODFIM, and InventoryScan.

You can create tasks with default settings or with settings specified in a configuration file.

To create a task with default settings, execute the following command:

kess-control -create-task <task name> --type <task name>

where:

  • <task name> is the name that you specify for the new task.
  • <task type> is the identifier for the type of the created task.

To create a task with the settings specified in the configuration file, execute the following command:

kess-control --create-task <task name> --type <task type> --file <configuration file path> [--json]

where:

  • <task name> is the name that you specify for the new task.
  • <task type> is the identifier for the type of the created task.
  • <path to file> is the full path to the configuration file with the settings that will be used for creating the task.
  • --json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

Page top

[Topic 264321]

Starting, stopping, pausing, and resuming tasks in the command line

You can start and stop predefined and user tasks, except for tasks of the License type.

You can suspend and resume tasks of ODS, ODFIM, and InventoryScan types.

To start a task, execute the following command:

kess-control --start-task <task ID/name> [-W] [--progress]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • [-W] is a command used in conjunction with the task start command to enable the display of current events associated with this task.
  • Specify the [--progress] option if you want to display the progress of the task.

    Example:

    Start the task with ID 1 and enable the display of current events associated with the task:

    kess-control --start-task 1 -W

If an error occurs when starting a task and the task does not start, then after the application is restarted, an attempt is made to start the task again.

To stop a task, execute the following command:

kess-control --stop-task <task ID/name> [-W]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • [-W] is a command used in conjunction with the stop task command to enable the display of current events associated with this task.

To suspend a task, execute the following command:

kess-control --suspend-task <task ID/name>

To resume a task, execute the following command:

kess-control --resume-task <task ID/name>

Page top

[Topic 264322]

Deleting a task in the command line

You can delete only user tasks. Predefined tasks cannot be deleted.

To delete a task, execute the following command:

kess-control --delete-task <task ID/name>

where <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.

Page top
[Topic 264323]

Displaying task settings in the command line

You can display the current values of settings for all user tasks and all predefined tasks, except for Rollback and License tasks (these tasks have no settings).

You can output the current values of task settings to the console or to a configuration file that you can use to change task settings.

To output the current values of task settings to the console, execute the following command:

kess-control --get-settings <task ID/name> [--json]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

To output the current values of task settings to a configuration file, execute the following command:

kess-control --get-settings <task ID/name> --file <path to configuration file> [--json]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --file <configuration file path> is the path to the configuration file into which the task settings will be written. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
  • --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
Page top
[Topic 264157]

Editing task settings in the command line

You can edit the settings for all user tasks and all predefined tasks, except for Rollback and License tasks.

On the command line, you can edit the settings of tasks using the kess-control --set-settings command:

You can add or remove scan scopes and exclusion scopes using a configuration file that contains task settings or command line options. Configuring scan scopes and exclusion scopes is available for tasks with the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types.

In order to optimize the operation of scan tasks, it is recommended to add the path with snapshots mounted by the system in the read-only mode to the exclusions for the systems with the btrfs file system and enabled active snapshots. For example, for the systems based on SUSE/OpenSUSE, you can add the following exclusion for the path: /.snapshots/*/snapshot/.

For some tasks, separate management commands are also provided that allow you to edit task settings.

In this section

Editing task settings using a configuration file

Editing task settings using the command line options

Restoring default task settings in the command line

Page top
[Topic 265721]

Editing task settings using a configuration file

To edit values of task settings using a configuration file:

  1. Output the task settings to the configuration file using the command kess-control --get-settings.
  2. Open the configuration file and edit the values of the necessary settings.

    For tasks of the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types, you can add or remove scan scopes and exclusion scopes.

    If you want to add a scan scope, add a [ScanScope.item_ #] section with the following settings to the file:

    • AreaDesc is a description of the scan scope, which contains additional information about this scope.
    • UseScanArea enables scanning of the specified scope.
    • Path is a path to the directory with the objects to be scanned. You can specify a path to a local directory or enable scanning of remote directories mounted on a client device.
    • AreaMask.item_# is a limitation of the scan scope. You can specify a mask for the name of the files to be scanned. Scanning is enabled by default for all objects in the scan scope. You can specify multiple AreaMask.item_# items.

    If you want to add an exclusion scope, add an [ExcludedFromScanScope.item_#] section with the following settings to the file:

    • AreaDesc – a description of the exclusion scope, which contains additional information about the exclusion scope.
    • UseScanArea enables exclusion of the specified scope.
    • Path is a path to the directory with the objects to be excluded. You can specify a path to a local directory or exclude remote directories mounted on a client device. Possible values for the setting depend on the type of task.
    • AreaMask.item_# is a limitation of the exclusion scope. You can specify a mask for the name of the files that you want to exclude from the scan scope. By default, all objects in the scope are excluded.

      Example:

      [ExcludedFromScanScope.item_0000]

      AreaDesc=

      UseScanArea=Yes

      Path=/tmp/notchecked

      AreaMask.item_0000=*

    You can specify multiple [ScanScope.item_#] and [ExcludedFromScanScope.item_#] sections. The application processes the scopes by index in ascending order.

  3. Save the configuration file.
  4. Execute the command:

    kess-control --set-settings <task ID/name> --file <path to configuration file> [--json]

    where:

    • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
    • --file <configuration file path> is the full path to the configuration file from which the task settings will be imported.
    • Specify the --json option if you are importing settings from a JSON configuration file. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

All values of task settings defined in the file will be imported into the application.

If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Embedded Systems Security in the Application Control task settings, run the --set-settings command with the --accept option.

Page top
[Topic 197633]

Editing task settings using the command line options

Using the kess-control --set-settings command line options, you can edit individual values of task settings, as well as add or remove scan scopes and exclusion scopes for tasks of the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types.

Configuring individual task settings

To modify individual values of task settings using command line options, run the following command:

kess-control --set-settings <task ID/name> <setting name>=<setting value> [<setting name>=<setting value>]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • <setting name>=<setting value> is the name and value of one of the task settings. You can get the current values of task settings using the command for displaying task settings.

The values of the specified task settings will be changed.

If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Embedded Systems Security in the Application Control task settings, run the --set-settings command with the --accept option.

Adding and removing a scan scope

To add a scan scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --add-path <path>

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --add-path <path> adds the path to the directory with the objects to be scanned.

A new [ScanScope.item_#] section will be added to the task settings. The application scans the objects in the directory specified by the Path setting. The remaining settings of the scan scope take default values.

If the task settings already contain a [ScanScope.item_#] section with the specified value for the Path setting, a duplicate section is not added.

If the UseScanArea setting is set to No its value will change to Yes after this command is executed and the objects located in this directory will be scanned.

Example:

Adding a scan scope for a task with ID=100:

kess-control --set-settings 100 ScanScope.item_0001.UseScanArea=Yes ScanScope.item_0001.Path=/home

The following scan scope settings will be added to the task:

[ScanScope.item_0001]

AreaDesc=

UseScanArea=Yes

Path=/home

AreaMask.item_0000=*

To delete a scan scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --del-path <path>

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --del-path <path> deletes the path to the directory with the objects to be scanned.

The [ScanScope.item_#] section that contains the specified path will be deleted from the task settings. The application will not scan the objects in the specified directory.

Adding and removing an exclusion scope

To add an exclusion scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --add-exclusion <path>

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --add-exclusion <path> adds the path to the directory with the objects that you want to exclude from the scan.

A new [ExcludedFromScanScope.item_#] section will be added to the task settings. The application will exclude objects in the directory specified by the Path setting from scans. The remaining settings of the exclusion scope take default values.

If the task settings already contain an [ExcludedFromScanScope.item_#] section with the specified value for the Path setting, a duplicate section is not added.

If the UseScanArea setting is set to No its value will change to Yes after this command is executed and the objects located in this directory will be excluded from scans.

To delete an exclusion scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --del-exclusion <path>

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --del-exclusion <path> deletes the path to the directory with the objects to be excluded.

The [ExcludedFromScanScope.item_#] section that contains the specified path will be deleted from the task settings. The application will not exclude the objects in the specified directory from the scan.

Page top
[Topic 197627]

Restoring default task settings in the command line

You can restore the default settings for all user tasks and all predefined tasks, except for tasks of the Rollback and License types (these tasks have no settings).

To reset task settings to their default values, execute the following command:

kess-control --set-settings <task ID/name> --set-to-default

where <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.

The application changes the setting values to their defaults.

Page top

[Topic 264194]

Configuring task schedule in the command line

You can configure the schedule for running the following types of tasks: ODS, Update, Rollback, ODFIM, and InventoryScan.

You can output the current values of the settings for the task run schedule to the console or to a configuration file.

To output the current settings for the task run schedule to the console, execute the following command:

kess-control --get-schedule <task ID/name> [--json]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

To output the current settings for the task run schedule to a configuration file, execute the following command:

kess-control --get-schedule <task ID/name> --file <path to configuration file> [--json]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --file <path to configuration file> is the path to the configuration file in which the settings for the task run schedule will be output. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
  • --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

    Examples:

    Save the update task settings to a file named update_schedule.ini and save the created file in the current directory:

    kess-control --get-schedule 6 --file update_schedule.ini

    Display the update task schedule in the console:

    kess-control --get-schedule 6

You can edit the settings for the task run schedule in the following ways:

  • Import the settings from a configuration file that contains all schedule settings.
  • Using the command line, specify the individual settings for the task run schedule in the format <setting name >=<setting value >.

To edit the values of the settings for task run schedule using a configuration file, perform the following actions:

  1. Output the task settings to the configuration file using the kess-control --get-schedule command.
  2. Edit the values of the necessary settings in the file and save the changes.
  3. Execute the command:

    kess-control --set-schedule <task ID/name> --file <configuration file path> [--json]

    where:

    • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
    • --file <configuration file path> is the full path to the configuration file from which the task schedule settings will be imported.
    • --json: specify this option if you are importing settings from a configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

All values of the settings for the task run schedule defined in the file will be imported into the application.

Example:

Import the schedule settings from the configuration file named /home/test/on_demand_schedule.ini into the task with ID=2:

kess-control --set-schedule 2 --file /home/test/on_demand_schedule.ini

To edit the individual values of the settings for the task run schedule using the command line, execute the following command:

kess-control --set-schedule <task ID/name> <setting name>=<setting value> [<setting name>=<setting value>]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • <setting name>=<setting value> is the name and value of one of the settings for the task schedule.

The values of the specified settings for the task run schedule are modified.

Examples:

To schedule the task to start every ten hours, specify the following settings:

RuleType=Hourly

RunMissedStartRules=No

StartTime=2021/May/30 23:05:00;10

RandomInterval=0

To schedule the task to start every ten minutes, specify the following settings:

RuleType=Minutely

RunMissedStartRules=No

StartTime=23:10:00;10

RandomInterval=0

To schedule the task to start on the 15th of every month, specify the following settings:

RuleType=Monthly

RunMissedStartRules=No

StartTime=23:25:00;15

RandomInterval=0

To schedule the task to start on every Tuesday, specify the following settings:

RuleType=Weekly

StartTime=18:01:30;Tue

RandomInterval=99

RunMissedStartRules=No

To schedule the task to start every 11 days, specify the following settings:

RuleType=Daily

RunMissedStartRules=No

StartTime=23:15:00;11

RandomInterval=0

Page top

[Topic 264965]

Managing general application settings in the command line

General application settings define the operation of the application as a whole and the operation of individual functions.

You can manage general application settings using special management commands:

  • Output the current values of general application settings to the console or to a configuration file.
  • Edit general application settings using a configuration file containing all general settings, or using command line options in the <setting name>=<setting value> format.

Using general settings, you can:

In this section

Displaying general application settings

Editing general application settings

Page top
[Topic 264277]

Displaying general application settings

You can output the current values of general application settings to the console or to a configuration file that you can use to edit task settings.

To output the current values of general application settings to the console, execute the following command:

kess-control --get-app-settings [--json]

where --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

To output the current values of general application settings to a configuration file, execute the following command:

kess-control --get-app-settings --file <configuration file path> [--json]

where:

  • --file <configuration file path> is the path to the configuration file into which general settings of the application will be written. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
  • --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

    Example:

    Display the general application settings to a file named kess_config.ini. Save the created file in the current directory:

    kess-control --get-app-settings --file kess_config.ini

Page top

[Topic 265722]

Editing general application settings

On the command line, you can edit the general application settings using the command kess-control --set-app-settings:

  • You can edit all general settings using the configuration file that contains the general application settings. You can get the configuration file using the command for displaying general settings.
  • You can edit individual settings using command line options in the <setting name>=<setting value> format. You can get the current values of general application settings using the command for displaying general settings.

To edit values of general application settings using a configuration file:

  1. Output the general application settings to a configuration file.
  2. Edit the values of the necessary parameters in the file and save the changes.
  3. Execute the command:

    kess-control --set-app-settings --file <path to configuration file> [--json]

    where:

    • --file <path to configuration file> is the full path to the configuration file with the general application settings.
    • --json: specify this option if you are importing settings from a configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

All the values of the general settings defined in the file will be imported into the application.

To edit general application settings using command line options, execute the following command:

kess-control --set-app-settings <setting name>=<setting value> [<setting name>=<setting value>]

where <setting name>=<setting value> is the name and value of one of the general application settings.

The values of the specified general settings will be changed.

Examples:

Import general settings into the application from the configuration file /home/test/kess_config.ini:

kess-control --set-app-settings --file /home/test/kess_config.ini

Set the detail level for the trace file to low:

kess-control --set-app-settings TraceLevel=NotDetailed

Add a mount point that you want to exclude from interception of file operations:

kess-control --set-app-settings ExcludedMountPoint.item_0000="/data"

Page top

[Topic 265724]

Using filters to limit results of queries

A filter allows you to limit the query results when executing application management commands.

Filter conditions are specified using one or more logical expressions, which are combined using the logical operator and. Filter conditions must be enclosed in quotation marks:

"<field> <comparison operator> '<value>'"

"<field> <comparison operator> '<value>' and <field> <comparison operator> '<value>'"

where:

  • <field> is the name of the field for the database.
  • <comparison operator> is one of the following comparison operators:
    • > is "greater than"
    • < is "less than"
    • like matches the specified value When specifying a value, you can use % masks: for example, the logical expression "FileName like '%etc%'" sets the limitation "contains the text "etc" in the FileName field"
    • == is "equal to"
    • != is "not equal to"
    • >= is "greater than or equal to"
    • <= is "less than or equal to"
  • <value> is the value of the field. The value must be enclosed in single quotation marks (').

    You can specify a date value as UNIX time (the number of seconds that have elapsed since 00:00:00 (UTC), January 1, 1970) or in YYYY-MM-DD hh:mm:ss format. The user specifies the date and time in the user's local time zone, and the application displays them in the same time zone.

You can use a filter in the following application management commands:

  • Display information about certain current events of the application:

    kess-control -W --query "<filter conditions>"

  • Display information about certain application events in the event log:

    kess-control -E --query "<filter conditions>"

  • Display information about certain objects in the Backup:

    kess-control -B --query "<filter conditions>"

  • Delete certain objects from the Backup:

    kess-control -B --mass-remove --query "<filter conditions>"

    Examples:

    Get information about events that contain the text "etc" in the FileName field:

    kess-control -E --query "FileName like '%etc%'"

    Display information about events with the ThreatDetected type:

    kess-control -E --query "EventType == 'ThreatDetected'"

    Display information about events with the ThreatDetected type, created by tasks of the ODS type:

    kess-control -E --query "EventType == 'ThreatDetected' and TaskType == 'ODS'"

    Get information about the events generated after the date specified in the UNIX time stamp system (the number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970):

    kess-control -E --query "Date > '1583425000'"

    Get information about the events generated after the date specified in YYYY-MM-DD hh:mm:ss format:

    kess-control -E --query "Date > '2022-12-22 18:52:45'"

    Get information about files in the Backup storage that have the High severity level:

    kess-control -B --query "DangerLevel == 'High'"

Page top

[Topic 264094]

Exporting and importing application settings

If Kaspersky Embedded Systems Security is managed via Kaspersky Security Center, importing settings is not supported.

Kaspersky Embedded Systems Security allows you to export and import all application settings for troubleshooting, verifying settings, or simplifying the application's configuration on other user devices. When exporting settings, all application settings (including encrypted connections scan settings, general application settings, and task settings) are saved in a configuration file. You can use this configuration file to import settings into the application.

The application must be launched when settings are imported or exported. After the settings are imported, the application must be restarted.

When importing or exporting settings from an older application version, new settings are set to default values. Importing settings to an older application version is not supported.

To export the application settings, execute the following command:

kess-control --export-settings --file <configuration file path> [--json]

where:

  • --file <configuration file path> is the full path to the configuration file where the application settings will be saved.
  • --json is specified to export the settings to the configuration file in JSON format. If the --json options is not specified, the settings will be exported to an INI file.

To import the application settings from the file, execute the following command:

kess-control --import-settings --file <configuration file path> [--json]

where:

  • --file <configuration file path> is the full path to the configuration file from which you want to import settings into the application.
  • --json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

When you import application settings from a file, the UseKSN and CloudMode settings are set to No. To start or resume the use of Kaspersky Security Network, set the value of the UseKSN setting to Basic or Extended. To enable cloud mode, you must set the CloudMode setting to Yes. Cloud mode is available if use of KSN is enabled.

After application settings are imported, internal task IDs may change. It is recommended to use task names to manage tasks.

Page top

[Topic 265009]

Managing user roles using the command line

Access to Kaspersky Embedded Systems Security functions via the command line is provided to users in accordance with their roles. A role is a set of rights and privileges for managing the application.

The four groups of system users are created in the operating system: kessadmin, kessuser, kessaudit, and nokess. When you assign an application role to a system user, the user is added to the corresponding group of roles (see the Roles table below). When you revoke a role from a user, this user is removed from the corresponding group of roles.

If no application role is assigned to a system user, that user belongs to a separate group of users without rights.

Thus, the roles correspond to the four groups of operating system users:

  • kessadmin – the Administrator role
  • kessuser – the User role
  • kessaudit – the Auditor role
  • nokess is assigned to a user if no other roles are assigned. In this case, the user belongs to a separate group of users without privileges

    User roles

    Role name

    Role in application

    OS user

    Permissions

    Administrator

    admin

    kessadmin

    Manage application settings and task settings.

    Manage application licensing.

    Assigning roles to users.

    Revoking user roles (the administrator has no right to revoke the admin role from himself).

    View and manage users' Storages.

    User

    user

    kessuser

    Manage only user file scan tasks.

    Start and stop Update tasks.

    View reports for the tasks created by this user.

    View specific events that are common for all application users.

    Auditor

    audit

    kessaudit

    Viewing application settings

    View application status.

    View all tasks, their settings, and start schedules.

    View all events.

    View all objects in Backup.

    nokess

    No role is assigned in the application, no permissions.

In this section

Viewing a list of users and roles

Assigning a role to a user

Revoking a user role

Page top
[Topic 264128]

Viewing a list of users and roles

To view a list of users and their roles, execute the following command:

kess-control [-U] --get-user-list

Page top
[Topic 197944]

Assigning a role to a user

To assign a role to a specific user, execute the following command:

kess-control [-U] --grant-role <role> <user>

Example:

To assign the audit role to the user test15:

kess-control --grant-role audit test15

Page top

[Topic 197945]

Revoking a user role

To revoke a role from a specific user, execute the following command:

kess-control [-U] --revoke-role <role> <user>

Example:

To revoke the audit role from the user test15:

kess-control --revoke-role audit test15

Page top

[Topic 197946]