Kaspersky Embedded Systems Security for Linux

Device Control

The Device Control component allows you to manage user access to the devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). Access management lets you protect the client device from infection when external devices are connected, and prevent data loss or leaks.

The Device Control component is enabled automatically with the default settings when Kaspersky Embedded Systems Security is started.

Device Control manages user access on the following levels:

  • Device type as classified by Device Control, such as printers, removable drives, or CD/DVD drives. One of the following access modes can be applied to each device type:
    • Allow, to allow access to devices of this type.
    • Block, to block access to devices of this type.
    • Depends on bus: allow or block access to devices depending on the access mode set for the bus through which the device is connected.
    • By rule: allow or block access to devices depending on the access rules. A device access rule is a set of options that determine which users can access devices that are installed on the client device or connected to it, and at what time.

      When a forbidden device is connected, the application denies access to the device to the users specified in the rule and displays a notification. Subsequent attempts by those users to read from or write to the device are blocked silently.

      If you try to perform an operation with a device whose access mode is set to By rule, but no rule active at the time of access is found, the operation will be blocked.

  • Connection bus. Connection bus is an interface that devices use to connect to the client device, such as USB or FireWire. One of the following access modes can be applied to connection buses:
    • Allow: grant access to devices connected through this connection bus.
    • Block: deny access to devices connected using this connection bus.

    For example, access may be denied to all devices connected via USB.

By default, the Depends on connection bus access mode is selected for all device types. The Allow access mode is selected for connection buses. Device Control grants users full access to all devices accordingly.

Device Control does not block system drives. If the application cannot automatically detect the system drive, the Device Control component terminates with an error.

Blocking devices by device type or connection bus via the system device driver is not supported on the following Linux kernels: 3.10, 5.14, 5.15, 5.17, 6.1, 6.8. On these kernels and in the By rule access mode, only the opening of files and reading of directories (that is, getting the names of files and directories) are blocked. On systems that do not support fanotify, blocking the reading of directories is also not supported.

When Device Control is enabled for the first time, it generates a DeviceAllowed event for all detected devices with a known device or bus type. No repeat events are generated upon subsequent component runs unless there were changes in the control settings for these devices.

When Device Control is disabled, the application unblocks access to blocked devices.

You can enable, disable, and configure Device Control:

  • Select the application's operation mode when there is an attempt to access a device to which access is prohibited by Device Control settings: block or only notify about the attempt to access the device.
  • Select a device access mode depending on the type.
  • Select an access mode for the bus through which devices are connected.
  • Remove individual devices from the scope of Device Control by adding them to the list of trusted devices. Trusted devices are devices to which users have full access. You can add devices to the list of trusted devices by identifier or identifier mask. For example, you can grant access only to specific USB devices or only to USB drives, while access to all other USB devices is denied.

    If you are managing the application on the command line, you can view the IDs of connected devices by running kess-control --get-device-list on the client device.

    If you are managing the application via Kaspersky Security Center, information about devices installed on, or connected to, the client devices can be sent to the Administration Server. The information sharing is enabled by default.

    Information about devices is transferred if the client device is under the control of an active policy and synchronized with Network Agent (performed with the frequency specified in the Network Agent policy properties, by default – every 15 minutes).

  • Define an access schedule for devices (hard drives, removable drives, floppy disks, and CD/DVD drives only).

    In general application settings, if blocking access to files during scans is disabled, you cannot use a device access schedule to block access to devices.

  • Define access rules for devices depending on their type: allow or block access for specified users at specified times.

Device Control ignores mount point exclusions. Access to a device mounted at an excluded point can be limited with Device Control settings.
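
The following added example (not Kaspersky's code and not part of this Help) models the access decision described above in Python: system drives and trusted-device masks are checked first, then the device-type mode, the bus mode for Depends on bus, and the user/schedule rules for By rule, with the Block/Notify operating mode (Inform in the consoles) applied last. The class and function names, the field layout, the assumption that the first matching enabled rule wins, case-sensitive mask matching, and all sample devices, users, groups, rules and timestamps are constructed here rather than taken from the product.

```python
# Added example (not Kaspersky's code): a model of the Device Control access
# decision described in the overview.  Class names, field layout, the
# "first matching rule wins" order, case-sensitive mask matching and all
# sample data are assumptions constructed for this example.
from dataclasses import dataclass, field
from datetime import datetime

ALLOW, BLOCK, DEPENDS_ON_BUS, BY_RULE = "Allow", "Block", "DependsOnBus", "ByRule"
EVERYONE = "\\Everyone"   # catch-all principal used by the Default schedule
MONDAY_10 = datetime(2024, 6, 3, 10, 0)     # constructed timestamps for the demo
SATURDAY_10 = datetime(2024, 6, 8, 10, 0)


def id_matches(mask: str, device_id: str) -> bool:
    """Match a device ID against a trusted-device mask using only the two
    documented wildcards: '*' (any sequence) and '?' (one character)."""
    i = j = 0
    star, resume = -1, 0          # last '*' seen in mask, and where to retry from
    while i < len(device_id):
        if j < len(mask) and mask[j] in ("?", device_id[i]):
            i, j = i + 1, j + 1
        elif j < len(mask) and mask[j] == "*":
            star, resume, j = j, i, j + 1
        elif star != -1:          # let the last '*' absorb one more character
            resume += 1
            i, j = resume, star + 1
        else:
            return False
    while j < len(mask) and mask[j] == "*":
        j += 1
    return j == len(mask)


@dataclass
class Schedule:
    name: str
    # hours[weekday] = hours (0-23) included; weekday 0 = Monday.  Default is 24/7.
    hours: dict = field(default_factory=lambda: {d: set(range(24)) for d in range(7)})

    def active_at(self, when: datetime) -> bool:
        return when.hour in self.hours.get(when.weekday(), set())


@dataclass
class AccessRule:
    principals: set          # user names, group names, or EVERYONE
    access: str              # ALLOW or BLOCK
    schedule: Schedule
    enabled: bool = True

    def applies(self, user: str, groups: set, when: datetime) -> bool:
        if not self.enabled or not self.schedule.active_at(when):
            return False
        return EVERYONE in self.principals or user in self.principals or bool(groups & self.principals)


@dataclass
class Policy:
    operation_mode: str = BLOCK                          # "Block" or "Notify"
    device_class: dict = field(default_factory=dict)     # device type -> access mode
    device_bus: dict = field(default_factory=dict)       # bus -> ALLOW / BLOCK
    trusted_masks: list = field(default_factory=list)    # trusted device ID masks
    rules: dict = field(default_factory=dict)            # device type -> [AccessRule]


@dataclass
class Device:
    device_id: str
    dev_type: str
    bus: str
    system_drive: bool = False


def decide(policy: Policy, device: Device, user: str, groups: set, when: datetime):
    """Return (effective access, whether an event is generated, reason)."""
    if device.system_drive:
        return ALLOW, False, "system drives are never blocked"
    if any(id_matches(m, device.device_id) for m in policy.trusted_masks):
        return ALLOW, False, "trusted device"
    mode = policy.device_class.get(device.dev_type, DEPENDS_ON_BUS)   # documented default
    if mode == DEPENDS_ON_BUS:
        verdict = policy.device_bus.get(device.bus, ALLOW)              # documented default
        reason = f"{device.bus} bus is {verdict}"
    elif mode == BY_RULE:
        verdict, reason = BLOCK, "By rule: no active rule at the time of access"
        for rule in policy.rules.get(device.dev_type, []):
            if rule.applies(user, groups, when):
                verdict, reason = rule.access, f"By rule: {rule.schedule.name}"
                break
    else:
        verdict, reason = mode, f"device type {device.dev_type} is {mode}"
    if verdict == BLOCK and policy.operation_mode == "Notify":   # reported, not blocked
        return ALLOW, True, reason + " (Notify mode: reported only)"
    return verdict, verdict == BLOCK, reason


def sample_policy() -> Policy:
    """Constructed sample: USB bus blocked, removable drives By rule (group
    'operators' allowed Mon-Fri 08:00-17:59, everyone else blocked), one trusted mask."""
    workdays = Schedule("Workdays 08-18", {d: set(range(8, 18)) for d in range(5)})
    return Policy(
        device_class={"RemovableDrive": BY_RULE, "Printer": ALLOW},
        device_bus={"USB": BLOCK, "FireWire": ALLOW},
        trusted_masks=["USBSTOR*SERIAL1234*"],
        rules={"RemovableDrive": [AccessRule({"operators"}, ALLOW, workdays),
                                  AccessRule({EVERYONE}, BLOCK, Schedule("Everyone else"))]},
    )
```

decide() returns the effective access, whether the attempt would produce an event, and the reason that decided it, so the same call can be used to walk a planned policy through its schedules and trusted masks before it is deployed; switching operation_mode to "Notify" shows which attempts would only be reported.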

In this Help section

Configuring Device Control in the Web Console

Configuring Device Control in the Administration Console

Configuring Device Control on the command line

Configuring Device Control in the Web Console

In the Web Console, you can configure Device Control settings in the policy properties (Application settings -> Security Controls -> Device Control).

Device Control settings

Setting

Description

Device Control enabled / disabled

This toggle button enables or disables Device Control.

The toggle button is switched on by default.

Configure trusted devices

Clicking this link opens the Trusted devices window. In this window, you can add devices to a list of trusted devices by ID or by selecting them from the list of devices detected on the client devices.

Device Control operating mode

Response to attempts to access a device that is restricted according to Device Control rules:

  • Inform. If you select this option, Kaspersky Embedded Systems Security tests the selected access mode and generates an event about detection of an attempt to access a device.
  • Block (default value). When this option is selected, Kaspersky Embedded Systems Security applies the access mode defined for the device or bus.

Configure access settings for device types

Clicking this link opens the Device types window. In this window, you can configure access to devices by type.

Configure access settings for connection buses

Clicking this link opens the Connection buses window. In this window, you can configure access settings for connection buses.

Trusted devices window

The table contains a list of trusted devices. The table is empty by default.

Trusted device settings

Setting

Description

Device ID

Trusted device ID.

Device name

Trusted device name.

Device type

Trusted device type (for example, Hard drive or Smart card reader).

Host name

Name of the client device the trusted device is connected to.

Comment

Comment related to a trusted device.

You can add a device to the list of trusted devices by the device ID or by selecting the required device in the list of devices detected on the user device.

You can edit and delete trusted devices in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The settings of the selected item are edited in a separate window.

You can also import the list of devices from a file by clicking Import and export the list of added devices to a file in JSON format by clicking Export. When importing, you will be prompted to replace the list of trusted devices or add the devices to the existing list.

Trusted device (Device ID) window

In this window, you can add a device to the list of trusted devices by its identifier.

Adding device by ID

Setting

Description

Device ID

Entry field for a device ID or device ID mask. You can manually specify the device ID or copy the ID of the required device from the Devices detected on hosts list.

To specify an identifier, you can use the following wildcards: * (any sequence of characters) or ? (any single character). For example, you can specify the USBSTOR* mask to allow access to all USB drives.

Comment

Entry field for a comment (optional). This field is available after you enter the device ID, and click the Next button.

Trusted device window (List of detected devices)

In this window you can add a device to the list of trusted devices by selecting it in the list of existing managed devices.

Information about existing devices is available only if an active policy exists and synchronization with the Network Agent has been completed (the synchronization interval is specified in the Network Agent policy properties; the default setting is 15 minutes). If you create a new policy and there are no other active ones, the list will be empty.

Adding device from list

Setting

Description

Device type

In this drop-down list, you can select the type of devices to be displayed in the Devices detected on hosts table.

Device ID mask

Entry field for a device ID mask.

Comment

Entry field for a comment (optional). This field is available after you select the devices, and click the Next button.

Clicking the Filter button opens a window where you can set up filtering of the displayed device information.

Device types window

In this window, you can configure access rules for various types of devices.

Access rules for device types

Setting

Description

Settings for access to data storage devices

The table contains the following columns:

  • Type represents device types (for example, Hard drives, Printers).
  • Access mode represents the access mode for this type of device. You can select one of the following access modes:
    • Allow, to allow access to devices of this type.
    • Block, to block access to devices of this type.
    • Depends on bus (default value), to allow or block access to devices depending on the access mode for a bus used for connecting a device.
    • By rule – allow or block access to devices, depending on the access rule and schedule. You can configure the access rule and its schedule by clicking the required device type.

Settings for access to other devices

The table contains the following columns:

  • Type – type of device (for example, Input devices, Sound adapters).
  • Access mode represents the access mode for this type of device. You can select one of the following access modes:
    • Allow, to allow access to devices of this type.
    • Block, to block access to devices of this type. The Block access mode cannot be selected for network adapters.
    • Depends on bus (default value), to allow or block access to devices depending on the access mode for a bus used for connecting a device.

Device access settings window

In this window, you can configure the access mode and access rules for the selected type of device.

Device access settings

Setting

Description

Device access mode

Access mode for devices of the selected type:

  • Allow: allow access to devices of the selected type.
  • Block: prohibit access to devices of the selected type.
  • Depends on bus (default value): allow or block access to devices depending on the access mode for the bus used for connecting a device.
  • By rule – allow or block access to devices, depending on the access rule and schedule.

Device access rules

The table contains a list of access rules and consists of the following columns:

  • Access schedule – names of existing access schedules.
  • Users and/or user groups – names of users or names of user groups, to which the access rule will apply.
  • Access – access mode for the schedule:
    • Allow (provides access to devices of the selected type).
    • Block (prohibits access to devices of the selected type).
  • Status – status of the access rule:
    • Enabled – the rule is enabled and is applied when the component runs.
    • Disabled – the rule is disabled and is not applied when the component runs.

By default, the table contains the Default schedule access schedule, which provides all users with full access to devices (the \Everyone option is selected in the list of users and groups) at any time, if access by the connection bus is allowed for this type of device.

You can add, edit, and delete access rules.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Device access rules window

In this window, you can configure the device access rule.

Device access rule

Setting

Description

Device access rule settings

Access mode for devices of the selected type:

  • Allow (default value) – provide access to the devices of the selected type.
  • Block: prohibit access to devices of the selected type.

Users and/or user groups

Name of the user or user group to which the rule applies.

The default value is \All (all users).

You can add, edit, and delete users or user groups.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Status

Access rule status:

  • Enabled – the rule is enabled and is applied when the component runs.
  • Disabled – the rule is disabled and is not applied when the component runs.

Schedule for access to devices

Schedule for the specified users' access to devices. The default value is Default schedule. You can set a different schedule.

Select user or group window

In this window, you can specify a local or domain user or user group for which you want to configure an access rule.

Configuring an access rule

Setting

Description

Manually

If you select this option, in the field below you need to enter the name of a local or domain user (without the domain, if the system allows entering user names in this format, or in the <domain name>\<user name> or <user name>@<domain name> format), or the name of a group of users to which the device access rule must apply.

List of users and groups

If this option is selected, in the search field you can enter search criteria for the name of the user or user group to which the device access rule will apply, or you can select the user or group in the list below.

Schedules window

In this window, you can specify the schedule for the selected device access rule.

You can add, edit, and delete access schedules.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

You cannot delete the Default schedule.

Access schedule window

In this window, you can configure the device access schedule. You can configure schedules only for hard drives, removable drives, floppy disks, and CD/DVD drives.

In the General settings -> Application settings section, if the Block access to files during scans check box is cleared, it is not possible to block access to devices using an access schedule.

Schedule for access to devices

Setting

Description

Name

Entry field for the access schedule name. The schedule name must be unique.

Time intervals

The table where you can select time intervals for the schedule (days and hours).

Intervals highlighted in green are included in the schedule.

To exclude an interval from the schedule, click the corresponding cells. Intervals excluded from the schedule are highlighted in gray.

By default, all intervals (24/7) are included in the schedule.

Connection buses window

In this window, you can configure access mode for connection buses.

Access mode for connection buses

Setting

Description

Connection bus

Connection bus used by devices to connect to the client device:

  • FireWire
  • USB

Access mode

This toggle switch sets the access mode for devices that use this bus:

  • Allow (default): provide access to devices connected through this bus.
  • Block: deny access to devices connected using this connection bus.

Configuring Device Control in the Administration Console

In the Administration Console, you can configure Device Control settings in the policy properties (Security Controls -> Device Control).

Device Control settings

Setting

Description

Enable Device Control

This check box enables or disables Device Control.

The check box is selected by default.

Trusted devices

This group of settings contains the Configure button. Clicking this button opens the Trusted devices window. In this window, you can add a device to a list of trusted devices by the device ID or by selecting it from the list of devices detected on the client devices.

Device Control operating mode

Response to attempts to access a device that is restricted according to Device Control rules:

  • Inform. If you select this option, Kaspersky Embedded Systems Security tests the selected access mode and generates an event about detection of an attempt to access a device.
  • Block (default value). When this option is selected, Kaspersky Embedded Systems Security applies the access mode defined for the device or bus.

Device Control settings

This group of settings contains buttons that open windows where you can configure access mode for devices by type and connection buses.

Trusted devices window

The table contains a list of trusted devices. The table is empty by default.

Trusted device settings

Setting

Description

Device ID

ID of a trusted device.

Device name

Name of a trusted device.

Device type

Trusted device type (for example, Hard drive or Smart card reader).

Host name

Name of the client device the trusted device is connected to.

Comment

Comment related to a trusted device.

You can add a device to the list of trusted devices by ID or by mask or by selecting the required device in the list of devices detected on the user device.

You can edit and delete trusted devices in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The settings of the selected item are edited in a separate window.

You can also import the list of devices from a file by clicking Advanced -> Import and export the list of added devices to a file in JSON format by clicking Advanced -> Export selected or Advanced -> Export all. When importing, you will be prompted to replace the list of trusted devices or add the devices to the existing list.

Trusted device window

In this window, you can add a device to the list of trusted devices by its identifier.

Adding device by ID

Setting

Description

Device ID

The field for entering the identifier or the identifier mask of the device that you want to add to the list of trusted devices.

To specify an identifier, you can use the following wildcards: * (any sequence of characters) or ? (any single character). For example, you can specify the USBSTOR* mask to allow access to all USB drives.

Find on hosts

Clicking the button displays the devices found on the connected client devices using the specified ID or mask. The button is available if the Device ID field is not empty.

Devices found

The table contains the following columns:

  • Device type – type of device found (for example, Hard drive or Smart card reader).
  • Device ID – ID of the device found.
  • Device name – name of the device found.
  • Host name — name of the client device that the found device is connected to.

Comment

The field for entering a comment for the device that you want to add to the list of trusted devices (optional).

Device window on client devices

In this window you can add a device to the list of trusted devices by selecting it in the list of existing devices detected on client devices.

Information about existing devices is available only if there is an active policy and synchronization with the Network Agent has been completed (performed at the interval specified in the Network Agent policy properties; 15 minutes by default). If you create a new policy and there are no other active ones, the list will be empty.

Adding device from list

Setting

Description

Host name

Field for entering the name or the name mask for the managed device for which you want to find connected devices. The default mask is * – all managed devices.

Device type

In this drop-down list, you can select the type of connected device to search for (for example, Hard drives or Smart card readers). The All devices option is selected by default.

Device ID

Field for entering the identifier or identifier mask for the device you want to find. The default mask is * – all devices.

Find on hosts

When you click this button, the application searches for devices with the specified settings. The search results are displayed in the table below.

Device type window

In this window, you can configure access mode for various types of devices.

Access mode for device types

Setting

Description

Device type

Device type (for example, Hard drives, Printers).

Access mode

Device access mode. Right-clicking with the mouse opens a context menu where you can select one of the following options:

  • Allow: allow access to devices of the selected type.
  • Block: prohibit access to devices of the selected type.
  • Depends on bus (default value): allow or block access to the devices depending on the access mode for a connection bus.
  • By rule – allow or block access to devices, depending on the access rule and schedule.

You can configure access rules and schedules in the Configure device access rule window, which opens when you double-click the device type.

Configure device access rule window

In this window, you can configure access rules and schedules for the selected device type.

This window is opened by double-clicking the device type in the Device type window.

Device access rules and schedules

Setting

Description

Users and/or user groups

The list contains users and groups for which you can configure an access schedule.

By default, the table contains the \Everyone item (all users).

You can add, edit, and delete users or user groups.

Device access rules

This table contains access schedules for users and user groups. It consists of the following columns:

  • Access schedule – names of existing access schedules. The check box next to the schedule indicates whether this schedule is used by the component.
  • Access – access type for the schedule: Allow (grant access to devices of the selected type) or Block (deny access to devices of the selected type).

You can configure schedules only for hard drives, removable drives, floppy disks, and CD/DVD drives. By default, the table contains the Default access schedule, which provides all users with full access to devices (the \Everyone item is selected in the Users and/or user groups list) at any time if access via the connection bus is allowed for this type of device.

You can add, edit, and delete access schedules for selected users. The Default schedule cannot be modified or removed.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

User or group window

In this window, you can specify a user or group of users to which the device access rule applies.

Configure device access rule

Setting

Description

Type

The type of principal (User or Group) to which the device access rule applies.

User or group name

Name of a local or domain user (without the domain, if the system allows entering user names in this format, or in the <domain name>\<user name> or <user name>@<domain name> format), or the name of a group of users to which the rule applies.

Access schedule window

In this window, you can configure the device access schedule.

Schedule for access to devices

Setting

Description

Name

Entry field for the access schedule name.

Time intervals

The table where you can select time intervals for the schedule (days and hours).

Intervals highlighted in green are included in the schedule.

To exclude an interval from the schedule, click the corresponding cells. Intervals excluded from the schedule are highlighted in gray.

By default, all intervals (24/7) are included in the schedule.

Connection buses window

In this window, you can configure access mode for connection buses.

Access mode for connection buses

Setting

Description

Connection bus

Connection bus used by devices to connect to the client device:

  • FireWire
  • USB

Access mode

Connection bus access mode. Right-clicking opens a context menu where you can select one of the following options:

  • Allow (default): provide access to devices connected through this bus.
  • Block: deny access to devices connected using this connection bus.

Configuring Device Control on the command line

You can manage Device Control on the command line using the Device Control predefined task (Device_Control).

The Device Control task is not running by default. You can start and stop the task manually.

You can configure Device Control by editing the settings of the Device Control predefined task.

You can also view the list of connected devices using Device Control commands.

In this section

Device Control task settings

Viewing the list of connected devices on the command line

Device Control task settings

The table describes all available values and the default values of all the settings that you can specify for the Device Control task.

Device Control task settings

Setting

Description

Values

OperationMode

Response to attempts to access a device that is restricted according to Device Control rules.

Block (default value) – the application applies the access mode defined for the device or bus.

Notify – the application tests the selected access mode and generates an event about the detection of an attempt to access a device.

The [DeviceClass] section contains access modes for devices depending on their type.

HardDrive

Access mode for the hard drives connected to a client device.

Allow — Users are allowed access to hard drives.

DependsOnBus (default): access to the hard drive depends on the access mode defined for the bus through which it is connected.

Block — Access to all hard drives (except system hard drives, which are never blocked by the Device Control) is blocked for users.

ByRule — Access to the hard drives depends on the access rules.

RemovableDrive

Access mode for the removable drives connected to a client device.

Allow — Access to the removable drives is allowed for users.

DependsOnBus (default): access to the removable drive depends on the access mode defined for the bus through which it is connected.

Block — Access to the removable drives is blocked for users.

ByRule — Access to the removable drives depends on the access rules.

FloppyDrive

Access mode for the floppy disks connected to a client device.

The application does not block floppy disks connected to the client device using the ISA bus.

Allow — Users are allowed access to floppy disks.

DependsOnBus (default): access to the floppy disk depends on the access mode defined for the bus through which it is connected.

Block — Access to floppy disks is blocked for users.

ByRule — Access to floppy disks depends on the access rules.

OpticalDrive

Access mode for the CD/DVD drives connected to a client device.

Allow — Users are allowed access to CD/DVD drives.

DependsOnBus (default): access to the CD/DVD drive depends on the access mode defined for the bus through which it is connected.

Block — Access to CD/DVD drives is blocked for users.

ByRule — Access to CD/DVD drives depends on the access rules.

SerialPortDevice

Access mode for the devices connected to a client device via a serial port.

The application does not block the devices connected to a client device via a serial port using the ISA bus.

Allow — Users are allowed access to devices connected through a serial port.

DependsOnBus (default): access to a device connected through a serial port depends on bus access mode.

Block — Access to devices connected through a serial port is blocked for users.

ParallelPortDevice

Access mode for the devices connected to a client device via a parallel port.

Allow — Users are allowed access to devices connected through a parallel port.

DependsOnBus (default): access to a device connected through a parallel port depends on bus access mode.

Block — Access to devices connected through a parallel port is blocked for users.

Printer

Access mode for the printers connected to a client device.

Allow — Users are allowed access to printers.

DependsOnBus (default): access to a printer depends on the access mode defined for the bus through which it is connected.

Block — Access to printers is blocked for users.

Modem

Access mode for the modems connected to a client device.

Allow — Users are allowed access to modems.

DependsOnBus (default): access to a modem depends on the access mode defined for the bus through which it is connected.

Block — Access to modems is blocked for users.

TapeDrive

Access mode for the tape devices connected to a client device.

Allow — Users are allowed access to tape devices.

DependsOnBus (default): access to a tape device depends on the access mode defined for the bus through which it is connected.

Block — Access to tape devices is blocked for users.

MultifuncDevice

Access mode for the multifunctional devices connected to a client device.

Allow — Users are allowed access to multifunctional devices.

DependsOnBus (default): access to a multifunctional device depends on the access mode defined for the bus through which it is connected.

Block — Access to multifunctional devices is blocked for users.

SmartCardReader

Access mode for the smart card readers connected to a client device.

Allow — Access to smart card readers is allowed for users.

DependsOnBus (default): access to a smart card reader depends on the access mode defined for the bus through which it is connected.

Block — Access to smart card readers is blocked for users.

WiFiAdapter

Access mode for the Wi-Fi adapters connected to a client device.

Allow — Users are allowed access to Wi-Fi adapters.

DependsOnBus (default): access to a Wi-Fi adapter depends on connection bus access mode.

Block — Access to the Wi-Fi adapters is blocked for users.

NetworkAdapter

Access mode for the external network adapters connected to a client device.

Allow — Users are allowed access to external network adapters.

DependsOnBus (default): access to an external network adapter depends on the access mode defined for the bus through which it is connected.

Device Control does not allow denying access to external network adapters to avoid disconnecting the client device from the network.

PortableDevice

Access mode for the portable devices connected to a client device.

Allow — Users are allowed access to portable devices.

DependsOnBus (default): access to a portable device depends on the access mode defined for the bus through which it is connected.

Block — Access to portable devices is blocked for users.

BluetoothDevice

Access mode for the Bluetooth devices connected to a client device.

Allow — Users are allowed access to Bluetooth devices.

DependsOnBus (default): access to a Bluetooth device depends on the access mode defined for the bus through which it is connected.

Block — Access to Bluetooth devices is blocked for users.

ImagingDevice

Access mode for the imaging devices connected to a client device.

Allow — Access to all imaging devices is allowed for users.

DependsOnBus (default): access to an imaging device depends on the access mode defined for the bus through which it is connected.

Block — Access to all imaging devices is blocked for users.

SoundAdapter

Access mode for the sound adapters connected to a client device.

Allow — Access to all sound adapters is allowed for users.

DependsOnBus (default): access to a sound adapter depends on the access mode defined for the bus through which it is connected.

Block — Access to all sound adapters is blocked for users.

InputDevice

Access mode for the input devices (keyboards, mouse, touchpad, and others) connected to a client device.

Allow — Users are allowed access to input devices.

DependsOnBus (default): access to an input device depends on the access mode defined for the bus through which it is connected.

Block — Access to input devices is blocked for users.

The [DeviceBus] section contains access modes for connection buses.

USB

Access mode for devices connected to the client device via USB.

Allow (default value) — Users are allowed access to USB devices.

Block — Access to USB devices is blocked for users.

FireWire

Access mode for devices connected to the client device via FireWire.

Allow (default value) — Users are allowed access to devices connected via the FireWire interface.

Block — Access to devices connected via the FireWire interface is blocked for users.

The [TrustedDevices.item_#] section contains trusted devices.

DeviceId

Specifies ID or ID mask of a trusted device.

You can use the masks * (any sequence of characters) or ? (any single character) to indicate the device ID.

Examples:

To deny access to all USB devices except the specified one, specify the following settings:

In the [DeviceBus] section, specify USB=Block

In the [TrustedDevices.item_#] section, specify DeviceId=<device ID>

To deny access to all USB devices, but allow access to all USB drives, specify the following settings:

In the [DeviceBus] section, specify USB=Block

In the [TrustedDevices.item_#] section, specify DeviceId=USBSTOR*
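The following is an added example (not Kaspersky code) that encodes the two settings from the second example above and evaluates them for a device ID: a [TrustedDevices.item_#] mask match takes precedence over a blocked bus, which is what the page's examples imply. The device IDs and the Comment text used here are constructed.

```python
"""Added example (not Kaspersky code): decide whether a device is reachable
under a [DeviceBus] access mode and a set of [TrustedDevices.item_#] masks."""
import re

# Constructed sample of the page's second example: block the USB bus, but
# trust every device whose ID starts with USBSTOR (i.e. USB drives).
DEVICE_BUS = {"USB": "Block", "FireWire": "Allow"}
TRUSTED = [{"DeviceId": "USBSTOR*", "Comment": "USB drives (constructed)"}]

def mask_to_regex(mask):
    """Compile a DeviceId mask: '*' = any sequence of characters, '?' = any
    single character; every other character is matched literally."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.compile("".join(parts))

def is_trusted(device_id, trusted=TRUSTED):
    """True when device_id matches any DeviceId mask of a trusted device."""
    return any(mask_to_regex(t["DeviceId"]).fullmatch(device_id) for t in trusted)

def bus_access(device_id, bus, device_bus=DEVICE_BUS, trusted=TRUSTED):
    """Resolve access for a device whose type mode is DependsOnBus: a trusted
    device is allowed regardless of the bus mode; otherwise the bus mode
    applies (Allow is the documented default for both buses)."""
    if is_trusted(device_id, trusted):
        return "Allow"
    return device_bus.get(bus, "Allow")
```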


Comment

Comment to the specified trusted device.

The [Schedules.item_#] section contains the device access schedule. You can configure a schedule only for hard drives, removable drives, floppy disks, and CD/DVD drives.

ScheduleName

Specifies a schedule name.

The schedule name must be unique.

The default value: Default.

The Default schedule provides users full access to devices at any time if the connection bus is allowed to access the corresponding device type.

You cannot delete the Default schedule.

DaysHours

Specifies time intervals for a schedule.

All (default value) — The schedule is valid 24/7 (no time limitation).

<week_day> — Days of the week. You can use either the full week day names or abbreviations (for example, for Monday, you can specify Mo, or Mon, or Monday). For week days, you can specify intervals or specific days. The week starts from Sunday.

<hour> — Hours [0:24]. For hours, you can specify only intervals.

Examples:

Schedule_1 is valid from Sunday till Saturday from 0 a.m. to 11 a.m., from 12 p.m. to 3 p.m., and from 4 p.m. to 12 a.m.:

[Schedules.item_0001]

ScheduleName=schedule_1

DaysHours=Su-Sa:0..11,12..15,16..24

Schedule_2 is valid for the following intervals: on Thursdays from 12 p.m. to 2 p.m. and on Fridays from 2 a.m. to 3 p.m. and from 4 p.m. to 12 a.m.:

[Schedules.item_0002]

ScheduleName=schedule_2

DaysHours=Th:12..14;Fr:2..15,16..24

Schedule_3 is valid 24 hours 7 days a week:

[Schedules.item_0003]

ScheduleName=schedule_3

DaysHours=All


The [HardDrivePrincipals.item_#] section contains hard drive access rules.

For hard drives, at least one schedule must always be enabled. You can assign several access rules to a hard drive. Also, multiple schedules can be specified for a user or group of users. If an access rule conflict occurs for a user or group, the minimum access rights are granted.

Principal

Specifies a user or group of users for whom the access rule is applied.

\Everyone (default value) — The access rule applies to all users.

<user name> — Name of the local or domain user to which the access rule applies. The name can be given without the domain (if the system accepts user names in this format), or in the <domain name>\<user name> or <user name>@<domain name> format.

@<group name> — Name of the (local or domain) group of users to which the access rule applies.

[HardDrivePrincipals.item_#.AccessRules.item_#]

Access rule settings.

UseRule

Specifies whether the rule is enabled or disabled.

Yes (default value) — The access rule is enabled.

No — The access rule is disabled.

ScheduleName

Schedule specified in the [Schedules.item_#] section.

The default value: Default.

Access

Specifies access type.

Allow (default value) — Access to hard drives is allowed.

Block — Access to hard drives is blocked.

The [RemovableDrivePrincipals.item_#] section contains the access rules for removable drives.

For removable drives, at least one schedule must always be enabled. You can assign several access rules to a removable drive. Also, multiple schedules can be specified for a user or group of users. If an access rule conflict occurs for a user or group, the minimum access rights are granted.

Principal

Specifies a user or group of users for whom the access rule is applied.

\Everyone (default value) — The access rule applies to all users.

<user name> — Name of the local or domain user to which the access rule applies. The name can be given without the domain (if the system accepts user names in this format), or in the <domain name>\<user name> or <user name>@<domain name> format.

@<group name> — Name of the (local or domain) group of users to which the access rule applies.

[RemovableDrivePrincipals.item_#.AccessRules.item_#]

Access rule settings.

UseRule

Specifies whether the rule is enabled or disabled.

Yes (default value) — The access rule is enabled.

No — The access rule is disabled.

ScheduleName

Schedule specified in the [Schedules.item_#] section.

The default value: Default.

Access

Specifies access type.

Allow (default value) — Access to removable drives is allowed.

Block — Access to removable drives is blocked.

The [FloppyDrivePrincipals.item_#] section contains access rules for floppy drives.

For floppy drives, at least one schedule must always be enabled. You can assign several access rules to a floppy drive. Also, multiple schedules can be specified for a user or group of users. If an access rule conflict occurs for a user or group, the minimum access rights are granted.

Principal

Specifies a user or group of users for whom the access rule is applied.

\Everyone (default value) — The access rule applies to all users.

<user name> — Name of the local or domain user to which the access rule applies. The name can be given without the domain (if the system accepts user names in this format), or in the <domain name>\<user name> or <user name>@<domain name> format.

@<group name> — Name of the (local or domain) group of users to which the access rule applies.

[FloppyDrivePrincipals.item_#.AccessRules.item_#]

Access rule settings.

UseRule

Specifies whether the rule is enabled or disabled.

Yes (default value) — The access rule is enabled.

No — The access rule is disabled.

ScheduleName

Schedule specified in the [Schedules.item_#] section.

The default value: Default.

Access

Specifies access type.

Allow (default value) — Access to floppy drives is allowed.

Block — Access to floppy drives is blocked.

The [OpticalDrivePrincipals.item_#] section contains the access rules for CD/DVD drives.

For CD/DVD drives, at least one schedule must always be enabled. You can assign several access rules to a CD/DVD drive. Also, multiple schedules can be specified for a user or group of users. If an access rule conflict occurs for a user or group, the minimum access rights are granted.

Principal

Specifies a user or group of users for whom the access rule is applied.

\Everyone (default value) — The access rule applies to all users.

<user name> — Name of the local or domain user to which the access rule applies. The name can be given without the domain (if the system accepts user names in this format), or in the <domain name>\<user name> or <user name>@<domain name> format.

@<group name> — Name of the (local or domain) group of users to which the access rule applies.

[OpticalDrivePrincipals.item_#.AccessRules.item_#]

Access rule settings.

UseRule

Specifies whether the rule is enabled or disabled.

Yes (default value) — The access rule is enabled.

No — The access rule is disabled.

ScheduleName

Schedule specified in the [Schedules.item_#] section.

The default value: Default.

Access

Specifies access type.

Allow (default value) — Access to CD/DVD drives is allowed.

Block — Access to CD/DVD drives is blocked.
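The schedule syntax from the [Schedules.item_#] section and the rule-conflict behaviour described for the drive principal sections (minimum access rights when rules conflict; blocked when no rule is active, as stated in the component overview) can be checked with the following added example, which is not Kaspersky code. It parses a DaysHours value into the hours it covers and resolves one principal's access rules at a given day and hour; the rule dictionaries it takes are a constructed stand-in for the INI sections.

```python
"""Added example (not Kaspersky code): evaluate DaysHours schedules and
resolve a principal's access rules with minimum-rights semantics."""
import re

DAYS = ["su", "mo", "tu", "we", "th", "fr", "sa"]  # week starts from Sunday

def _day_index(name):
    """Map 'Mo', 'Mon' or 'Monday' to 0..6 (Sunday = 0); two letters suffice."""
    key = name.strip().lower()[:2]
    if key not in DAYS:
        raise ValueError(f"unknown week day: {name!r}")
    return DAYS.index(key)

def parse_days_hours(spec):
    """Return the set of (day, hour) pairs during which a schedule is valid.
    Syntax: 'All', or ';'-separated '<days>:<a>..<b>[,<c>..<d>]' entries,
    where <days> is one day or a 'Su-Sa' interval and hours are in [0:24]."""
    if spec.strip().lower() == "all":
        return {(d, h) for d in range(7) for h in range(24)}
    valid = set()
    for entry in spec.split(";"):
        days, hours = entry.split(":", 1)
        first, _, last = days.partition("-")
        lo, hi = _day_index(first), _day_index(last or first)
        if lo > hi:
            raise ValueError(f"day interval must run Su..Sa: {days!r}")
        for interval in hours.split(","):
            m = re.fullmatch(r"\s*(\d{1,2})\.\.(\d{1,2})\s*", interval)
            if not m or not 0 <= int(m[1]) < int(m[2]) <= 24:
                raise ValueError(f"bad hour interval: {interval!r}")
            valid.update((d, h) for d in range(lo, hi + 1)
                         for h in range(int(m[1]), int(m[2])))
    return valid

def effective_access(rules, schedules, day, hour):
    """Resolve access at (day, hour) for one principal.
    rules: dicts with the UseRule/ScheduleName/Access keys of an
    [...AccessRules.item_#] section; schedules: {ScheduleName: DaysHours}.
    Conflicts resolve to the minimum right (Block wins); with no rule
    active at that time the operation is blocked."""
    active = [r["Access"] for r in rules
              if r.get("UseRule", "Yes") == "Yes"
              and (day, hour) in parse_days_hours(schedules[r["ScheduleName"]])]
    if not active:
        return "Block"
    return "Block" if "Block" in active else "Allow"
```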


Viewing the list of connected devices on the command line

Only users with the admin and audit roles can view the list of connected devices.

To view the list of connected devices, execute the following command:

kess-control [-D] --get-device-list

Kaspersky Embedded Systems Security displays the following information about connected devices:

  • Device type. Type of the connected device. For example, OpticalDrive or HardDrive.
  • Identifier. ID of the connected device.
  • Name. Name of the connected device.
  • Path. Path to the device in the sysfs virtual file system.
  • System drive. The setting indicates whether the connected device is a system drive (Yes or No).
  • Bus. Connection bus. Possible values: UnknownBus, USB, FireWire.
  • Driver. Name of the device driver, as read from the sysfs virtual file system.
