Data of Kaspersky Endpoint Agent for Linux
Kaspersky Endpoint Agent for Linux stores and processes data locally to provide base functionality and audit capability, as well as to improve the speed with which Kaspersky Technical Support can solve potential problems.
Computers with Kaspersky Endpoint Agent for Linux store data prepared to be sent automatically to Kaspersky Anti Targeted Attack Platform servers and Kaspersky Security Center.
This data may include personal data of the user or confidential data of your organization.
Transmission of data from computers with Kaspersky Endpoint Agent for Linux to the server with the Central Node component cannot be disabled.
Do not use Kaspersky Endpoint Agent for Linux on computers from which data transfer is forbidden by your corporate policy.
Data received from Kaspersky Endpoint Agent for Linux is stored in a database on the server hosting the Central Node component and is rotated as disk space is filled.
Files prepared by Endpoint Agent for Linux for sending to the server with the Central Node component are stored on the computers hosting Endpoint Agent for Linux in plain, unencrypted form. They are kept in the directory that is used by default on each computer with Kaspersky Endpoint Agent for storing files before they are sent.
Files from computers with Kaspersky Endpoint Agent for Linux are only sent to the server with the Central Node component via a secure SSL connection.
The Kaspersky Anti Targeted Attack Platform administrator must take steps to ensure the security of computers with Kaspersky Endpoint Agent for Linux and Kaspersky Anti Targeted Attack Platform servers with the data listed above. The administrator of Kaspersky Anti Targeted Attack Platform is responsible for access to this information.
This section contains the following information about user data that is stored on computers with Endpoint Agent for Linux:
- Contents of stored data
- Storage location
- Storage duration
- User access to data
All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.
Data in Kaspersky Endpoint Agent for Linux requests to Kaspersky Anti Targeted Attack Platform
When integrated with the Central Node component, the following data is stored locally on the device with Kaspersky Endpoint Agent for Linux installed:
- In the synchronization requests:
  - Unique ID of Kaspersky Endpoint Agent for Linux.
  - Device name.
  - Local time on the device.
  - Name and version of the operating system that is installed on the device.
  - Version of Kaspersky Endpoint Agent for Linux.
  - Versions of program settings and task settings.
  - Task statuses in Kaspersky Endpoint Agent for Linux: identifiers of running tasks, execution statuses, execution error codes.
- Data on running processes:
  - Information about the executable file of the process. For the scope of data about the file, see below.
  - Process autorun settings.
  - Values of environment variables.
  - Process ID.
  - Parent process ID.
  - Logon session code.
  - Logon session name.
  - IDs of users and groups that started the process.
  - Date and time when the process started.
- Information about stopped processes:
  - Process ID.
  - Date and time when the process was stopped.
- Data on files:
  - Path to the file.
  - File name.
  - File size.
  - File attributes.
  - File creation date and time.
  - Date and time of the last modification of the file.
  - Names and unique IDs of the user and group that own the file.
  - Access rights of the file.
  - Unique identifier of the file.
- Information about file modifications:
  - Unique identifier of the file.
  - Type of operation performed on the file (writing, reading, attribute modification, renaming, deletion).
- Information about the logon session:
  - Date and time when the logon session began.
  - Type of the session.
  - Name of the user that initiated the session.
  - Type of the user that initiated the session.
  - Remote computer IP address.
- Information about alerts on the computer with Kaspersky Endpoint Agent for Linux and Kaspersky Endpoint Security for Linux:
  - Type of detected object.
  - Name of the object and full path to the object.
  - Name of the alert.
  - MD5 hash of the object.
  - URL from which the object was downloaded.
  - Remote computer IP address.
  - IP address of the local computer.
  - Alert processing result.
Before it is sent, data is stored in the /var/opt/kaspersky/epagent/data/cache/queue directory in plain unencrypted form. By default, only users with root permissions have access to the files.
- Settings of tasks received by Kaspersky Endpoint Agent for Linux from the Central Node:
  - Task types.
  - Task schedule settings.
  - Names and passwords of the accounts under which the tasks can be run.
  - Versions of settings.
  - Paths to objects.
  - MD5 and SHA256 hashes of objects.
  - Command line to start the process together with the arguments.
Information about the individual task is stored on the device until Kaspersky Endpoint Agent receives a deletion request from the Central Node or until Kaspersky Endpoint Agent itself is removed from the device.
Task data is stored in the /var/opt/kaspersky/epagent/tasks directory in plain unencrypted form. By default, only users with root permissions have access to the files.
- In the reports on task execution results sent by Kaspersky Endpoint Agent for Linux to the Central Node:
  - Task execution errors and return codes.
  - Task completion statuses.
  - Task completion time.
  - Versions of settings used for task execution.
  - Information about objects sent to the server (paths to objects, MD5 and SHA256 hashes of objects).
  - Files requested by the server.
  - Content of the process standard output.
  - Content of the process standard error stream.
Kaspersky Endpoint Agent for Linux sends task execution result reports to the Central Node.
Task execution result data is stored in the /var/opt/kaspersky/epagent/tasks directory in plain unencrypted form. By default, only users with root permissions have access to the files.
Task execution report data is deleted after it is sent to the Central Node.
Service data of Kaspersky Endpoint Agent for Linux
Service data of Kaspersky Endpoint Agent for Linux includes data that is stored in configuration files as a result of an administrator configuring settings locally or using the Kaspersky Security Center plug-in.
Service data is stored in the /var/opt/kaspersky/epagent/settings and /var/opt/kaspersky/epagent/policy directories. The data is stored until Kaspersky Endpoint Agent for Linux is uninstalled.
This data can be automatically sent to Kaspersky Security Center.
By default, only users with root permissions have access to the files.
Kaspersky Endpoint Agent for Linux stores the following data:
- Address of the Central Node server.
- Public key of the server certificate for integration with the Central Node.
- Container with the client certificate for integration with the Central Node.
- Authorization credentials for the proxy server.
- Addresses of custom update sources.
- Settings for the frequency of synchronization and of sending telemetry to the Central Node server.
Data contained in Kaspersky Endpoint Agent for Linux trace files and dumps
Data contained in trace files
Users are responsible for the security of data stored on their computers, in particular for monitoring and restricting access to the data before it is sent to Kaspersky.
Trace files are stored on the computer during the entire period the program is used and are permanently deleted when the program is removed.
By default, trace files are saved in the /var/log/kaspersky/epagent/ directory. You can view data in trace files. Accessing the default trace file directory requires root permissions.
All trace files contain the following general data:
- Time when the event occurred.
- Number of the thread of execution.
- Program component that initiated the event.
- Event importance level (information, warning, critical, error).
- Description of the event that occurred in connection with a program component running a command, and the result of the command.
In addition to general information, trace files can contain the following data:
- Kaspersky Endpoint Agent component statuses and their working data
- Information about all operating system objects and events including user activity information
- Data contained in operating system objects (for example, contents of files that can include personal data of users)
- Network traffic data (for example, contents of website forms that can include bank card data or other confidential data)
- Data received from Kaspersky servers (for example, version of the program databases)
Trace data is recorded to the lena2021-01-18T052236.log file. When the file size reaches 10 MB, the file is saved in the /var/log/kaspersky/epagent/ directory. A new file with a timestamp is created to record current data. Up to 10 files with trace data can be stored in the directory. When the size of the last created file reaches 10 MB, the oldest file is deleted.
Trace files of other programs are stored on the computer until the program is removed.
Data contained in dump files
Stored dump files can contain personal data. To monitor and restrict access to data, you must take steps to ensure the security of dump files.
Dump files are generated automatically whenever the program crashes, and are stored on the computer during the entire period when the program is used. Dump files are permanently deleted when the program is removed.
Dump files are stored in the /var/opt/kaspersky/epagent/dumps/ directory.
A dump file contains the entire memory dump of Kaspersky Endpoint Agent for Linux processes at the moment when the dump file is created. The dump file can also contain personal data.
Accessing dump files requires root permissions.
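Because the queue, task, settings, policy, trace and dump directories listed above hold plaintext data and rely on root-only access by default, that default is worth verifying on each host. The script below is an added example, not Kaspersky code: it checks every directory named on this page and reports entries that a non-root local user could reach. The function names and the `PREFIX` argument are assumptions of this example.

```shell
#!/bin/sh
# Directories named on this page that hold plaintext agent data.
KEA_DIRS="/var/opt/kaspersky/epagent/data/cache/queue
/var/opt/kaspersky/epagent/tasks
/var/opt/kaspersky/epagent/settings
/var/opt/kaspersky/epagent/policy
/var/opt/kaspersky/epagent/dumps
/var/log/kaspersky/epagent"

# find(1) expression: any group or other permission bit is set (POSIX syntax).
ANY_GO="( -perm -040 -o -perm -020 -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 )"

# is_gated DIR STOP OWNER: true if DIR, or an ancestor of it below STOP, is
# owned by OWNER and grants nothing to group/other. Other users then cannot
# traverse into it, whatever the modes of the files inside.
is_gated() {
    p=$1
    while [ "$p" != "$2" ] && [ "$p" != "/" ]; do
        [ -n "$(find "$p" -prune -user "$3" ! $ANY_GO -print 2>/dev/null)" ] && return 0
        p=$(dirname "$p")
    done
    return 1
}

# audit_kea_dirs [PREFIX] [OWNER_UID]
# PREFIX is a hypothetical test hook prepended to every path; OWNER_UID
# defaults to 0 (root). Prints findings and returns 1 if anything is exposed.
audit_kea_dirs() {
    prefix=${1:-}
    owner=${2:-0}
    rc=0
    for d in $KEA_DIRS; do
        dir=$prefix$d
        if [ ! -d "$dir" ]; then
            echo "SKIP     $dir (not present)"
            continue
        fi
        is_gated "$dir" "$prefix" "$owner" && continue
        # Not gated: list entries with a group/other bit or an unexpected owner.
        exposed=$(find "$dir" ! -type l \( $ANY_GO -o ! -user "$owner" \) -print 2>/dev/null)
        if [ -n "$exposed" ]; then
            echo "$exposed" | sed 's/^/EXPOSED  /'
            rc=1
        fi
    done
    return $rc
}

# Audit the live paths only when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then audit_kea_dirs; fi
```

Run it as root with the `run` argument, for example from a scheduled compliance job; a non-zero exit status means at least one listed directory is reachable by other local users.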