Kaspersky Endpoint Security for Linux

Configuring KESL container

KESL container settings are initialized in several ways:

  • By default (unless otherwise specified).
  • From the configuration file. In this case, the values ​​from the configuration file have a higher priority than the default values.
  • The values can be passed ​​to the KESL container upon startup as environment variables. Environment variables have a higher priority than the settings from the configuration file.
  • In the scan request body. The settings in the request body have the highest priority, but they are valid only within a single request.

In this section

KESL container settings

Environment variables

Configuration file

Available mount points

Page top
[Topic 213823]

KESL container settings

KESL container settings and their default values ​​are described in the following table.

KESL container settings

Setting description

Available values

Default value

Port for listening to REST API

 

8085

Event severity level

debug

info

warning

error

critical

noset

noset

Authorization key

If the KRAS4D_XAPIKEY setting is specified, each request is verified for the presence of the x-api-key header and if its content matches the value of the KRAS4D_XAPIKEY setting. If these conditions are not met, the request is rejected. If this setting is missing, verification is not performed.

 

Activation code or key file

To activate a KESL container using an activation code, when running the KESL container specify the activation code in the configuration file or pass the activation code in an environment variable:

docker run ... -e KRAS4D_ACTIVATION='<activation code>'

To activate a KESL container using a key file, when running the KESL container specify the key file in the configuration file or pass the key file in an environment variable:

docker run ... -e KRAS4D_ACTIVATION='<key file>' -e KRAS4D_KEYPATH=/root/kesl-service/keys -v <path to the directory with keys>:/root/kesl-service/keys

To activate a KESL container using a key file, the /root/kesl-service/keys mount point is required.

 

Additional scan settings

The optional KRAS4D_SCANOPTIONS setting allows you to configure the settings of the Container Scan task:

docker run ... -e KRAS4D_SCANOPTIONS='<settings>'

where <settings> are the settings of the Container Scan task.

 

Additional update settings

The optional KRAS4D_UPDATEOPTIONS setting allows you to configure the settings of the Update task.

docker run ... -e KRAS4D_UPDATEOPTIONS='<settings>'

where <settings> are the Update task settings SourceType and ApplicationUpdateMode, as well as the settings in the CustomSources.item_# section.

 

Update the application databases when KESL container starts

By default, the application databases are downloaded to the /var/opt/kaspersky/kesl/private/updates directory when the KESL container is started.

To implement the joint operation of several KESL containers with one instance of the application databases and to speed up the launch of the KESL container, it is recommended to move this directory to the device where the KESL container is installed by means of mounting:

docker run ... -v <path to database directory>:/var/opt/kaspersky/kesl/private/updates

True

Do not process the image if it already exists in the target repository.

 

False

Maximum time to wait for application commands to run, in seconds

 

600

Maximum time to wait for application database update tasks to run, in seconds

 

600

Name of the settings configuration file.

 

kesl-service.config

Page top
[Topic 234815]

Environment variables

The following environment variables can be used to configure a KESL container:

  • KRAS4D_PORT – port for listening to REST API.
  • KRAS4D_LOGLEVEL – event severity level.
  • KRAS4D_XAPIKEY – request authorization key.
  • KRAS4D_ACTIVATION – activation code or key file name.
  • KRAS4D_SCANOPTIONS – additional scan settings.
  • KRAS4D_UPDATEOPTIONS – additional update settings.
  • KRAS4D_FORCEUPDATE – update the application databases when KESL container starts.
  • KRAS4D_SKIPIMAGEIFEXISTS – do not process the image if it already exists in the target repository.
  • KRAS4D_GENERALTIMEOUT – maximum time to wait for application commands to run.
  • KRAS4D_UPDTASKTIMEOUT – maximum time to wait for application database update tasks to run.
  • KRAS4D_CFGNAME: name of the KESL container configuration file.
Page top
[Topic 234816]

Configuration file

The KESL container configuration file uses the yaml format. To read the settings from the file, mount the /root/kesl-service/config/ path on the device where the KESL container is installed, and specify the name of the configuration file if it differs from the default one. Thus, you can specify individual configuration file for each set of KESL containers.

Example: starting a KESL container

docker run ... \

-e KRAS4D_CFGNAME='unique_file_name' \

-v <HOST_PATH>:/root/kesl-service/config \

kesl-service

The table below shows the configuration file settings and the corresponding environment variables.

Correspondence between the settings and the environment variables

Configuration file setting

Environment variable

Common section

port: <port for listening>

# KRAS4D_PORT=8085

sqlpath: <full path to the database file that contains scan results>

# KRAS4D_SQLPATH

certdir: <path to the directory with registry certificates>

# KRAS4D_CERTDIR

keypath: <path to the directory with license keys>

# KRAS4D_KEYPATH

tmppath: <full path to the temporary directory>

# KRAS4D_TMPPATH

logpath: <full path to the event log>

# KRAS4D_LOGPATH

loglevel: [noset|debug|info|warning|error|critical]

# KRAS4D_LOGLEVEL

Control section

xapikey: <request authorization key>

# KRAS4D_XAPIKEY=None

forceupdate: <forced database update at container start [True|False]>

# KRAS4D_FORCEUPDATE

activation: <activation code or key file name from /root/kesl-service/config/>

# KRAS4D_ACTIVATION

detectaction: [delete|skip]

# KRAS4D_DETECTACTION

scanoptions: <scan settings [ScanArchived=yes ScanSfxArchived=yes ...]>

# KRAS4D_SCANOPTIONS

skipimageifexist: <do not scan the image if it already exists on the server to which the scanned image is to be copied>

# KRAS4D_SKIPIMAGEIFEXIST

generaltimeout: <maximum time to wait for application commands to run>

# KRAS4D_GENERALTIMEOUT

updtasktimeout: <maximum time to wait for application database update tasks to run>

# KRAS4D_UPDTASKTIMEOUT

Repositories section

<server>:<port>: address and port of the image registry that requires authorization when requesting for verification.

 

Credentials subsection

user: user name for authorization in the image registry

 

pass: password for authorization in the image registry

 

Example of a configuration file

Example of a configuration file

Page top
[Topic 234817]

Available mount points

The following mount points are available for working with the KESL container:

  • /root/kesl-service/data/scans.sqlite – path to the database file that contains scan results.
  • /var/opt/kaspersky/kesl/private/updates – path to the application databases.
  • /root/kesl-service/certificates – path to the directory that contains repository certificates.
  • /root/kesl-service/keys – path to the directory that contains license keys.
  • /var/log/kaspersky/ – path to the directory that contains event logs.
  • /root/kesl-service/config/ – path to the configuration files.
  • /var/lib/containers/vfs-storage – required mount point for the Podman utility to work correctly.
Page top
[Topic 213865]