Kaspersky Embedded Systems Security for Linux
3.4.0
English

Contents

Real-time System Integrity Monitoring

System Integrity Monitoring detects each change to an object within the monitoring scope by intercepting file operations in real time.

When System Integrity Monitoring runs, the application monitors changes in the following file settings:

  • Content (write (), truncate (), etc.)
  • Metadata (possession rights (chmod/chown))
  • Time stamps (utimensat)
  • Extended attributes ((setxattr) and others)

A file checksum is not calculated.

The technical limitations of the Linux operating system prevent the application from identifying the user or process that made the changes to the file.

System Integrity Monitoring is disabled by default. You can enable, disable, and configure System Integrity Monitoring:

  • Define monitoring scopes for System Integrity Monitoring The application monitors operations on files within the monitoring scopes defined in the System Integrity Monitoring settings. You have to specify at least one monitoring scope for the component to work. The Kaspersky internal objects (/opt/kaspersky/kess/) monitoring scope is defined by default.

    You can specify several monitoring scopes. You can change monitoring scopes in real-time mode.

    The application task does not monitor changes in files (attributes and content) with hard links that are outside the monitoring scope.

  • You can configure exclusion of objects from monitoring with the help of name masks.
  • Set up exclusion scopes for System Integrity Monitoring. Exclusions are defined for each individual monitoring scope and only work for the indicated scope. You can specify several monitoring exclusions.

    An exclusion has a higher priority than a monitoring scope; an excluded object is skipped even if within the monitoring scope. If the monitoring scope is defined on a lower level than the excluded directory, the application skips this monitoring scope during system integrity monitoring.

When a directory is added to a monitoring or exclusion scope, the application does not check whether that directory exists.

In this section

Configuring System Integrity Monitoring in the Web Console

Configuring System Integrity Monitoring in the Administration Console

Configuring System Integrity Monitoring in the command line
Page top
[Topic 197263]

Configuring System Integrity Monitoring in the Web Console

In the Web Console, you can configure System Integrity Monitoring settings in the policy properties (Application settingsSecurity ControlsSystem Integrity Monitoring).

System Integrity Monitoring settings

Setting

Description

System Integrity Monitoring enabled / disabled

This toggle switch enables or disables the System Integrity Monitoring component.

The toggle button is switched off by default.

Monitoring scopes

Clicking the Configure monitoring scopes link opens the Monitoring scopes window.

Exclusion scopes

Clicking the Configure monitoring exclusion scopes link opens the Exclusion scopes window.

Exclusions by mask

Clicking the Configure exclusions by mask link opens the Exclusions by mask window.

Page top

[Topic 197280]

Monitoring scopes window

The table contains monitoring scopes for the System Integrity Monitoring component. The application monitors files and directories located in the paths specified in the table. By default, the table contains the Kaspersky internal objects (/opt/kaspersky/kess/) monitoring scope.

Monitoring scope settings for System Integrity Monitoring

Setting

Description

Scope name

Monitoring scope name.

Path

Path to the directory that the application protects.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

This button is available if only one item is selected in the table.

Clicking the Move up button moves the selected item up in the table.

This button is available if only one item is selected in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Embedded Systems Security scans objects in the specified scopes, in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.

Page top

[Topic 202280]

Add monitoring scope window

In this window, you can add and configure monitoring scope for the System Integrity Monitoring component.

Monitoring scope settings

Setting

Description

Scope name

Field for entering the monitoring scope name. This name will be displayed in the table in the Monitoring scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application controls this monitoring scope during the operation.

If this check box is cleared, the application does not control this monitoring scope during the operation. You can later include this scope in the component settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to include in the monitoring scope. You can use masks to specify the path. The field must not be blank.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default – the application scans all directories of the local file system.

Masks

The list contains name masks for the objects that the application scans.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 218554]

Exclusion scopes window

The table contains monitoring exclusion scopes for the System Integrity Monitoring component. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Monitoring exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from monitoring.

Status

Indicates whether the application excludes this scope from monitoring during the component operation.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 202410]

Add exclusion scope window

In this window, you can add or configure the monitoring exclusion scope for the System Integrity Monitoring component.

Monitoring exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window. The entry field must not be blank.

Use this scope

The check box enables or disables the exclusion of the scope from monitoring when the application is running.

If this check box is selected, the application excludes this scope from monitoring during the component operation.

If this check box is cleared, the application monitors this scope during the component operation. You can later exclude this scope from monitoring by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to add to the exclusion scope. You can use masks to specify the path. The field must not be blank.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default. The application excludes all directories of the local file system from scan.

Masks

The list contains name masks of the objects that the application excludes from the monitoring.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 219604]

Exclusions by mask window

You can configure the exclusion of objects from monitoring based on name masks. The application does not scan the files with the names containing the specified masks. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

Page top
[Topic 202412]

Configuring System Integrity Monitoring in the Administration Console

In the Administration Console, you can configure System Integrity Monitoring settings in the policy properties (Security ControlsSystem Integrity Monitoring).

System Integrity Monitoring settings

Setting

Description

Enable System Integrity Monitoring

This check box enables or disables System Integrity Monitoring.

This check box is cleared by default.

Monitoring scopes

The group of settings contains the Configure button. Clicking this button opens the Scan scopes window.

Monitoring exclusions

This group of settings contains the Configure button. Clicking this button opens the Exclusion scopes window.

Exclusions by mask

This group of settings contains the Configure button, which opens the Exclusions by mask window.

Page top

[Topic 197640]

Scan scopes window

The table contains monitoring scopes for the System Integrity Monitoring component. The application monitors files and directories located in the paths specified in the table. By default, the table contains one monitoring scope, Kaspersky internal objects (/opt/kaspersky/kess/).

Monitoring scope settings

Setting

Description

Scope name

Monitoring scope name.

Path

Path to the directory that the application protects.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

This button is available if only one item is selected in the table.

Clicking the Move up button moves the selected item up in the table.

This button is available if only one item is selected in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Embedded Systems Security scans objects in the specified scopes, in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.

Page top
[Topic 202408]

<New scan scope> window

In this window, you can add and configure monitoring scopes for the System Integrity Monitoring component.

Monitoring scope settings

Setting

Description

Scan scope name

Field for entering the monitoring scope name. This name will be displayed in the table in the Scan scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application controls this monitoring scope during the application's operation.

If this check box is cleared, the application does not control this monitoring scope during the operation. You can later include this scope in the component settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to include in the monitoring scope.

The field must not be blank. The default path is /opt/kaspersky/kess.

Masks

The list contains name masks for the objects that the application scans.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 202409]

Exclusion scopes window

The table contains monitoring exclusion scopes for the System Integrity Monitoring component. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Monitoring exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from monitoring.

Status

Indicates whether the application excludes this scope from monitoring during the component operation.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 276441]

<Exclusion scope name> window

In this window, you can add or configure the monitoring exclusion scope for the System Integrity Monitoring component.

Monitoring exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window. The entry field must not be blank.

Use this scope

The check box enables or disables the exclusion of the scope from monitoring when the application is running.

If this check box is selected, the application excludes this scope from monitoring during the component operation.

If this check box is cleared, the application monitors this scope during the component operation. You can later exclude this scope from monitoring by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to add to the exclusion scope. The field must not be blank.

The / path is specified by default. The application excludes all directories of the local file system from scan.

Masks

The list contains name masks of the objects that the application excludes from the monitoring.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

 

Page top

[Topic 202411]

Exclusions by mask window

You can configure the exclusion of objects from monitoring based on name masks. The application does not scan the files with the names containing the specified masks. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

Page top
[Topic 276442]

Configuring System Integrity Monitoring in the command line

You can manage system integrity monitoring in real time in the command line by using the System Integrity Monitoring predefined task (System_Integrity_Monitoring). Task type: OAFIM.

The System Integrity Monitoring task does not run by default. You can start and stop the task manually.

You can configure System Integrity Monitoring on the device by editing the settings of the System Integrity Monitoring predefined task.

On-access File Integrity Monitoring task settings

Setting

Description

Values

UseExcludeMasks

Enables exclusion of the objects specified by the ExcludeThreats.item_# setting from the monitoring scope.

This setting applies only if the ExcludeMasks.item_# setting is specified.

Yes — Exclude the objects specified by the ExcludeMasks.item_# setting from the monitoring scope.

No (default value) — Do not exclude the objects specified by the ExcludeMasks.item_# setting from the monitoring scope.

ExcludeMasks.item_#

Excludes objects from monitoring by names or masks. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format.

Before specifying a value for this setting, make sure that the UseExcludeMasks setting is enabled.

You can specify several masks. Each mask must be specified on a new line with a new index.

The default value is not defined.

The [ScanScope.item_#] section contains the monitoring scopes of the System Integrity Monitoring task. At least one monitoring scope must be specified for the task. You can specify several [ScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order.

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of monitoring scope; contains additional information about the monitoring scope.

The default value is not defined.

UseScanArea

Enables monitoring of the specified scope.

Yes (default value) — Monitor the specified scope.

No — Do not monitor the specified scope.

Path

Path to the monitoring directory.

You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

Default value: /opt/kaspersky/kess/

AreaMask.item_#

Monitoring scope limitation. Within the monitoring scope, the application scans only the objects that are specified using the masks in the shell format.

You can specify several AreaMask.item_# items in any order. The application processes the scopes by index in ascending order.

Default value: * (all objects are monitored)

[ExcludedFromScanScope.item_#] contains objects to be excluded from all [ScanScope.item_#] sections. You can specify multiple [ExcludedFromScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order.

The [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Description of the monitoring exclusion scope, which contains additional information about the monitoring exclusion scope.

The default value is not defined.

UseScanArea

Excludes the specified scope from monitoring.

Yes (default value) — Exclude the specified scope from monitoring.

No — Do not exclude the specified scope from monitoring.

Path

Path to the directory with objects excluded from monitoring.

You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The default value is not defined.

AreaMask.item_#

Limitation of monitoring exclusion scope. In the monitoring exclusion scope, the application only excludes the objects that are specified using masks in the shell format.

You can specify several AreaMask.item_# items in any order. The application processes the scopes by index in ascending order.

Default value: * (exclude all objects from monitoring)

Page top

[Topic 197226]