Kaspersky Embedded Systems Security for Linux
3.4.0
English

Contents

System Integrity Check

When the System Integrity Check task is running, a change in each object is found by comparing the current state of the monitored object with its original state. The following comparison criteria can be used:

  • File hash
  • File change time
  • File size

The initial state of monitored objects is recorded as a baseline. The baseline contains paths to monitored objects and their metadata.

A baseline may also contain personal data.

A system baseline is created when a System Integrity Check task runs on the device for the first time. If you have created multiple System Integrity Check tasks, a separate baseline is created for each. The task is only executed if the baseline contains information about objects that belong to the monitoring scope defined for the task. If the baseline does not match the monitoring scope, Kaspersky Embedded Systems Security generates a system integrity violation event.

A baseline is rebuilt when task settings change, for example, if a new monitoring scope is added.

The application creates a baseline storage on the protected device. By default, the storage for baselines is located in /var/opt/kaspersky/kess/private/fim.db. Root privileges are required to access a database that contains baselines.

You can delete a baseline by deleting the appropriate System Integrity Check task.

You can run a system integrity check on demand and configure the scan settings:

  • Enable or disable baseline rebuild every time a system integrity check task finishes.
  • Select criteria for comparing the current state of the monitored file with the original state: use the file hash and change time, or only the file size.
  • Configure monitoring scopes for checking system integrity.
  • Configure exclusion scopes from the system integrity check. You can specify paths to excluded files and directories, and exclude individual objects by name mask.

In this section

Configuring System Integrity Check in the Web Console

Configuring System Integrity Check in the Administration Console

Configuring System Integrity Check in the command line
Page top
[Topic 197623]

Configuring System Integrity Check in the Web Console

You can run a system integrity check in the Web Console with the help of the System Integrity Check task.

You can create and run user system integrity check tasks. You can configure the scan settings by editing the settings of the tasks.

System Integrity Check task settings

Setting

Description

Rebuild baseline on each task start

This check box enables or disables the reestablishment of a system baseline upon every start of the System Integrity Check task.

This check box is cleared by default.

Check SHA256 hash

This check box enables or disables the use of the file hash as a criterion when comparing the current state of the file with its original state.

If this check box is cleared, the application compares only the file size (if the file size has not changed, then the modification time is not considered a critical parameter).

This check box is cleared by default.

Track directories in monitoring scopes

This check box enables or disables directory monitoring while system integrity check is running.

This check box is cleared by default.

Track the last time a file was accessed

This check box enables or disables tracking the file access time while the System Integrity monitoring runs.

This check box is cleared by default.

Monitoring scopes

The table that contains the monitoring scopes scanned by the task.

By default, the table contains the Kaspersky internal objects (/opt/kaspersky/kess/) monitoring scope.

You can add, configure, delete, move up, or move down monitoring scopes in the table.

Clicking the Move down button moves the selected item down in the table.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Move up button moves the selected item up in the table.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

Clicking the scan scope name opens the <Scan scope name> window. In this window, you can modify the settings of the selected scan scope.

Clicking the Add button opens the <New scan scope> window. In this window, you can define a new scan scope.

Page top

[Topic 197248]

Add scan scope window

In this window, you can add or configure the monitoring scope for the System Integrity Check task.

Monitoring scope settings

Setting

Description

Scope name

Field for entering the monitoring scope name. This name will be displayed in the table in the Scan settings section.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application controls this monitoring scope during the application's operation.

If this check box is cleared, the application does not control this monitoring scope during the operation. You can later include this scope in the component settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to include in the monitoring scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The field must not be blank.

The / path is specified by default – the application scans all directories of the local file system.

Masks

The list contains name masks for the objects that the application scans.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 218702]

Exclusion scopes section

In the Exclusion scopes section for the System Integrity Check task, you can also configure exclusion scopes for the scan and exclusions by mask.

Page top
[Topic 246675]

Exclusion scopes window

The table contains monitoring exclusion scopes for the System Integrity Check component. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Monitoring exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from monitoring.

Status

Indicates whether the application excludes this scope from monitoring during the task operation.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 246676]

Add exclusion scope window

In this window, you can add and configure the monitoring exclusion scope for the System Integrity Check task.

Monitoring exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window. The entry field must not be blank.

Use this scope

The check box enables or disables the exclusion of the scope from monitoring when the application is running.

If this check box is selected, the application excludes this scope from monitoring during the task operation.

If this check box is cleared, the application monitors this scope during the task operation. You can later exclude this scope from monitoring by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to add to the exclusion scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The field must not be blank.

The / path is specified by default. The application excludes all directories of the local file system from scan.

Masks

The list contains name masks of the objects that the application excludes from the monitoring.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 246677]

Exclusions by mask window

You can configure the exclusion of objects from monitoring based on name masks. The application does not scan the files with the names containing the specified masks. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

Page top
[Topic 202412_1]

Configuring System Integrity Check in the Administration Console

You can perform a system integrity check in the Administration Console, with the help of the System Integrity Check task.

You can create and run user system integrity check tasks. You can configure the scan settings by editing the settings of the tasks.

In the Settings section of the properties of the System Integrity Check task, you can edit the settings listed in the table below.

System Integrity Check task settings

Setting

Description

Rebuild baseline on each task start

This check box enables or disables the rebuilding of the system baseline every time the System Integrity Check task is started.

This check box is cleared by default.

Check SHA256 hash

This check box enables or disables the use of the file hash as a criterion when comparing the current state of the file with its original state.

If this check box is cleared, the application compares only the file size (if the file size has not changed, then the modification time is not considered a critical parameter).

This check box is cleared by default.

Track directories in monitoring scopes

This check box enables or disables scanning of directories within the specified monitoring scopes during a system integrity check.

This check box is cleared by default.

Track the last time a file was accessed

This check box enables or disables tracking the file access time while the System Integrity monitoring runs.

This check box is cleared by default.

Monitoring scopes

The group of settings contains the Configure button. Clicking this button opens the Scan scopes window.

Under Exclusion scopes in the properties of the System Integrity Check, you can define monitoring exclusions and exclusions by mask.

Page top
[Topic 197653]

Scan scopes window

The table contains monitoring scopes for the System Integrity Check task. The application monitors files and directories located in the paths specified in the table. By default, the table contains one monitoring scope, Kaspersky internal objects (/opt/kaspersky/kess/).

Monitoring scope settings

Setting

Description

Scope name

Monitoring scope name.

Path

Path to the directory that the application protects.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

This button is available if only one item is selected in the table.

Clicking the Move up button moves the selected item up in the table.

This button is available if only one item is selected in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Embedded Systems Security scans objects in the specified scopes, in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.

Page top
[Topic 246670]

<New scan scope> window

In this window, you can add and configure monitoring scopes for the System Integrity Check task.

Monitoring scope settings

Setting

Description

Scan scope name

Field for entering the monitoring scope name. This name will be displayed in the table in the Scan scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application controls this monitoring scope during the application's operation.

If this check box is cleared, the application does not control this monitoring scope during the operation. You can later include this scope in the component settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to include in the monitoring scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The field must not be blank.

The default path is /opt/kaspersky/kess.

Masks

The list contains name masks for the objects that the application scans.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 246671]

Exclusion scopes section

Settings of scan exclusions

Group of settings

Description

Monitoring exclusions

This group of settings contains the Configure button. Clicking this button opens the Exclusion scopes window. In this window, you can define the list of scopes to be excluded from monitoring.

Exclusions by mask

This group of settings contains the Configure button, which opens the Exclusions by mask window. In this window, you can configure the exclusion of objects from monitoring by name mask.

Page top

[Topic 215327]

Exclusion scopes window

The table contains scan exclusion scopes for the System Integrity Check component. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Scan exclusion scope settings for the System Integrity Check task

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from scan.

Status

Indicates whether the application excludes this scope from monitoring during the component operation.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 246672]

<New exclusion scope> window

In this window, you can add and configure the monitoring exclusion scope for the System Integrity Check task.

Monitoring exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window. The entry field must not be blank.

Use this scope

The check box enables or disables the exclusion of the scope from monitoring when the application is running.

If this check box is selected, the application excludes this scope from monitoring during the task operation.

If this check box is cleared, the application monitors this scope during the task operation. You can later exclude this scope from monitoring by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to add to the exclusion scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The field must not be blank.

The / path is specified by default. The application excludes all directories of the local file system from scan.

Masks

The list contains name masks of the objects that the application excludes from the monitoring.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

 

Page top

[Topic 246673]

Exclusions by mask window

You can configure the exclusion of objects from monitoring based on name masks. The application does not scan the files with the names containing the specified masks. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

Page top
[Topic 276469]

Configuring System Integrity Check in the command line

You can run a system integrity check on a device in the command line by using user System Integrity Check tasks (ODFIM tasks).

You can manually start, stop, pause, or resume user tasks and configure the task schedule. You can configure system integrity checking by editing the settings of these tasks.

System Integrity Check task settings

Setting

Description

Values

RebuildBaseline

Enables baseline to rebuild after the System Integrity Check task finishes.

Yes: rebuild the baseline every time the System Integrity Check task finishes.

No (default): do not rebuild the baseline every time the System Integrity Check task finishes.

CheckFileHash

Use the file hash (SHA256) as a criterion when comparing the current state of the monitored file with its original state.

Yes: check the hash.

No (default value) — Disable hash check. If this check is disabled, the application compares only the file size (if the file size has not changed, then the modification time is not considered a critical parameter).

TrackDirectoryChanges

Enables directory monitoring.

Yes: monitor directories while checking system integrity.

No (default value) — Do not monitor directories.

TrackLastAccessTime

Enables tracking last file access time. In the Linux operating systems it is the noatime setting.

Yes — Track last file access time.

No (default value) — Do not track last file access time.

UseExcludeMasks

Enables monitoring scope exclusions for objects specified by the ExcludeMasks.item_# setting.

This setting only applies if a value is specified for the ExcludeMasks.item_# setting.

Yes — Exclude the objects specified by the ExcludeMasks.item_# setting from the monitoring scope.

No (default value) — Do not exclude the objects specified by the ExcludeMasks.item_# setting from the monitoring scope.

ExcludeMasks.item_#

Excludes objects from monitoring by names or masks. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format.

Before specifying a value for this setting, make sure that the UseExcludeMasks setting is enabled.

You can specify several masks. Each mask must be specified on a new line with a new index.

The default value is not defined.

The [ScanScope.item_#] section contains the monitoring scopes of the System Integrity Check. At least one monitoring scope must be specified for the task. You can specify several [ScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order.

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of monitoring scope; contains additional information about the monitoring scope.

The default value is not defined.

UseScanArea

Enables monitoring of the specified scope.

Yes (default value) — Monitor the specified scope.

No — Do not monitor the specified scope.

Path

Path to the monitoring directory.

You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

Default value: /opt/kaspersky/kess/

AreaMask.item_#

Monitoring scope limitation. Within the monitoring scope, the application scans only the objects that are specified using the masks in the shell format.

You can specify several AreaMask.item_# items in any order. The application processes the scopes by index in ascending order.

Default value: * (all objects are monitored)

The [ExcludedFromScanScope.item_#] section contains the objects to be excluded from all [ScanScope.item_#] sections. You can specify several [ExcludedFromScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order.

The [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Description of the monitoring exclusion scope, which contains additional information about the monitoring exclusion scope.

The default value is not defined.

UseScanArea

Excludes the specified scope from monitoring.

Yes (default value) — Exclude the specified scope from monitoring.

No — Do not exclude the specified scope from monitoring.

Path

Path to the directory with objects excluded from monitoring.

You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The default value is not defined.

AreaMask.item_#

Limitation of monitoring exclusion scope. In the monitoring exclusion scope, the application only excludes the objects that are specified using masks in the shell format.

You can specify several AreaMask.item_# items in any order. The application processes the scopes by index in ascending order.

Default value: * (exclude all objects from monitoring)

Page top

[Topic 197608]