Installation and initial configuration of Kaspersky Embedded Systems Security

You need to prepare for installation before installing Kaspersky Embedded Systems Security.

These scenarios describe the installation and post-installation configuration of Kaspersky Embedded Systems Security, the installation and configuration of Kaspersky Security Center Network Agent and the installation of Kaspersky Embedded Systems Security management plug-ins. The installation scenario depends on the mode in which you plan to use Kaspersky Embedded Systems Security.

The application installation procedure involves the following steps:

1. Installation and post-installation configuration of the Network Agent

   If you plan to manage Kaspersky Embedded Systems Security using Kaspersky Security Center, install and configure Kaspersky Security Center Network Agent on the protected device.

2. Installing the Kaspersky Embedded Systems Security management plug-in

   If you plan to manage Kaspersky Embedded Systems Security using Kaspersky Security Center, install the Kaspersky Embedded Systems Security management plug-in. Depending on the console used to manage Kaspersky Security Center, the following administration plug-ins are used:

   • The Kaspersky Embedded Systems Security administration web plug-in lets you manage the application using Kaspersky Security Center Cloud Console and Kaspersky Security Center Web Console. The web plug-in is installed on the device that has the Kaspersky Security Center Web Console installed.
   • The Kaspersky Embedded Systems Security administration MMC plug-in lets you manage the application using Kaspersky Security Center Administration Console. The MMC plug-in is installed on the device where Kaspersky Security Center Administration Console is installed.
3. Installing application packages and graphical user interface

   Kaspersky Embedded Systems Security is distributed in the DEB and RPM packages. There are separate packages for the application and for the graphical user interface. Install Kaspersky Embedded Systems Security and, if necessary, the graphical user interface from packages in the appropriate format.

   You can perform installation in one of the following ways:

   • Using Kaspersky Security Center.
   • Using the command line.
4. Kaspersky Embedded Systems Security post-installation configuration

   The application needs initial configuration to prepare it for operation and enable the protection of the client device.

   If you installed Kaspersky Embedded Systems Security using Kaspersky Security Center, the initial configuration was performed automatically during installation in accordance with the parameters specified in the installation package. After completing the installation, go through the Getting started procedure.

   If you installed Kaspersky Embedded Systems Security using the command line, run the initial configuration script or perform the initial configuration in automatic mode after installation is completed.

   If initial configuration of the application has not been completed on a device, you cannot use or update the application on that device.

In this Help section The installation and initial configuration of Kaspersky Security Center Network Agent Installing the Kaspersky Embedded Systems Security management plug-ins Installing and initially configuring the application using Kaspersky Security Center Installing and initially configuring the application using the command line Configuring allowing rules in the SELinux system Running the application on Astra Linux OS in closed software environment mode

Page top

The installation and initial configuration of Kaspersky Security Center Network Agent

Network Agent facilitates the client device's connection with the Kaspersky Security Center Administration Server. It must be installed on every client device that will be connected to Kaspersky Security Center, the centralized remote management system.

Before you begin installing the Network Agent on Linux devices, you must perform some preparatory steps. For instructions on how to prepare devices for installing Network Agent, please refer to the Kaspersky Security Center Help. The procedure depends on the operating system.

You can perform the installation and initial configuration of Network Agent:

• Remotely from the administrator's workstation using the Kaspersky Security Center Web Console or the Administration Console. The Network Agent
  installation package

  A set of files created for remote installation of Kaspersky applications using Kaspersky Security Center. The installation package contains the settings required to install the application and ensure its operation immediately after the installation. The values of the settings correspond to the default values of the application settings. The installation package is created using the .kud file included in the application distribution kit.

  A set of files created for remote installation of Kaspersky applications using Kaspersky Security Center. The installation package contains the settings required to install the application and ensure its operation immediately after the installation. The values of the settings correspond to the default values of the application settings. The installation package is created using the .kud file included in the application distribution kit.

  is used for remote installation.
• Using the command line:
  • In silent mode with an answer file. An answer file is a text file that contains a custom set of settings for the installation and initial configuration of Network Agent. For a description of installation options and initial configuration of Network Agent, please refer to the Kaspersky Security Center Help (the "Installing Network Agent for Linux in silent mode (with an answer file)" section).
  • Interactively from an RPM or DEB package depending on your package manager. In this case, after installation, you need to perform the initial configuration of the Network Agent using a script.

For details on how to install Network Agent, refer to the Kaspersky Security Center Help system.

Page top

Installing the Kaspersky Embedded Systems Security management plug-ins

The following Kaspersky Embedded Systems Security administration plug-ins are used to manage Kaspersky Embedded Systems Security using Kaspersky Security Center:

• The Kaspersky Embedded Systems Security administration web plug-in lets you manage the application using Kaspersky Security Center Cloud Console and Kaspersky Security Center Web Console.
• The Kaspersky Embedded Systems Security administration MMC plug-in lets you manage the application using Kaspersky Security Center Administration Console.

You can install management plug-ins for different versions of Kaspersky Embedded Systems Security simultaneously. This allows you to manage the application by using the policies created with different administration plug-in versions.

You can also convert policies and tasks created with previous versions of the administration plug-in to newer versions.

In this section Installing the Kaspersky Embedded Systems Security web plug-in Installing the Kaspersky Embedded Systems Security MMC plug-in

Page top

Installing the Kaspersky Embedded Systems Security web plug-in

The Kaspersky Embedded Systems Security administration web plug-in must be installed on the client device that has the Kaspersky Security Center Web Console installed. The functionality of the web plug-in is available to all administrators who have access to Kaspersky Security Center Web Console in a browser.

You can install the web plug-in as follows:

• Using the Quick Start Wizard for Kaspersky Security Center Web Console.

  Kaspersky Security Center Web Console automatically prompts you to run the Quick Start Wizard when connecting Kaspersky Security Center Web Console to the Administration Server for the first time. You can also run the Initial Configuration Wizard in the Kaspersky Security Center Web Console interface (Device discovery and deployment → Deployment and assignment → Quick Start Wizard). The Quick Start Wizard can also check if the installed web plug-ins are up to date and download the necessary updates. For more information on the Initial Configuration Wizard for Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help section.

• Manually, using a distribution kit from the list of Kaspersky Web plug-ins or from an external source.

To install the Kaspersky Embedded Systems Security web plug-in manually:

1. In the main window of the Kaspersky Security Center Web Console, select Settings → Web plug-ins.

   A list of installed web plug-ins opens.

2. Start the installation of the Kaspersky Embedded Systems Security web plug-in by one of the following ways:
   • Installation from the list of Kaspersky web plug-ins:
     1. Click Add.

        A list of all available Kaspersky Web plug-ins opens. The list is updated automatically after new versions of web plug-ins are released.

     2. Find the Kaspersky Embedded Systems Security <version number> for Linux web plug-in in the list and click its name.
     3. In the window that opens with a description of the web plug-in, click the Install plug-in button.
     4. Wait for the installation to complete and click OK in the information window.
   • Installation of the web plug-in from an external source (the archives required for installing the web plug-ins are included in the distribution kit):
     1. Click the Add from file button.
     2. In the window that opens, specify the path to the ZIP archive with the distribution kit for the web plug-in and the path to the signed file in TXT format. This file is in the archive with the web plug-in.
     3. Click Add.
     4. Wait for the installation to complete and click OK in the information window.

The new plug-in is displayed in the list of installed web plug-ins (Settings → Web Plug-ins).

If you select a language that is not included in Kaspersky Embedded Systems Security distribution package in the properties of Kaspersky Security Center Administration Server, the License Agreement and the entire Kaspersky Security Center Web Console interface will be displayed in English.

Page top

Installing the Kaspersky Embedded Systems Security MMC plug-in

The Kaspersky Embedded Systems Security administration MMC plug-in must be installed on the same client device where the Kaspersky Security Center Administration Console is installed.

Before installing the Kaspersky Embedded Systems Security administration MMC plug-in, make sure that Kaspersky Security Center and Redist C++ 2015 (Microsoft Visual C++ 2015 Redistributable) are installed.

To install the MMC plug-in,

on the device where the Kaspersky Security Center Administration Console is installed, run the executable file klcfginst.msi.

The file is included in the Kaspersky Embedded Systems Security distribution kit.

After installation, the administration MMC plug-in is displayed in the list of installed administration MMC plug-ins in the properties of the Kaspersky Security Center Administration Server.

To view the list of installed management MMC plug-ins:

1. In the Kaspersky Security Center Administration Console tree, select the Administration Server <server name> node and open the Administration Server properties window in one of the following ways:
   • using the Properties item in the Administration Server <server name> node context menu;
   • by clicking the Administration Server properties link located in the workspace of the Administration Server <server name> node in the Administration Server section.
2. In the list on the left, in the Advanced section, select the Information about the installed application administration plug-ins section.

   In the right part of the window, the list of installed management plug-ins displays the administration MMC plug-in for Kaspersky Embedded Systems Security: Kaspersky Embedded Systems Security <version number> for Linux.

Page top

Installing and initially configuring the application using Kaspersky Security Center

You can install Kaspersky Embedded Systems Security on a client device remotely from the administrator's workstation using the Kaspersky Security Center Web Console or the Administration Console.

Installation using Kaspersky Security Center involves the following steps:

1. Creating an installation package.

   For the remote installation, Kaspersky Embedded Systems Security installation package is used. The Kaspersky Embedded Systems Security installation package is the same for all supported operating systems and processor architecture types. You can create the installation package using the Kaspersky Security Center Web Console or the Administration Console.

   You can specify the initial configuration settings using the autoinstall.ini configuration file included in the installation package, or in the properties of the installation package (this method is available only in the Web Console).

   You can add the following to the installation package that you are creating:

   • License key for automatic activation of the application during installation
   • Pre-downloaded application databases to avoid having to update the databases after installation

   You can also activate the application and update the databases as part of the getting started procedure

2. Deploying the Kaspersky Embedded Systems Security application on devices in the corporate network.

   Kaspersky Security Center Web Console supports the following main deployment methods:

   • Installing the application using the Protection Deployment Wizard.
   • Installing the application using the remote installation task.

   The Kaspersky Security Center Administration Console supports the following main deployment methods:

   • Installing the application using the Remote Installation Wizard.
   • Installing the application using the remote installation task.

   For a description of the deployment procedures, see the Kaspersky Security Center Help.

   If necessary, you can view the application remote installation log by using remote diagnostics of the Kaspersky Security Center client device.

3. Getting started.

   Before using the application, you need to complete the initial configuration of the application and prepare the application for operation.

   If initial configuration of the application has not been completed on a device, you cannot use or update the application on that device.

To use Kaspersky Security Center to manage Kaspersky Embedded Systems Security installed on client devices, you need to put these devices in

. Before starting Kaspersky Embedded Systems Security installation, you can create Kaspersky Security Center administration groups to which you want to move the devices with the application installed, and configure the rules to automatically move the devices to these administration groups. If rules for moving devices to the administration groups are not configured, Kaspersky Security Center moves all the devices that have the Administration Agent installed and are connected to Administration Server to the Unassigned devices list. In this case, you need to manually move computers to the administration groups (refer to the Kaspersky Security Center Help for details).

In this section Creating an installation package in the Web Console Creating an installation package in the Administration Console Preparing an archive with application databases in order to create an installation package with integrated databases Autoinstall.ini configuration file settings Getting started using Kaspersky Security Center

Page top

Creating an installation package in the Web Console

In Kaspersky Security Center Web Console, you can create an installation package in one of the following ways:

• From an archive file that you have prepared previously.
• From a distribution kit hosted on Kaspersky servers.

To prepare an archive for creating an installation package:

1. Download the kess.zip archive from the application download page. It is located in the Kaspersky Embedded Systems Security for Linux -> Additional distribution → Files for Product remote installation section.
2. Unpack the kess.zip archive to a folder accessible to Kaspersky Security Center Administration Server. Place the distribution files, that correspond to the type of operating system where you want to install the application and the type of its package manager, to the same folder:
   • To install Kaspersky Embedded Systems Security:
     • kess-3.4.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
     • kess_3.4.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
     • kess_3.4.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
     • kess_3.4.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)
   • To install the graphical user interface of the application:
     • kess-gui-3.4.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
     • kess-gui-3.4.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
     • kess-gui-3.4.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
     • kess-gui-3.4.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)

     If you do not want to install the graphical user interface, do not add these files to the folder; this will make the installation package smaller.

   If you do not plan to use the graphical interface, disable it by editing the appropriate setting (USE_GUI=No) in the properties of the created installation package or in the autoinstall.ini configuration file. Otherwise, the installation will fail.

   If you want to use the created installation package with different operating systems or package managers, place the files for all the types of operating systems and package managers that you need in the directory.

3. If you want to use offline application databases downloaded in advance:
   1. Place prepared archives with databases for all your operating system types into the folder.
   2. In initial configuration settings, disable the database update task after installing the application. You can configure the corresponding parameter in the properties of the created installation package or in the autoinstall.ini configuration file (UPDATE_EXECUTE=no). The autoinstall.ini file is located in the directory where you extracted the kess.zip archive.
4. If you want to perform the initial configuration of the application using a configuration file, open the autoinstall.ini configuration file and edit it as necessary.

   You can also perform the initial configuration of the application later in the properties of the created installation package on the Settings tab.

5. Place all prepared files in an archive in ZIP, CAB, TAR, or TAR.GZ format with any name.

To create an installation package for Kaspersky Embedded Systems Security in Kaspersky Security Center Web Console:

1. In the main Web Console window, select one of the following sections:
   • Device discovery and deployment → Deployment and assignment → Installation packages.
   • Operations → Repositories → Installation packages.

   A list of installation packages available on the Administration Server opens.

2. Click Add.

   The wizard for creating an installation package will start. Follow the instructions of the Wizard.

3. On the first page of the wizard, select the method for creating an installation package:
   • Create an installation package from a file. The installation package will be created from an archive that you have prepared in advance.
   • Create the installation package for a Kaspersky application. The installation package will be created from a distribution package located on Kaspersky servers.

   Kaspersky Security Center Cloud Console does not allow creation of installation packages from a file.

4. Depending on the selected package creation method:
   • Specify the package name, click the Browse button, and specify the path to the archive that you have prepared for creating the installation package.
   • Select Kaspersky Embedded Systems Security distribution package. In the window on the right, read the information about the distribution package and click the Download and create installation package button. The installation package creation process starts.
5. When prompted by the Wizard, read the License Agreement between you and Kaspersky and the Privacy Policy that describes the processing and transmission of data. To continue creating the installation package, you must confirm that you have read and accept the full terms of the End User License Agreement and the Privacy Policy.
6. Complete the wizard.

   The installation package will be created and added to the list of installation packages. Using the installation package, you can install the application on devices in the corporate network or update the application version.

7. If necessary, edit initial configuration settings (see the table below). To do this, open the properties of the installation package and go to Settings tab.

   Initial configuration settings

   Section	Description
   Specify the locale.	Select this check box if you want to specify the locale to be used by the application. In the displayed field, enter the locale in the RFC 3066 format. If this setting is not specified, the default locale is used.
   Activate the application	Select this check box if you want to activate the application during installation. In the displayed field, enter the activation code. You can also activate the application after installation.
   Select the update source.	Select the update source for databases and application modules: Kaspersky update servers. Kaspersky Security Center. Other source in the local or global network. If you select this option, enter the address of the update source in the field that opens.
   Run the database update task after installation.	Select this check box if you want to run the databases and application modules update task after installing the application.
   Specify the proxy server settings.	Select this check box if you use a proxy server for internet access. In the displayed field, enter the proxy server address in one of the following formats: <connection protocol>://<IP address of the proxy server>:<port number> if the proxy server connection does not require authentication <connection protocol>://<user name>:<password>@<IP address of the proxy server>:<port number> if the proxy server connection requires authentication Connecting to a proxy server over HTTPS is not supported.
   Install kernel source	Select this check box to automatically start of kernel module compilation.
   Use the graphical user interface.	Select this check box if you plan to install the graphical user interface of the application (the files for installing the graphical interface are included in the installation package).
   Specify a user with the admin role	Select the check box to specify the user to be assigned the administrator (admin) role. In the displayed field, enter the user name.
   Configure SELinux automatically	Select the check box to automatically configure SELinux to work with Kaspersky Embedded Systems Security.
   Remove users from privileged groups	Select this check box to remove users from the 'kessadmin' and 'kessaudit' privileged groups before installing the application. If the check box is selected and the 'nogroup' group does not exist, the installation fails and you are prompted to manually remove users from privileged groups.
   Disable protection components and scan tasks when the application is started for the first time after installation.	Select this check box if, after completing the installation process, you want to run the application with protection components and scan tasks disabled. An installation with protection components disabled can be convenient, for example, in order to reproduce a problem in the operation of the application and create a trace file. If you enable the necessary components and tasks, the enabled components and tasks will continue to work after the application is restarted.

Page top

Creating an installation package in the Administration Console

Before creating an installation package for Kaspersky Embedded Systems Security, you need to prepare the files to be included in the package.

To prepare files for creating an installation package:

1. Download the kess.zip archive from the application download page. It is located in the Kaspersky Embedded Systems Security for Linux -> Additional distribution → Files for Product remote installation section.
2. Unpack the kess.zip archive to a folder accessible to Kaspersky Security Center Administration Server. Place the distribution files, that correspond to the type of operating system where you want to install the application and the type of its package manager, to the same folder:
   • To install Kaspersky Embedded Systems Security:
     • kess-3.4.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
     • kess_3.4.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
     • kess_3.4.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
     • kess_3.4.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)
   • To install the graphical user interface of the application:
     • kess-gui-3.4.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
     • kess-gui-3.4.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
     • kess-gui-3.4.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
     • kess-gui-3.4.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)

     If you do not want to install the graphical user interface, do not add these files to the folder; this will make the installation package smaller.

   If you do not plan to install the graphical interface, you need to opt out by setting USE_GUI=No in the autoinstall.ini configuration file. Otherwise, the installation will fail.

   If you want to use the created installation package with different operating systems or package managers, place the files for all the types of operating systems and package managers that you need in the directory.

3. If you want to use offline application databases downloaded in advance:
   1. Place prepared archives with databases for all your operating system types into the folder.
   2. In initial configuration settings, disable the database update task after installing the application. To do this, open the autoinstall.ini configuration file and set UPDATE_EXECUTE=no. The autoinstall.ini file is located in the directory where you extracted the kess.zip archive.

   If you want to prepare the initial configuration settings of the application, open the autoinstall.ini configuration file and edit it as necessary.

To create an installation package for Kaspersky Embedded Systems Security in the Administration Console of Kaspersky Security Center:

1. In the console tree, select Additional → Remote installation → Installation packages.
2. Click the Create installation package button.

   The wizard for creating an installation package will start.

3. In the wizard window that opens, click the Create installation package for a Kaspersky application button.
4. Enter the name of the new installation package and proceed to the next step.
5. Select Kaspersky Embedded Systems Security distribution package. To do this, open a standard Windows browsing window using the Browse button and specify the path to the kess.kud file. The file is located in the directory where you extracted the kess.zip archive.

   The application name is displayed in the window.

   Proceed to the next step.

6. Read the License Agreement between you and Kaspersky and the Privacy Policy that describes the processing and transmission of data.

   To continue creating the installation package, you must confirm that you have read and accept the full terms of the End User License Agreement and the Privacy Policy. To confirm, in the window that opens, select both check boxes.

   Proceed to the next step.

7. The wizard downloads the files required to install the application to Kaspersky Security Center Administration Server. Wait for the download to finish.
8. Complete the wizard.

The created installation package is located in the tree of the Administration Console of Kaspersky Security Center in the Additional → Remote installation → Installation packages folder. You can use the same installation package many times.

Page top

Preparing an archive with application databases in order to create an installation package with integrated databases

You can create an installation package for remote installation and include pre-downloaded application databases in it. This may be useful, for example, if you are installing the application on a device with the Astra Linux Special Edition operating system. If you are using an installation package with integrated databases, the application is installed with the databases already functional; in this case, you do not need to update the databases immediately after installation.

To create an archive with databases for installing the application:

1. Install and perform the initial configuration of Kaspersky Embedded Systems Security on the device using the command line or using Kaspersky Security Center.
2. Update the application databases. You can update the databases during the initial configuration of the application or after installation by running a task of an Update type in the command line or an Update task in the Kaspersky Security Center Administration Console or the Kaspersky Security Center Web Console.
3. Copy the contents of the /var/opt/kaspersky/kess/private/updates/ directory to one of the following subdirectories, depending on the architecture of the operating system for which you are creating the installation package with integrated databases: /i386/ or /x86_64/.
4. Place the directories with the databases into a kess-bases.tgz archive, preserving the structure of nested directories. You can place only one subdirectory with databases for the required architecture of the operating system in the archive, or if you plan to create an installation package for installation on several operating systems with different architectures, you can place all the subdirectories with databases (/i386/ or /x86_64/) into a single archive for different architectures.
5. You can use the created archive with application databases when creating an installation package in the Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console.

Page top

Autoinstall.ini configuration file settings

In the autoinstall.ini configuration file, you can specify the settings shown in the table below. The set of applicable settings depends on the application usage mode.

Autoinstall.ini configuration file settings

If you want to change the settings in the autoinstall.ini configuration file, specify the values of settings in the following format: <setting_name>=<setting_value> (the application does not process spaces between the name of a setting and its value).

Page top

Getting started using Kaspersky Security Center

After deploying Kaspersky Embedded Systems Security through Kaspersky Security Center, you must prepare the application for operation. To do so:

1. Activate the application if activation was not performed using the key added to the installation package of the application.

   You can create and execute an activation task using the Administration Console or Kaspersky Security Center Web Console, as well as distribute the license key from the Kaspersky Security Center key storage to the devices.

2. Update the databases and application modules if you did not add pre-downloaded application databases to the installation package of the application. You can use the Update task, which is created automatically by the initial configuration wizard of Kaspersky Security Center after installing the administration MMC plug-in or the Kaspersky Embedded Systems Security administration web plug-in.

   Kaspersky Embedded Systems Security protects the device only after the application databases are updated.

3. Configure a
   policy

   A policy determines the application settings and manages the access to configuration of an application installed on devices within an administration group. An individual policy must be created for each application. You can create an unlimited number of various policies for applications installed on the devices in each administration group, but only one policy can be applied to each application at a time within an administration group.

   for centralized management of the application using Kaspersky Security Center Administration Console or Web Console. You can use a policy that is created automatically by the initial configuration wizard of Kaspersky Security Center after installing the administration MMC plug-in or the Kaspersky Embedded Systems Security administration web plug-in.

   You can also configure the application management tasks using the Administration Console or the Web Console.

Page top

Installing and initially configuring the application using the command line

You can install the Kaspersky Embedded Systems Security application on a client device using the command line.

Installation using the command line involves the following steps:

1. Installing the application and the graphical interface of the application. You can choose one of the following installation options:
   • Install the application with the graphical interface.
   • Install the application without the graphical interface.
   • Install the graphical interface on the device where the application is installed.

     It is not possible to install the graphical interface on a device on which the application is not installed.

   If the version of the apt package manager is lower than 1.1.X, use the dpkg/rpm package manager (depending on the operating system) for installation.

2. Initial configuration of the application

   The application needs initial configuration to prepare it for operation and enable the protection of the client device.

   If initial configuration of the application has not been completed on a device, you cannot use or update the application on that device.

   Initial configuration of the application is performed by running the special initial configuration script from the distribution kit of Kaspersky Embedded Systems Security. You can perform the initial configuration of the application in interactive mode or in automatic mode.

In this section Installing the application using the command line Post-installation configuration of the application in interactive mode Post-installation configuration of the application in automatic mode Settings in the configuration file for post-installation configuration

Page top

Installing the application using the command line

Installing the application without the graphical interface.

To install Kaspersky Embedded Systems Security from an RPM package on a 32-bit operating system, execute the following command:

# rpm -i kess-3.4.0-<build number>.i386.rpm

To install Kaspersky Embedded Systems Security from an RPM package on a 64-bit operating system, execute the following command:

# rpm -i kess-3.4.0-<build number>.x86_64.rpm

To install Kaspersky Embedded Systems Security from a DEB package on a 32-bit operating system, execute the following command:

# apt-get install ./kess_3.4.0-<build number>_i386.deb

To install Kaspersky Embedded Systems Security from a DEB package on a 64-bit operating system, execute the following command:

# apt-get install ./kess_3.4.0-<build number>_amd64.deb

Installing the graphical interface of the application

To install the graphical interface from the RPM package to a 32-bit operating system, execute the following command:

# rpm -i kess-gui-3.4.0-<build number>.i386.rpm

To install the graphical interface from the RPM package to a 32-bit operating system, execute the following command:

# rpm -i kess-gui-3.4.0-<build number>.x86_64.rpm

To install the graphical interface from the DEB package to a 32-bit operating system, execute the following command:

# apt-get install ./kess-gui_3.4.0-<build number>_i386.deb

To install the graphical interface from the DEB package to a 64-bit operating system, execute the following command:

# apt-get install ./kess-gui_3.4.0-<build number>_amd64.deb

Page top

Post-installation configuration of the application in interactive mode

To perform initial configuration of the application in interactive mode, you need to run the initial configuration script of the Kaspersky Embedded Systems Security application.

You must run the initial configuration script as root.

To run the initial configuration script, execute the following command:

# /opt/kaspersky/kess/bin/kess-setup.pl

The script requests the values of Kaspersky Embedded Systems Security settings step-by-step. The script finishing and the console being released indicate that the post-installation configuration is completed.

To check the return code, execute the following command:

echo $?

If the command returns code 0, the initial configuration of the application has finished successfully.

Kaspersky Embedded Systems Security can protect the device only after the application databases are updated.

In this section Selecting the locale Viewing the End User License Agreement and the Privacy Policy Accepting the End User License Agreement Accepting the Privacy Policy Using Kaspersky Security Network Removing users from privileged groups Assigning the Administrator role to a user Determining the file operation interceptor type Enabling automatic configuration of SELinux Configuring the update source Configuring proxy server settings Starting an application database update Enabling automatic application database update Application activation

Page top

Selecting the locale

At this step, the application displays the list of supported locale identifiers in RFC 3066 format.

Specify the locale in the format as identified in this list. This locale will be used for application events sent to Kaspersky Security Center, as well as for the texts of the License Agreement, Privacy Policy, and Kaspersky Security Network Statement.

The locale of the graphical interface and the application command line depends on the value of the LANG environment variable. If the locale that is not supported by Kaspersky Embedded Systems Security is specified as the value of the LANG environment variable, the graphical interface and the command line are displayed in English.

Page top

Viewing the End User License Agreement and the Privacy Policy

At this step, read the End User License Agreement concluded between you and Kaspersky, and the Privacy Policy describing the handling and transmission of data.

Page top

Accepting the End User License Agreement

At this step, you must either accept or decline the terms of the End User License Agreement.

After exiting viewing mode, enter one of the following values:

• yes (or y), if you accept the terms of the End User License Agreement.
• no (or n), if you do not accept the terms of the End User License Agreement.

If you did not accept the terms and conditions of the End User License Agreement, the Kaspersky Embedded Systems Security setup process is aborted.

Page top

Accepting the Privacy Policy

At this step, you must either accept or decline the terms of the Privacy Policy.

After exiting viewing mode, enter one of the following values:

• yes (or y), if you accept the terms of the Privacy Policy.
• no (or n), if you do not accept the terms of the Privacy Policy.

If you did not accept the terms and conditions of the Privacy Policy, the Kaspersky Embedded Systems Security setup process is aborted.

Page top

Using Kaspersky Security Network

At this step, you must either accept or decline the terms of use of the Kaspersky Security Network Statement. The file ksn_license.<language ID> containing the text of the Kaspersky Security Network Statement is located in the directory /opt/kaspersky/kess/doc/.

Enter one of the following values:

• yes (or y), if you accept the terms of the Kaspersky Security Network Statement. This enables the extended KSN mode.
• no (or n), if you do not accept the terms of the Kaspersky Security Network Statement.

Refusal to participate in Kaspersky Security Network does not interrupt the initial configuration of Kaspersky Embedded Systems Security. You can enable, disable, or change the Kaspersky Security Network mode at any time.

If Kaspersky Security Network is enabled, the cloud mode is automatically enabled, in which Kaspersky Embedded Systems Security uses the lightweight version of malware databases.

Page top

Removing users from privileged groups

This step is displayed only if users are detected in the kessadmin group and/or in the kessaudit group.

At this step, specify whether or not to remove users from the kessadmin and kessaudit privileged groups. Users included in the kessadmin and kessaudit groups get privileged access to the application's functions.

Enter yes to remove all detected users from the kessadmin and/or kessaudit group. Users whose primary group is kessadmin or kessaudit are moved to the nogroup group. If there is no nogroup group, the installation will fail and you will be prompted to manually remove users from privileged groups.

Enter no if you do not want the application to remove users from the privileged groups.

Page top

Assigning the Administrator role to a user

At this step, you can grant the administrator (admin) role to the user.

Enter the name of the user to whom you want to grant the administrator role.

You can grant the administrator role to the user later at any time.

Page top

Determining the file operation interceptor type

At this step, the file operation interceptor type for the utilized operating system is determined. For operating systems that do not support fanotify technology, kernel module compilation will begin.

If all the required packages are available, the kernel module will be automatically compiled when the File Threat Protection task starts.

If, during the compilation of the kernel module, any dependencies are not found on the device, the Kaspersky Embedded Systems Security application suggests installing the relevant packages. If the package download fails, an error message will be displayed.

Page top

Enabling automatic configuration of SELinux

This step is displayed only if SELinux is installed on your operating system.

At this step, you can enable automatic configuration of SELinux for working with Kaspersky Embedded Systems Security.

Enter yes to enable automatic configuration of SELinux. If SELinux cannot be configured automatically, the application displays an error message and prompts the user to configure SELinux manually.

Enter no if you do not want the application to automatically configure SELinux.

By default, the application suggests yes.

If necessary, you can manually configure SELinux to work with the application later, after completing the post-installation configuration of Kaspersky Embedded Systems Security.

Page top

Configuring the update source

At this step, you must specify the update source for databases and application modules. The application databases contain descriptions of the threat signatures and methods of countering them. The application uses these records when searching and neutralizing threats. Kaspersky virus analysts regularly add new records about threats.

Enter one of the following values:

• KLServers: the application receives updates from one of the Kaspersky update servers.
• SCServer: the application downloads updates to the protected device from Kaspersky Security Center Administration Server installed in your organization. You can select this update source if you use Kaspersky Security Center for centralized administration of device protection in your organization.
• <URL>: the application downloads updates from a custom source. You can specify the address of the custom source of updates in the local area network or on the Internet.
• <path> – the application receives updates from the specified directory.

Page top

Configuring proxy server settings

At this step, you must specify the proxy server settings if you are using a proxy server to access the Internet. Internet connection is required to download the application databases from the update servers.

To configure proxy server settings, perform one of the following actions:

• If you use a proxy server to connect to the Internet, specify the address of the proxy server using one of the following formats:
  • <connection protocol>://<IP address of the proxy server>:<port number> if the proxy server connection does not require authentication
  • <connection protocol>://<user name>:<password>@<IP address of the proxy server>:<port number> if the proxy server connection requires authentication

    Connecting to a proxy server over HTTPS is not supported.

    When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.

• If you do not use a proxy server to connect to the Internet, enter no as your answer.

By default, the application suggests no.

You can configure the proxy server settings later, without using the post-installation configuration script.

Page top

Starting an application database update

At this step, you can run the application database update task on the client device.

If you do not want to start to download the application databases, enter no.

If you want to start the database update task on the device, enter yes.

By default, the application suggests yes.

If yes is selected, the application will be automatically restarted after the databases are updated.

Kaspersky Embedded Systems Security protects the device only after the application databases are updated.

You can start the Update task later without using the initial configuration script.

Page top

Enabling automatic application database update

At this step, you can enable automatic update of the application databases.

Enter yes to enable automatic application database update. By default, the application checks for available database updates every 60 minutes. If updates are available, the application downloads the updated databases.

Enter no if you do not want the application to automatically update the databases.

You can enable automatic database update later without using the post-installation configuration by configuring the update task schedule.

Page top

Application activation

At this step, you can activate the application using an activation code or a key file.

To activate the application using an activation code, enter the activation code.

To activate the application using a key file, specify the full path to the key file.

If no activation code or key file is specified, the application is activated using a trial key for one month.

You can activate the application later without using the initial configuration script.

Page top

Post-installation configuration of the application in automatic mode

To perform the initial configuration of the application in automatic mode:

1. Prepare a configuration file that contains the initial configuration settings. You can create this file or copy the necessary structure from the autoinstall.ini configuration file used for remote installation of the application using Kaspersky Security Center.
2. Pass the path to the configuration file to the initial configuration script of the Kaspersky Embedded Systems Security application.

   You must run the initial configuration script as root.

To start the post-installation configuration of the application in automatic mode, run the following command:

# /opt/kaspersky/kess/bin/kess-setup.pl --autoinstall=<post-installation configuration file>

where <initial configuration file> is the path to the configuration file that contains the initial configuration settings.

When the post-installation configuration script is finished and releases the console, the post-installation configuration of the application is complete.

To check the return code, execute the following command:

echo $?

If the command returns code 0, the initial configuration of the application has finished successfully.

Kaspersky Embedded Systems Security can protect the device only after the application databases are updated.

To correctly update application modules after the script has finished, you may need to restart the application. Check the status of updates for the application using the kess-control --app-info command.

Page top

Settings in the configuration file for post-installation configuration

In the post-installation configuration file, you can specify the settings shown in the table below. The set of applicable settings depends on the application usage mode.

Settings in the configuration file for post-installation configuration

If you want to change the settings in the configuration file for initial setup of the application, specify the values of settings in the following format: <setting_name>=<setting_value> (the application does not process spaces between the name of a setting and its value).

Page top

Configuring permissions in the SELinux system

If SELinux could not be configured automatically during the post-installation configuration of the application, or if you declined automatic configuration, you can manually configure SELinux to work with Kaspersky Embedded Systems Security.

To manually configure SELinux to work with the application:

1. Switch SELinux to permissive mode:
   • If SELinux has been activated, run the following command:

     # setenforce Permissive

   • If SELinux was disabled, set the SELINUX=permissive setting in the configuration file / etc / selinux / config and restart the operating system.
2. Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python or policycoreutils-python-utils package, depending on the package manager.
3. If you are using a custom SELinux policy instead of the default targeted policy, assign a label to each source executable file of Kaspersky Embedded Systems Security in accordance with the SELinux policy being used; to do so, run the following commands:

   # semanage fcontext -a -t bin_t <executable file>

   # restorecon -v <executable file>

   where <executable file> is:

   • /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/libexec/kess
   • /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/bin/kess-control
   • /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/libexec/kess-gui
   • /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/shared/kess
4. Run the following tasks:
   • File Threat Protection task:

     kess-control --start-task 1

   • Critical Areas Scan task:

     kess-control --start-task 4 -W

   It is recommended to run all the tasks that you plan to run while using Kaspersky Embedded Systems Security.

5. Start the graphical user interface if you plan to use it.
6. Ensure that there are no errors in the audit.log file:

   # grep kess /var/log/audit/audit.log

7. If there are errors in the audit.log file, create and download a new rule module based on the blocking records in order to fix the errors, and then relaunch all the tasks that you plan to run while using Kaspersky Embedded Systems Security; to do so, run the following commands:

   # grep kess /var/log/audit/audit.log | audit2allow -M kess

   # semodule -i kess.pp

   If new audit messages related to Kaspersky Embedded Systems Security appear, the file with the rule module file must be updated.

8. Switch SELinux to blocking mode:

   # setenforce Enforcing

If you use a custom SELinux policy, manually assign a label to Kaspersky Embedded Systems Security source executable files after installing application updates (follow steps 1, 3–8).

For additional information, please refer to the documentation on the relevant operating system.

Page top

Running the application on Astra Linux OS in closed software environment mode

This section describes how to start the application in the Astra Linux Special Edition operating system.

For Astra Linux Special Edition (operational update 1.7) and Astra Linux Special Edition (operational update 1.8)

To start the application on the Astra Linux Special Edition operating system (update 1.7 or 1.8):

1. Specify the following setting in the /etc/digsig/digsig_initramfs.conf file:

   DIGSIG_ELF_MODE=1

2. Install the compatibility package:

   apt install astra-digsig-oldkeys

3. Create a directory for the application key:

   mkdir -p /etc/digsig/keys/legacy/kaspersky/

4. Locate the application key (/opt/kaspersky/kess/shared/kaspersky_astra_pub_key.gpg) in the directory created at the previous step:

   cp kaspersky_astra_pub_key.gpg /etc/digsig/keys/legacy/kaspersky/

5. Update the initramfs image:

   update-initramfs -u -k all

The application graphical user interface can be used during mandatory access control sessions.

Page top