Kaspersky Embedded Systems Security for Linux

Inventory

The Inventory task provides information about all application executable files stored on the client devices. Obtaining information about the applications installed on the devices can be useful, for example, for creating Application Control rules.

You can configure the following inventory settings:

  • Select the types of objects that the application will detect on the device during inventory (files, scripts).
  • Configure inventory scopes (paths to directories in which to search for executable application files).
  • Configure exclusions from the inventory.
  • Select the action that Kaspersky Embedded Systems Security must perform with the "Golden Image" application category upon completion of the Inventory task. You can add applications that the task discovers on the device to the category, leave the category unchanged, or delete it.
  • Enable or disable the transmission of information about applications that the Inventory task discovers on the device to the Kaspersky Security Center Administration Server. If information about applications on the device is transmitted to the Administration Server, it can be used to configure application categories for Application Control rules using the Kaspersky Security Center.

In this Help section

Configuring Inventory in the Web Console

Configuring Inventory in the Administration Console

Configuring Inventory on the command line


Configuring Inventory in the Web Console

In the Web Console, you can perform an inventory of the applications for the protected device using the Inventory task.

You can create and run Inventory user tasks. You can configure inventory settings by editing the settings of these tasks.

The Kaspersky Security Center database can store information for up to 150,000 processed files. When this number of records is reached, new files will not be processed. To resume the Inventory task, delete the files registered in the Kaspersky Security Center database as a result of previous inventories, from the device where Kaspersky Embedded Systems Security is installed.

Inventory task settings

Setting

Description

Action to perform on the "Golden image" category upon task completion

In the drop-down list, you can select the action that Kaspersky Embedded Systems Security must perform with the "Golden Image" application category upon completion of the Inventory task:

  • No changes – do not change the "Golden Image" application category after completing the inventory. This is the default.
  • Update or create (if does not exist) – add applications that the Inventory task discovers on the device to the "Golden Image" category. If the category does not exist, it is created. If the category exists, the list of applications in the category is updated.
  • Delete – delete the "Golden Image" category after completing the inventory.

You can use the "Golden Image" category in Application Control rules.

Scan all executables

This check box enables or disables scans of executable files.

The check box is selected by default.

Scan binaries

The check box enables or disables scans of binary files (files with the extensions .elf, .java and .pyc).

The check box is selected by default.

Scan scripts

This check box enables or disables script scans.

The check box is selected by default.

Inventory scopes

The table contains the inventory scopes scanned by the application. The application will scan files and directories located in the paths specified in the table. By default, the table contains one inventory scope – /usr/bin.

You can add, configure, delete, move up, or move down inventory scan scopes in the table.

Clicking the Move down button moves the selected item down in the table.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Move up button moves the selected item up in the table.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

Clicking the scan scope name opens the <Scan scope name> window. In this window, you can modify the settings of the selected scan scope.

Clicking the Add button opens the <New scan scope> window. In this window, you can define a new scan scope.


Add scan scope window

In this window, you can add and configure a scan scope for the Inventory task.

Inventory scope settings

Setting

Description

Scope name

Field for entering the inventory scope name. This name will be displayed in the table in the Scan settings section.

The entry field must not be blank.

Use this scope

This check box enables or disables the scan of this scope when the task is performed.

If this check box is selected, the application processes this inventory scope while running the task.

If this check box is cleared, the application does not process this inventory scope while running the task. You can later include this scope in task settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to include in the inventory scan scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The field must not be blank. The / path is specified by default – the application scans all directories of the local file system.

Masks

This list contains name masks of the objects that the application scans while running the task.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


Exclusion scopes section

In the Exclusion scopes section for the Inventory task, you can configure the scopes to be excluded from scans.


Exclusion scopes window

This table contains scan exclusion scopes. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from scan.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


Add exclusion scope window

In this window, you can add and configure a scan exclusion scope for the Inventory task.

Exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables the exclusion of the scope when the task is executed.

If this check box is selected, the application excludes this scope during task execution.

If this check box is cleared, the application includes this scope during task execution. You can later exclude this scope from scanning by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to exclude from the inventory. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The field must not be blank.

Masks

The list contains name masks of the objects that the application excludes from scan.

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


Configuring Inventory in the Administration Console

In the Kaspersky Security Center Administration Console, you can perform an inventory of the applications for the protected device using the Inventory task.

You can create and run Inventory user tasks. You can configure the scan settings by editing the settings of the tasks.

The Kaspersky Security Center database can store information about up to 150,000 processed files. When this number of records is reached, new files will not be processed. To resume the Inventory task, delete the files registered in the Kaspersky Security Center database as a result of previous inventories, from the device where Kaspersky Embedded Systems Security is installed.

Inventory task settings

Setting

Description

Action to perform on the "Golden image" category upon task completion

In the drop-down list, you can select the action that Kaspersky Embedded Systems Security must perform with the "Golden Image" application category upon completion of the Inventory task:

  • No changes – do not change the "Golden Image" application category after completing the inventory. This is the default.
  • Update or create (if does not exist) – add applications that the Inventory task discovers on the device to the "Golden Image" category. If the category does not exist, it is created. If the category exists, the list of applications in the category is updated.
  • Delete – delete the "Golden Image" category after completing the inventory.

You can use the "Golden Image" category in Application Control rules.

Scan all executables

This check box enables or disables scans of executable files.

The check box is selected by default.

Scan binaries

The check box enables or disables scans of binary files (files with the extensions .elf, .java and .pyc).

The check box is selected by default.

Scan scripts

This check box enables or disables script scans.

The check box is selected by default.

Inventory scopes

The group of settings contains the Configure button. Clicking this button opens the Scan scopes window.

In the Exclusions section for the Inventory task, you can also configure scopes to be excluded from scans.


Scan scopes window

The table contains the scan scopes. The application will scan files and directories located in the paths specified in the table. By default, the table contains one scan scope – /usr/bin.

Scan scope settings for the Inventory task

Setting

Description

Scope name

Scan scope name.

Path

Path to the directory that the application scans.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Move up button moves the selected item up in the table.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.


<New scan scope> window

In this window, you can add and configure a scan scope for the Inventory task.

Inventory scope settings

Setting

Description

Scan scope name

Field for entering the scan scope name. This name will be displayed in the table in the Scan scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables the scan of this scope when the task is performed.

If this check box is selected, the application processes this scan scope while running the task.

If this check box is cleared, the application does not process this scan scope while running the task. You can later include this scope in task settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to include in the scan scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The field must not be blank.

Masks

This list contains name masks of the objects that the application scans while running the task.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


Exclusions section

Settings of scan exclusions

Group of settings

Description

Exclusion scopes

This group of settings contains the Configure button. Clicking this button opens the Exclusion scopes window. In this window, you can define the list of scopes to be excluded from monitoring.


Exclusion scopes window

This table contains scan exclusion scopes. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from scan.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


<New exclusion scope> window

In this window, you can add and configure a scan exclusion scope for the Inventory task.

Exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables the exclusion of the scope when the task is executed.

If this check box is selected, the application excludes this scope during task execution.

If this check box is cleared, the application includes this scope during task execution. You can later exclude this scope from scanning by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to exclude from the inventory. You can use masks to specify the path. The field must not be blank.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

Masks

The list contains name masks of the objects that the application excludes from scan.

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to HTML files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).


Configuring Inventory on the command line

You can use the command line to inventory applications on the protected device as follows:

You can view the list of applications detected on the device as a result of the Inventory task by using Application Control management commands.

In this section

Inventory task settings

Viewing a list of detected applications


Inventory task settings

The table describes all available values and the default values of all the settings that you can specify for the Inventory task.

Inventory task settings

Setting

Description

Values

ScanScripts

Enables script scanning.

Yes (default value) — Scan scripts.

No — Do not scan scripts.

ScanBinaries

Enables scanning of binary files (elf, java, and pyc).

Yes (default value) — Scan binaries.

No — Do not scan binaries.

ScanAllExecutable

Enables the scanning of files with an executable bit.

Yes (default value) — Scan files with an executable bit.

No — Do not scan files with an executable bit.

GoldenImageAction

The action that Kaspersky Embedded Systems Security must perform with the "Golden Image" application category upon completion of the Inventory task:

You can use the "Golden Image" category in Application Control rules.

DoNothing (default) – do not change the "Golden Image" application category after completing the inventory.

Create – add detected applications to the "Golden Image" application category. If the category does not exist, it is created. If the category exists, the list of applications in the category is updated.

Remove – delete the "Golden Image" category after completing the inventory.

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of the inventory scope. The maximum length of the string specified using this setting is 4096 characters.

Default value: All objects.

UseScanArea

Enables scans of the specified inventory scope. To run the task, enable scans of at least one inventory scope.

Yes (default value) — Scan the specified inventory scope.

No — Do not scan the specified inventory scope.

AreaMask.item_#

Inventory scope limitation. In the inventory scan scope, the application scans only the files that are specified using the masks in the shell format.

If this setting is not specified, the application scans all the objects in the inventory scope. You can specify several values for this setting.

The default value is * (scan all objects).

Path

Path to the directory with objects to be scanned.

<path to local directory> — Scan objects in the specified directory.

Default value: /usr/bin

The [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Description of the inventory exclusion scope.

The default value is not defined.

UseScanArea

Excludes the specified scope from the inventory.

Yes (default value) — Exclude the specified scope.

No — Do not exclude the specified scope.

AreaMask.item_#

Limiting the inventory exclusion scope using shell masks.

If this setting is not specified, the application excludes all the objects in the inventory scope. You can specify several values for this setting.

Default value: * (exclude all objects)

Path

Path to the directory with objects to be excluded.

<path to local directory> — Exclude objects in the specified directory from scan. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.
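The path mask rules (*, ** and ?) and the object name masks described for inventory scopes and exclusion scopes, worked through in Python as an added example that is not part of the product or its documentation. It lists which paths each exclusion would drop from an inventory. Assumptions: a trailing / in a mask is ignored, ? does not match /, and a scope covers everything beneath a matched directory; the function names, sample paths and sample exclusions are constructed for illustration.

```python
import fnmatch
import posixpath
import re


class MaskError(ValueError):
    """The path mask is blank or breaks the rule on '**'."""


def compile_path_mask(mask: str) -> re.Pattern:
    """Translate a scope path mask into a regex, following the page's rules."""
    if not mask:
        raise MaskError("the path field must not be blank")
    # Page rule: '**' may be used only once ('/dir/**/**/file' is incorrect).
    # Assumption: a run of three or more '*' is rejected as well.
    if mask.count("**") > 1 or "***" in mask:
        raise MaskError(f"'**' used more than once in {mask!r}")
    # Assumption: a trailing '/' only marks a directory and is ignored.
    mask = mask.rstrip("/") or "/"
    parts, i = [], 0
    while i < len(mask):
        if mask.startswith("**", i):
            parts.append(".*")       # any characters, '/' included
            i += 2
        elif mask[i] == "*":
            parts.append("[^/]*")    # any characters up to the next '/'
            i += 1
        elif mask[i] == "?":
            parts.append("[^/]")     # assumption: '?' does not match '/'
            i += 1
        else:
            parts.append(re.escape(mask[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def path_in_scope(path: str, mask: str, name_masks=("*",)) -> bool:
    """True if the file name matches one of the object name masks (shell
    format) and the path, or one of its parent directories, matches `mask`."""
    pattern = compile_path_mask(mask)
    name = posixpath.basename(path)
    if not any(fnmatch.fnmatchcase(name, m) for m in name_masks):
        return False
    candidate = path
    while True:
        if pattern.fullmatch(candidate):
            return True
        if candidate in ("/", ""):
            return False
        candidate = posixpath.dirname(candidate)


def covered_by_exclusions(paths, exclusions):
    """Map each exclusion path mask to the paths it removes from the inventory."""
    return {
        mask: [p for p in paths if path_in_scope(p, mask, names)]
        for mask, names in exclusions
    }


# Constructed sample data, not output of a real Inventory task.
SAMPLE_PATHS = [
    "/usr/bin/ls",
    "/opt/app1/bin/tool",
    "/opt/app1/plugins/x/bin/tool",
    "/opt/app10/bin/tool",
    "/srv/www/2020_my_file_09.html",
]
# Constructed exclusions: (path mask, object name masks).
SAMPLE_EXCLUSIONS = [
    ("/opt/*/bin", ("*",)),
    ("/opt/**/bin/", ("*",)),
    ("/opt/app?/bin", ("*",)),
    ("/srv/www", ("*_my_file_??.html",)),
]

if __name__ == "__main__":
    report = covered_by_exclusions(SAMPLE_PATHS, SAMPLE_EXCLUSIONS)
    for mask, hits in report.items():
        print(f"{mask:16} -> {hits}")
```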


Viewing a list of detected applications

To view the list of applications detected on the device, execute the following command:

kess-control --get-app-list [--json]

where --json means output data in JSON format.

Kaspersky Embedded Systems Security displays the following information about the detected applications:

  • Date and time of inventory. Date and time when the Inventory task was performed.
  • Number of applications. The number of applications detected on the device.
  • The list of applications containing the following information:
    • Path. Path to the application.
    • Hash. Application hash sum.
    • Type. Application type. For example, Script, Executable.
    • Categories. Categories that the application belongs to (if they were previously created). You can view the list of created application categories using the kess-control --get-categories command.

    When you add a new category, its information is not automatically updated in the application list. To update the application list, you need to restart the Inventory task.
