In GNU/Linux distributions having the PARSEC security subsystem, the access of all applications to files depends on their privilege level. Thus, SpIDer Guard can intercept file access events by default to the extent allowed by its privilege level.
Moreover, if the user works at any privilege level other than the zero, the graphical interface of Dr.Web for Linux cannot interact with SpIDer Guard and the anti-virus service components if they operate at different privilege levels; moreover, access to the consolidated quarantine may become unavailable.
If your OS uses PARSEC and there are accounts of users working at privilege levels other than zeroth, you need to customize Dr.Web for Linux to ensure that its components can interact while running at different privilege levels.
This section covers the following PARSEC settings that enable correct operation of Dr.Web for Linux:
•Customizing the interaction of components running at different privilege levels.
•Customizing the automatic start of Dr.Web for Linux components with user privileges.
•Configuring SpIDer Guard to intercept file access events.
|
To perform these procedures, superuser (root) privileges are required. To gain superuser privileges, use the su command for changing the current user or the sudo command to run the specified command as another user. |
Customizing the interaction of components running at different privilege levels
The privsock mechanism is designed to enable the operation of system network services that do not process information using the mandatory context but interact with processes that operate in the mandatory context of an access subject. drweb-configd is the Dr.Web for Linux service component that is responsible for interaction of all anti-virus components among each other.
To grant the configuration management daemon of Dr.Web for Linux (drweb-configd) a privilege to use privsock, it is necessary to edit the /etc/parsec/privsock.conf system file. To change settings, we recommend that you use the drweb-configure configuration tool bundled with Dr.Web for Linux, or you can make manual changes to the required configuration files.
1. Using the drweb-configure tool
The required changes will be made automatically after running the following command:
# drweb-configure session <mode> |
where <mode> may have one of the following values:
•enable—use privsock;
•disable—do not use privsock.
|
Logging events of the drweb-session component (if it is active, that is, the enable mode is used) with syslog may not work in Astra Linux 1.5 as expected when components are run at higher privilege levels. To enable logging, restart rsyslogd as follows:
|
2. Manual modification of configuration files
For Astra Linux SE version 1.6 and later
1.Open the /etc/parsec/privsock.conf file in any text editor. Add the following lines to this file:
/opt/drweb.com/bin/drweb-configd |
2.Save the file and restart the operating system.
Customizing the automatic start of the components with user privileges
To make Dr.Web for Linux components with which the user interacts available in the user environment (when the user works at a privilege level other than zero), you need to make changes to the files containing PAM settings to ensure the automatic start of the required Dr.Web for Linux components at the beginning of the user session and their termination at the end of the session. The module (the custom pam_drweb_session.so PAM module by Doctor Web starts the drweb-session mediation component, which connects the local copies of components running in the user environment to the components operating with zero-level privileges and running automatically at the OS startup).
To change PAM settings, we recommend that you use the drweb-configure configuration tool bundled with Dr.Web for Linux, or you can make manual changes to the required configuration files.
1. Using the drweb-configure tool
To make configuring complex parameters of Dr.Web for Linux more convenient, we have developed a dedicated auxiliary tool drweb-configure.
1.To enable or disable the automated start of the required Dr.Web for Linux components in the environment of the user who has a privilege level other than zero, use the following command:
# drweb-configure session <mode> |
where <mode> may have one of the following values:
•enable—enable the automated start of the necessary components during the user session with user privileges.
•disable—disable the automated start of the required components during the user session with user privileges (this will render a number of Dr.Web for Linux functions unavailable).
2.Restart the operating system.
|
To use help on how to use drweb-configure for configuring PAM settings, run the following command:
|
2. Manual modification of PAM configuration
For Аstra Linux and other distributions using the pam_parsec_mac.so PAM module
1.To change PAM configuration, you need to modify all configuration files in /etc/pam.d directory that start the pam_parsec_mac.so PAM module. You can get the full list of such files by performing the following command:
# grep -R pam_parsec_mac.so /etc/pam.d |
Add the following records of the session type to all files from the list:
•Above the first record of the session type:
session optional pam_drweb_session.so type=close |
•After the last record of the session type:
session optional pam_drweb_session.so type=open |
2.Save the changed files.
3.Create a symbolic link to the pam_drweb_session.so file from the system directory containing PAM modules. The pam_drweb_session.so file is located in the Dr.Web for Linux library directory /opt/drweb.com/lib/ (for 64-bit operating systems, for instance, the path to the module is /opt/drweb.com/lib/x86_64-linux-gnu/pam/).
4.Restart the operating system.
Configuring SpIDer Guard to intercept file access events
To give the SpIDer Guard file monitor an ability to detect the attempts of accessing files, which have any level of access privileges, you need to switch SpIDer Guard to the Fanotify operating mode.
To switch SpIDer Guard to the Fanotify operating mode, run the following command:
# drweb-ctl cfset LinuxSpider.Mode Fanotify |
To get additional information, run the following command:
$ man drweb-spider |