Configuring Security Subsystems

The presence of the SELinux enhanced security subsystem in the OS, as well as the use of mandatory access control systems such as PARSEC (as opposed to the classical discretionary model used by Unix), causes problems in the operation of Dr.Web Server Security Suite when its default settings are used. To ensure correct operation of Dr.Web Server Security Suite in this case, you need to make additional changes to the settings of the security subsystem and/or to the settings of Dr.Web Server Security Suite.

This section discusses the following settings that ensure correct operation of Dr.Web Server Security Suite:

configuring SELinux Security Policies;

configuring the launch in the CSE (Closed Software Environment) mode (OS Astra Linux SE 1.6 and 1.7).

Configuring the permissions of the PARSEC mandatory access control system for Dr.Web Server Security Suite allows the components of Dr.Web Server Security Suite to bypass the restrictions of the configured security policies and to access files that belong to different privilege levels.

Even if you have not configured the permissions of the PARSEC mandatory access control system for Dr.Web Server Security Suite, you can still launch file scanning directly from the command line. To do this, run the drweb-ctl command in standalone mode by specifying the --Autonomous option in the command call. When scanning is launched this way, only files that can be accessed with privileges not exceeding those of the user who launched the scan can be scanned.

This mode has the following aspects:

To start a standalone instance, you need a valid key file; operation in centralized protection mode is not supported (an option to install the key file exported from the centralized protection server is available). In this case, even if Dr.Web Server Security Suite is connected to the centralized protection server, the standalone instance does not notify the centralized protection server of threats detected in standalone instance mode.

All additional components that support the functioning of the standalone instance will be started on behalf of the current user and will work with a specifically generated configuration file.

All temporary files and Unix sockets used for interaction of components are created only in a directory with a unique name, which is created when the standalone instance is started. The unique temporary directory is created in the directory for temporary files (specified by the TMPDIR environment variable).

All the required paths to virus databases, the scan engine and executable files used during scanning are defined by default or retrieved from the special environment variables.

The number of standalone instances running simultaneously is not limited.

When the standalone instance is shut down, the set of components that manage its operation is also shut down.
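
The following wrapper is an added example, not part of the Dr.Web documentation or product. It lists the paths a standalone scan cannot cover because the launching user cannot read them, then runs the scan with TMPDIR pointing at a private directory. The function names, the private TMPDIR choice and the use of the drweb-ctl scan subcommand (not shown on this page) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Dr.Web code); all function names are hypothetical.

# Create a directory only the current user can enter and print its path.
# The standalone instance creates its unique temporary directory (temporary
# files and Unix sockets) inside whatever TMPDIR points to.
make_private_tmpdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/drweb-standalone.XXXXXX") || return 1
    chmod 700 "$d" && printf '%s\n' "$d"
}

# Print every path under $1 that the current user cannot read. A standalone
# scan runs with this user's privileges, so these paths are not scanned.
unreadable_paths() {
    find "$1" 2>/dev/null | while IFS= read -r p; do
        [ -r "$p" ] || printf '%s\n' "$p"
    done
}

# Report the coverage gap, then run the scan in standalone mode.
autonomous_scan() {
    target=$1
    [ -e "$target" ] || { echo "no such path: $target" >&2; return 2; }
    command -v drweb-ctl >/dev/null 2>&1 ||
        { echo "drweb-ctl not found in PATH" >&2; return 127; }
    skipped=$(unreadable_paths "$target")
    if [ -n "$skipped" ]; then
        echo "Not readable by $(id -un), will not be scanned:" >&2
        printf '%s\n' "$skipped" >&2
    fi
    priv=$(make_private_tmpdir) || return 1
    rc=0
    # TMPDIR is set for this one command only; the caller's value is kept.
    TMPDIR=$priv drweb-ctl scan "$target" --Autonomous || rc=$?
    # rmdir succeeds only if the instance left nothing behind.
    rmdir "$priv" 2>/dev/null || true
    return "$rc"
}

# Usage: sh standalone-scan.sh /path/to/scan
if [ "$#" -gt 0 ]; then
    autonomous_scan "$1"
fi
```

Paths reported as unreadable need a scan launched with sufficient privileges, or the PARSEC permissions described above.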