KESL rejects connection from kesl-control, gui or nagent due to non-root write permissions [KES for Linux]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem

There are several problems with similar causes:

1) KESL postinstall script produces error.

Warning: Failed to set up KSN

2) KESL is installed and running. However, the kesl-control command outputs something like that:

kesl-control --app-info

Connection refused. Invalid user permissions for /var.

Only root user should have write access to this path.

kesl-control --app-info

Could not connect to Kaspersky Endpoint Security 11.2.2 for Linux

3) KESL is installed and running, kesl-control indicates no problems. However, kesl-gui shows the Application is currently unavailable error.

4) KESL is installed and running, nagent indicates no connectivity problems. However, KSC shows that KESL is stopped and can't be started.

5) (Starting from 11.3) KESL journal errors "RemoteConnectionRejected"

EventType=RemoteConnectionRejected
EventId=4385
Initiator=Product
Date=2024-04-09 16:28:59
DangerLevel=Critical
Reason=InvalidPermissions
Path=/var
Process=/var/opt/kaspersky/kesl/11.4.0.1096_1684141407/opt/kaspersky/kesl/bin/kesl-control

6) (Starting from 11.3) Nagent errors "Remote Connection Rejected"

Note that in case the problem is with nagent itself (i.e not kesl-control or kesl-gui), nagent actually will not send these events to KSC due to very same issue.

Root cause

KESL service implements defensive internal logic which denies connections from not "trusted" processes. One of the causes is that the process executable file or some library it loads can be overwritten by a non-root user:

1) The Owner is not "root".

2) FS write permission is granted to "Group" or "Other".

Such errors often serve as indication of some erratic configuration. For example:

• Some system administrators change ACL for /opt or other folder (which is supposed to not be widely accessible) to 777 because they don't want to work via sudo;
• In Astra Linux, the owner of the /var directory is sometimes changed to the fly-dm service user due to an error in the fly-dm package. Astra developers confirmed this bug and released fix. If the issue reproduces with new fly-dm versions, address Astra support.
• LD_PRELOAD variable may be used to load arbitrary libraries for any given process including KESL. This is usually the case when you see non-root permissions errors for some third-party libraries.

Solution

To restore proper permissions, use the chown and/or chmod commands:

chown root:root /path/to/folder chmod g-w,o-w /path/to/folder

Please exercise caution and rely upon common sense when changing permissions for / and folders straight under /.

It depends on the environment which files/folders are checked, thus a complete list cannot be provided.

1)

# ls -ld / /var /var/opt /opt /opt/kaspersky /bin /usr /usr/lib /usr/lib64 | egrep -v '^d.{4}-.{2}-.*root root' drwxr-xr-x. 20 x root 279 Apr 5 14:30 /var

 

2) (kesl 11.3+) check for RemoteConnectionRejected events. Path parameter should contain faulty directory. Check for events by directly querying events.db, or querying event database via kesl-control, or kesl-control errors depending on scenario.

See examples

Broken permissions for kesl, kesl-control errors

root@dc-ubuntu:~# chmod 777 /var/opt/kaspersky/kesl/ root@dc-ubuntu:~# kesl-control --app-info Connection refused. Invalid user permissions for '/var/opt/kaspersky/kesl'. Only root user should have write access to this path.

 

Broken permissions for klnagent, events.db query via kesl-control

root@dc-ubuntu:~# chmod 777 /opt/kaspersky/klnagent64 root@dc-ubuntu:~# systemctl restart klnagent64 root@dc-ubuntu:~# kesl-control -E --query 'EventType=="RemoteConnectionRejected"' | tail -n 20 Process=/opt/kaspersky/klnagent64/sbin/klnagent   EventType=RemoteConnectionRejected EventId=11301 Initiator=Product Date=2024-04-10 18:01:53 DangerLevel=Critical Reason=InvalidPermissions Path=/opt/kaspersky/klnagent64 Process=/opt/kaspersky/klnagent64/sbin/klnagent   EventType=RemoteConnectionRejected EventId=11302 Initiator=Product Date=2024-04-10 18:02:04 DangerLevel=Critical Reason=InvalidPermissions Path=/opt/kaspersky/klnagent64 Process=/opt/kaspersky/klnagent64/sbin/klnagent

events.db query via 3rd party tool (sqlite3 utility)

root@dc-ubuntu:~# sqlite3 /var/opt/kaspersky/kesl/private/storage/events.db 'SELECT date,process,path FROM events WHERE eventtype=134 ORDER BY date DESC LIMIT 3' 2024-04-10 16:17:16|/var/opt/kaspersky/kesl/11.4.0.1096_1684141407/opt/kaspersky/kesl/bin/kesl-control|/var 2024-04-10 15:09:04|/opt/kaspersky/klnagent64/sbin/klnagent|/opt/kaspersky/klnagent64 2024-04-10 15:08:49|/opt/kaspersky/klnagent64/sbin/klnagent|/opt/kaspersky/klnagent64

 

3) To get a full list of files loaded by KESL or klnagent, you can read /proc/<pid>/maps. Use commands in the example below to filter out all application-specific files that are located in the folders listed above and to see what other files are used:

# cat /proc/$(pidof -s klnagent)/maps | awk '{print $6}' | grep ^/ | grep -v 'kaspersky' | sort | uniq /usr/lib64/gconv/gconv-modules.cache /usr/lib64/ld-2.17.so /usr/lib64/libattr.so.1.1.0 /usr/lib64/libbz2.so.1.0.6 /usr/lib64/libc-2.17.so /usr/lib64/libcap.so.2.22 /usr/lib64/libdl-2.17.so /usr/lib64/libdw-0.176.so /usr/lib64/libelf-0.176.so /usr/lib64/liblzma.so.5.2.2 /usr/lib64/libm-2.17.so /usr/lib64/libnss_dns-2.17.so /usr/lib64/libnss_files-2.17.so /usr/lib64/libnss_myhostname.so.2 /usr/lib64/libpthread-2.17.so /usr/lib64/libresolv-2.17.so /usr/lib64/librt-2.17.so /usr/lib64/libz.so.1.2.7 /usr/lib/locale/locale-archive   # cat /proc/$(pidof kesl)/maps | awk '{print $6}' | grep ^/ | grep -v 'kaspersky' | sort | uniq /usr/lib64/gconv/gconv-modules.cache /usr/lib64/ld-2.17.so /usr/lib64/libc-2.17.so /usr/lib64/libdl-2.17.so /usr/lib64/libm-2.17.so /usr/lib64/libnss_dns-2.17.so /usr/lib64/libnss_files-2.17.so /usr/lib64/libpthread-2.17.so /usr/lib64/libresolv-2.17.so /usr/lib64/librt-2.17.so /usr/lib64/libz.so.1.2.7 /usr/lib/locale/locale-archive