Configuring isolated Administration Servers to fix vulnerabilities in an isolated network

After configuring the Administration Server with internet access, prepare every isolated Administration Server within your network to fix vulnerabilities and install updates on managed devices connected to these isolated Administration Servers.

To configure isolated Administration Servers, follow the steps below for each Administration Server:

1. Activate a license key for the Vulnerability and patch management (VAPM) feature.
2. Create two folders on the disk where the Administration Server is installed:
   • Folder for the list of required updates
   • Folder for patches

   You can name these folders as desired.

3. Grant the Modify right to the KLAdmins group in the created folders, by using the standard administrative tools of the operating system.
4. Use the klscflag utility to specify the paths to the folders in the Administration Server properties.

   Run the command line, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the directory where the Administration Server is installed. The default installation path is /opt/kaspersky/ksc64/sbin.

5. Run the following commands in the command line:
   • To set the path to the folder for patches:

     klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PATH -t s -v "<path to the folder>"

   • To set the path to the folder for the list of required updates:

     klscflag -fset -pv klserver -n VAPM_REQ_EXPORT_PATH -t s -v "<path to the folder>"

   Example: klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PATH -t s -v "/FolderForPatches"

6. If necessary, use the klscflag utility to specify how often the isolated Administration Server should check for new patches:

   klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PERIOD_SEC -t d -v <value in seconds>

   The default value is 120 seconds.

   Example: klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PERIOD_SEC -t d -v 120

7. If necessary, use the klscflag utility to calculate the SHA256 hashes of patches:

   klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_VERIFY_HASH -t d -v 1

   By running this command, you can make sure that the patches have not been modified during their transfer to the isolated Administration Server and that you have received the correct patches containing the required updates.

   By default, Kaspersky Security Center Linux does not calculate the SHA256 hashes of patches. If you enable this option, after the isolated Administration Server receives patches, Kaspersky Security Center Linux computes their hashes and compares the acquired values with the hashes stored in the Administration Server database. If the calculated hash does not match the hash in the database, an error occurs and you have to replace the incorrect patches.

8. Create and schedule the Find vulnerabilities and required updates task. Run the task manually if you want it to run earlier than it is specified in the task schedule.
9. Restart the Administration Server service.

After configuring all Administration Servers, you can transmit patches and lists of required updates and fix third-party software vulnerabilities on managed devices within the isolated network.