ESET FILE SECURITY, Руководство по установке

Страница: 18 / 32

18
ESET File Security
initialization statement, insert the following line:
/sbin/modprobe dazuko
For BSD OS's the line
/sbin/kldconfig dazuko
must be inserted into the ‘/usr/local/etc/rc.d/esets_daemon.sh’ script.
Warning!
It is extremely important that these steps are executed in the exact order given. If
the kernel module is not located within the kernel modules directory it will not properly load,
resulting in system hang-up.
5.3. On-access scanner using preload LIBC library
In previous sections we described the integration of the On-access scanner powered by
Dazuko with Linux/BSD file system services. In this section we would like to point out that the
technique using Dazuko may not be desired by system administrators who maintain critical
systems where:
The source code and/or configuration files related to the currently running kernel are not
y
available
The kernel is more monolithic than modular
y
The Dazuko module simply does not support the given OS
y
In any of these cases, the On-access scanning technique based on the preload LIBC library
should be used. See section 5.3.1 below for detailed information. Please note that this section is
relevant only for Linux OS users and contains information regarding the operation, installation
and configuration of the On-access scanner using the preload library '
libesets_pac.so'
.
5.3.1. Operation principle
The On-access scanner
libesets_pac.so
(ESETS Preload library based file Access Controller) is a
shared objects library which is activated at system start-up. This library is used for LIBC calls by
file system servers such as FTP server, Samba server etc. Every file system object is scanned based
on customizable file access event types. The following event types are supported by the current
version:
open events
This file access type is activated if the word 'open' is present in the 'event_mask‘ parameter
in the eset.cfg file ([pac] section).
close events
This file access type is activated if the word ‘close‘ is present in the ‘event_mask‘ parameter in
the eset.cfg file ([pac] section). In this case, all file descriptor and FILE stream close functions of
the LIBC are intercepted.
exec events
This file access type is activated if the word ‘exec‘ is present in the ‘event_mask‘ parameter in
the eset.cfg ([pac] section). In this case, all exec functions of the LIBC are intercepted.