KL 020.13 KHCS en Labs v0.9.15


KL 020.13: Kaspersky Hybrid Cloud Security.

Public Clouds & DevOps

Lab guide

Table of contents
Lab 1. Prepare Amazon Web Services environment
Task A: Go to Amazon Web Services console and configure it
Task B: Start your EC2 instances
Task C: Open S3 Bucket console and copy credentials of the service account
Lab 2. Preparing Kaspersky Security Center Cloud Console and connecting it to Amazon Web Services
Task A: Connect to Kaspersky Security Center Cloud Console
Task B: Set up a task to synchronize inventory information with the Amazon Web Services cloud
Task C: Prepare installation packages and policies to protect cloud resources
Lab 3. Installing Network Agent and Kaspersky Endpoint Security using Amazon Web Services
Task A: Install Network Agent for Linux using Run Command in Systems Manager
Task B: Install Network Agent for Windows using a script in User Data
Task C: Install Kaspersky Endpoint Security and Kaspersky Endpoint Security for Linux on EC2 instances
Lab 4. Configuring Kaspersky Endpoint Security for Linux to protect containers
Set up a container environment protection policy, start a malicious container and make sure Kaspersky Endpoint Security for Linux protects the container environment
Lab 5. Integrating Kaspersky Endpoint Security for Linux into CI/CD with Jenkins
Task A: Configure a container environment protection policy for CI/CD
Task B: Configure Jenkins and integration with Kaspersky Endpoint Security for Linux
Task C: Create a job to scan containers for malicious code
Lab 6. Automation of new container image scanning with GitHub
Task A: Set up a webhook between Jenkins and GitHub
Task B: Test automatic launch of the job that builds and scans a container image
Lab 7. Scanning third-party container images and uploading trusted images to a private repository via KESL container
Task A: Build a KESL container using Docker Build
Task B: Prepare the configuration files and run KESL container
Task C: Send POST requests to the KESL container service to scan container images


Lab 1.
Prepare Amazon Web Services environment
Scenario. The Kaspersky Hybrid Cloud Security solution is designed to protect hybrid cloud environments. Your
company has decided to deploy some of its resources in Amazon Web Services. To protect them, we’ll use
Kaspersky Security Center Cloud Console with a Kaspersky Hybrid Cloud Security license. First of all, you will
need to prepare the Amazon Web Services console, start EC2 instances and copy the authorization data of the
KCSA service account.

Contents. In this lab, we will:

1. Go to Amazon Web Services console and configure it
2. Start EC2 instances
3. Open S3 Bucket console and copy credentials of the service account

Task A: Go to Amazon Web Services console and configure it


Every student has received an Amazon Web Services account for the training and is working in a real Amazon
Web Services management console. In this task, you will configure the console to optimize your work with services.

We will use:
– Virtual Private Cloud (VPC)
– Elastic Compute Cloud (EC2)
– Simple Storage Service (S3)
– Simple Systems Manager (SSM)
– Secrets Manager

The task is performed on the physical computer.


1. Launch a browser: Google Chrome or Mozilla Firefox
2. Go to https://<your Account ID>.signin.aws.amazon.com/console

Ask the instructor for your Account ID

3. Connect to the Amazon Web Services Management Console

Ask the instructor for your username and password

4. Enter a new password


5. Click Confirm password change

6. In the search box, type names of the following services (one by one), pause on the name of each service
and click the star to add it to your Favorites list:
– Virtual Private Cloud (VPC)
– Elastic Compute Cloud (EC2)
– Simple Storage Service (S3)
– Simple Systems Manager (SSM)
– Secrets Manager

Task B: Start your EC2 instances


In the Favorites list, click the EC2 icon to open the Amazon EC2 console and filter instances by your username.
Select your instances and start them. In the Favorites list, click the VPC icon to open the Amazon VPC console,
filter the list by your username and save your VPC ID in a text file.

The task is performed on the physical computer.


1. In the Favorites list, click the EC2 icon
2. In the navigation bar, choose the name of the currently displayed region. Then choose the region to which you want to switch

Ask the instructor about your region

3. On the side menu, select Instances
4. In the search box, type user = and select your username
A list of your EC2 instances (three virtual machines) will be displayed
5. Select all instances on the list
6. Click Instance State and select Start Instance
7. In the Favorites list, click the VPC icon
8. Click VPCs
9. In the search box, type user = and select your username
Your VPC will be displayed
10. Copy your VPC ID to Notepad and save this text file

Task C: Open S3 Bucket console and copy credentials of the service account
Ask the trainer for a direct link to your S3 bucket and check access to your folder. Open the Secrets Manager
console from the Favorites list, open the available secret with credentials of the KCSA service account and copy
them into a text file.

The task is performed on the physical computer.


1. Ask the trainer for your S3 URL and open it
2. Add this link to your Favorites bar in the browser
3. Open the folder with your username
4. Make sure the buttons Create Folder and Upload are available
5. In the Favorites list, click the Secrets Manager icon
6. Click /KCSA/credentials/KCSA
7. Find the Secret value area and click Retrieve Secret Value
8. Copy your ACCESS_KEY and SECRET_KEY to Notepad and save the text file

Conclusion

In this lab, you’ve got acquainted with the Amazon Web Services environment, configured quick access to the
necessary services and set up a filter for your EC2 instances. Also, you’ve saved credentials of your KCSA service
account.

Lab 2.
Preparing Kaspersky Security Center Cloud Console
and connecting it to Amazon Web Services
Scenario. You will connect to Kaspersky Security Center Cloud Console from which you will manage protection of
your cloud and DevOps resources. You will complete the quick start wizard, enter a test license key and connect to
the Amazon Web Services cloud. You will also generate standalone installation packages for Kaspersky Endpoint
Security for Windows and Linux, create a security policy and upload them to your folder on S3 Bucket.

Contents. In this lab, we will:

1. Connect to Kaspersky Security Center Cloud Console
2. Set up a task to synchronize inventory information with the Amazon Web Services cloud
3. Prepare installation packages and policies to protect cloud resources

Task A: Connect to Kaspersky Security Center Cloud Console


Connect to Kaspersky Security Center Cloud Console, create your test organization and lab workspace. Enter the
test license key and proceed through the quick start wizard.

The task is performed on the physical computer.


1. Go to https://ksc.kaspersky.com/
2. Enter your credentials and click Sign In

Ask the instructor for your username and password

3. Accept the agreement and the privacy policy
4. Specify the company name

Ask the instructor about it

5. Click Next
6. Enter the Workspace name and specify 20 expected devices
7. Click Next
8. Enter the test license key

Ask for the key from the instructor

9. Click Verify and Next
10. Click Go to workspace

You may need to wait a bit for the service to be activated

11. On the Cloud Environment Configuration Wizard page, click Next
12. In the warning window, click Show current application versions
13. You need to download and prepare the following installation packages:
– Kaspersky Endpoint Security for Linux
– Kaspersky Security for Windows Server
– Kaspersky Network Agent for Windows
– Kaspersky Network Agent for Linux x64 rpm
14. Click the installation packages one by one and select Download and create installation package
15. Click Show EULA
16. Accept the agreement and the privacy policy
17. Click Accept and Close
18. On the page that opens, specify:
– Connection name – AWS
– Cloud environment – Amazon Web Services
– Access key ID – the saved ACCESS_KEY
– Secret key – the saved SECRET_KEY
19. Click Next
20. Click Next without selecting the checkbox
21. Select I agree to use Kaspersky Security Network and click Next
22. Select I confirm that I have fully read, understand, and accept the terms and conditions of the Kaspersky Security Network Statement and click Next
23. On the page that opens, click Next
24. Read the list of policies and tasks that will be created and click Create
25. Wait for the completion and click Next
26. Click Finish

Task B: Set up a task to synchronize inventory information with the Amazon Web Services cloud
Set up a task to synchronize your logically isolated Virtual Private Cloud (VPC) with the Cloud Console.

The task is performed on the physical computer.


1. In the Cloud Console, go to Devices and click Moving Rules
2. Click the existing rule Synchronize with Cloud
3. Under Apply Rule, select Apply rule continuously

For labs only! We recommend that you don't use this setting in a production environment

4. Switch to Rule Conditions | Cloud segments
5. On the tree, select your VPC ID (consult your text file in Notepad)
6. Click Save
7. Go to Devices | Managed Devices and make sure three EC2 instances are there

Task C: Prepare installation packages and policies to protect cloud resources


Download the Kaspersky Endpoint Security for Windows (English) installation package and create a security policy
for it. Prepare standalone installation packages for Kaspersky Endpoint Security for Windows and Linux and upload
them to S3 bucket.

The task is performed on the physical computer.


1. In the Cloud Console, go to Discovery & Deployment | Deployment & Assignment and select Installation Packages
2. Click Add
3. Select Create an installation package for a Kaspersky application
4. Click Next
5. Click Kaspersky Endpoint Security for Windows (English) (Lite encryption)
6. Click Download and create installation package
7. Click Show EULA
8. Accept the agreement and the privacy policy
9. Click Accept and Close
10. Select Kaspersky Network Agent for Windows (English) and click Deploy
11. Select Using a stand-alone package and click Next
12. On the page Move to list of managed devices, leave the default values unchanged and click Next
13. Wait for the completion
14. Click Download stand-alone installation package and wait for the download to complete
15. Click Finish
16. Select Kaspersky Network Agent for Linux x64 rpm (English) and click Deploy
17. Select Using a stand-alone package and click Next
18. On the page Move to list of managed devices, leave the default values unchanged and click Next
19. Wait for the completion
20. Click Download stand-alone installation package and wait for the download to complete
21. Click Finish
22. Go to Devices | Policies & Profiles
23. Click Add
24. Select Kaspersky Endpoint Security for Windows
25. Click Next
26. Select I agree to use Kaspersky Security Network and click Next
27. On the next page, leave the default values unchanged and click Save
28. Go to Operations | Licensing | Kaspersky Licenses
29. Click the name of the available license
30. Make sure the checkbox Automatically distribute license key to managed devices is selected
31. Close the license properties
32. Switch to the AWS tab and click the S3 icon in the Favorites list to open the S3 Bucket console
33. Click Upload
34. Click Add files and select the downloaded standalone installation packages
35. Click Upload and wait for the successful completion
36. Click Close
37. Select the installation package for Linux
38. Click Actions | Share with a presigned URL
39. Select Hours and enter 12
40. Click Create presigned URL

The link will be automatically copied to the clipboard. Paste it into a text file in Notepad

41. Select the installation package for Windows
42. Click Actions | Share with a presigned URL
43. Select Hours and enter 12
44. Click Create presigned URL

The link will be automatically copied to the clipboard. Save it into your text file

Conclusion

In this lab, we’ve configured the Cloud Console environment: completed its setup wizard and connected to Amazon
Web Services. We’ve also prepared standalone installation packages and uploaded them to S3 bucket. Each
installation package is accessible via a unique link.

Lab 3.
Installing Network Agent and Kaspersky Endpoint
Security using Amazon Web Services
Scenario. You’ve prepared Network Agent installation packages and uploaded them to S3 bucket. Now, let’s install
them on EC2 instances using standard Amazon Web Services tools, check the agents’ health and run the tasks to
install Kaspersky Endpoint Security for Windows and Linux.

Contents. In this lab, we will:

1. Install Network Agent for Linux using Run Command in Systems Manager
2. Install Network Agent for Windows using a script in User Data
3. Install Kaspersky Endpoint Security and Kaspersky Endpoint Security for Linux on EC2 instances

Task A: Install Network Agent for Linux using Run Command in Systems Manager
Log on to the Amazon Web Services console using your account and run the Network Agent installation task.

The task is performed on the physical computer.


1. In the Amazon Web Services console, in the Favorites list, click the Systems Manager icon
2. Find the button Explore Run Command and click it
3. Click Run Command
4. In the search box, type AWS-RunRemoteScript
5. Select the command AWS-RunRemoteScript
6. In the area that appears below, select Source Type S3
7. In the Source Info box, type {"path":"<your link to the installation package for Linux>"}

Attention! If you copy the text from our guide, make sure the quotes are straight quotes, not typographer's quotes

8. In the Command Line box, type klnagent64-13.2.2-1263.x86_64.sh
9. For Target selection, choose Specify instance tags
10. For the Tag key, specify SSMTag
11. For the Tag value, type <your username>-linux
12. Click Add
13. Under Output options, clear the checkbox Enable an S3 bucket
14. Click Run
15. Wait for the command to complete successfully
16. Click one of the Instance IDs
17. Scroll down to Step3 – Command description and status
18. Expand the Output section and make sure Kaspersky Network Agent has been successfully installed on the instance

Task B: Install Network Agent for Windows using a script in User Data
By default, user data scripts only run when you start an EC2 instance for the first time. Log on to the Amazon Web
Services console using your account, configure another run for the EC2 user data script, shut down the instance
and edit the PowerShell script in user data so that it installs Network Agent.

The task is performed on the physical computer.


1. In the Favorites list, click the EC2 icon
2. Select Instances
3. Select your Windows instance and click Connect
4. On the page that opens, on the Session Manager tab, click Connect
5. A new tab with the command prompt will open. Carry out the following command:

C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule

6. Make sure the result is Ready

This command will make the virtual machine process user data the next time its OS starts.

7. Close the current tab and return to the previous one
8. Click your instance ID in the breadcrumb menu at the top of the page EC2 > Instances > Your Instance ID
9. On the Instance state drop-down list, select Stop instance
10. In the pop-up window, click Stop
11. Wait for the instance to shut down
12. Click Actions | Instance Settings | Edit user data
13. In the New user data area, select Modify user data as text
14. Enter the following script. Replace <your link> with the link to the Installer.exe file that you created and saved:
<powershell>
# Presigned S3 link to the stand-alone Network Agent package
$url = "<your link>"
$outpath = "C:/installer.exe"
# Download the installer and run it silently, waiting for it to finish
Invoke-WebRequest -Uri $url -OutFile $outpath
Start-Process -Wait -FilePath $outpath -ArgumentList "/s" -PassThru
# Set the local administrator's password (needed later for RDP)
net user administrator Ka5per5Ky
</powershell>
15. Click Save

The net user command additionally sets the administrator’s password. We will need it later for RDP connections to the virtual machine.

16. Select your Windows instance
17. On the Instance state drop-down list, select Start instance
18. Wait for the start
19. Select your Windows instance and click Connect
20. On the page that opens, select the tab Session Manager and click Connect

You may need to wait up to 10 minutes for the Network Agent to install and start

21. A new tab with the command prompt will open
22. Carry out the following command to go to the Network Agent folder
cd 'C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\'
23. Carry out the following command to run the connection check utility
.\klnagchk.exe
24. Make sure that the Network Agent is running and has successfully connected to the Administration Server
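
The user data script in step 14 runs whatever the link returns. As an added example (not part of the original lab guide), the variant below checks that the presigned link has not expired, pins the download to a known SHA-256 and logs the outcome before running the installer. The file name, log path and the $expectedSha256 value are placeholders, and the password step from the lab script is left out.

```powershell
<powershell>
# Added example, not the lab's own script. Fill in the two placeholders below.
$ErrorActionPreference = 'Stop'

$url            = '<your link>'                   # presigned S3 link saved in Lab 2
$expectedSha256 = '<SHA-256 of your installer>'   # placeholder: hash taken before the upload to S3
$outpath        = Join-Path $env:ProgramData 'nagent-installer.exe'   # hypothetical file name
$log            = Join-Path $env:ProgramData 'nagent-install.log'     # hypothetical log path

function Write-Log([string]$Message) {
    "{0} {1}" -f (Get-Date -Format o), $Message | Add-Content -Path $log
}

# Returns the UTC time at which a SigV4 presigned URL stops working,
# read from its X-Amz-Date and X-Amz-Expires query parameters.
function Get-PresignedExpiry([string]$Url) {
    Add-Type -AssemblyName System.Web
    $query  = [System.Web.HttpUtility]::ParseQueryString(([Uri]$Url).Query)
    $styles = [Globalization.DateTimeStyles]::AssumeUniversal -bor
              [Globalization.DateTimeStyles]::AdjustToUniversal
    $signed = [datetime]::ParseExact($query['X-Amz-Date'], "yyyyMMdd'T'HHmmss'Z'",
              [Globalization.CultureInfo]::InvariantCulture, $styles)
    return $signed.AddSeconds([int]$query['X-Amz-Expires'])
}

try {
    if (([Uri]$url).Scheme -ne 'https') { throw 'refusing a non-HTTPS download link' }

    # A link created for 12 hours fails with 403 if the instance boots later than that.
    $expiry = Get-PresignedExpiry $url
    if ((Get-Date).ToUniversalTime() -ge $expiry) {
        throw "presigned link expired at $($expiry.ToString('o'))"
    }

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $url -OutFile $outpath -UseBasicParsing

    # Gate: run the file only if it is byte-for-byte the package that was uploaded.
    $actual = (Get-FileHash -Path $outpath -Algorithm SHA256).Hash
    if ($actual -ne $expectedSha256) { throw "SHA-256 mismatch, got $actual" }

    # Logged only: this example does not assume the stand-alone package is signed.
    $sig = Get-AuthenticodeSignature -FilePath $outpath
    Write-Log "Authenticode status: $($sig.Status)"

    $proc = Start-Process -FilePath $outpath -ArgumentList '/s' -Wait -PassThru
    Write-Log "installer exit code: $($proc.ExitCode)"
}
catch {
    # Record the reason and remove the unverified download so it cannot be run later.
    Write-Log "installation aborted: $_"
    if (Test-Path $outpath) { Remove-Item $outpath -Force }
}
</powershell>
```

The expected hash can be taken with Get-FileHash -Algorithm SHA256 on the computer where the stand-alone package was downloaded from the Cloud Console, before it is uploaded to S3.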

Task C: Install Kaspersky Endpoint Security and Kaspersky Endpoint Security for Linux on EC2 instances
We’ve installed Network Agent on Windows and Linux instances. Now, let’s create and run tasks to remotely install
security applications on our instances using the Network Agent.

The task is performed on the physical computer.


1. Return to the Kaspersky Security Center Cloud Console tab
2. Go to Discovery & Deployment | Deployment & Assignment | Installation Packages
3. Select Kaspersky Endpoint Security for Linux (English)
4. Click Deploy
5. Select Using the remote installation task and click Next
6. Select Kaspersky Network Agent for Linux x64 (English) and click Next
7. Click Select devices for installation
8. In the group structure, select ip-10-28-0-50 and ip-10-28-0-100
9. Click Next
10. For the Task name, type KESL for AWS
11. Make sure the following checkboxes are selected:
– Using Network Agent
– Do not re-install application if it is already installed
12. Click Next
13. Select Restart the device to force a reboot if the need arises
14. Click Next
15. On the page Move to list of managed devices, leave the default values unchanged and click Next
16. On the page Select accounts to access devices, leave the default value unchanged: No account required
17. Select Run the task after the Wizard finishes
18. Click Next
19. Return to Discovery & Deployment | Deployment & Assignment | Installation Packages
20. Select Kaspersky Endpoint Security for Windows (English)
21. Click Deploy
22. Select Using the remote installation task and click Next
23. Select Kaspersky Network Agent for Windows (English) and click Next
24. Click Select devices for installation
25. On the tree, select the instance whose name starts with "EC2AMAZ-" and click Next
26. For the Task name, type KES for AWS
27. Make sure the following checkboxes are selected:
– Using Network Agent
– Do not re-install application if it is already installed
28. Click Next
29. Select Restart the device to force a reboot if the need arises
30. Click Next
31. On the page Removing incompatible applications before installation, leave the default values unchanged and click Next
32. On the page Move to list of managed devices, leave the default values unchanged and click Next
33. On the page Select accounts to access devices, leave the default value unchanged: No account required
34. Select Run the task after the Wizard finishes
35. Click Next
36. Open Devices | Managed devices
37. Open the properties of each instance one by one and select the checkbox Do not disconnect from the Administration Server
38. Click Save

This is required in our lab environment, because we do not configure a distribution point. We recommend that you don't use this setting in a production environment.

39. Wait for the protection components to be installed
40. Return to the Amazon Web Services console
41. Restart the EC2 virtual machines

The restart is required because updates are additionally downloaded and installed after the main installation of security components.

Conclusion
In this lab, we installed the Network Agent on EC2 instances using standard Amazon Web Services tools and then
installed security applications on Linux and Windows instances using Network Agent.

Lab 4.
Configuring Kaspersky Endpoint Security for Linux to
protect containers
Scenario. You’ve installed Kaspersky Endpoint Security on an EC2 DevOps instance. Docker engine was
pre-installed on the instance. Now, you will configure a container protection policy and run a container with
malicious files. An application will try to unpack malicious archives within the container, but the container will be
automatically stopped and deleted.

Set up a container environment protection policy, start a malicious container and make sure Kaspersky Endpoint Security for Linux protects the container environment
Log on to the Kaspersky Security Center Cloud Console using your account and configure a container environment
protection policy.

The task is performed on the physical computer.


1. Open Devices | Policies & Profiles
2. Click Kaspersky Endpoint Security for Linux
3. Open Application Settings and click File Threat Protection
4. Under File Threat Protection mode, select When opened and modified
5. Click OK

This option is used in the lab environment for demonstration. We recommend that you don't change the default value in a production environment.

6. On the Application Settings tab, open the General Settings section and click Application settings
7. Select the checkbox Detect legitimate applications that may be used by hackers to harm devices or data
8. Click OK
9. In Application Settings | General Settings, click Container scan settings
10. Select Stop container if disinfection fails
11. Enforce all settings in the Container Scan Settings window
12. Click OK and then Save
13. Go to Devices | Managed devices
14. Click ip-10-28-0-50
15. Click Force synchronization
16. Wait for the synchronization to complete successfully

This helps speed up applying the reconfigured policy.

17. Switch to the Amazon Web Services console
18. In the Favorites list, click the EC2 icon
19. Select Instances
20. Select your DevOps instance and click Connect
21. On the Session Manager tab, click Connect
22. A new tab with the command prompt will open. Carry out the following commands one by one:
sudo docker run -ti techedu/alpine:1.0
wget https://secure.eicar.org/eicar.com -O eicar.com
ls
cat eicar.com
ls
23. Make sure that the file eicar.com hasn’t opened and has been deleted
24. Stop the container using the command
exit
25. Switch to the Kaspersky Security Center Cloud Console tab
26. If necessary, enter your username and password
27. Open Monitoring & Reporting | Event Selections
28. Click Recent events
29. Find the event named Object deleted for the instance ip-10-28-0-50
30. Click the link with the date and time
31. Make sure Kaspersky Endpoint Security for Linux deleted the pseudo-malicious test file eicar.com
32. Return to the Amazon Web Services tab with the connection to the DevOps instance
33. Carry out the following command:
sudo docker run -ti techedu/docker-eicar:1.0
34. Note that the archived files with test pseudo-malicious code were neither detected nor deleted
35. Switch to the Kaspersky Security Center Cloud Console tab
36. Open Devices | Policies & Profiles
37. Click Kaspersky Endpoint Security for Linux
38. Open Application Settings and click File Threat Protection
39. In the Compound file scan settings area, select the checkbox Scan archives
40. Click OK and then Save
41. Go to Devices | Managed devices
42. Click ip-10-28-0-50
43. Click Force synchronization

This helps speed up applying the reconfigured policy.

44. Return to the Amazon Web Services tab with the connection to the DevOps instance
45. Carry out the following command:
sudo docker run -ti techedu/docker-eicar:1.0
46. Note that the archived files with test pseudo-malicious code are deleted immediately
47. Return to the Kaspersky Security Center Cloud Console tab
48. Open Monitoring & Reporting | Event Selections
49. Click Recent events
50. Find the latest event named Object deleted for the instance ip-10-28-0-50 and click the link with the date and time
51. Make sure Kaspersky Endpoint Security for Linux deleted the pseudo-malicious test archive eicar.tar.gz

Conclusion
In this lab, we’ve set up container environment protection policies and checked how Kaspersky Endpoint Security
for Linux protects containers against malware.

Lab 5.
Integrating Kaspersky Endpoint Security for Linux
into CI/CD with Jenkins
Scenario. You’ve installed Kaspersky Endpoint Security on an EC2 Jenkins instance. Now, you need to add a
container scanning job to the CI/CD pipeline to be able to detect malware at any stage. Docker engine and Jenkins
were pre-installed on the instance. You will create a new container environment protection policy to enable Jenkins
to run container scanning jobs. You will also configure Jenkins and create a container scanning job.

Contents. In this lab, we will:

1. Configure a container environment protection policy for CI/CD
2. Configure Jenkins and integration with Kaspersky Endpoint Security for Linux
3. Create a job to scan containers for malicious code

Task A: Configure a container environment protection policy for CI/CD


Log on to the Kaspersky Security Center Cloud Console using your account and configure a container environment
protection policy.

The task is performed on the physical computer.


1. Return to the Kaspersky Security Center Cloud Console tab
2. Open Devices | Policies & Profiles
3. Select Kaspersky Endpoint Security for Linux
4. Click Copy
5. Select Cloud and click Add child group
6. For the Group name, type Jenkins
7. Click OK and then Copy
8. In the pop-up window, click OK
9. Open the created policy Kaspersky Endpoint Security for Linux (the one with Jenkins in the Group column)
10. For the Name, type Jenkins policy
11. Select Active
12. Switch off the toggle Inherit settings from parent policy
13. Switch to the Application Settings tab
14. Click Web Threat Protection
15. Disable Web Threat Protection and click OK
16. Click File Threat Protection
17. Disable File Threat Protection and click OK
18. In the Application Settings, select Local Tasks
19. Click Task management
20. Select the checkbox Allow users to view and manage local tasks
21. Click OK
22. Click Save
23. Open Devices | Managed devices
24. Make sure that Administration Server is selected in the Current path line
25. Click ip-10-28-0-100
26. Click Move to group
27. Select Jenkins and click Move
28. Click ip-10-28-0-100
29. In the window that opens, click Force synchronization

This helps speed up applying the reconfigured policy

30. Return to the Amazon Web Services console and restart the Jenkins virtual machine

Task B: Configure Jenkins and integration with Kaspersky Endpoint Security for Linux
Log on to the Amazon Web Services console using your account and configure Jenkins to work with Kaspersky
Endpoint Security for Linux.

The task is performed on the physical computer.


1. Connect to the Amazon Web Services management console
2. In the Favorites list, click the EC2 icon
3. Select Instances
4. Select your Jenkins instance and click Connect
5. On the Session Manager tab, click Connect
6. A new tab with the command prompt will open. Carry out:
sudo cat /var/lib/jenkins/secrets/initialAdminPassword
7. Copy your password to Notepad and save this text file
8. Return to the tab Connect to instance and click the Instance ID in the breadcrumb menu at the top of the page EC2 > Instances > Instance ID
9. Copy the Public IPv4 address
10. Open a new browser tab and go to http://<Public IPv4 address>:8080
11. Enter the password that you’ve saved
12. Click Continue
13. Select Install suggested plugins

Wait for Jenkins to download all the necessary plugins

14. To create a new user, specify:
– Your Amazon Web Services username (lowercase)
– Enter the password
– Your Email address
15. Click Save and continue
16. On the Instance Configuration page, leave the default value unchanged and click Save and finish
17. Click Start using Jenkins
18. Return to the Connect to instance tab of the Amazon Web Services console
19. Click Connect
20. A new tab with the command prompt will open. Carry out:
sudo kesl-control --grant-role admin jenkins
sudo usermod -aG docker jenkins
sudo systemctl restart docker.service
sudo chown jenkins /var/run/docker.sock
sudo sed -i -e '$ajenkins ALL=(ALL) NOPASSWD: ALL' /etc/sudoers

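These commands grant the jenkins user the KESL admin role, add it to the docker group, make it the owner of the Docker socket and give it passwordless sudo for all commands, so that it can run docker commands with root privileges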
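
The last command in step 20 appends a rule that lets jenkins run any command as any user without a password. The following added example (not part of the lab guide or of Kaspersky's tooling) is an audit function that flags such blanket rules in sudoers-style text. The function names, the sample lines and the /usr/local/bin/scan-image.sh path are constructed for illustration, and only simple one-line rules are parsed.

```shell
#!/bin/sh
# Added example (not from the lab guide): flag sudoers rules that allow ALL
# commands without a password, like the line appended in step 20.
# Assumption: simple one-line user specifications; aliases, includes and
# backslash continuations are not resolved.

# find_blanket_nopasswd FILE
# Prints "principal<TAB>rule" for each rule whose command list, after a
# NOPASSWD: tag, contains the bare keyword ALL. Returns 0 if any rule matched.
find_blanket_nopasswd() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }   # not user specifications
        {
            eq = index($0, "=")
            if (eq == 0) next
            spec = substr($0, eq + 1)                 # e.g. "(ALL) NOPASSWD: ALL"
            sub(/^[ \t]*\([^)]*\)/, "", spec)         # drop the optional runas part
            if (spec !~ /NOPASSWD[ \t]*:/) next
            sub(/.*NOPASSWD[ \t]*:/, "", spec)        # commands covered by the tag
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c == "ALL") { printf "%s\t%s\n", $1, $0; found = 1; break }
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample content, not taken from a real host. The scanner rule is
# a hypothetical rule limited to one named command, for comparison.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
jenkins ALL=(ALL) NOPASSWD: ALL
scanner ALL=(root) NOPASSWD: /usr/local/bin/scan-image.sh
%ops ALL=(ALL) NOPASSWD: /usr/bin/id, ALL
EOF
}

sample=$(mktemp)
write_sample_sudoers "$sample"
find_blanket_nopasswd "$sample" || echo "no blanket NOPASSWD rules found"
rm -f "$sample"
```

On a real host the function would be pointed at /etc/sudoers and each file under /etc/sudoers.d.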

Task C: Create a job to scan containers for malicious code


In the Jenkins console, create a new project to scan container images for malicious code using Kaspersky
Endpoint Security for Linux.

The task is performed on the physical computer.


1. Open the tab with the Jenkins web interface and click Create a job
2. Under Enter an item name, type Container scan job
3. Choose Freestyle project
4. Click OK
5. On the page that opens, select This project is parameterized
6. Click Add parameter and select String Parameter
7. For the Name, type TEST_CONTAINER_IMAGE
8. In the Build area, click Add build step and select Execute shell
9. Download the jenkins_shell_template.txt template file from https://khcs-ted-s3.s3.us-west-1.amazonaws.com/jenkins_shell_template.txt
10. Copy and paste the contents of the file jenkins_shell_template.txt
11. Click Add build step
12. Select Execute shell
13. Download the jenkins_scan_template.txt template file from https://khcs-ted-s3.s3.us-west-1.amazonaws.com/jenkins_scan_template.txt
14. Copy and paste the contents of the file jenkins_scan_template.txt
15. Click Save
16. In the side menu, select Build with Parameters
17. Type techedu/alpine:1.0 for the container image name
18. Click Build
19. In the Permalinks area, click the top link Last build
20. On the side menu, click Console Output

The green icon indicates success

21. Make sure the console output displays No threats found

No threats were detected because we scanned an image without malicious code

22. Click Back to Project
23. Click Build with Parameters
24. For the parameters, specify techedu/eicar-file:1.0 and click Build
25. In the Permalinks area, click the top link Last build
26. On the side menu, click Console Output

The red icon indicates failure because a malicious file was found.

27. Make sure the console output displays THREATS_AMOUNT=1
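
The two builds above end green or red depending on what the scan step reports. The following added example (not the contents of the lab's jenkins_scan_template.txt, which this guide does not show) is a build gate that derives a verdict from captured scan output and fails closed when the output is missing. It assumes the log contains the two strings checked in steps 21 and 27; the function names and sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not the lab's template): fail-closed build gate over the
# console output of a container scan.
# Assumption: the log has a line containing "THREATS_AMOUNT=<n>" when threats
# are counted and the text "No threats found" for a clean image.

# scan_verdict FILE -> prints clean | infected | unknown
scan_verdict() {
    log=$1
    if [ ! -r "$log" ]; then echo unknown; return 0; fi
    # If the counter appears several times (several scans), keep the largest.
    n=$(sed -n 's/^.*THREATS_AMOUNT=\([0-9][0-9]*\).*$/\1/p' "$log" | sort -n | tail -n 1)
    if [ -n "$n" ] && [ "$n" -gt 0 ]; then
        echo infected                      # a non-zero counter always wins
    elif [ -n "$n" ] || grep -q 'No threats found' "$log"; then
        echo clean
    else
        echo unknown                       # scan did not run or log was cut short
    fi
}

# gate_build FILE -> exit status for the build step:
# 0 = clean, 1 = infected, 2 = no usable scan result (treated as a failure).
gate_build() {
    verdict=$(scan_verdict "$1")
    echo "scan verdict: $verdict"
    case $verdict in
        clean)    return 0 ;;
        infected) return 1 ;;
        *)        return 2 ;;
    esac
}

# Constructed sample log mirroring the failing build in step 27.
demo_log=$(mktemp)
printf 'Scanning techedu/eicar-file:1.0\nTHREATS_AMOUNT=1\n' > "$demo_log"
gate_build "$demo_log" || echo "build step would exit non-zero here"
rm -f "$demo_log"
```

Jenkins marks an Execute shell step as failed when it exits non-zero, so both the infected and the unknown verdict turn the build red.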

Conclusion
In this lab, we’ve configured Jenkins integration with Kaspersky Endpoint Security for Linux to scan container images.
We created a project to scan container images on demand and tested it.

Lab 6. Automation of new container image scanning with GitHub
Scenario. CI/CD automation significantly speeds up the development process. GitHub is a version control
repository popular among developers and DevOps engineers. Containers are described and created using a
Dockerfile. Any modification of a Dockerfile requires creating a new container to take into account the changes. In
this lab, you will set up integration between Jenkins and GitHub using a webhook and thus automate the process of
creating and scanning new containers when the Dockerfile changes.

Contents. In this lab, we will:

1. Set up a webhook between Jenkins and GitHub
2. Test automatic launch of the job that builds and scans a container image

Task A: Set up a webhook between Jenkins and GitHub
Log on to the GitHub and Jenkins consoles using your account and create a webhook to Jenkins.

The task is performed on the physical computer.


1. Open a new browser tab and go to https://github.com/login
2. Enter your username and password

Ask the trainer for your GitHub username and password

3. In the side menu, click the repository name <login>/KHCS
4. Switch to the Settings tab
5. On the side menu, select Webhooks
6. Click Add webhook
7. Open the tab with the Jenkins web interface and copy its IP from the address bar
8. Return to the GitHub tab
9. In the Payload URL textbox, paste the copied IP so that the URL looks like http://<public IP address>:8080/github-webhook/
10. Under Content type, select application/json
11. Click Add webhook
12. Click the profile icon in the upper right corner
13. Click Settings
14. In the side menu, at the bottom, select Developer Settings
15. Select Personal access tokens
16. Click Generate new token
17. In the Note textbox, type For Jenkins
18. Under Expiration, select 7 days
19. Select the repo scope
20. Click Generate token
21. Copy the token into a text file in Notepad
22. Return to your KHCS repository
23. In the Quick setup area, copy the hyperlink and save it in a text file
24. In the Quick setup area, click creating a new file
25. Under Name your file, type Dockerfile
26. Download the Dockerfile_template.txt template file from https://khcs-ted-s3.s3.us-west-1.amazonaws.com/Dockerfile_template.txt
27. Under Edit new file, paste the contents of Dockerfile_template.txt
28. Click Commit new file

We are creating a new Dockerfile, which we will edit in the future. Any change to it will send Jenkins a command to
build a container image with the new version of the Dockerfile and scan this image for malicious code.

29. Return to the Jenkins tab
30. In the side menu, select New Item
31. Under Enter an item name, type GitHub project
32. Choose Freestyle project
33. Click OK
34. Open the Source Code Management tab
35. Choose Git
36. In the Repository URL box, paste the saved link
37. Below the Credentials field, click the button Add and select Jenkins credential provider
38. Under Username, enter the name of your GitHub user
39. In the Password box, paste the saved token
40. Click Add
41. In the Credentials drop-down list, select the created credentials
42. Click the button Advanced
43. In the Branches to build area, delete the contents from the Branch Specifier box and leave it empty
44. On the Build Triggers tab, select GitHub hook trigger for GITScm polling
45. In the Build area, select Execute shell
46. Download the jenkins_GitHub_template.txt template file from https://khcs-ted-s3.s3.us-west-1.amazonaws.com/jenkins_GitHub_template.txt
47. Copy and paste the contents of the file jenkins_GitHub_template.txt
48. Edit the link in the following line
DOCKER_FILE=https://raw.githubusercontent.com/<login>/KHCS/master/Dockerfile

<login> - your GitHub username

49. Click Save

Task B: Test automatic launch of the job that builds and scans a container image
In the GitHub console, add a command that will download a pseudo-malicious file to the Dockerfile and check if the
job to build and test the container starts automatically.

The task is performed on the physical computer.


1. Return to the GitHub tab with your KHCS project and click Dockerfile
2. Click the pencil icon and select Edit this file
3. Add a new command to line 5
RUN wget http://www.eicar.org/download/eicar_com.zip
4. Click Commit changes
5. Switch to the Jenkins tab and refresh it
6. Click the link Last build
7. On the side menu, select Console Output

The build is considered non-successful because the container image contained malicious code and was deleted

8. Make sure the image was built with the new version of Dockerfile and Total detected objects=1

Conclusion
In this lab, we’ve set up integration between Jenkins and GitHub, automated the process of building container images
and scanning them for malware.

Lab 7. Scanning third-party container images and uploading trusted images to a private repository via KESL container
Scenario. You need to maintain a private repository of containers with trusted malware-free images. We will build
Kaspersky Endpoint Security for Linux as a container, run it as a service and send it POST requests to download a
container image from a public repository and scan it. If the container does not contain malicious code, it will be
considered trusted and uploaded into a private repository with trusted contents.

Contents. In this lab, we will:

1. Build a KESL container using Docker Build
2. Prepare the configuration files and run KESL container
3. Send POST requests to the KESL container service to scan container images

Task A: Build a KESL container using Docker Build
Log on to the Amazon Web Services console using your account and connect to the EC2 DevOps instance. Build a
KESL container.

The task is performed on the physical computer.


1. Connect to the Amazon Web Services management console
2. In the Favorites list, click the EC2 icon
3. Select Instances
4. Select your Jenkins instance and click Connect
5. On the page that opens, select the tab Session Manager and click Connect
6. In the command line tab that opens, go to the user's home folder
cd ~
7. Download the prepared build files from S3 Bucket
wget https://khcs-ted-s3.s3.us-west-1.amazonaws.com/docker-service-kesl64-11.2.0-4528.tgz -O docker-service-kesl64-11.2.0-4528.tgz
8. Unpack the archive
tar -xvf docker-service-kesl64-11.2.0-4528.tgz
9. Create a folder named distr
mkdir distr
10. Download the Kaspersky Endpoint Security for Linux distribution to the distr folder
wget https://khcs-ted-s3.s3.us-west-1.amazonaws.com/kesl-11.2.0-4528.x86_64.rpm -O /home/ssm-user/distr/kesl-11.2.0-4528.x86_64.rpm
11. Download the Network Agent file to the distr folder
sudo wget https://khcs-ted-s3.s3.us-west-1.amazonaws.com/klnagent.rpm -O /home/ssm-user/distr/klnagent.rpm
12. Copy the script build.sh
cp build.sh.example build.sh
13. Make it executable
chmod u+x build.sh
14. Delete Dockerfile.1809
rm Dockerfile.1809
15. Download the version of Dockerfile.1809 that was modified for our labs
wget https://khcs-ted-s3.s3.us-west-1.amazonaws.com/Dockerfile.1809 -O Dockerfile.1809
16. Build the container image
sudo ./build.sh
17. Wait for the build to be created and check if the kesl-service image is ready
sudo docker images -a

Task B: Prepare the configuration files and run KESL container


Prepare a file with KESL container settings and run it.

The task is performed on the physical computer.


1. Create a new config folder in the /home/ssm-user/ folder
cd ~
mkdir config
2. Download a ready script that will run KESL container
wget https://khcs-ted-s3.s3.us-west-1.amazonaws.com/run.sh -O /home/ssm-user/run.sh
3. Download a ready configuration file kesl-service.config to the folder /home/ssm-user/config
wget https://khcs-ted-s3.s3.us-west-1.amazonaws.com/kesl-service.config -O /home/ssm-user/config/kesl-service.config
4. Download the license file prepared in advance to the /home/ssm-user/config folder using the command
wget https://khcs-ted-s3.s3.us-west-1.amazonaws.com/configl -O /home/ssm-user/config/configl

5. Edit the kesl-service.config file and add your Docker Hub credentials to it
nano config/kesl-service.config
6. In the string user: khcslabuser, replace khcslabuser with your Docker Hub username
7. To save and close the file, press CTRL+O and CTRL+X

We created a Docker Hub user account for you with the same username as in Amazon Web Services. The
screenshot shows an example configuration for khcslabuser1

8. Run the KESL container service using the script run.sh
sudo sh run.sh
9. Wait for the anti-virus signature databases to be updated and the KESL container service to start

During the first start, KESL container downloads signature databases, which takes some time. To speed up
subsequent starts, the databases are stored in the /home/ssm-user/.../volume folder mounted inside the
container.

Task C: Send POST requests to the KESL container service to scan container images
Install Postman on your Windows instance and send POST requests to the KESL container to scan container
images. If a container does not contain malicious code, it will be uploaded to your private repository of Docker Hub
container images.

The task is performed on the physical computer.


1. Return to the Amazon Web Services management console
2. In the Favorites list, click the EC2 icon
3. Select Instances
4. Select your Windows instance and click Connect
5. On the page that opens, select the RDP Client tab and click Download remote desktop file
6. Run the downloaded file

Ask the instructor for the password of the local Windows administrator

7. On the desktop, find the postman-portable folder and open it
8. Run postman-portable.exe
9. Click Skip and go to the app at the bottom of the window
10. On the File menu, select New
11. Click HTTP Request
12. For the METHOD, select POST
13. In the text box, specify the link to the KESL Container service http://<Public IP address>:8085/scans

Use the saved public IP address of the Jenkins instance

14. Switch to the Body subtab
15. Select raw and then in the drop-down list on the right select JSON
16. Download the ready POST1 file with the basic POST request from https://khcs-ted-s3.s3.us-west-1.amazonaws.com/POST1.txt
17. Copy the file contents to the Postman request field
18. Click Send
19. In the lower part of the page, select the Body tab
20. Click the location link

The KESL container service sent this link in response to your POST request. Click it to consult the container image scanning result.

21. In the tab that opens, click the Send button
22. Make sure the container image scanning result is Clean

A GET request with a link queries the scan task status. The Clean status means that malicious code was not found in the container image.

23. Download a ready POST2 file with a complex POST request from https://khcs-ted-s3.s3.us-west-1.amazonaws.com/POST2.txt
24. Return to the tab with the POST request and copy the file contents to the Postman request field
25. In the destination line, replace <login> with your Docker Hub username
26. Click Send

The screenshot shows an example for the khcstestuser name.
27. Open a new tab in your browser and go to https://login.docker.com/u/login
28. Enter your username and password
29. Make sure that a new container image repository with the <login>/alpine tag has been created
30. Click <login>/alpine
31. Make sure that the container image with the latest tag has been uploaded to the repository

The KESL container service has automatically scanned and uploaded a clean container image to your private repository. If malicious code is found when scanning an image, it will not be uploaded to the private repository because KESL Container will delete it.

Conclusion

In this lab, we ran the KESL container service, used it to scan a container image from an external untrusted repository
for malicious code and uploaded the verified clean image to a private repository of container images.

v.1.0
