Installation
You can install Keysas either from source or from a pre-compiled binary. Steps that apply only to a source-based installation are marked as such below.
Software dependencies
$ echo "deb http://deb.debian.org/debian bullseye-backports main contrib non-free" | sudo tee /etc/apt/sources.list.d/backports.list
$ sudo apt update
$ sudo apt -qy -t bullseye-backports install libyara9
$ sudo apt install \
acl clamav-daemon clamav-freshclam libyara9 make \
pkg-config bash ssh rsync apparmor
For a source based installation
$ echo "deb http://deb.debian.org/debian bullseye-backports main contrib non-free" | sudo tee /etc/apt/sources.list.d/backports.list
$ sudo apt update
$ sudo apt -qy -t bullseye-backports install libyara-dev libyara9
$ sudo apt install \
libseccomp2 libseccomp-dev \
lsb-release pkg-config bash software-properties-common \
build-essential libudev-dev
# Install rustup
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# Install the LLVM toolchain (x86_64 only)
$ bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)"
Getting Keysas (Network gateway)
Thanks to the GitLab CI, a pre-compiled Keysas binary is available. You can choose and download a specific version of Keysas from the download section.
- Download the following files for the latest stable version:
keysas-vx.y.z.zip
keysas-vx.y.z.zip.sha256
keysas-vx.y.z.zip.sig
First, verify the sha256sum by comparing it to the keysas-vx.y.z.zip.sha256 file, then import our public GPG key, verify the signature and unzip the archive:
$ diff <(sha256sum keysas-vx.y.z.zip) keysas-vx.y.z.zip.sha256
$ wget https://keysas.fr/download/public.gpg
$ gpg2 --import public.gpg
$ gpg2 --verify keysas-vx.y.z.zip.sig keysas-vx.y.z.zip
$ unzip keysas-vx.y.z.zip -d keysas
Warning
Ensure that /usr/sbin is present in your $PATH. If not, add it:
$ export PATH=$PATH:/usr/sbin
For a source based installation
Clone the GitLab repository and compile Keysas:
$ git clone --depth=1 https://gitlab.com/r3dlight/keysas.git
$ cd keysas
$ make build
Clamav configuration
Keysas uses Clamav as a virus scanner for now, but additional scanners could be added in the future. You should update your Clamav signature database on a regular basis. This operation is handled by the clamav-freshclam daemon, which you have to enable.
Make sure that your clamav-daemon and clamav-freshclam services are up and running:
$ systemctl status clamav-daemon clamav-freshclam
Edit the Clamav configuration
Enable TCP listening on the loopback interface using port 3310
#/etc/clamav/clamd.conf
TCPSocket 3310
TCPAddr 127.0.0.1
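The following static check of the listener settings above is an added example, not part of the Keysas documentation or code base. It assumes, per the clamd.conf documentation, that TCPAddr may be repeated and that clamd binds every interface when TCPSocket is set without TCPAddr; the function name audit_clamd_conf and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: static audit of the clamd listener settings shown above.
# Returns 0 only if TCPSocket is 3310 and every TCPAddr is a loopback address.
audit_clamd_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "FAIL cannot read $conf"; return 2; }
    awk '
        BEGIN { bad = 0; naddr = 0; port = "" }
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        $1 == "TCPSocket" { port = $2 }
        $1 == "TCPAddr" {
            naddr++
            if ($2 != "127.0.0.1" && $2 != "::1" && $2 != "localhost") {
                printf "FAIL TCPAddr %s is not loopback\n", $2; bad = 1
            }
        }
        END {
            if (port == "") {
                print "FAIL TCPSocket is not set"; bad = 1
            } else if (port != "3310") {
                printf "FAIL TCPSocket is %s, expected 3310\n", port; bad = 1
            }
            # Assumption (clamd.conf docs): no TCPAddr means bind to all interfaces
            if (port != "" && naddr == 0) {
                print "FAIL TCPSocket set without TCPAddr (binds all interfaces)"; bad = 1
            }
            if (!bad) print "OK clamd listens on loopback:3310 only"
            exit bad
        }' "$conf"
}

# Constructed sample files (not from a real host) so the check runs offline.
demo=$(mktemp -d)
printf 'TCPSocket 3310\nTCPAddr 127.0.0.1\n' > "$demo/good.conf"
printf '#TCPAddr 127.0.0.1\nTCPSocket 3310\n' > "$demo/exposed.conf"
for f in "$demo/good.conf" "$demo/exposed.conf"; do
    echo "== ${f##*/}"
    audit_clamd_conf "$f" || echo "   -> does not match the settings above"
done
rm -rf "$demo"
```

On a real host, call audit_clamd_conf /etc/clamav/clamd.conf after editing the file and before restarting clamav-daemon.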
We now need to allow the Clamav daemon to read the /var/local/in directory through Apparmor.
Clamav apparmor profile tweak
Add the following Clamav Apparmor rules to authorise clamd to scan the entry point:
#/etc/apparmor.d/local/usr.sbin.clamd
/var/local/in/ r,
/var/local/in/* kr,
/var/local/in/** kr,
If these rules are not already present, add them manually and reload your Apparmor configuration:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
You can now manually run a signature database update and restart the Clamav daemon to take the new configuration into account.
$ sudo systemctl start clamav-freshclam
$ sudo systemctl restart clamav-daemon
System wide installation
You can now install Keysas-core on your system.
$ cd keysas
$ sudo make install-core
$ sudo make install-yararules
To install the USB version of Keysas (decontamination station):
$ cd keysas
$ sudo make install
$ sudo make install-yararules
At the end of the installation, you should see something like this:

Installation details
All binaries (ELF) are installed under /usr/bin/ ;
Systemd units are installed under /etc/systemd/system/ ;
Apparmor profiles are installed under /etc/apparmor.d/ ;
Configuration files are installed under /etc/keysas/ ;
Log directories are created under /var/log/ ;
Yara rules are installed under /usr/share/keysas/rules.
You can now check that all services are up and running (core mode):
$ systemctl status keysas keysas-in keysas-transit keysas-out
If you want to check the full installation (USB mode):
$ systemctl status keysas keysas-in keysas-transit keysas-out keysas-udev keysas-backend