Installation

You can get Keysas either from source or as a pre-compiled binary. The installation steps below are therefore annotated to cover the source-based installation as well.

Software dependencies

$ echo "deb http://deb.debian.org/debian bullseye-backports main contrib non-free" | sudo tee /etc/apt/sources.list.d/backports.list
$ sudo apt update
$ sudo apt -qy -t bullseye-backports install libyara9
$ sudo apt install \
             acl clamav-daemon clamav-freshclam libyara9 make \
             pkg-config bash ssh rsync apparmor

For a source based installation

$ echo "deb http://deb.debian.org/debian bullseye-backports main contrib non-free" | sudo tee /etc/apt/sources.list.d/backports.list
$ sudo apt update
$ sudo apt -qy -t bullseye-backports install libyara-dev libyara9
$ sudo apt install \
            libseccomp2 libseccomp-dev \
            lsb-release pkg-config bash software-properties-common \
            build-essential libudev-dev

# Install rustup
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# Install the LLVM toolchain (x86_64 only)
$ bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)"

Getting Keysas (Network gateway)

Thanks to the Gitlab CI, a pre-compiled Keysas binary is at your disposal: you can choose and download a specific version of Keysas from the download section.

Download the following files of the latest stable version.
  • keysas-vx.y.z.zip

  • keysas-vx.y.z.zip.sha256

  • keysas-vx.y.z.zip.sig

First, compute the sha256sum of the archive and compare it to the keysas-vx.y.z.zip.sha256 file, then import our public gpg key and verify the signature:

$ diff <(sha256sum keysas-vx.y.z.zip) keysas-vx.y.z.zip.sha256
$ wget https://keysas.fr/download/public.gpg
$ gpg2 --import public.gpg
$ gpg2 --verify keysas-vx.y.z.zip.sig keysas-vx.y.z.zip
$ unzip keysas-vx.y.z.zip -d keysas

Warning

Ensure that /usr/sbin is present in your $PATH. If not, add it:

$ export PATH=$PATH:/usr/sbin

For a source based installation

Clone the gitlab repository and compile Keysas

$ git clone --depth=1 https://gitlab.com/r3dlight/keysas.git
$ cd keysas
$ make build

Clamav configuration

Keysas uses Clamav as its virus scanner for now, but additional scanners could be added in the future. You should update your Clamav signature database on a regular basis. This is handled by the clamav-freshclam daemon, which you have to enable.

Make sure that your clamav-daemon and clamav-freshclam services are up and running

$ systemctl status clamav-daemon clamav-freshclam

Edit the Clamav configuration

Enable TCP listening on the loopback interface using port 3310

#/etc/clamav/clamd.conf
TCPSocket 3310
TCPAddr 127.0.0.1

We now need to allow the Clamav daemon to read the /var/local/in directory through Apparmor.

Clamav apparmor profile tweak

Add the following Clamav apparmor rules to authorise clamd to scan the entry point:

#/etc/apparmor.d/local/usr.sbin.clamd
/var/local/in/ r,
/var/local/in/* kr,
/var/local/in/** kr,

If these rules are not already present, add them manually and reload your apparmor configuration

$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd

You can now manually run a signature database update and restart the Clamav daemon to take the new configuration into account.

$ sudo systemctl start clamav-freshclam
$ sudo systemctl restart clamav-daemon
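Once clamd has been restarted, you can confirm that the loopback TCP socket configured above (TCPAddr 127.0.0.1, TCPSocket 3310) actually answers and scans, using the clamd wire protocol (zPING and INSTREAM, as documented in clamd(8)). This is an added example, not part of Keysas or of this page; the host, port and sample buffer are assumptions.

```python
"""Check the clamd TCP socket configured above: ping clamd and scan a buffer over INSTREAM."""
import socket
import struct

CLAMD_HOST = "127.0.0.1"  # TCPAddr in /etc/clamav/clamd.conf
CLAMD_PORT = 3310         # TCPSocket in /etc/clamav/clamd.conf

def frame_instream(data: bytes, chunk_size: int = 8192) -> bytes:
    """Build an INSTREAM request: b'zINSTREAM\\0', then chunks of a 4-byte
    big-endian length plus payload, terminated by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    return bytes(out + struct.pack("!I", 0))

def parse_scan_reply(reply: bytes) -> tuple:
    """Map b'stream: OK\\0', b'stream: <sig> FOUND\\0' or b'... ERROR\\0'
    replies to (status, detail); detail is the signature name or error text."""
    text = reply.rstrip(b"\0").decode(errors="replace").strip()
    head, sep, tail = text.partition(": ")
    verdict = tail if sep else head
    for status in ("OK", "FOUND", "ERROR"):
        if verdict == status:
            return status, None
        if verdict.endswith(" " + status):
            return status, verdict[:-len(status) - 1]
    return "UNKNOWN", verdict

def clamd_command(payload: bytes, host: str = CLAMD_HOST,
                  port: int = CLAMD_PORT, timeout: float = 10.0) -> bytes:
    """Send one request over TCP and read the NUL-terminated reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        reply = bytearray()
        while b"\0" not in reply:
            part = sock.recv(4096)
            if not part:  # clamd closed the connection
                break
            reply += part
        return bytes(reply)

def ping(host: str = CLAMD_HOST, port: int = CLAMD_PORT) -> bool:
    return clamd_command(b"zPING\0", host, port).startswith(b"PONG")

def scan_bytes(data: bytes, host: str = CLAMD_HOST, port: int = CLAMD_PORT) -> tuple:
    return parse_scan_reply(clamd_command(frame_instream(data), host, port))

if __name__ == "__main__":  # constructed harmless sample; a healthy clamd returns ("OK", None)
    print("reachable:", ping(), "verdict:", scan_bytes(b"Keysas clamd sanity check\n"))
```

A "FOUND" verdict on a known test file, or a connection refused error, tells you whether the TCPSocket setting and the apparmor rules above were picked up before the Keysas services depend on them.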

System wide installation

You can now install Keysas-core on your system.

$ cd keysas
$ sudo make install-core
$ sudo make install-yararules

To install the USB version of Keysas (decontamination station):

$ cd keysas
$ sudo make install
$ sudo make install-yararules

At the end of the installation, you should see something like this:

(screenshot: _images/install_completed.png)

Installation details

  • All binaries (ELF) are installed under /usr/bin/;

  • Systemd units are installed under /etc/systemd/system/;

  • Apparmor profiles are installed under /etc/apparmor.d/;

  • Configuration files are installed under /etc/keysas/;

  • Log directories are created under /var/log/;

  • Yara rules are installed under /usr/share/keysas/rules.

You can now check that all services are up and running (core mode):

$ systemctl status keysas keysas-in keysas-transit keysas-out

If you want to check the full installation (USB mode):

$ systemctl status keysas keysas-in keysas-transit keysas-out keysas-udev keysas-backend