Requires sudo privilege for the user account/group that the SymantecDLPDetectionServerService is running as.
Overview:
To implement the CIFS based scanning for Network Discover, you'll need to complete the following steps:
Create the mount and unmount scripts, smb.py and smbu.py, found under /opt/Symantec/DataLossPrevention/ServerPlatformCommon/15.7/Protect/bin/
Configure the script mappings, protocol mappings and protocol regex patterns within SharePointMapper.properties, found under /opt/Symantec/DataLossPrevention/DetectionServer/15.7/Protect/config
Disable JCIFS on the Linux Network Discover Server.
Prefix your content roots within scan targets with the SMB protocol prefix. For example, smb://<servername>/<sharename>
Configuring the mount and unmount scripts for CIFS:
Create an smb.py script under /opt/Symantec/DataLossPrevention/ServerPlatformCommon/15.7/Protect/bin/, updating the content to match the script below:

#!/bin/python
#
# smb.py - mount an smb share on a Linux system
#
# usage: smb.py <mount point> <share path> <username> <password>
#
# <mount point>: The point where the file system is mounted. Ex: /mnt/vontu
#
# <share path>: The path to mount in the following format:
# "//<host.domain.com>/dir1/dir2" (can be surrounded by single or double quotes)
#
#
# instructions for use: You must enter the mount command below. The following variables are available
#
# sys.argv[1] = <mount point>
# sys.argv[2] = <share path>
# sys.argv[3] = <user name>
# sys.argv[4] = <password>
#
# eg.
#
# mount sys.argv[1] sys.argv[2] sys.argv[3] sys.argv[4]
# stat sys.argv[1]
Change smb.py owner to SymantecDLP (or whatever DLP account you're using) and mark as executable: chown root:SymantecDLP smb.py ; chmod +x smb.py
Create an smbu.py script under /opt/Symantec/DataLossPrevention/ServerPlatformCommon/15.7/Protect/bin/, updating the content to match the script below:

#!/bin/python
#
# smbu.py - unmount an smb share on a Linux system
#
# usage: smbu.py <mount point>
#
# <mount point>: The point where the file system is mounted. Ex: /mnt/vontu
#
#
# instructions for use: You must enter the unmount command below. The following variables are available
#
# sys.argv[1] = <mount point>
#
# eg.
#
# sudo umount sys.argv[1] ; rmdir sys.argv[1]
# sudo umount sys.argv[1]
Change owner to SymantecDLP (or whatever DLP account you're using) and mark as executable: chown root:SymantecDLP smbu.py ; chmod +x smbu.py
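The templates above leave the actual mount command to the administrator. The following is an added worked example of a complete smb.py, written for this article and not Symantec's shipped script. It assumes python3 and cifs-utils (mount.cifs) are installed, that the DLP account may run "sudo mount -t cifs" and "sudo umount" without a password (the sudo prerequisite at the top of this article), and that the username arrives as "domain/username" exactly as configured in the scan target. Instead of placing the password on the mount command line, where it would be visible to every local user through ps and would be recorded in sudo logs, it writes a 0600 credentials file that only exists for the duration of the mount call. After a successful mount it runs stat on the mount point so that the DiscoverMount path appears in the script output, which is what the SMB.Success=/DiscoverMount/ pattern in SharePointMapper.properties matches; the "Usage:" message likewise matches SMB.SyntaxError.

```python
#!/usr/bin/env python3
# smb.py - example CIFS mounter for Symantec DLP Network Discover on Linux.
# Added illustration, not Symantec's script. Assumptions: python3, cifs-utils,
# passwordless sudo for mount/umount, and <username> passed as "domain/username".
#
# usage: smb.py <mount point> <share path> <username> <password>
import os
import subprocess
import sys
import tempfile


def split_domain_user(value):
    """Split 'domain/username' into (domain, username); domain may be empty."""
    if "/" in value:
        domain, user = value.split("/", 1)
        return domain, user
    return "", value


def render_credentials(value, password):
    """Body of a mount.cifs credentials file (username=, password=, domain= lines).

    Keeping the password out of argv means it never shows up in `ps` output
    or in the sudo log entry for the mount command.
    """
    domain, user = split_domain_user(value)
    lines = ["username=" + user, "password=" + password]
    if domain:
        lines.append("domain=" + domain)
    return "\n".join(lines) + "\n"


def build_mount_command(mount_point, share, cred_path):
    """argv for the privileged mount call.

    The share path may be surrounded by single or double quotes (as the
    template allows) and must look like //host/dir1/dir2 after stripping.
    """
    share = share.strip("'\"")
    if not share.startswith("//"):
        raise ValueError("share path must be of the form //host/share")
    return ["sudo", "mount", "-t", "cifs", share, mount_point,
            "-o", "credentials=" + cred_path]


def mount_share(mount_point, share, value, password):
    """Mount the share and print the mount point's stat output on success.

    Returns the exit status of the mount command (0 on success).
    """
    os.makedirs(mount_point, exist_ok=True)
    fd, cred_path = tempfile.mkstemp(prefix="dlp-cifs-")   # created with mode 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(render_credentials(value, password))
        result = subprocess.run(build_mount_command(mount_point, share, cred_path))
    finally:
        os.unlink(cred_path)            # never leave the password on disk
    if result.returncode == 0:
        # The stat output contains the mount point path, e.g.
        # /var/Symantec/DataLossPrevention/DetectionServer/15.7/DiscoverMount/...,
        # which SMB.Success=/DiscoverMount/ in SharePointMapper.properties matches.
        subprocess.run(["stat", mount_point])
    return result.returncode


if __name__ == "__main__":
    if len(sys.argv) != 5:
        # "Usage:" is what SMB.SyntaxError=Usage: matches.
        sys.stderr.write("Usage: smb.py <mount point> <share path> <username> <password>\n")
        sys.exit(2)
    sys.exit(mount_share(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]))
```

The matching smbu.py only needs to run "sudo umount <mount point>"; umount's own "not mounted" message is what SMB.MountDoesNotExist matches. If the DLP account's sudoers entry restricts which commands it may run, the rule must cover both mount.cifs and umount, since the credentials file approach above relies on root (via sudo) reading the temporary file rather than the DLP account passing the password as an argument.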
Configuring the SharePointMapper.properties file for SMB:
Edit the SharePointMapper.properties file under /opt/Symantec/DataLossPrevention/DetectionServer/15.7/Protect/config and append/update the following SMB mounter region:

#SMB cifs-utils
mounter2.uri=smb
mounter2.prefix=SMB
SMB.AccessDenied=denied
SMB.ShareNotFound=Permission denied|can't get address for
SMB.ShareExists=already mounted
SMB.MultipleConnections=already mounted
SMB.SyntaxError=Usage:
SMB.ServerNotFound=failed
SMB.AccountLockedOut=denied
SMB.NoLogonServers=Not Applicable
SMB.RequireLogin=Not Applicable
SMB.Success=/DiscoverMount/
SMB.umountSuccess=mountpoint not found
SMB.MountDoesNotExist=not mounted
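The SMB.* values above are patterns the Network Discover mounter matches against the mount and unmount script output to decide the outcome of each mount. The following added example (not part of Symantec's product) parses that region and reports which statuses a given line of script output would trigger; it assumes the values are applied as regular-expression searches, which the "|" alternation in SMB.ShareNotFound suggests. The sample output lines are constructed for the example. Running it against the output your own smb.py produces is a quick offline check of the mapping before restarting the detection server, and it also shows why several statuses can match the same line: "Permission denied" satisfies AccessDenied, ShareNotFound and AccountLockedOut at once, so the order in which the mounter evaluates the keys (not stated in this article) decides the reported reason.

```python
import re

# Constructed copy of the SMB mounter region shown in this article.
SMB_PROPERTIES = """\
#SMB cifs-utils
mounter2.uri=smb
mounter2.prefix=SMB
SMB.AccessDenied=denied
SMB.ShareNotFound=Permission denied|can't get address for
SMB.ShareExists=already mounted
SMB.MultipleConnections=already mounted
SMB.SyntaxError=Usage:
SMB.ServerNotFound=failed
SMB.AccountLockedOut=denied
SMB.NoLogonServers=Not Applicable
SMB.RequireLogin=Not Applicable
SMB.Success=/DiscoverMount/
SMB.umountSuccess=mountpoint not found
SMB.MountDoesNotExist=not mounted
"""

# Constructed sample lines of the kind smb.py / smbu.py would print.
SAMPLE_OUTPUTS = [
    "mount error(13): Permission denied",
    "  File: /var/Symantec/DataLossPrevention/DetectionServer/15.7/DiscoverMount/target1",
    "umount: /mnt/vontu: not mounted.",
    "Usage: smb.py <mount point> <share path> <username> <password>",
]


def parse_properties(text):
    """Parse the key=value subset of Java .properties: '#' comments, first '=' splits."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def classify_output(output, props, prefix="SMB"):
    """Return the status names (without the prefix) whose pattern matches output.

    Assumption: each value is treated as a regular expression and searched for
    anywhere in the script output. All matches are returned, in file order, so
    ambiguous patterns such as 'denied' are visible rather than hidden.
    """
    matches = []
    for key, pattern in props.items():
        if not key.startswith(prefix + "."):
            continue
        if re.search(pattern, output):
            matches.append(key.split(".", 1)[1])
    return matches


def classify_all(outputs=SAMPLE_OUTPUTS, text=SMB_PROPERTIES):
    """Map each sample output line to the statuses it would trigger."""
    props = parse_properties(text)
    return {line: classify_output(line, props) for line in outputs}


if __name__ == "__main__":
    for line, statuses in classify_all().items():
        print("%-75s -> %s" % (line, ", ".join(statuses) or "(no match)"))
```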
Disable JCIFS in the Crawler.properties on the Linux Network Discover Server:
Edit the Crawler.properties file under /opt/Symantec/DataLossPrevention/DetectionServer/15.7/Protect/config to disable JCIFS as shown below:

filesystemcrawler.use.jcifs = false
Restart the Detection server service: systemctl restart SymantecDLPDetectionServerService
Update Scan Targets with SMB Protocol Prefix:
Update existing scan targets so that content roots are listed as follows: smb://<servername>/<sharename>
Update the user credentials in the scan targets to use the following syntax (note the forward slash rather than a backslash): domain/username
For best results, ensure the username and password use alpha-numeric characters. Avoid using these characters in the password: . ^ $ * + ? { } [ ] \ | ( )
Additional Information
This method has only been tested with SMBv2.
Restart the Detection server service after making changes to any .properties file on the Detection server.
If implementing this on versions older than 15.5, you may have to make additional changes. For example, for 15.1:
Make the following additional change to Crawler.properties on the Network Discover server, under /opt/Symantec/DataLossPrevention/Detection Server/15.1/Protect/config/. By default, the path has a space between "Detection" and "Server"; remove the space so that the setting looks like the following:

filesystemcrawler.mount.drive.letter.linux = /var/Symantec/DataLossPrevention/DetectionServer/15.1/DiscoverMount
Create the directory structure down to /DetectionServer/ and change the owner to SymantecDLP (or whatever DLP account you are using): mkdir -p /var/Symantec/DataLossPrevention/DetectionServer ; chown SymantecDLP:SymantecDLP /var/Symantec/DataLossPrevention/DetectionServer
Known limitations when using CIFS scanning:
File owners on incidents may be reported as "unknown"
DFS names cannot be mounted, and attempting to do so produces the following mount error and stack trace:
com.vontu.discover.mount.mounter.ExecMonitor$2 run
WARNING: exception while reading stream
java.io.IOException: Stream closed
at java.io.BufferedInputStream.getBufIfOpen(BufferedInputStream.java:170)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:283)
at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:284)
at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)
at sun.nio.cs.StreamDecoder.read0(StreamDecoder.java:127)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:112)
at java.io.InputStreamReader.read(InputStreamReader.java:168)
at com.vontu.discover.mount.mounter.ExecMonitor$2.run(ExecMonitor.java:133)
As a workaround, locate and use the actual UNC paths from the DFS as the content roots to scan.