Implementing Network Discover scans of SMB shares using CIFS

Article ID: 190123

Products

Data Loss Prevention Network Discover

Issue/Introduction

You want to implement Network Discover scans of SMB shares using CIFS.

Environment

  • DLP 15.7
  • Red Hat Linux based Network Discover server scanning SMB File System targets

Cause

This can be useful when the shipping JCIFS version does not support the target SMB version or feature flags.

Resolution

Prerequisites:

  1. Install cifs-utils package:
    yum install -y cifs-utils
  2. Install python:
    yum install -y python
  3. Sudo privileges for the user account/group that SymantecDLPDetectionServerService runs as (the scripts below call mount and umount through sudo).

Overview:

To implement the CIFS based scanning for Network Discover, you'll need to complete the following steps:

  1. Create the mount and unmount scripts, smb.py and smbu.py, under /opt/Symantec/DataLossPrevention/ServerPlatformCommon/15.7/Protect/bin/
  2. Configure the script mappings, protocol mappings and protocol regex patterns within SharePointMapper.properties, found under /opt/Symantec/DataLossPrevention/DetectionServer/15.7/Protect/config
  3. Disable JCIFS on the Linux Network Discover Server.
  4. Prefix your content roots within scan targets with the SMB protocol prefix. For example, smb://<servername>/<sharename>

Configuring the mount and unmount scripts for CIFS:

  1. Create an smb.py script under /opt/Symantec/DataLossPrevention/ServerPlatformCommon/15.7/Protect/bin/, updating the content to match the script below:
    #!/bin/python
    #
    # smb.py - mount an smb share on a Linux system
    #
    # usage: smb.py <mount point> <share path> <username> <password>
    #
    #       <mount point>: The point where the file system is mounted. Ex: /mnt/vontu
    #
    #       <share path>: The path to mount in the following format:
    #                     "//<host.domain.com>/dir1/dir2"  (can be surrounded by single or double quotes)
    #
    #       <username>:   The scan target credential in domain/username form (forward slash)
    #
    # Network Discover passes the arguments as:
    #
    # sys.argv[1] = <mount point>
    # sys.argv[2] = <share path>
    # sys.argv[3] = <user name>
    # sys.argv[4] = <password>
    #
    # Whatever mount and stat print is what the SMB.* patterns in SharePointMapper.properties
    # are matched against, so both commands inherit this script's stdout/stderr.

    from __future__ import print_function
    import subprocess
    import sys

    if len(sys.argv) != 5:
        print('Usage: smb.py <mount point> <share path> <domain/username> <password>')
        sys.exit(1)

    mountPoint, sharePath, credential, password = sys.argv[1:5]

    # Credentials arrive as domain/username; tolerate a bare username as well.
    if '/' in credential:
        domain, username = credential.split('/', 1)
    else:
        domain, username = '', credential

    options = ['sec=ntlmsspi', 'username=' + username, 'password=' + password]
    if domain:
        options.insert(1, 'domain=' + domain)

    # Argument lists instead of a shell string: characters in the password or the paths
    # are passed to mount verbatim and never interpreted by a shell.
    mountCommand = ['sudo', 'mount', '-t', 'cifs', '-o', ','.join(options), sharePath, mountPoint]
    statCommand = ['stat', mountPoint]

    # Log the command with the password masked so it does not end up in the DLP logs.
    print('mount command= ' + ' '.join(mountCommand).replace('password=' + password, 'password=********'))

    subprocess.call(mountCommand)
    subprocess.call(statCommand)

  2. Change the ownership of smb.py to root:SymantecDLP (or whatever DLP account you're using as the group) and mark it as executable:
    chown root:SymantecDLP smb.py ; chmod +x smb.py
  3. Create an smbu.py script under /opt/Symantec/DataLossPrevention/ServerPlatformCommon/15.7/Protect/bin/, updating the content to match the script below:
    #!/bin/python
    #
    # smbu.py - unmount an smb share on a Linux system
    #
    # usage: smbu.py <mount point>
    #
    #       <mount point>: The point where the file system is mounted. Ex: /mnt/vontu
    #
    # Network Discover passes the argument as:
    #
    # sys.argv[1] = <mount point>
    #
    # The share is unmounted and its mount point directory removed. umount is then run a
    # second time on purpose: its "mountpoint not found" message is what the
    # SMB.umountSuccess pattern in SharePointMapper.properties looks for.

    from __future__ import print_function
    import subprocess
    import sys

    if len(sys.argv) != 2:
        print('Usage: smbu.py <mount point>')
        sys.exit(1)

    mountPoint = sys.argv[1]

    # Argument lists rather than a shell string, so the path is never shell-parsed.
    subprocess.call(['sudo', 'umount', mountPoint])
    subprocess.call(['rmdir', mountPoint])
    subprocess.call(['sudo', 'umount', mountPoint])


  4. Change the ownership of smbu.py to root:SymantecDLP (or whatever DLP account you're using as the group) and mark it as executable:
    chown root:SymantecDLP smbu.py ; chmod +x smbu.py

Configuring the SharePointMapper.properties file for SMB:

  1. Edit the SharePointMapper.properties file under /opt/Symantec/DataLossPrevention/DetectionServer/15.7/Protect/config and append/update the following SMB mounter region:
    #SMB cifs-utils
    mounter2.uri=smb
    mounter2.prefix=SMB

    SMB.scriptName=smb.py
    SMB.unmountScriptName=smbu.py
    SMB.ScriptExecutionTimeout = 60000

    SMB.AccessDenied=denied
    SMB.ShareNotFound=Permission denied|can't get address for
    SMB.ShareExists=already mounted
    SMB.MultipleConnections=already mounted
    SMB.SyntaxError=Usage:
    SMB.ServerNotFound=failed
    SMB.AccountLockedOut=denied
    SMB.NoLogonServers=Not Applicable
    SMB.RequireLogin=Not Applicable
    SMB.Success=/DiscoverMount/
    SMB.umountSuccess=mountpoint not found
    SMB.MountDoesNotExist=not mounted
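
A dry run of this mapping, added here as an example and not part of the article or the DLP product: it loads the SMB.* lines above, treats each value as a regular expression (the article calls them protocol regex patterns; how DLP ranks several matching patterns is not covered here and is assumed to be irrelevant for this check), and reports every status that matches a constructed mount, stat or umount output line. The mount point path and sample lines are constructed for the run.

```python
import re

# SMB.* patterns from the region above (constructed copy; one non-pattern key included).
SMB_PROPERTIES = """\
SMB.ScriptExecutionTimeout = 60000
SMB.AccessDenied=denied
SMB.ShareNotFound=Permission denied|can't get address for
SMB.ShareExists=already mounted
SMB.MultipleConnections=already mounted
SMB.SyntaxError=Usage:
SMB.ServerNotFound=failed
SMB.AccountLockedOut=denied
SMB.NoLogonServers=Not Applicable
SMB.RequireLogin=Not Applicable
SMB.Success=/DiscoverMount/
SMB.umountSuccess=mountpoint not found
SMB.MountDoesNotExist=not mounted
"""

def load_patterns(text, prefix="SMB"):
    """Parse '<prefix>.<Status>=<regex>' lines into an ordered (status, regex) list."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        head, _, status = key.partition(".")
        # Only <prefix>.<Status> keys hold patterns; script names and timeouts do not.
        if head != prefix or status in ("scriptName", "unmountScriptName", "ScriptExecutionTimeout"):
            continue
        patterns.append((status, re.compile(value)))
    return patterns

def classify(output, patterns):
    """Every status whose pattern occurs in the output, in file order; overlaps all report."""
    return [status for status, rx in patterns if rx.search(output)]

# Constructed sample script output, one line per run (mount failure, stat, second umount).
MOUNT_POINT = "/var/Symantec/DataLossPrevention/DetectionServer/15.7/DiscoverMount/share1"
SAMPLES = {
    "mount_denied": "mount error(13): Permission denied",
    "stat_after_mount": "  File: '" + MOUNT_POINT + "'",
    "umount_second_run": "umount: " + MOUNT_POINT + ": mountpoint not found",
}

def classify_samples():
    patterns = load_patterns(SMB_PROPERTIES)
    return {name: classify(line, patterns) for name, line in SAMPLES.items()}
```

The run shows two overlaps worth knowing about: "Permission denied" satisfies AccessDenied, ShareNotFound and AccountLockedOut at once, and any output that echoes the mount point path also satisfies SMB.Success because the path contains /DiscoverMount/.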

Disable JCIFS in the Crawler.properties on the Linux Network Discover Server:

  1. Edit the Crawler.properties file under /opt/Symantec/DataLossPrevention/DetectionServer/15.7/Protect/config to disable JCIFS as shown below:
    filesystemcrawler.use.jcifs = false
  2. Restart the Detection server service:
    systemctl restart SymantecDLPDetectionServerService

Update Scan Targets with SMB Protocol Prefix:

  1. Update existing scan targets so that content roots are listed as follows:
    smb://<servername>/<sharename>
  2. Update the user credentials in the scan targets to use the following syntax; note the forward slash in place of the usual backslash:
    domain/username
  3. For best results, use only alphanumeric characters in the username and password. Avoid the following characters in the password: . ^ $ * + ? { } [ ] \ | ( )


Additional Information

  • This method has only been tested with SMBv2.
  • Restart the Detection server service after making changes to any .properties file on the Detection server.
  • If implementing this on versions older than 15.5, you may have to make additional changes. For example, for 15.1:
    1. Make the following additional change to Crawler.properties on the Network Discover server, under /opt/Symantec/DataLossPrevention/Detection Server/15.1/Protect/config/
      By default, the path has a space between "Detection" and "Server". Remove the space so that it looks like the following:
      filesystemcrawler.mount.drive.letter.linux = /var/Symantec/DataLossPrevention/DetectionServer/15.1/DiscoverMount

    2. Create the directory structure down to /DetectionServer/ and change the owner to SymantecDLP (or whatever DLP account you are using):
      mkdir -p /var/Symantec/DataLossPrevention/DetectionServer ; chown SymantecDLP:SymantecDLP /var/Symantec/DataLossPrevention/DetectionServer
  • Known limitations when using CIFS scanning:
    • File owners on incidents may be reported as "unknown"
    • DFS names cannot be mounted, and attempting to do so produces the following mount error and stack trace:
      com.vontu.discover.mount.mounter.ExecMonitor$2 run
      WARNING: exception while reading stream
      java.io.IOException: Stream closed
              at java.io.BufferedInputStream.getBufIfOpen(BufferedInputStream.java:170)
              at java.io.BufferedInputStream.read1(BufferedInputStream.java:283)
              at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
              at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:284)
              at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)
              at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)
              at sun.nio.cs.StreamDecoder.read0(StreamDecoder.java:127)
              at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:112)
              at java.io.InputStreamReader.read(InputStreamReader.java:168)
              at com.vontu.discover.mount.mounter.ExecMonitor$2.run(ExecMonitor.java:133)

      • As a workaround, locate and use the actual UNC paths from the DFS as the content roots to scan.