Prerequisites:
- Install cifs-utils package:
yum install -y cifs-utils
- Install python:
yum install -y python
- Sudo privileges for the user account or group that SymantecDLPDetectionServerService runs as (the mount and unmount scripts below call sudo mount and sudo umount).
Overview:
To implement CIFS-based scanning for Network Discover, complete the following steps:
- Create the mount and unmount scripts, smb.py and smbu.py, found under /opt/Symantec/DataLossPrevention/ServerPlatformCommon/15.7/Protect/bin/
- Configure the script mappings, protocol mappings and protocol regex patterns within SharePointMapper.properties, found under /opt/Symantec/DataLossPrevention/DetectionServer/15.7/Protect/config
- Disable JCIFS on the Linux Network Discover Server.
- Prefix your content roots within scan targets with the SMB protocol prefix. For example, smb://<servername>/<sharename>
Configuring the mount and unmount scripts for CIFS:
- Create an smb.py script under /opt/Symantec/DataLossPrevention/ServerPlatformCommon/15.7/Protect/bin/, updating the content to match the script below:
#!/bin/python
#
# smb.py - mount an smb share on a Linux system
#
# usage: smb.py <mount point> <share path> <username> <password>
#
# <mount point>: The point where the file system is mounted. Ex: /mnt/vontu
#
# <share path>: The path to mount in the following format:
# "//<host.domain.com>/dir1/dir2" (can be surrounded by single or double quotes)
#
#
#
# instructions for use: You must enter the mount command below. The following variables are available
#
# sys.argv[1] = <mount point>
# sys.argv[2] = <share path>
# sys.argv[3] = <user name>
# sys.argv[4] = <password>
#
# eg.
#
# mount sys.argv[1] sys.argv[2] sys.argv[3] sys.argv[4]
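# stat sys.argv[1]
import sys
import os
# The scan target credential arrives as domain/username (forward slash).
username=sys.argv[3].split('/')[1]
domain=sys.argv[3].split('/')[0]
# The password and both paths are concatenated into a single shell command line.
mountCommand = 'sudo mount -t cifs -o sec=ntlmsspi,username=' + username + ',domain=' + domain + ',password=' + sys.argv[4] + ' ' + sys.argv[2] + ' ' + sys.argv[1]
statCommand = 'stat ' + sys.argv[1]
# Echo the command (this output includes the password), then mount and stat the mount point.
print('mount command= ' + mountCommand)
os.system(mountCommand)
os.system(statCommand)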
- Set the ownership of smb.py to root with group SymantecDLP (or whatever DLP account you're using) and mark it as executable:
chown root:SymantecDLP smb.py ; chmod +x smb.py
- Create an smbu.py script under /opt/Symantec/DataLossPrevention/ServerPlatformCommon/15.7/Protect/bin/, updating the content to match the script below:
#!/bin/python
#
# smbu.py - unmount an smb share on a Linux system
#
# usage: smbu.py <mount point>
#
# <mount point>: The point where the file system is mounted. Ex: /mnt/vontu
#
#
#
# instructions for use: You must enter the unmount command below. The following variables are available
#
# sys.argv[1] = <mount point>
#
# eg.
#
# sudo umount sys.argv[1] ; rmdir sys.argv[1]
# sudo umount sys.argv[1]
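import sys
import os
# Unmount the share, then remove the now-empty mount point directory.
unmountCommand = 'sudo umount ' + sys.argv[1] + ' ; rmdir ' + sys.argv[1]
# Run umount a second time so its message about the mount point is written to the output;
# the SMB.umountSuccess and SMB.MountDoesNotExist patterns are matched against messages of that kind.
testCommand = 'sudo umount ' + sys.argv[1]
os.system(unmountCommand)
os.system(testCommand)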
- Set the ownership of smbu.py to root with group SymantecDLP (or whatever DLP account you're using) and mark it as executable:
chown root:SymantecDLP smbu.py ; chmod +x smbu.py
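Added example (not Symantec's script, and not validated against the Detection Server): a variant of smb.py that takes the same four arguments but hands the password to mount.cifs through a mode-0600 credentials file and runs mount without a shell, so the secret stays out of the printed command and the process list and shell metacharacters in the arguments are not interpreted. The function names and the dlp-cifs- temp-file prefix are assumptions of this example.

```python
#!/usr/bin/env python
# Added example, not Symantec's script: smb.py with the same four arguments,
# using mount.cifs' credentials= option instead of password= on the command line.
import os
import subprocess
import sys
import tempfile

def split_account(account):
    """Split the scan target's 'domain/username' credential into its parts."""
    domain, sep, username = account.partition('/')
    if not sep or not domain or not username or '/' in username:
        raise ValueError('expected domain/username')
    return domain, username

def write_credentials(domain, username, password):
    """Write a mount.cifs credentials file; mkstemp creates it with mode 0600."""
    for value in (domain, username, password):
        if '\n' in value or '\r' in value:
            raise ValueError('line breaks are not allowed in credentials')
    fd, path = tempfile.mkstemp(prefix='dlp-cifs-')  # prefix is hypothetical
    with os.fdopen(fd, 'w') as handle:
        handle.write('username=%s\npassword=%s\ndomain=%s\n'
                     % (username, password, domain))
    return path

def build_mount_argv(mount_point, share, cred_path):
    """Return an argument list: no shell parses it and it holds no password."""
    share = share.strip('"\'')  # the script header allows surrounding quotes
    if not share.startswith('//') or not os.path.isabs(mount_point):
        raise ValueError('unexpected share path or mount point')
    options = 'sec=ntlmsspi,credentials=' + cred_path
    return ['sudo', 'mount', '-t', 'cifs', '-o', options, share, mount_point]

def main(argv):
    mount_point, share, account, password = argv[1:5]
    domain, username = split_account(account)
    cred_path = write_credentials(domain, username, password)
    try:
        mount_argv = build_mount_argv(mount_point, share, cred_path)
        sys.stdout.write('mount command= ' + ' '.join(mount_argv) + '\n')
        sys.stdout.flush()  # keep this line ahead of mount's own output
        subprocess.call(mount_argv)
        return subprocess.call(['stat', mount_point])
    finally:
        os.remove(cred_path)  # the secret only has to outlive the mount call

if __name__ == '__main__':
    sys.exit(main(sys.argv))
```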
Configuring the SharePointMapper.properties file for SMB:
- Edit the SharePointMapper.properties file under /opt/Symantec/DataLossPrevention/DetectionServer/15.7/Protect/config and append/update the following SMB mounter region:
#SMB cifs-utils
mounter2.uri=smb
mounter2.prefix=SMB
SMB.scriptName=smb.py
SMB.unmountScriptName=smbu.py
SMB.ScriptExecutionTimeout = 60000
SMB.AccessDenied=denied
SMB.ShareNotFound=Permission denied|can't get address for
SMB.ShareExists=already mounted
SMB.MultipleConnections=already mounted
SMB.SyntaxError=Usage:
SMB.ServerNotFound=failed
SMB.AccountLockedOut=denied
SMB.NoLogonServers=Not Applicable
SMB.RequireLogin=Not Applicable
SMB.Success=/DiscoverMount/
SMB.umountSuccess=mountpoint not found
SMB.MountDoesNotExist=not mounted
Disable JCIFS in the Crawler.properties on the Linux Network Discover Server:
- Edit the Crawler.properties file under /opt/Symantec/DataLossPrevention/DetectionServer/15.7/Protect/config to disable JCIFS as shown below:
filesystemcrawler.use.jcifs = false
- Restart the Detection server service:
systemctl restart SymantecDLPDetectionServerService
Update Scan Targets with SMB Protocol Prefix:
- Update existing scan targets so that content roots are listed as follows:
smb://<servername>/<sharename>
- Update the user credentials in the scan targets to use the following syntax. Note the forward slash in place of the backslash character:
domain/username
- For best results, ensure the username and password use only alphanumeric characters. Avoid using these characters in the password: . ^ $ * + ? { } [ ] \ | ( )