Integration with Samba File Server

The SpIDer Guard for SMB monitor uses a special VFS SMB module for the integration with the Samba server. SpIDer Guard for SMB is supplied with several versions of this module, built for various versions of Samba. However, the supplied versions of the VFS SMB module may be incompatible with the version of Samba installed on your file server. This may occur, for example, if the Samba server uses the CLUSTER_SUPPORT option.

If the VFS SMB module is incompatible with the Samba server, the corresponding message is shown during the Dr.Web for UNIX File Servers product installation. In this case, manually build the VFS SMB module for your Samba server from the supplied source code (including the compatibility with the CLUSTER_SUPPORT option if necessary).

The procedure of building the VFS SMB module from the supplied source code is described in Appendix G.

To integrate Dr.Web for UNIX File Servers with the Samba file server, do the following:

1. In the directory with Samba VFS modules (the default directory in Linux is /usr/lib/samba/vfs), create a symbolic link smb_spider.so that refers to the Dr.Web VFS SMB module corresponding to the Samba version in use.

The VFS SMB modules, which are supplied by Dr.Web, reside in the product libraries directory:

<opt_dir>/lib/samba – for 32-bit platforms

<opt_dir>/lib64/samba – for 64-bit platforms

The module files are named according to the pattern libsmb_spider.so.<ver>, where <ver> is the version of Samba that the module interacts with.

For example, the /opt/drweb.com/lib/samba/libsmb_spider.so.3.6.0 file is for Samba 3.6.0 running on 32-bit Linux.

2. In the Samba configuration file smb.conf (the default Linux directory is /etc/samba), create sections for the shared directories. Each such section looks as follows:

[<share_name>]
comment = <any_comment>
path = </directory/to/be/protected/>
vfs objects = smb_spider
writeable = yes
browseable = yes
guest ok = yes
public = yes

where <share_name> is any name of the shared resource and <any_comment> is an arbitrary line with a comment (optional). The object's name specified in vfs objects must be the same as the name of the symbolic link (here smb_spider).

After that, this directory will be monitored by SpIDer Guard for SMB. Interaction between SpIDer Guard for SMB and VFS SMB module will be performed via UNIX socket /<samba_chroot_path>/var/run/.com.drweb.smb_spider_vfs. By default, the path to this UNIX socket is specified in the SpIDer Guard for SMB settings and in the settings of the VFS SMB module.

3. If you need to change the path to the socket, specify the new path both in the settings of SpIDer Guard for SMB (the SmbSocketPath parameter) and in the configuration file of Samba smb.conf. For that, add the following line to the [<share_name>] section:

smb_spider:socket = <path_to_socket>

where <path_to_socket> must be an absolute path to the UNIX socket relative to the root directory, specified for Samba by using chroot.

4. If required, you can use the ExcludedPath and IncludedPath parameters to exclude paths to objects located in the protected shared directories or to include them in SpIDer Guard for SMB checks. You can specify paths to directories or paths to files. If you specify a directory, all content of the directory is skipped or scanned. Note that the IncludedPath parameter takes precedence over the ExcludedPath parameter, that is, if the same object (file or directory) is included in both parameter values, this object will be checked.

5. If you need to specify personal scanning settings (different from the default settings for all modules) for this shared directory, set a tag identifier for the VFS SMB module that controls this directory:

smb_spider:tag = <share_name>

Then specify personal settings to control the shared directory in SpIDer Guard for SMB settings as a separate section [SMBSpider.Share.<share_name>].

To add a new section with the tag <share_name> using the Dr.Web Ctl command-line tool, use the command drweb-ctl cfset SmbSpider.Share.<share_name>.<parameter> <value>.

Example:

# drweb-ctl cfset SmbSpider.Share.DepartFiles.OnAdware Quarantine

This command adds the additional section [SMBSpider.Share.DepartFiles] to the configuration file. The section contains all parameters for the shared directory; every parameter except OnAdware, which is set by the command, takes the value of the corresponding parameter in the common [SMBSpider] section.

After all settings are adjusted, restart both Samba and SpIDer Guard for SMB. It is recommended to restart SpIDer Guard for SMB by restarting the suite Dr.Web for UNIX File Servers. For that, restart the configuration daemon Dr.Web ConfigD.
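A check that can be run before the restart, given here as an added example that is not one of the scripts shipped with the product: it lists the shares in smb.conf that are not monitored because their vfs objects line does not name smb_spider (step 2), and verifies that the smb_spider.so symbolic link from step 1 resolves to an existing libsmb_spider.so.<ver> file. The function names are hypothetical; the script assumes every section except [global] is a share and does not follow include directives.

```shell
#!/bin/sh
# Added example, not part of the Dr.Web distribution.

# unprotected_shares CONF
# Print the name of every share section in CONF whose "vfs objects"
# parameter does not list smb_spider, i.e. a share left unmonitored.
unprotected_shares() {
    awk '
        function report() { if (share != "" && !guarded) print share }
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[.*\]/ {                       # section header
            report()
            share = $0
            sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            if (tolower(share) == "global") share = ""   # not a share
            guarded = 0
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            # Samba ignores case and whitespace in parameter names;
            # "vfs object" is a synonym of "vfs objects".
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)
            if (key != "vfsobjects" && key != "vfsobject") next
            n = split(substr($0, eq + 1), mods, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (mods[i] == "smb_spider") guarded = 1
        }
        END { report() }
    ' "$1"
}

# vfs_link_ok VFS_DIR
# Succeed only if VFS_DIR/smb_spider.so is a symbolic link whose target
# exists and is named libsmb_spider.so.<ver>.
vfs_link_ok() {
    link="$1/smb_spider.so"
    [ -L "$link" ] && [ -f "$link" ] || return 1
    case "$(basename "$(readlink "$link")")" in
        libsmb_spider.so.*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Typical use with the default Linux paths named above: `unprotected_shares /etc/samba/smb.conf` and `vfs_link_ok /usr/lib/samba/vfs`.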

To avoid conflicts between SpIDer Guard for SMB and SpIDer Guard, which may occur when scanning files in shared Samba directories, it is recommended to additionally configure SpIDer Guard by performing one of the following:

add shared Samba directories to the exclusion scope (specify these directories in ExcludedPath parameter)

add the Samba process (smbd) to the list of ignored processes (specify smbd in ExcludedProc parameter).

 

Scripts to support integration

For convenient integration of Dr.Web for UNIX File Servers with the Samba file server, the product is supplied with special setup scripts. They are located in the product directory (Linux default directory is /opt/drweb.com), in the share/drweb-smbspider-modules subdirectory:

| Script file | Function |
|---|---|
| drweb_smbspider_configure.sh | Interactive script that allows to change Samba configuration file smb.conf in the dialog window (the script adds shared directories described in the file to monitoring). |
| update-links.sh | The script that adds/updates the link to module VFS SMB Dr.Web in the Samba directory. |
| vfs-versions.sh | Auxiliary script that determines the version of module VFS SMB Dr.Web; used by the script update-links.sh |

The update-links.sh script runs automatically once Dr.Web for UNIX File Servers is installed. If required, you can run it manually. The drweb_smbspider_configure.sh script runs automatically only if you install the product from the universal package; it is recommended to run it after the product has been installed from the Dr.Web repository. It can be run several times, whenever it is necessary to enable or disable monitoring of certain directories. The script saves the original (unmodified) copy of the Samba configuration file smb.conf by adding the .drwebsave extension to its name.