Integration with Samba File Server


The SpIDer Guard for SMB monitor uses a special VFS SMB module for integration with the Samba server. Several versions of this module are supplied with SpIDer Guard for SMB, built for various versions of Samba. However, the supplied versions of the VFS SMB module may be incompatible with the version of Samba installed on your file server. This may occur, for example, if your Samba server uses the CLUSTER_SUPPORT option.

If the VFS SMB modules are incompatible with your Samba server, a corresponding message is shown during the product installation. In this case, build the VFS SMB module for your Samba server manually (including compatibility with the CLUSTER_SUPPORT option if necessary).

The procedure of building the VFS SMB module from the supplied source code files is described in the Building the VFS SMB Module section.

Steps for integration with Samba

To integrate SpIDer Guard for SMB with the Samba file server, do the following:

1. In the directory from which Samba loads its VFS SMB modules (the default directory in Linux is /usr/lib/samba/vfs), create a symbolic link smb_spider.so that points to the Dr.Web-supplied VFS SMB module that corresponds to your version of Samba.

The VFS SMB modules that are supplied by Dr.Web reside in the following library directory:

<opt_dir>/lib/samba – for the 32-bit platform.

<opt_dir>/lib64/samba – for the 64-bit platform.

The modules have file names that look as follows: libsmb_spider.so.<ver>, where <ver> is the version of the Samba server for which the module is intended.

For instance: /opt/drweb.com/lib/samba/libsmb_spider.so.3.6.0 is a VFS SMB module for the Samba server version 3.6.0 that runs on a 32-bit platform in the Linux environment.

2. In the configuration file of the Samba server—smb.conf (the default location in Linux is /etc/samba)—create sections for the shared directories. Such a section should look like:

[<share_name>]
comment = <any comment>
path = <path to the protected directory>
vfs objects = smb_spider
writeable = yes
browseable = yes
guest ok = yes
public = yes

where <share_name> is any name for the shared resource and <any comment> is an arbitrary line with a comment (optional). The object name specified in vfs objects must be the same as the name of the symbolic link (here smb_spider).

After that, this directory will be monitored by SpIDer Guard for SMB. Interaction between SpIDer Guard for SMB and the VFS SMB module will be performed via a UNIX socket /<samba chroot path>/var/run/.com.drweb.smb_spider_vfs. By default, the path to this UNIX socket is specified in the SpIDer Guard for SMB settings and in the settings of the VFS SMB module.

3. If you need to change the path to the socket, specify the new path both in the settings of SpIDer Guard for SMB (the SmbSocketPath parameter) and in the configuration file of Samba—smb.conf. To do so, add the following line to the [<share name>] section:

smb_spider:socket = <path to socket>

where <path to socket> must be an absolute path to the UNIX socket, relative to the root directory that was set for the Samba server by using chroot (<samba chroot path>).

4. If required, you can use the ExcludedPath and IncludedPath parameters to exclude paths to objects located in the protected shared directories from SpIDer Guard for SMB checks or to include them in those checks. You can specify paths to directories or paths to files. If you specify a directory, all content of the directory is skipped or scanned. Note that the IncludedPath parameter takes precedence over the ExcludedPath parameter, that is, if the same object (file or directory) is included in both parameter values, this object will be checked.

5. If you need to specify personal scanning settings for this shared directory (different from the default settings used for all shared directories), create a tag identifier for the VFS SMB module that controls this directory:

smb_spider:tag = <share name>

Then specify personal settings for the protection of this shared directory in SpIDer Guard for SMB settings as a separate section [SMBSpider.Share.<share name>].

To add a new section identified by a <share name> tag with the Dr.Web Ctl command-line tool, use the following command: drweb-ctl cfset SmbSpider.Share.<share name>.<parameter> <value>, for example:

# drweb-ctl cfset SmbSpider.Share.BuhFiles.OnAdware Quarantine

This command adds the [SMBSpider.Share.BuhFiles] section to the configuration file. The added section contains all the available parameters that adjust the scanning of this shared directory. The values of all parameters, except the OnAdware parameter specified in the command, coincide with the parameter values from the general [SMBSpider] section.

6. Enable SpIDer Guard for SMB by setting the Start value to Yes.

After all settings are adjusted, restart Dr.Web for UNIX File Servers (use the command drweb-ctl reload). You can also restart the configuration daemon Dr.Web ConfigD (use the service drweb-configd restart command).
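The following shell functions are an added example, not part of the Dr.Web documentation or product. They check the result of steps 1 and 2: which shares in smb.conf do not load smb_spider (a vfs objects line in [global] is treated as the default for shares that set none), and which libsmb_spider.so.<ver> the smb_spider.so link resolves to. The function names, the sample smb.conf and the temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Dr.Web code: checks for steps 1 and 2 above.
# List shares in smb.conf ($1) that do not load the VFS object ($2).
unprotected_shares() {
    awk -v obj="${2:-smb_spider}" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                     # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            if (!(sec in set)) { order[++n] = sec; set[sec] = 0 }
            next
        }
        sec != "" && index($0, "=") {
            eq = index($0, "=")
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)                   # whitespace in names is ignored
            if (key !~ /^vfsobjects?$/) next
            set[sec] = 1; has[sec] = 0               # last assignment wins
            m = split(substr($0, eq + 1), mods, /[ \t,]+/)
            for (i = 1; i <= m; i++) if (mods[i] == obj) has[sec] = 1
        }
        END {
            for (s in set) if (tolower(s) == "global") ghas = has[s]
            for (i = 1; i <= n; i++) {
                s = order[i]                         # [global] value is the default
                if (tolower(s) != "global" && !(set[s] ? has[s] : ghas)) print s
            }
        }
    ' "$1"
}

# Print <ver> of the libsmb_spider.so.<ver> that smb_spider.so in $1 links to.
linked_module_version() {
    [ -L "$1/smb_spider.so" ] && [ -e "$1/smb_spider.so" ] || return 1
    base=$(readlink "$1/smb_spider.so"); base=${base##*/}
    case "$base" in
        libsmb_spider.so.?*) printf '%s\n' "${base#libsmb_spider.so.}" ;;
        *) return 1 ;;
    esac
}

# Constructed sample: two shares, only [docs] loads smb_spider.
demo=$(mktemp -d)
printf '%s\n' '[global]' 'workgroup = EXAMPLE' '[docs]' 'path = /srv/docs' \
    'vfs objects = smb_spider' '[scratch]' 'path = /srv/scratch' > "$demo/smb.conf"
: > "$demo/libsmb_spider.so.3.6.0"
ln -s "$demo/libsmb_spider.so.3.6.0" "$demo/smb_spider.so"
echo "unprotected shares: $(unprotected_shares "$demo/smb.conf")"
echo "linked module version: $(linked_module_version "$demo")"
rm -rf "$demo"
```

On a real server, pass the path to your smb.conf and the Samba VFS directory, and compare the printed version with the output of smbd --version.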

To avoid conflicts between SpIDer Guard for SMB and SpIDer Guard, which may occur in the process of scanning the files located in the shared directories of Samba, it is recommended that you additionally configure SpIDer Guard by performing one of the following actions:

add Samba shared directories to the exclusion scope (specify these directories in the ExcludedPath parameter);

add the Samba process (smbd) to the list of ignored processes (specify smbd in the ExcludedProc parameter).


Scripts to Support Integration

To simplify integration of SpIDer Guard for SMB with the Samba file server, Dr.Web for UNIX File Servers is supplied with special shell scripts that set up the integration. They are located in <opt_dir>/share/drweb-smbspider-modules:

Script file: Function

drweb_smbspider_configure.sh: The script that allows you to modify the Samba configuration file—smb.conf—via a dialog window (the script sets up monitoring and protection for the shared directories described in the Samba configuration file).

update-links.sh: The script that creates/updates a link to the Dr.Web VFS SMB module in the Samba directory.

vfs-versions.sh: Auxiliary script that determines the version of a Dr.Web VFS SMB module; it is used by the update-links.sh script.

The update-links.sh shell script runs automatically when the product is installed. If required, you can also run it manually afterwards. The drweb_smbspider_configure.sh script runs automatically if Dr.Web for UNIX File Servers is installed from a universal package; it is recommended that you run this script manually after installing the Dr.Web for UNIX File Servers product if you installed the product from a repository, or if you declined the offer to run the script during the installation. You can run this script repeatedly whenever you need to enable or disable monitoring of certain shared directories. The script also saves the original (unmodified) copy of the Samba smb.conf, adding a .drwebsave extension to its name.