Integration with Samba File Server

In this section

Steps for Integration with Samba

Configuration Tool

The SpIDer Guard for SMB monitor uses a custom VFS SMB module to integrate with Samba. Several versions of the VFS SMB module built for different versions of Samba are supplied with the SpIDer Guard for SMB component; however, they may be incompatible with the version of Samba installed on your file server, for example, if your Samba server uses the CLUSTER_SUPPORT option.

If VFS SMB modules are incompatible with your Samba server, the corresponding message is shown during the Dr.Web Server Security Suite installation. In this case, build the VFS SMB module for your Samba server manually (with the CLUSTER_SUPPORT option if necessary).

The procedure of building the VFS SMB module from source code is described in the Building the VFS SMB Module section.

Steps for Integration with Samba

To integrate SpIDer Guard for SMB with the Samba file server, do the following:

1. In the directory from which Samba loads its VFS modules (the default directory in GNU/Linux is /usr/lib/<architecture>-linux-gnu/samba/), create the smb_spider.so symbolic link that points to the Doctor Web-supplied VFS SMB module that corresponds to your version of the Samba server.

The VFS SMB modules supplied by the Doctor Web company are stored in the directory with libraries /opt/drweb.com/lib/<architecture>-linux-gnu/samba/ (in Debian, Ubuntu, Mint) or /opt/drweb.com/lib64/samba/.

The module files are named as follows: libsmb_spider.so.<ver>, where <ver> is the version of the Samba server for which the module is intended.

For example, /opt/drweb.com/lib/x86_64-linux-gnu/samba/libsmb_spider.so.4.13.0 is a VFS SMB module for the Samba server version 4.13.0 for GNU/Linux, x86_64 architecture.

2. Create sections for shared directories in the smb.conf configuration file of the Samba server (by default, stored on GNU/Linux in the /etc/samba directory). Each such section should look as follows:

[<resource name>]
comment = <comment>
path = <path to the protected directory>
vfs objects = smb_spider
writeable = yes
browseable = yes
guest ok = yes
public = yes

where <resource name> is any name of the shared resource, and <comment> is an arbitrary string with a comment (optional). The object name specified in the vfs objects parameter must match the file name of the symbolic link (in this case, smb_spider).

After that, the directory specified in the path parameter will be monitored by the SpIDer Guard for SMB monitor. SpIDer Guard for SMB and the VFS SMB module will interact via the UNIX socket /<samba chroot path>/var/run/.com.drweb.smb_spider_vfs. By default, the path to this UNIX socket is specified in the SpIDer Guard for SMB settings and in the VFS SMB module settings.

You can connect SpIDer Guard for SMB to the shared directories customized in the Samba server configuration file using the drweb-configure configuration tool (see below).

3. If you need to change the path to the socket, specify the new path both in the settings of SpIDer Guard for SMB (the SmbSocketPath parameter) and in the smb.conf Samba configuration file. For that, add the following line to the [<resource name>] section:

smb_spider:socket = <path to a public socket>

where <path to a public socket> must be an absolute path to the UNIX socket, relative to the root directory that was set for the Samba server by using chroot (<samba chroot path>).

4. If required, you can exclude objects in protected shared directories (both directories and separate files can be excluded). For that, specify paths to these objects in the ExcludedPath parameter. Specify paths to the objects that must be scanned in the IncludedPath parameter.

The IncludedPath parameter takes precedence over the ExcludedPath parameter, that is, if the same file or directory is included in both parameter values, this object will be scanned.

5. If you need to specify custom scanning settings for this shared directory different from default settings (for all modules), create a tag identifier for the VFS SMB module that controls this directory:

smb_spider:tag = <resource name>

Then specify custom settings for controlling this shared directory in the SpIDer Guard for SMB settings as a separate section [SMBSpider.Share.<resource name>].

To add a new parameter section identified by the <resource name> tag with the help of the Dr.Web Ctl command-line tool, use the following command: drweb-ctl cfset SmbSpider.Share.<resource name>.<parameter> <value>, for example:

# drweb-ctl cfset SmbSpider.Share.AccountingFiles.OnAdware Quarantine

This command adds the [SMBSpider.Share.AccountingFiles] section into the configuration file. This section will contain all parameters for scanning the directory; the values of all parameters except OnAdware, which is specified in the command, will coincide with the parameter values from the general [SMBSpider] section.

6. Enable SpIDer Guard for SMB by setting the Start parameter value to Yes.

After the settings are adjusted, restart the Samba server and also reload the Dr.Web Server Security Suite configuration using the command:

# drweb-ctl reload

You can also restart Dr.Web Server Security Suite by restarting the Dr.Web ConfigD configuration management daemon using the command:

# service drweb-configd restart

To avoid potential conflicts between SpIDer Guard for SMB and SpIDer Guard, which may occur in the process of scanning files in Samba shared directories, it is recommended that you additionally configure SpIDer Guard by performing one of the following actions:

exclude the Samba shared directories (specify them in the ExcludedPath parameter);

add the Samba process (smbd) to the list of ignored processes (specify smbd in the ExcludedProc parameter).
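
The following check is an added example, not part of the Dr.Web documentation or tools. It audits the result of steps 1 and 2: it lists the smb.conf sections whose effective vfs objects value does not load smb_spider, and verifies that the smb_spider.so symbolic link resolves to an existing file. The function names and the sample share paths are hypothetical; the parser assumes no include directives and no backslash line continuations.

```shell
#!/bin/sh
# Added example. Prints each smb.conf section whose effective "vfs objects"
# lacks smb_spider. A share with no "vfs objects" line inherits the [global]
# value; a share that sets its own list replaces it. Every non-[global]
# section is checked, including [homes] and [printers].
# Assumptions: no "include =" files and no backslash line continuations.
unprotected_shares() {
    awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments, blank lines
    /^[ \t]*\[/ {                                    # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        if (tolower(sec) != "global" && !(sec in seen)) {
            seen[sec] = 1; order[++n] = sec
        }
        next
    }
    {   # Samba ignores case and spaces in parameter names
        eq = index($0, "="); if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        if (key != "vfsobjects" && key != "vfsobject") next
        v = " " substr($0, eq + 1) " "; gsub(/[ \t,]+/, " ", v)
        if (tolower(sec) == "global") gval = v; else val[sec] = v
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]; eff = (s in val) ? val[s] : gval
            if (index(eff, " smb_spider ") == 0) print s
        }
    }' "$1"
}

# Succeed only if <dir>/smb_spider.so is a symlink whose target exists.
vfs_link_ok() {
    [ -L "$1/smb_spider.so" ] && [ -e "$1/smb_spider.so" ]
}

# Constructed sample: one protected share and one that was missed.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[AccountingFiles]
path = /srv/accounting
vfs objects = smb_spider
[Scratch]
path = /srv/scratch
EOF
demo_out=$(unprotected_shares "$demo_conf")
rm -f "$demo_conf"
echo "Not monitored by SpIDer Guard for SMB: $demo_out"
```

On a live server, pass the path of the actual smb.conf to unprotected_shares and the directory from which Samba loads its VFS modules to vfs_link_ok.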

Configuration Tool

For ease of integration of SpIDer Guard for SMB with shared directories (connecting and disconnecting them) customized in the Samba file server configuration file, a custom tool named drweb-configure was designed. To configure the way SpIDer Guard for SMB connects to or disconnects from existing shared directories, run the command:

# drweb-configure samba [<parameters>]

You can specify the following parameters:

+<Samba resource>—name of Samba shared resource (as it is specified in the smb.conf configuration file) to be protected by SpIDer Guard for SMB;

-<Samba resource>—name of Samba shared resource (as it is specified in the smb.conf configuration file) to be excluded from SpIDer Guard for SMB protection;

+/all—protect all shared Samba resources specified in the smb.conf configuration file by SpIDer Guard for SMB;

-/all—exclude all shared Samba resources specified in the smb.conf configuration file from SpIDer Guard for SMB protection;

add_symlink—create the smb_spider.so symbolic link pointing to the VFS SMB Dr.Web module (the path to the source file may differ depending on the version of Samba being used);

remove_symlink—remove the smb_spider.so symbolic link;

<configuration file>—path to the Samba file server configuration file (smb.conf) to be processed. If this argument is skipped, the drweb-configure tool will attempt to locate the relevant smb.conf file.

To access help documentation on integrating Samba shared directories in SpIDer Guard for SMB, run the command:

$ drweb-configure --help samba