Integration with Samba File Server |
•Steps for Integration with Samba
Steps for Integration with Samba To integrate SpIDer Guard for SMB with the Samba file server, do the following: 1.In the directory from which Samba loads its VFS SMB modules (the default directory in GNU/Linux is /usr/lib/samba/vfs), create a symbolic link smb_spider.so that points to the Dr.Web-supplied VFS SMB module that corresponds to your version of Samba. The VFS SMB modules supplied by Dr.Web are stored in the directory with libraries <opt_dir>/lib/<architecture>-linux-gnu/samba/vfs (in Debian, Ubuntu, Mint) or <opt_dir>/lib64/samba/. The modules have file names that look as follows: libsmb_spider.so.<ver>, where <ver> is the version of the Samba server for which the module is intended. For instance: /opt/drweb.com/lib/x86_64-linux-gnu/samba/libsmb_spider.so.4.13.0 is a VFS SMB module for the Samba server version 4.13.0 that runs in the GNU/Linux environment, x86_64 architecture. 2.In the configuration file of the Samba server—smb.conf (the default location in GNU/Linux is /etc/samba)—create sections for the shared directories. Such a section should look like:
where the <share name> is any name for the shared resource and <any comment> is an arbitrary line with a comment (optional). The object's name specified in vfs objects must be similar to the symbolic link (here smb_spider). After that, this directory, specified in path parameter, will be monitored by SpIDer Guard for SMB. Interaction between SpIDer Guard for SMB and the VFS SMB module will be performed via a UNIX socket /<samba chroot path>/var/run/.com.drweb.smb_spider_vfs. By default, the path to this UNIX socket is specified in the SpIDer Guard for SMB settings and in VFS SMB module settings. You can connect SpIDer Guard for SMB to customized in Samba server configuration file using the drweb-configure configuration tool (see below). 3.If you need to change the path to the socket, specify the new path both in the settings of SpIDer Guard for SMB (the SmbSocketPath parameter) and in the configuration file of Samba—smb.conf. For that, add the following line to the [<share name>] section:
where <path to socket> must be an absolute path to the UNIX socket, relative to the root directory that was set for the Samba server by using chroot (<samba chroot path>). 4.If required, you can use ExcludedPath and IncludedPath parameters to exclude paths to objects located in the protected shared directories or to include them in SpIDer Guard for SMB checks. You can specify paths to directories or paths to files. If you specify a directory, all content of the directory is skipped or scanned.
5.If you need to specify personal scanning settings for this shared directory (different from the default settings used for all shared directories), create a tag identifier for the VFS SMB module that controls this directory:
Then specify personal settings for the protection of this shared directory in SpIDer Guard for SMB settings as a separate section [SMBSpider.Share.<share name>]. To add a new section identified by a <share name> tag with the help of the Dr.Web Ctl command-line tool, it is necessary to use the following command: drweb-ctl cfset SmbSpider.Share.<share name>.<parameter> <value>, for example:
This command adds the [SMBSpider.Share.BuhFiles] section into the configuration file. This added section will contain all the available parameters adjusting the scanning of this shared directory, at that, values for all parameters, except the OnAdware parameter specified in the command, will coincide with parameter values from the general [SMBSpider] section. 6.Enable SpIDer Guard for SMB by setting the Start value to Yes. After all settings are adjusted, restart both Dr.Web for UNIX File Servers and the Samba server, use the command:
You can also restart the configuration daemon Dr.Web ConfigD, use the command:
For ease of integration SpIDer Guard for SMB with Samba shared directories (connecting and disconnecting them) customized in file server configuration file, a special tool drweb-configure was designed. To configure SpIDer Guard for SMB connection to or from a shared directory, use the command:
You can specify the following parameters: •+<Samba resource>—name of Samba shared resource (as it is specified in smb.conf configuration file), which should be added to SpIDer Guard for SMB protection; •-<Samba resource>—name of Samba shared resource (as it is specified in smb.conf configuration file), which should be excluded from SpIDer Guard for SMB protection; •+/all—adds to SpIDer Guard for SMB protection all shared Samba resources, specified in smb.conf configuration file; •-/all—excludes from SpIDer Guard for SMB protection all shared Samba resources, specified in smb.conf configuration file; •add_symlink—create a symbolic link smb_spider.so pointing to the VFS SMB Dr.Web module (the path to the source file may differ depending on the version of Samba being used); •remove_symlink—remove the symbolic link smb_spider.so; •<configuration file>—path to the Samba server configuration file (smb.conf), which should be processed. If this argument is skipped, drweb-configure tool will attempt to locate the actual smb.conf file.
|