In this section
•Steps for Integration with Samba
|
The SpIDer Guard for SMB monitor uses a special VFS SMB module for the integration with the Samba server. With SpIDer Guard for SMB, several versions of this module are supplied. They are built for various versions of Samba. However, the supplied versions of the VFS SMB module may be incompatible with the version of Samba installed on your file server. It may occur, for example, if your Samba server uses the CLUSTER_SUPPORT option. If VFS SMB modules are incompatible with your Samba server, the corresponding message is shown during the Dr.Web for UNIX File Servers installation. In this case, build the VFS SMB module for your Samba server manually (including the compatibility with the CLUSTER_SUPPORT option if necessary). The procedure of building the VFS SMB module from the supplied source code files is described in the Building the VFS SMB Module section. |
Steps for Integration with Samba
To integrate SpIDer Guard for SMB with the Samba file server, do the following:
1.In the directory from which Samba loads its VFS SMB modules (the default directory in GNU/Linux is /usr/lib/samba/vfs), create a symbolic link smb_spider.so that points to the Dr.Web-supplied VFS SMB module that corresponds to your version of Samba.
The VFS SMB modules supplied by Dr.Web are stored in the directory with libraries <opt_dir>/lib/<architecture>-linux-gnu/samba/vfs (in Debian, Ubuntu, Mint) or <opt_dir>/lib64/samba/.
The modules have file names that look as follows: libsmb_spider.so.<ver>, where <ver> is the version of the Samba server for which the module is intended.
For instance: /opt/drweb.com/lib/x86_64-linux-gnu/samba/libsmb_spider.so.4.13.0 is a VFS SMB module for the Samba server version 4.13.0 that runs in the GNU/Linux environment, x86_64 architecture.
2.In the configuration file of the Samba server—smb.conf (the default location in GNU/Linux is /etc/samba)—create sections for the shared directories. Such a section should look like:
[<share name>] |
where the <share name> is any name for the shared resource and <any comment> is an arbitrary line with a comment (optional). The object's name specified in vfs objects must be similar to the symbolic link (here smb_spider).
After that, this directory, specified in path parameter, will be monitored by SpIDer Guard for SMB. Interaction between SpIDer Guard for SMB and the VFS SMB module will be performed via a UNIX socket /<samba chroot path>/var/run/.com.drweb.smb_spider_vfs. By default, the path to this UNIX socket is specified in the SpIDer Guard for SMB settings and in VFS SMB module settings.
You can connect SpIDer Guard for SMB to customized in Samba server configuration file using the drweb-configure configuration tool (see below).
3.If you need to change the path to the socket, specify the new path both in the settings of SpIDer Guard for SMB (the SmbSocketPath parameter) and in the configuration file of Samba—smb.conf. For that, add the following line to the [<share name>] section:
smb_spider:socket = <path to socket> |
where <path to socket> must be an absolute path to the UNIX socket, relative to the root directory that was set for the Samba server by using chroot (<samba chroot path>).
4.If required, you can use ExcludedPath and IncludedPath parameters to exclude paths to objects located in the protected shared directories or to include them in SpIDer Guard for SMB checks. You can specify paths to directories or paths to files. If you specify a directory, all content of the directory is skipped or scanned.
|
The IncludedPath parameter takes precedence over the ExcludedPath parameter, that is, if the same object (file or directory) is included in both parameter values, this object will be checked. |
5.If you need to specify personal scanning settings for this shared directory (different from the default settings used for all shared directories), create a tag identifier for the VFS SMB module that controls this directory:
smb_spider:tag = <share name> |
Then specify personal settings for the protection of this shared directory in SpIDer Guard for SMB settings as a separate section [SMBSpider.Share.<share name>].
To add a new section identified by a <share name> tag with the help of the Dr.Web Ctl command-line tool, it is necessary to use the following command: drweb-ctl cfset SmbSpider.Share.<share name>.<parameter> <value>, for example:
# drweb-ctl cfset SmbSpider.Share.UserFiles.OnAdware Quarantine |
This command adds the [SMBSpider.Share.BuhFiles] section into the configuration file. This added section will contain all the available parameters adjusting the scanning of this shared directory, at that, values for all parameters, except the OnAdware parameter specified in the command, will coincide with parameter values from the general [SMBSpider] section.
6.Enable SpIDer Guard for SMB by setting the Start value to Yes.
After all settings are adjusted, restart both Dr.Web for UNIX File Servers and the Samba server, use the command:
# drweb-ctl reload |
You can also restart the configuration daemon Dr.Web ConfigD, use the command:
# service drweb-configd restart |
|
To avoid conflicts between SpIDer Guard for SMB and SpIDer Guard, which may occur in the process of scanning the files located in the shared directories of Samba, it is recommended that you additionally configure SpIDer Guard by performing one of the following actions: •add Samba shared directories to the exclusion scope (specify these directories in the ExcludedPath parameter); •add the Samba process (smbd) to the list of ignored processes (specify smbd in the ExcludedProc parameter). |
For ease of integration SpIDer Guard for SMB with Samba shared directories (connecting and disconnecting them) customized in file server configuration file, a special tool drweb-configure was designed. To configure SpIDer Guard for SMB connection to or from a shared directory, use the command:
# drweb-configure samba [<parameters>] |
You can specify the following parameters:
•+<Samba resource>—name of Samba shared resource (as it is specified in smb.conf configuration file), which should be added to SpIDer Guard for SMB protection;
•-<Samba resource>—name of Samba shared resource (as it is specified in smb.conf configuration file), which should be excluded from SpIDer Guard for SMB protection;
•+/all—adds to SpIDer Guard for SMB protection all shared Samba resources, specified in smb.conf configuration file;
•-/all—excludes from SpIDer Guard for SMB protection all shared Samba resources, specified in smb.conf configuration file;
•add_symlink—create a symbolic link smb_spider.so pointing to the VFS SMB Dr.Web module (the path to the source file may differ depending on the version of Samba being used);
•remove_symlink—remove the symbolic link smb_spider.so;
•<configuration file>—path to the Samba server configuration file (smb.conf), which should be processed. If this argument is skipped, drweb-configure tool will attempt to locate the actual smb.conf file.
|
To access help documentation on integrating SpIDer Guard for SMB with Samba shared directories, use the command:
|