Channel: Symantec Connect - Products - Articles

Data Loss Prevention DLP and Scanning via SSH and using SSHFS


Hello DLP Users..

I wanted to share some information on how to get DLP to Scan using SSH.

I had a customer who wanted to scan their file server (EMC Isilon), but NOT all of the file system was accessible via NFS or CIFS shares. They were able to provide me with a ROOT account that I could use to SSH directly to the file server.

So I set out to find a way to mount a file system using SSH as the protocol.

This led me to SSHFS!

SSHFS is a filesystem based on the SSH File Transfer Protocol (SFTP). On the remote side (the Discover target) only an SSH server is needed, and since most SSH servers already support SFTP there is nothing else to do there. On the client side (the Discover Server) we need to install the fuse and sshfs packages to mount the remote filesystem.

Features of SSHFS:
Based on FUSE (Best userspace filesystem framework for linux)
Multithreading: more than one request can be on its way to the server
Allowing large reads (max 64k)
Caching directory contents

**** First of all Scanning using SSH is NOT supported by Symantec and has NOT been certified or tested at all. So please make sure that you have strong Linux knowledge if you move forward with this at your own risk. ****

Also keep in mind that some of these steps will require you to edit existing configuration files and installation of Linux Packages in order for it to work.

You will need to be using a LINUX Discover Server to get this to really work.

INSTALL the SSHFS program

1. Download and install the SSHFS program (You will need the EPEL Repository to find it). It should download the fuse package as part of the dependencies.

yum install fuse-sshfs

2. Create the mount directory for testing.

mkdir /mnt/test
chmod 777 /mnt/test

3. Test-mount the directory. Accept the host key fingerprint when prompted, then type the password.

YOU WILL NEED TO DO THIS FOR EACH DIFFERENT server you plan to connect to from this Discover Server; the prompt stores the server's host key in the known_hosts file of the account you run it as.

sshfs root@remote.example.com:/home/remoteuser /mnt/test

The authenticity of host 'remote.example.com (192.168.1.12)' can't be established.
RSA key fingerprint is 77:85:9e:ff:de:2a:ef:49:68:09:9b:dc:f0:f3:09:07.
Are you sure you want to continue connecting (yes/no)? yes
root@remote.example.com's password:

4. Test the mount

# mount

/dev/mapper/vg_svr1-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
root@remote.example.com:/home/remoteuser on /mnt/test type fuse.sshfs (rw,nosuid,nodev)

5. Navigate and test the share by opening a file and then unmount it.

# cd /mnt/test
# ls
# cat file.txt
# umount /mnt/test

Create a NEW filesystem Category for SSHFS and Scripts

1. Edit the /etc/sudoers file to allow the protect user to run the sshfs command without a password (verify the path with 'which sshfs')

# Vontu service user
Defaults:protect !requiretty
protect ALL= NOPASSWD: /bin/mount, /bin/umount, /usr/bin/sshfs, /bin/sshfs

2. Edit the SharePointMapper.properties file. (/opt/SymantecDLP/Protect/config)

You will need to type these lines manually, or copy and edit the existing settings.

If a mounter2 entry already exists from an earlier addition, use the next free index (mounter3) in both the mounterX.uri and mounterX.prefix lines.

Add the following lines to the bottom:

#Linux implementation of SSHFS
mounter2.uri=sshfs
mounter2.prefix=SSHFS

#General
SSHFS.ResponseExpected=No valid response
SSHFS.scriptName=sshfs.sh
SSHFS.Success=status:0
SSHFS.ScriptExecutionTimeout=60000

# SSHFS- Linux
SSHFS.AccessDenied=denied
SSHFS.ShareNotFound=Permission denied|can't get address for|No such file or directory
SSHFS.ShareExists=mountpoint is not empty
SSHFS.MultipleConnections=mountpoint is not empty
SSHFS.SyntaxError=Usage:|fuse:
SSHFS.ServerNotFound=failed|Connection reset by peer
SSHFS.AccountLockedOut=denied
SSHFS.NoLogonServers=Not Applicable
SSHFS.RequireLogin=Not Applicable

#Unmount
SSHFS.MountRemoved=umounted
SSHFS.MountDoesNotExist=not mounted
SSHFS.MountDependencyExists=open files|target is busy
SSHFS.unmountScriptName=sshfsu.sh
SSHFS.umountSuccess=status:0

3. Create the mount and unmount scripts for SSHFS by copying the NFS scripts (do this as the protect user, so the copies keep the right ownership and execute permissions).

#su - protect
#cd /opt/SymantecDLP/Protect/bin
#cp nfs.sh sshfs.sh
#cp nfsu.sh sshfsu.sh
#chown protect:protect sshfs.sh
#chown protect:protect sshfsu.sh

4. Edit the sshfsu.sh file and make it look like the following (add the sleep, and capture the umount exit status before it so that status: reports the umount result rather than the sleep's):

sudo umount -v "$1"
rc=$?
sleep 20
echo status:$rc

5. Edit the sshfs.sh file to look like the following:

#!/bin/bash
#
# sshfs.sh - mount a share using sshfs on a Linux system
#
# $1 = <mount point>
# $2 = <share path>
# $3 = <user name>
# $4 = <password>
#
# usage: sshfs.sh <mount point> <share path> <user name> <password>
#
#       <mount point>: The point where the file system is mounted. Ex: /mnt/vontu
#
#       <share path>: The path to mount in the following format:
#                     "//<host.domain.com>/dir1/dir2"  (can be surrounded by single or double quotes)
#
# Author: Ronak Patel

#Format the share path to be suitable for the mount command:
#  "//host.domain.com/dir1/dir2" -> host.domain.com:/dir1/dir2
share_path=$(echo "$2" | sed -e 's/\([^\/]*\)\/\/\([^\/]*\)\([^"'"'"']*\).*/\2:\3/')

#Format the username to be suitable for the mount command (remove quotes).
user="${3%\"}"
user="${user#\"}"

#Format the password to be suitable for the mount command (remove quotes).
password="${4%\"}"
password="${password#\"}"


#Then mount!
#sleep commands are to make sure the system has time to mount
sleep 10
echo "$password" | sudo sshfs -o allow_other -o async_read -o password_stdin -o ro "$user@$share_path" "$1"
#capture the sshfs exit status before sleeping, otherwise $? would report the sleep
rc=$?
sleep 10
echo status:$rc

6. Restart the VontuMonitor service on the Discover Servers

7. Create the Discover Target

When creating your Discover Target make sure to use the following structure so it recognizes which mount script to use.

Watch the backslashes!

sshfs:\\server.company.com\ifs\home\local data\

sshfs:\\10.0.0.1\ifs\home\local data
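As an added example (not part of the original article and not Symantec's code), here is a variant of the two mount scripts above that keeps the same $1..$4 calling convention but records the sshfs and umount exit status before the sleep, so that "status:N" reflects the mount rather than the sleep; replaces the sed expression with a small share-path converter that also accepts the backslash form of the Discover Target URI shown above (assuming both spell the same host and path); and authenticates with an SSH key plus a pinned known_hosts file instead of piping the password to stdin. The key and known_hosts paths are assumptions; set SSHFS_KEY and SSHFS_KNOWN_HOSTS to match your server.

```bash
#!/bin/bash
# Added example: a key-based variant of sshfs.sh / sshfsu.sh. Not part of the
# original article or the Symantec DLP product. The two paths below are
# assumptions; override them in the environment to match your server.
SSHFS_KEY="${SSHFS_KEY:-/opt/SymantecDLP/Protect/.ssh/id_ed25519}"
SSHFS_KNOWN_HOSTS="${SSHFS_KNOWN_HOSTS:-/opt/SymantecDLP/Protect/.ssh/known_hosts}"

# Strip one layer of surrounding single or double quotes from an argument.
unquote() {
    local s="$1"
    s="${s#\"}"; s="${s%\"}"
    s="${s#\'}"; s="${s%\'}"
    printf '%s' "$s"
}

# Convert a Discover Target URI of the form sshfs:\\host\dir1\dir2 into the
# //host/dir1/dir2 share-path form that the mount script receives in $2.
# (Assumption: the two spellings denote the same host and path.)
target_to_share() {
    local s="$1"
    case "$s" in
        'sshfs:\\'*) ;;
        *) printf 'not an sshfs target URI: %s\n' "$s" >&2; return 1 ;;
    esac
    printf '%s' "${s#sshfs:}" | tr '\\' '/'
}

# Convert the share path "//host.domain.com/dir1/dir2" (quotes optional) into
# the host.domain.com:/dir1/dir2 form that sshfs expects. Fails on input that
# does not start with //host/ so a malformed target never reaches sshfs.
share_to_sshfs() {
    local p
    p=$(unquote "$1")
    case "$p" in
        //*/*) ;;
        *) printf 'malformed share path: %s\n' "$1" >&2; return 1 ;;
    esac
    p="${p#//}"
    printf '%s:/%s' "${p%%/*}" "${p#*/}"
}

# Mount read-only, readable by other users (the protect user), with the host
# key checked against the pinned known_hosts file. Prints status:N exactly as
# the original script does, where N is the exit status of sshfs itself.
# $1 = mount point, $2 = share path, $3 = user name, $4 = password (unused)
mount_sshfs() {
    local mount_point="$1" remote user rc
    remote=$(share_to_sshfs "$2") || { echo status:1; return 1; }
    user=$(unquote "$3")
    sudo sshfs -o ro -o allow_other -o async_read \
        -o IdentityFile="$SSHFS_KEY" \
        -o UserKnownHostsFile="$SSHFS_KNOWN_HOSTS" \
        -o StrictHostKeyChecking=yes \
        "$user@$remote" "$mount_point"
    rc=$?                 # capture before sleeping; sleep would reset $?
    sleep 10              # give the mount time to settle, as the original does
    echo "status:$rc"
    return "$rc"
}

# Unmount counterpart for sshfsu.sh, with the same status handling.
umount_sshfs() {
    local rc
    sudo umount -v "$1"
    rc=$?
    sleep 20
    echo "status:$rc"
    return "$rc"
}

# Run as a mount script when DLP passes arguments; do nothing when sourced.
if [ "$#" -ge 3 ]; then
    mount_sshfs "$@"
fi
```

Because sshfs runs under sudo, ssh resolves the default known_hosts file for root rather than for the account that did the interactive test in step 3; passing UserKnownHostsFile and StrictHostKeyChecking=yes explicitly makes the host-key pin independent of which account ran that test, and a fingerprint change then fails the mount with a non-zero status instead of silently connecting.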

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Troubleshooting:

  1. Discover Scan Fails: error: Unknown Error
    1. Restart the VontuMonitor service
  2. Discover Scan Fails: error: The content root URI is malformed: sshfs:\\10.0.0.2.10\ifs
    1. Retype the settings in the SharePointMapper.properties file
  3. Discover Scan Fails: error: Unknown Error
    1. Check the permissions on the sshfs files in the bin directory (they should be owned by the protect user and be executable)
  4. Discover scan cannot scan any data
    1. Mount the share manually using the following commands as root
    2. For example, as root and then as the protect user:
       #sshfs -o allow_other -o async_read user@10.253.2.10:/ifs /mnt/test/
       #su - protect
       #cd /mnt/test
       #ls -al
       #cat file.txt
    3. If this fails then you have a permissions issue with how SSHFS mounts the share.
    4. You will then have to adjust the sshfs.sh script to include the following options, or try them manually:
      1. -o uid=XXX
      2. -o gid=XXX
      3. -o umask=XXX
      4. For the UID, try the same one the protect user has by looking at /etc/passwd
      5. For the GID, try the same one the protect user has by looking at /etc/group
       #sshfs -o allow_other -o async_read -o uid=1001 -o gid=10 user@10.253.2.10:/ifs /mnt/test/
       #su - protect
       #cd /mnt/test
       #ls -al
       #cat file.txt
  5. When trying to scan lots of targets consecutively you may see that it will not scan after mounting and unmounting more than 3 shares in 1 Discover Target. I have seen this and am not sure of the issue.
    1. I then created multiple targets of 1-2 shares and spread them out over time.
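The two manual checks above, step 4 ("Test the mount") and troubleshooting item 4 (the uid/gid options), can be scripted so they run the same way every time. This is an added example, not code from the article or from Symantec; both functions take their data as arguments so they can be exercised offline against constructed sample text, and in production you pass them "$(mount)" and "$(cat /etc/passwd)" respectively. The protect user's sample passwd line is constructed, not taken from a real system.

```bash
#!/bin/bash
# Added example (not from the original article): offline-testable versions of
# the "test the mount" step and the uid/gid troubleshooting item.

# Return 0 if MOUNT_OUTPUT (the text printed by `mount`) lists a fuse.sshfs
# filesystem mounted at exactly MOUNT_POINT, 1 otherwise. A share mounted on a
# different filesystem type, or not at all, is reported as absent.
sshfs_mounted_at() {
    local mount_point="$1" mount_output="$2"
    printf '%s\n' "$mount_output" | awk -v mp="$mount_point" '
        $2 == "on" && $3 == mp && $4 == "type" && $5 == "fuse.sshfs" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the "-o uid=N -o gid=N" sshfs options that make the mounted files
# appear owned by USER, taking N from USER's passwd(5) entry in PASSWD_DATA
# (the fourth field is the primary GID, so /etc/group is not needed for it).
# Returns 1 when USER has no entry.
owner_opts_for() {
    local user="$1" passwd_data="$2" entry
    entry=$(printf '%s\n' "$passwd_data" |
        awk -F: -v u="$user" '$1 == u { print $3 ":" $4; exit }')
    if [ -z "$entry" ]; then
        printf 'no passwd entry for %s\n' "$user" >&2
        return 1
    fi
    printf -- '-o uid=%s -o gid=%s' "${entry%%:*}" "${entry#*:}"
}

# Constructed sample data (not captured from a real system) that mirrors the
# mount listing shown in step 4 plus a passwd line for the protect user.
SAMPLE_MOUNT='/dev/sda1 on /boot type ext4 (rw)
root@remote.example.com:/home/remoteuser on /mnt/test type fuse.sshfs (rw,nosuid,nodev)'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
protect:x:1001:10:Vontu service user:/opt/SymantecDLP/Protect:/bin/bash'

# Walk through both checks on the sample data; returns 0 when every check
# behaves as expected.
self_check() {
    sshfs_mounted_at /mnt/test "$SAMPLE_MOUNT" || return 1
    ! sshfs_mounted_at /boot "$SAMPLE_MOUNT" || return 1
    [ "$(owner_opts_for protect "$SAMPLE_PASSWD")" = '-o uid=1001 -o gid=10' ] || return 1
    ! owner_opts_for nobody "$SAMPLE_PASSWD" 2>/dev/null || return 1
    return 0
}

# Live use on the Discover Server (not run here):
#   sshfs_mounted_at /mnt/test "$(mount)" && echo "share is mounted"
#   sudo sshfs $(owner_opts_for protect "$(cat /etc/passwd)") -o allow_other user@host:/ifs /mnt/test
```

Running self_check before a scan gives a quick yes/no on whether the mount the script reported as status:0 is actually present as fuse.sshfs at the expected path, which is the condition troubleshooting item 4 is really testing.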

Hope this helps...

Good Luck

Ronak Patel

