Hello DLP Users..
I wanted to share some information on how to get DLP to Scan Amazon AWS Buckets.
I had a customer who wanted to scan their Amazon AWS Storage (S3), there is no documentation on how to do this and it is currently NOT supported by Symantec
So I began to figure out how to be able to Mount a S3 file system using fuse.
This lead me to S3FS!
S3FS is a FUSE (File System in User Space) will mount Amazon S3 as a local file system. S3FS has an ability to manipulate Amazon S3 bucket in many useful ways. If you wish to access your Amazon S3 bucket without mounting it on your server, you can use s3cmd command line utility to manage S3 bucket.
Features of S3FS:
- large subset of POSIX including reading/writing files, directories, symlinks, mode, uid/gid, and extended attributes
- compatible with Amazon S3, Google Cloud Storage, and other S3-based object stores
- large files via multi-part upload
- renames via server-side copy
- optional server-side encryption
- data integrity via MD5 hashes
- in-memory metadata caching
- local disk data caching
- user-specified regions, including Amazon GovCloud
- authenticate via v2 or v4 signatures
What is an Amazon S3 bucket?
Amazon S3 is a cloud based web service interface that you can used to store and retrieve any amount of data. To upload your data, first you need to create an S3 bucket in one of the Amazon regions.
Creating a Bucket
S3 provides an API for creating and managing buckets. You can create a maximum of 100 buckets from your AWS console. When you create a bucket, you need to provide a name and AWS region where you want to create the bucket. In each bucket, you can store any number of objects. You can use your AWS account root credentials to create a bucket, but it is not recommended. Instead just create an IAM user and add full permission to that user on S3 bucket. You can access your S3 bucket from your Amazon S3 console.
**** First of all Scanning using S3FS is NOT supported by Symantec and has NOT been certified or tested by them (I got it to work). So please make sure that you have strong Linux knowledge if you move forward with this at your own risk. ****
Also keep in mind that some of these steps will require you to edit existing configuration files and installation of Linux Packages in order for it to work.
You will need to be using a LINUX Discover Server WITHIN THE AWS environment to get this to really work.
INSTALL the S3FS program
1. Remove Old Versions and Download and install the S3FS program (You will need the EPEL Repository to find it). It should download the fuse package as part of the dependencies.
yum remove fuse fuse-s3fs
yum install gcc libstdc++-devel gcc-c++ curl-devel libxml2-devel openssl-devel mailcap git wget make svn
2. Download and compile fuse (It needs to be a specific version of Fuse)
$ cd /usr/src/
$ wget https://github.com/libfuse/libfuse/releases/downlo...
$ tar xzf fuse-3.0.0.tar.gz
$ cd fuse-3.0.0
$ ./configure –prefix=/usr/local
$ make && make install
$ export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
$ ldconfig
$ modprobe fuse
3. Download and compile S3FS
$ cd /usr/src
$ git clone https://github.com/s3fs-fuse/s3fs-fuse.git
$ cd s3fs-fuse
$ yum install fuse-devel -y
$ yum install automake
$ ./autogen.sh
$ ./configure
$ make
$ make install
4. Setup Access Key for the Bucket.
Both access key and secret key of your S3 AWS account is required for configuring S3FS.
Replace the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY with your actual key values.
If you have more than 1 Key and it's different for each bucket you will need to specifiy the bucket.
$vi /etc/passwd-s3fs
AWS_ACCESS_KEY_ID:AWS_SECRET_ACCESS_KEY
OR
BUCKET_NAME:AWS_ACCESS_KEY_ID:AWS_SECRET_ACCESS_KEY
Change the permissions:
$ chmod 600 /etc/passwd-s3fs
5. Create the mount and cache directory for testing and create symbolic link for application
mkdir /mnt/test
chmod 777 /mnt/test
mkdir /root/cache
chmod 777 /root/cache
ln -s /usr/local/bin/s3fs /bin/s3fs
6. Test mounting the directory
You may need to do this for each bucket you plan to connect to from this Discover Server.
s3fs bucketname /mnt/test/ -o passwd_file=/etc/passwd-s3fs -o allow_other,use_cache=/root/cache
4. Test the mount
# mount
/dev/mapper/vg_svr1-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
s3fs on /mnt/test type fuse.s3fs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
5. Navigate and test the share by opening a file and then unmount it.
# cd /mnt/test
# ls
# cat file.txt
# umount /mnt/test
Create a NEW filesystem Category for S3FS and Scripts
1. Edit the /etc/sudoers file to allow the protect user to run the sshfs command (verify 'which s3fs')
# Vontu service user
Defaults:protect !requiretty
protect ALL= NOPASSWD: /bin/mount, /bin/umount, /usr/bin/sshfs, /bin/sshfs, /bin/s3fs
2. Edit the SharePointMapper.properties file. (/opt/SymantecDLP/Protect/config)
You will need to type this manually or copy/paste edit from the previous settings.
You may need to change the mounterX.uri and mounterX.prefix if have added another setting before. (Make it 3 instead of 2)
Add the following lines to the bottom:
#Linux implementation of S3FS
mounter2.uri=s3fs
mounter2.prefix=S3FS
#General
S3FS.ResponseExpected=No valid response
S3FS.scriptName=s3fs.sh
S3FS.Success=status:0
S3FS.ScriptExecutionTimeout=60000
# S3FS- Linux
S3FS.AccessDenied=denied
S3FS.ShareNotFound=Permission denied|can't get address for|No such file or directory
S3FS.ShareExists=mountpoint is not empty|Transport endpoint is not connected
S3FS.MultipleConnections=mountpoint is not empty|Transport endpoint is not connected
S3FSS.SyntaxError=Usage:|s3fs:|fuse:
S3FS.ServerNotFound=failed|Connection reset by peer
S3FS.AccountLockedOut=denied
S3FS.NoLogonServers=Not Applicable
S3FS.RequireLogin=Not Applicable
#Unmount
S3FS.MountRemoved=umounted
S3FS.MountDoesNotExist=not mounted
S3FS.MountDependencyExists=open files|target is busy
S3FS.unmountScriptName=s3fsu.sh
S3FS.umountSuccess=status:0
3. Create the Mount and unmounting scripts for S3FS. (Make sure to be the protect user) (copied to keep right execute permissions)
#su - protect
#cd /opt/SymantecDLP/Protect/bin
#cp nfs.sh sshfs.sh
#cp nfsu.sh sshfsu.sh
#chown protect:protect s3fs.sh
#chown protect:protect s3fsu.sh
4. Edit the s3fsu.sh file and make it look like the following. (add sleep)
sudo umount -v $1
sleep 20
echo status:$?
5. Edit the s3fs.sh file to look like the following:
You will then have to play with the s3fs.sh script to inlcude the the following settings or try it manually
- -o uid=XXX
- -o gid=XXX
- -o umask=XXX
- For UID try using the same one that the protect user has by looking at /etc/passwd
- For GID try using the same one that the protect user has by looking at /etc/groups
- I also added the protect user to the 'wheel' group (10) along with 'root'
- I think this allowed the protect user to emulate a root account
#!/bin/bash
#
# s3fs.sh - mount a share using s3fs on a Linux system
#
# $1 = <mount point>
# $2 = <share path>
# $3 = <user name>
# $4 = <password>
#
# usage: s3fs.sh <options> <user>@<share path> <mount point>
#
# <mount point>: The point where the file system is mounted. Ex: /mnt/vontu
#
# <share path>: The path to mount in the following format:
# <host.domain.com>
#
# Author: Ronak Patel
#Format the Share Path to be suitable for the mount command.
share_path=`echo $2 | sed -e 's/\([^\/]*\)\/\/\([^\/]*\)\([^"'"'"']*\).*/\2:\3/'`
#Format the Share_Path to be suitable for the mount command (remove quotes).
share_path="${share_path%\"}"
share_path="${share_path#\"}"
#Then mount!
#sleep commands are to make sure system has time to mount
sleep 10
sudo s3fs $share_path $1 -o passwd_file=/etc/passwd-s3fs -o allow_other,uid=1002,gid=10,use_cache=/root/cache
sleep 10
echo status:$?
6. Restart the VontuMonitor service on the Discover Servers
7. Create the Discover Target
When creating your Discover Target make sure to use the following structure so it recognizes which mount script to use.
Keep in mind that sometimes if you specify a directory that has 1000's of files, it will take a lot longer to mount the directory and may fail. So in most situations I would just specify the bucket and let it run.
s3fs://bucketname or s3fs:\\bucketname
or
s3fs://bucketname/dir or s3fs:\\bucketname\dir
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Troubleshooting:
- Discover Scan Fails: error: Unknown Error
- Restart VontuMonitor Service
- Discover Scan Fails: error: The content root URI is malformed: s3fs:\\bucketname
- Retype the settings in the SharePaointMapper.properties file
- Discover Scan Fails: error: Unknown Error
- Check the permsissions on the s3fs files in the Bin directory (Should be owned by Protect and Executable)
- Discover scan cannot scan any data
- Mount the share manually using the following commands as root
#s3fs -o allow_other -o async_read user@10.253.2.10:/ifs /mnt/test/
#su - protect
#cd /mnt/test
#ls -al
#cat file.txt
- If this fails then you have a permissions issue with the SSHFS and how it mounts the share.
- You will then have to play with the s3fs.sh script to inlcude the the following settings or try it manually
- -o uid=XXX
- -o gid=XXX
- -o umask=XXX
- For UID try using the same one that the protect user has by looking at /etc/passwd
- For GID try using the same one that the protect user has by looking at /etc/groups
#s3fs bucketname /mnt/test -o passwd_file=/etc/passwd-s3fs -o allow_other,uid=1002,gid=10,use_cache=/root/cache
#su - protect
#cd /mnt/test
#ls -al
#cat file.txt
- When trying to scan lots of targets consecutively you may see that it will not scan after mounting and unmounting more than 3 shares in 1 Discover Target. I have seen this and not sure of the issue.
- I have then created multiple targets of 1-2 Shares and spread them out over time.
- Keep in mind that sometimes if you specify a directory that has 1000's of files, it will take a lot longer to mount the directory and may fail. So in most situations I would just specify the bucket and let it run.
Hope this helps...
Good Luck
Ronak Patel
