Data Loss Prevention using OpenDLP

OpenDLP describes itself as a “Data Loss Prevention suite with centralized web frontend to manage Windows agent filesystem scanners, agentless database scanners, and agentless Windows/UNIX filesystem scanners that identify sensitive data at rest.” OpenDLP can scan systems for sensitive data such as credit card and social security numbers. Using regular expressions, any other text item can be searched for as well, such as @maine.edu email addresses or a person’s name. There are two components to OpenDLP:

● A web application to manage the Windows agents and scan results
● A Windows agent used to perform the scans

It is possible to use OpenDLP in an agentless mode, but the agent shifts the processing to the host instead of the server.

Installation

OpenDLP can be installed either by compiling the source code or run from a virtual machine provided by the developer. This guide will use the VirtualBox virtual machine as that is the quickest way to start utilizing the tool.

VirtualBox installation

Navigate to the VirtualBox web site to download the virtualization platform: https://www.virtualbox.org/ If the host computer is 64-bit compatible, select the AMD64 download option. For further information on installing VirtualBox, refer to the latest version of the User Manual: https://www.virtualbox.org/manual/UserManual.html

OpenDLP VirtualBox VM download

The VM download is split into multiple files using the 7z compression format. Ensure that 7-Zip (http://www.7-zip.org/) or a compatible decompression tool is installed. Download the OpenDLP VM files at: http://code.google.com/p/opendlp/downloads/list Once all of them are downloaded and all in the same directory, open the file ending with .7z.001 with 7-Zip. It will extract all of the necessary files into an ‘OpenDLP-0.4.4-VM’ folder (the version number may change). Within VirtualBox, select File > Import Appliance.

Select Choose... and browse to the OpenDLP OVA file.


Review the Appliance Import Settings. The defaults should be accepted.


Click Import.

Importing of the appliance will take a few minutes. After the import, select Start within the VirtualBox Manager.

Configuring OpenDLP for connectivity

Log in to the console with the default username and password:

Username: opendlp
Password: opendlp

The appliance’s MAC address will need to be registered within NM. To determine the MAC address, run the command ip addr. Look for the eth0 adapter. The MAC address is the twelve hexadecimal characters on the link/ether line, beginning with 08:00:27 [the vendor OUI for VirtualBox].

Register this MAC in NM and ensure that an IP address was obtained by running the ip addr command again. A reboot may be necessary. NOTE: it may be necessary to remove the networking devices from the Linux kernel on the VM.
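The two checks described above (find the eth0 MAC on the link/ether line, confirm it carries the VirtualBox OUI, then confirm that eth0 has an IPv4 address after registration) can be scripted against the output of ip addr. The following Python is an added example written for this guide, not part of OpenDLP or the original document; the two samples of ip addr output and the addresses in them are constructed for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample of `ip addr` output from a VirtualBox guest after the
# MAC has been registered and a lease obtained (addresses are made up).
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:ab:cd:ef brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
"""

# Constructed sample of the same guest before registration: the adapter is
# up but has no inet line, i.e. no IPv4 lease yet.
SAMPLE_NO_LEASE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:ab:cd:ef brd ff:ff:ff:ff:ff:ff
"""

VIRTUALBOX_OUI = "08:00:27"  # vendor OUI for VirtualBox adapters, as named in the guide


def parse_ip_addr(output: str) -> Dict[str, dict]:
    """Split `ip addr` output into per-interface records holding the MAC and IPv4 addresses."""
    interfaces: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        # Interface headers look like "2: eth0: <FLAGS> ..." (or "eth0@if3" in containers).
        header = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if header:
            current = header.group(1)
            interfaces[current] = {"mac": None, "ipv4": []}
            continue
        if current is None:
            continue
        mac = re.search(r"\blink/ether\s+([0-9a-fA-F:]{17})", line)
        if mac:
            interfaces[current]["mac"] = mac.group(1).lower()
        ipv4 = re.search(r"\binet\s+(\d{1,3}(?:\.\d{1,3}){3})/\d+", line)
        if ipv4:
            interfaces[current]["ipv4"].append(ipv4.group(1))
    return interfaces


def check_adapter(output: str, ifname: str = "eth0") -> dict:
    """Report the MAC to register, whether it carries the VirtualBox OUI, and any IPv4 lease."""
    info = parse_ip_addr(output).get(ifname)
    if info is None:
        return {"found": False, "mac": None, "vbox_oui": False, "ipv4": []}
    mac = info["mac"]
    return {
        "found": True,
        "mac": mac,
        "vbox_oui": mac is not None and mac.startswith(VIRTUALBOX_OUI),
        "ipv4": info["ipv4"],
    }


if __name__ == "__main__":
    for label, sample in (("after registration", SAMPLE_IP_ADDR), ("before lease", SAMPLE_NO_LEASE)):
        r = check_adapter(sample)
        oui = "VirtualBox OUI" if r["vbox_oui"] else "unexpected OUI"
        if r["ipv4"]:
            status = "IPv4 " + ", ".join(r["ipv4"])
        else:
            status = "no IPv4 address yet: register the MAC in NM and run ip addr again"
        print(label + ":", r["mac"], oui, status)
```

On the real appliance, pipe the command into the script instead of the constructed samples (for example, feed sys.stdin.read() to check_adapter). An eth0 record with a MAC but an empty ipv4 list is the "register and re-check" case the guide describes; a missing eth0 record points at the udev rules problem noted above.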

cd /etc/udev/rules.d
sudo rm 70-persistent-cd.rules
sudo rm 70-persistent-net.rules
sudo reboot now

Install sc.exe

Obtain the file “sc.exe” from a 32-bit Windows 2000/XP machine and place it in /var/www/OpenDLP/bin/. A Windows client such as WinSCP may be used, or a command line SCP from a Linux/OS X host using the syntax:

scp sc.exe opendlp@ip:/var/www/OpenDLP/bin/

Import Firefox Certificate

Launch Firefox and import the client.p12 certificate into the browser:

1. Go to File > Preferences (on Windows machines, Tools > Options)
2. Click the Advanced tab
3. Click the Encryption sub-tab
4. Click the View Certificates button
5. Within the Certificate Manager, click on the Your Certificates sub-tab
6. Click the Import... button and browse to the client.p12 file that was provided with the VM in the 7zip archive. Note that there is no password to import.

Password: OpenDLP

The main interface looks like the following:

WARNING: OpenDLP is a public, open source product. The default authentication credentials are available for anyone to see. Once profiles are created and scans take place, business sensitive and compliant data may be accessed through the OpenDLP web interface via links to the original files. Take appropriate means to restrict access and change passwords. See the README-VM.txt file that came with the virtual machine for more information.

Workflow

OpenDLP is a flexible tool that can be used in different, creative ways, but the basic workflow is as follows:

● Review the provided Regular Expressions for data to look for
● Create a profile with authentication credentials and policy settings
● Start a scan by providing a list of IPs
● Review the scan results and mark false positives
● Report any suspect business sensitive or compliant data found
● Work with the information owners and Office of Information Security to develop a remediation plan

Profiles

Profiles are used to define the scan types to be done as well as to provide and store the credentials necessary to perform the scan:

● Windows Filesystem (agent)
● Windows Filesystem (agentless over SMB)
● Windows Network Share (agentless over SMB)
● UNIX Filesystem (agentless over SSH)
● Microsoft SQL Server (agentless)
● MySQL (agentless)

To scan a Windows file system with an agent, a local or domain administrator account is necessary. See the screenshots below for an example.

A domain administrator “samuel.gaudet” in the “infosec” domain will be performing this scan. On a Windows workstation, the domain can be found in the System information within the Control Panel.

In the above screenshot, the “sws” domain would be used.


The scan is looking for AMEX, Discover, Mastercard, Social Security Numbers with dashes, Social Security Numbers with spaces and Visa credit card numbers.

The default user account used to send results from the agent to the server is:

Username: ddt
Password: OpenDLPagent

There will be five concurrent deployments, meaning that only five hosts will be scanned at one time.

Scans

To begin a scan, select Scans then Start New Scan from the side menu. Enter a list of IPs to scan in the Systems to scan dialog.

Press Start to initiate the scan of the hosts in scope.


It may take a few minutes for the agents to be pushed to and installed on the systems to scan. Do not close the window until they are deployed. When the screen shows “(0 systems remain in queue)” it means all agents have been deployed.

Review Scans

On the OpenDLP side menu, select Scans > View Scans/Results.

Select one of the scans and press the View Scan Details button. A list of the individual hosts in the scan will appear. Select one and then View Results.


Depending on the size of the system scanned, it may take a few minutes to load the results. Details of the scan are shown in the View Results page.

All of the files scanned that contain a regular expression match for the profile used to do the scan are listed on the View Results page.


False Positives can be marked with the checkbox next to the item and the Mark Selected as False Positives button at the bottom of the page.
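The scan profile shown earlier selects AMEX, Discover, Mastercard, Visa, SSN-with-dashes and SSN-with-spaces patterns, and the results review then depends on marking false positives by hand. The following Python is an added example, written for this guide and not code from OpenDLP or the original document, of what such a data-at-rest scanner does: it walks a directory tree, applies one regular expression per data type, and pre-marks card-number hits that fail the Luhn check as likely false positives, which is the most common reason a 16-digit build id or serial number ends up in the results. The regular expressions here are this example's own approximations, not OpenDLP's bundled ones, and the sample files are constructed in a temporary directory.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# One pattern per data type in the sample profile. These are approximations
# written for this example; OpenDLP ships its own regular expressions.
PATTERNS = {
    "AMEX": re.compile(r"\b3[47][0-9]{13}\b"),
    "Discover": re.compile(r"\b6(?:011|5[0-9]{2})[0-9]{12}\b"),
    "Mastercard": re.compile(r"\b5[1-5][0-9]{14}\b"),
    "Visa": re.compile(r"\b4[0-9]{12}(?:[0-9]{3})?\b"),
    # Area 000, 666 and 9xx are never issued; group 00 and serial 0000 are invalid.
    "SSN (dashes)": re.compile(r"\b(?!000|666|9)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "SSN (spaces)": re.compile(r"\b(?!000|666|9)\d{3} (?!00)\d{2} (?!0000)\d{4}\b"),
}


@dataclass
class Finding:
    kind: str
    value: str
    offset: int
    likely_false_positive: bool


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check; real Visa/Mastercard/AMEX/Discover numbers all pass it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Finding]:
    """Apply every pattern; card hits that fail Luhn are pre-marked as likely false positives."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group()
            is_card = not kind.startswith("SSN")
            fp = is_card and not luhn_ok(value)
            findings.append(Finding(kind, value, m.start(), fp))
    return sorted(findings, key=lambda f: f.offset)


def scan_tree(root: str, max_bytes: int = 4 * 1024 * 1024) -> Dict[str, List[Finding]]:
    """Walk a directory (data at rest) and return findings keyed by relative file path."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)  # cap reads so one huge file cannot stall the scan
            except OSError:
                continue  # unreadable file: skip, as an agent without rights would
            hits = scan_text(data.decode("utf-8", errors="ignore"))
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def demo() -> Dict[str, List[Finding]]:
    """Build a constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "hr"))
        with open(os.path.join(root, "hr", "payroll.txt"), "w") as fh:
            fh.write("Employee 123-45-6789, corporate card 4111111111111111\n")
        with open(os.path.join(root, "build.log"), "w") as fh:
            # 16 digits starting with 4 that fail Luhn: a typical false positive
            fh.write("run id 4111111111111112 finished; ticket 5555 5555\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for h in hits:
            flag = " (likely false positive)" if h.likely_false_positive else ""
            print(f"{path}: {h.kind} at offset {h.offset}{flag}")
```

The Luhn pre-screen only reduces the review load; it does not replace it, since any Luhn-valid 16-digit number (for example a test card number in a QA fixture) still needs a human to confirm whether it is business sensitive.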

Further information

OpenDLP developer Andrew Gavin has a presentation demoing Windows agent scanning available at: http://www.youtube.com/watch?v=kz3M--LhyBg

OpenDLP FAQ: http://code.google.com/p/opendlp/wiki/FAQ