Data Loss Prevention using OpenDLP

OpenDLP describes itself as a “Data Loss Prevention suite with centralized web frontend to manage Windows agent filesystem scanners, agentless database scanners, and agentless Windows/UNIX filesystem scanners that identify sensitive data at rest.” OpenDLP can scan systems for sensitive data such as credit card and social security numbers. Using regular expressions, any other text item can be searched for as well, such as @maine.edu email addresses or a person’s name.

There are two components to OpenDLP:

● A web application to manage the Windows agents and scan results
● A Windows agent used to perform the scans

It is possible to use OpenDLP in an agentless mode, but the agent shifts the processing to the scanned host instead of the server.

Installation

OpenDLP can be installed either by compiling the source code or by running a virtual machine provided by the developer. This guide uses the VirtualBox virtual machine, as that is the quickest way to start using the tool.

VirtualBox installation

Navigate to the VirtualBox web site to download the virtualization platform: https://www.virtualbox.org/

If the host computer is 64-bit compatible, select the AMD64 download option. For further information on installing VirtualBox, refer to the latest version of the User Manual: https://www.virtualbox.org/manual/UserManual.html

OpenDLP VirtualBox VM download

The VM download is split into multiple files using the 7z compression format. Ensure that 7-Zip (http://www.7-zip.org/) or a compatible decompression tool is installed. Download the OpenDLP VM files at: http://code.google.com/p/opendlp/downloads/list

Once all of the files are downloaded into the same directory, open the file ending in .7z.001 with 7-Zip. It will extract all of the necessary files into an ‘OpenDLP-0.4.4-VM’ folder (the version number may change).

Within VirtualBox, select File > Import Appliance. Select Choose... and browse to the OpenDLP OVA file.
Review the Appliance Import Settings. The defaults should be accepted. Click Import. Importing the appliance will take a few minutes. After the import, select Start within the VirtualBox Manager.

Configuring OpenDLP for connectivity

Log in to the console with the default username and password:

Username: opendlp
Password: opendlp

The appliance’s MAC address will need to be registered within NM. To determine the MAC address, run the command ip addr. Look for the eth0 adapter. The MAC address is the twelve hex digits on the link/ether line, beginning with 08:00:27 (the vendor OUI for VirtualBox). Register this MAC in NM and confirm that an IP address was obtained by running the ip addr command again. A reboot may be necessary.

NOTE: it may be necessary to remove the persistent udev network device rules on the VM so that the adapter is re-detected on boot:

cd /etc/udev/rules.d
sudo rm 70-persistent-cd.rules
sudo rm 70-persistent-net.rules
sudo reboot now

Install sc.exe

Obtain the file “sc.exe” from a 32-bit Windows 2000/XP machine and place it in /var/www/OpenDLP/bin/. A Windows client such as WinSCP may be used, or a command-line scp from a Linux/OS X host using the syntax:

scp sc.exe opendlp@ip:/var/www/OpenDLP/bin/

Import Firefox certificate

Launch Firefox and import the client.p12 certificate into the browser:

1. Go to File > Preferences (on Windows machines, Tools > Options)
2. Click the Advanced tab
3. Click the Encryption sub-tab
4. Click the View Certificates button
5. Within the Certificate Manager, click on the Your Certificates sub-tab
6. Click the Import... button and browse to the client.p12 file that was provided with the VM in the 7zip archive. Note that there is no password to import.

Using OpenDLP

Launch Firefox and browse to https://ip-of-vm/OpenDLP/index.html. The default credentials are:

Username: dlpuser
Password: OpenDLP

The main interface looks like the following:

WARNING: OpenDLP is a public, open source product.
The default authentication credentials are available for anyone to see. Once profiles are created and scans take place, business-sensitive and compliance-regulated data may be accessed through the OpenDLP web interface via links to the original files. Take appropriate steps to restrict access and change the passwords. See the README-VM.txt file that came with the virtual machine for more information.

Workflow

OpenDLP is a flexible tool that can be used in different, creative ways, but the basic workflow is as follows:

● Review the provided regular expressions for the data to look for
● Create a profile with authentication credentials and policy settings
● Start a scan by providing a list of IPs
● Review the scan results and mark false positives
● Report any suspect business-sensitive or compliance-regulated data found
● Work with the information owners and the Office of Information Security to develop a remediation plan

Profiles

Profiles are used to define the scan types to be done as well as to provide and store the credentials necessary to perform the scan:

● Windows Filesystem (agent)
● Windows Filesystem (agentless over SMB)
● Windows Network Share (agentless over SMB)
● UNIX Filesystem (agentless over SSH)
● Microsoft SQL Server (agentless)
● MySQL (agentless)

To scan a Windows file system with an agent, a local or domain administrator account is necessary. See the screenshots below for an example. A domain administrator “samuel.gaudet” in the “infosec” domain will be performing this scan.

On a Windows workstation, domain information can be found in Control Panel > System. In the above screenshot, the “sws” domain would be used.

The scan is looking for AMEX, Discover, Mastercard, Social Security Numbers with dashes, Social Security Numbers with spaces and Visa credit card numbers.
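As an added example (not OpenDLP’s own code or regexes), the following shows how a regex scan for the data types named in the profile above works, and why the “mark false positives” step exists: a Luhn check on card matches and a structural check on SSNs separate likely real hits from digit strings that merely fit the pattern. The patterns and the sample text are constructed for this example; the card numbers are published vendor test numbers.

```python
import re

# Patterns for the profile's data types, written for this example (not OpenDLP's regexes).
# Card digit groups may be separated by a space or a dash.
PATTERNS = {
    "AMEX":       re.compile(r"\b3[47]\d{2}[ -]?\d{6}[ -]?\d{5}\b"),
    "Discover":   re.compile(r"\b6011[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "Mastercard": re.compile(r"\b5[1-5]\d{2}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "Visa":       re.compile(r"\b4\d{3}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "SSN-dashes": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "SSN-spaces": re.compile(r"\b\d{3} \d{2} \d{4}\b"),
}

def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check on the digits of a card match (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(ssn: str) -> bool:
    """Reject SSNs that are never issued: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = re.split(r"[ -]", ssn)
    return not (area in ("000", "666") or area >= "900" or group == "00" or serial == "0000")

def scan_text(text: str):
    """Return (type, match, flagged) tuples; flagged=False marks a likely false positive."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            check = ssn_plausible if kind.startswith("SSN") else luhn_ok
            hits.append((kind, m.group(0), check(m.group(0))))
    return hits

# Constructed sample input standing in for a scanned file.
SAMPLE = """visa: 4111 1111 1111 1111
mc:   5555-5555-5555-4444
amex: 3782 822463 10005
disc: 6011 1111 1111 1117
typo: 4111 1111 1111 1112
ssn:  123-45-6789
bad:  000 12 3456
"""

if __name__ == "__main__":
    for kind, value, flagged in scan_text(SAMPLE):
        print(f"{kind:11} {value:20} {'REVIEW' if flagged else 'likely false positive'}")
```

Seven matches are found; the mistyped Visa number and the 000-area SSN fail their checks and would be the items to mark as false positives in the View Results page.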
The default user account used to send results from the agent to the server is:

Username: ddt
Password: OpenDLPagent

There will be five concurrent deployments, meaning that only five hosts will be scanned at one time.

Scans

To begin a scan, select Scans, then Start New Scan from the side menu. Enter a list of IPs to scan in the Systems to scan dialog. Press Start to initiate the scan of the hosts in scope. It may take a few minutes for the agents to be pushed to and installed on the systems to scan. Do not close the window until they are deployed. When the screen shows “(0 systems remain in queue)”, all agents have been deployed.

Review Scans

On the OpenDLP side menu, select Scans > View Scans/Results. Select one of the scans and press the View Scan Details button. A list of the individual hosts in the scan will appear. Select one and then View Results. Depending on the size of the system scanned, it may take a few minutes to load the results.

Details of the scan are shown on the View Results page, which lists every scanned file containing a regular expression match for the profile used in the scan. False positives can be marked with the checkbox next to the item and the Mark Selected as False Positives button at the bottom of the page.

Further information

OpenDLP developer Andrew Gavin has a presentation demoing Windows agent scanning available at: http://www.youtube.com/watch?v=kz3M--LhyBg

OpenDLP FAQ: http://code.google.com/p/opendlp/wiki/FAQ