Windows Server

The Samba and RDP modules require an extra installation steps. It’s a good idea to consult the README before trying this out.

Inside ~/.opencanary.conf:

{
    "smb.auditfile": "/var/log/samba-audit.log",
    "smb.enabled": true
}

Below is an example of an smb.conf for a Samba installation,

[global]
   workgroup = WORKGROUP
   server string = blah
   netbios name = SRV01
   dns proxy = no
   log file = /var/log/samba/log.all
   log level = 0
   vfs object = full_audit
   full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
   full_audit:success = pread
   full_audit:failure = none
   full_audit:facility = local7
   full_audit:priority = notice
   max log size = 100
   panic action = /usr/share/samba/panic-action %d
   #samba 4
   server role = standalone server
   #samba 3
   #security = user
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = no
   map to guest = bad user
   usershare allow guests = yes
[myshare]
   comment = All the stuff!
   path = /home/demo/share
   guest ok = yes
   read only = yes
   browseable = yes

Please note that there are some details in the above config that you would want to change,

  • server string
  • netbios name
  • [myshare] to the name of your share
  • path

Of course you may change other settings as long as the smbd_audit logs to the file that your OpenCanary daemon is watching (above we set it as /var/log/samba-audit.log).

In the above config, we are relying on Samba using syslog (rsyslog in newer systems). In order for our Samba to use rsyslog, we will edit the /etc/rsyslog.conf file. Below is two lines we add to the bottom,

$FileCreateMode 0644
local7.*            /var/log/samba-audit.log

This will redirect any message of facility local7 to your /var/log/samba-audit.log file, which will be watched by our OpenCanary daemon.

Please note this is all written up in the github README.md