Windows Server

The Samba and RDP modules require an extra installation step. It’s a good idea to consult the README before trying this out.

Inside ~/.opencanary.conf:

{
    "smb.auditfile": "/var/log/samba-audit.log",
    "smb.enabled": true
}

Below is an example smb.conf for the Samba installation:

[global]
   workgroup = WORKGROUP
   server string = blah
   netbios name = SRV01
   dns proxy = no
   log file = /var/log/samba/log.all
   log level = 0
   vfs object = full_audit
   full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
   full_audit:success = pread
   full_audit:failure = none
   full_audit:facility = local7
   full_audit:priority = notice
   max log size = 100
   panic action = /usr/share/samba/panic-action %d
   #samba 4
   server role = standalone server
   #samba 3
   #security = user
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = no
   map to guest = bad user
   usershare allow guests = yes
[myshare]
   comment = All the stuff!
   path = /home/demo/share
   guest ok = yes
   read only = yes
   browseable = yes

Please note that there are some details in the above config that you will want to change:

  • server string

  • NetBIOS name

  • [myshare] to the name of your share

  • path

You may change other settings as well, as long as the full_audit module still ends up logging to the file that your OpenCanary daemon is watching (above we set it as /var/log/samba-audit.log). Two things to check on your Samba version: vfs object is the older spelling of vfs objects (both are accepted), and newer Samba releases perform reads asynchronously and report them as pread_send and pread_recv rather than pread. If reads never show up in the audit file, consult the vfs_full_audit man page for your version and add those operation names to full_audit:success.

In the above config, the full_audit module hands its records to syslog (rsyslog on most current systems) on facility local7 with priority notice. To have rsyslog write them to the file OpenCanary watches, add the following two lines to the bottom of /etc/rsyslog.conf (or to a file under /etc/rsyslog.d/):

$FileCreateMode 0644
local7.*            /var/log/samba-audit.log

This writes every message of facility local7 to /var/log/samba-audit.log, which is the file our OpenCanary daemon watches. Restart rsyslog for the rule to take effect. $FileCreateMode 0644 makes rsyslog create the file world-readable, so a daemon that does not run as root can still read it. Because the rule matches everything on local7, keep other services off that facility or the watcher will see unrelated lines.
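To show what the watcher actually receives, here is an added example (not OpenCanary's own code) that parses audit lines written by the smb.conf and rsyslog setup above. The field order comes from the full_audit:prefix line above; the rest is assumption: rsyslog's default traditional timestamp format, the syslog tag smbd_audit that full_audit uses, and the four sample lines, which are constructed rather than captured.

```python
"""Parse Samba full_audit lines as written by the smb.conf + rsyslog setup above.
Added example, not OpenCanary's own parser. Assumes rsyslog's traditional
timestamp format and the "smbd_audit" syslog tag; sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Field names for the full_audit:prefix used above, in order:
# %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
PREFIX_FIELDS = (
    "user", "client_ip", "server_ip", "client_name", "share",
    "server_name", "protocol", "client_arch", "time", "domain",
)

# Traditional rsyslog line: "Mar  3 10:15:02 host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


@dataclass
class AuditEvent:
    prefix: dict      # the ten prefix fields above, keyed by PREFIX_FIELDS
    operation: str    # VFS operation name, e.g. "pread"
    success: bool     # True for "ok", False for "fail (...)"
    args: str         # operation arguments, usually the path inside the share


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for an smbd_audit line, or None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or m.group("tag") != "smbd_audit":
        return None
    fields = m.group("msg").split("|")
    n = len(PREFIX_FIELDS)
    # full_audit appends: operation|ok-or-fail|arguments
    if len(fields) < n + 2:
        return None
    prefix = dict(zip(PREFIX_FIELDS, fields[:n]))
    operation, status = fields[n], fields[n + 1]
    # Re-join the tail so a path that itself contains "|" is not truncated.
    args = "|".join(fields[n + 2:])
    return AuditEvent(prefix, operation, status == "ok", args)


def reads_by_client(log_text: str) -> List[tuple]:
    """(client_ip, user, share, path) for every successful read. With the
    config above (success = pread, failure = none) these are the only records
    Samba emits, so this is all the watcher has to alert on. pread_send and
    pread_recv, used by newer Samba, are matched as well."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev and ev.success and ev.operation.startswith("pread"):
            p = ev.prefix
            hits.append((p["client_ip"], p["user"], p["share"], ev.args))
    return hits


# Constructed sample: two guest reads on the share (one with "|" in the name),
# a failed read (only seen if full_audit:failure were widened), and an
# unrelated line that has nothing to do with Samba.
SAMPLE_LOG = """\
Mar  3 10:15:02 srv01 smbd_audit[2217]: nobody|10.0.0.23|10.0.0.10|10.0.0.23|myshare|SRV01|SMB2_10|Samba|2024/03/03 10:15:02|WORKGROUP|pread|ok|payroll.xlsx
Mar  3 10:15:02 srv01 smbd_audit[2217]: nobody|10.0.0.23|10.0.0.10|10.0.0.23|myshare|SRV01|SMB2_10|Samba|2024/03/03 10:15:02|WORKGROUP|pread|ok|odd|name.txt
Mar  3 10:15:05 srv01 smbd_audit[2217]: nobody|10.0.0.23|10.0.0.10|10.0.0.23|myshare|SRV01|SMB2_10|Samba|2024/03/03 10:15:05|WORKGROUP|pread|fail (Permission denied)|locked.bin
Mar  3 10:15:09 srv01 cron[412]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for hit in reads_by_client(SAMPLE_LOG):
        print("SMB read from %s as %s on share %s: %s" % hit)
```

Note that the user field is nobody for every line: with map to guest = bad user and a guest-readable share, the username carries no information and the client IP (%I) is the field worth alerting on. To confirm the rsyslog leg before involving Samba at all, `logger -p local7.notice -t smbd_audit test` should append a line to /var/log/samba-audit.log; the parser above rejects that line (too few fields), which is the behaviour you want.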

Please note this is all written up in the GitHub README.md