Opencanary and Samba

Jay edited this page Aug 18, 2023 · 9 revisions

Setting up Opencanary with Samba (File Share)

Please note that there are many different versions of Samba and many different versions of OS on which Samba runs (differently).

The Samba OpenCanary module monitors a log file produced by the Samba full_audit VFS module.

So we'll go through setting it up on Ubuntu 22.04 using Samba version 4.15.13, but will add debugging steps that can be applied generally.

Architecture Overview

Samba and Opencanary work together by:

  1. adding audit events to Samba file share accesses (on file open only)
  2. logging these audit events to rsyslog
  3. writing Samba specific audit event logs to a file
  4. Opencanary monitoring that file and parsing the information

Each of the above is a point we need to confirm is working when setting up our Samba share for Opencanary (and when debugging it).

Useful commands before we start

When setting this all up, we will be getting a few services to work together (Samba, rsyslog, Opencanary). Below are some commands to use to restart the services once you have changed some configuration files:

# Restart Rsyslog/Syslog
sudo systemctl restart rsyslog
sudo systemctl restart syslog

# Restart Samba
sudo smbcontrol all reload-config
sudo systemctl restart smbd
sudo systemctl restart nmbd

Get Samba ready

Let's get your Samba setup right first; check that it is working as expected, then move on.

For this example, I'll use the following (please customise these as you see fit):

  • /samba -> folder that will be visible on the network.
  • NBDocs -> Server string
  • SRV01 -> NetBIOS name used

  1. create directory and set correct permissions:
mkdir /samba
chown $USER:$USER /samba
chmod 755 /samba
  2. create a file inside: touch /samba/testing.txt
  3. edit your default smb.conf file (found in /etc/samba/smb.conf on Ubuntu) to match ours:
[global]
   workgroup = WORKGROUP
   server string = NBDocs
   netbios name = SRV01
   dns proxy = no
   log file = /var/log/samba/log.all
   log level = 0
   max log size = 100
   panic action = /usr/share/samba/panic-action %d
   server role = standalone
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = no
   map to guest = bad user
   usershare allow guests = yes
   load printers = no
   vfs object = full_audit
   full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
   full_audit:success = flistxattr
   full_audit:failure = none
   full_audit:facility = local7
   full_audit:priority = notice
[myshare]
   comment = All the stuff!
   path = /samba
   guest ok = yes
   read only = yes
   browseable = yes
  4. Restart Samba and ensure you can browse to your Samba share.

Configuring rsyslogd

  1. edit rsyslogd configuration: vi /etc/rsyslog.conf and add the line local7.* /var/log/samba-audit.log
  2. create that audit log: touch /var/log/samba-audit.log
  3. change permissions for the log: chown syslog:adm /var/log/samba-audit.log
  4. restart rsyslogd/syslog

Tying it all together with Opencanary

  1. enable Samba monitoring by editing your /etc/opencanaryd/opencanary.conf (or whichever conf file you are using) and setting "smb.enabled": true.
  2. ensure that your smb service is pointing at the correct log file: "smb.auditfile": "/var/log/samba-audit.log",
  3. start your Opencanary: opencanaryd --start

Testing it all.

  1. Make sure you have set up logging or alerting for your Opencanary. We are going to want to make sure that information is coming through.
  2. Navigate to your Samba File Share and open a file inside.
  3. Check that the file-open event for that share comes through.

Debugging Samba and Opencanary

So you went through the above steps, and you got nothing! Let's attack this step by step.

I can't access the Samba share

Straight away this is a Samba issue before anything else. Opencanary will only report on accessed files on your Samba share. So we need to make sure that the Samba File Share is accessible.

Double check these:

  • Samba is running: $ ps aux | grep smbd or $ systemctl status smbd. In both cases you should be able to clearly see they are running/active.
  • Ensure network connectivity from the workstation you are trying to access the file share from: $ ping <ip of opencanary server>. If you are running this in the cloud, please ensure you have allowed traffic to ports 139 and 445 (for Samba File Share).

I can access Samba File Share but I don't see Opencanary reporting it

This is a broader problem space. Let's try to narrow it down.

So let's access a file in our Samba share and then check the following:

1. check /var/log/samba-audit.log; you should see a couple log lines like:

Sep 14 08:13:13 OpenSourceDevMachine smbd_audit: guest|<ATTACKER IP>|<OPENCANARY IP>|<ATTACK MACHINE NAME>|myshare|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_send|ok|/home/ubuntu/samba/README.md
Sep 14 08:13:13 OpenSourceDevMachine smbd_audit: guest|<ATTACK IP>|<OPENCANARY IP>|<ATTACK MACHINE NAME>|myshare|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_recv|ok|/home/ubuntu/samba/README.md

If there are logs in there, we know that Samba is logging the actions. If there aren't, the problem is in Samba or rsyslog: please double check that you have created the file /var/log/samba-audit.log and changed its permissions such that rsyslog can write to the file.

2. I can see logs in /var/log/samba-audit.log; let's confirm your Opencanary is configured properly:

  • run opencanaryd --dev. This runs your opencanary in the foreground and will show you which opencanary.conf is being used.
$ opencanaryd --dev
Removing stale pidfile /home/ubuntu/twistd.pid
** We hope you enjoy using OpenCanary. For more open source Canary goodness, head over to canarytokens.org. **
[-] Failed to open opencanary.conf for reading ([Errno 2] No such file or directory: 'opencanary.conf')
[-] Failed to open /root/.opencanary.conf for reading ([Errno 2] No such file or directory: '/root/.opencanary.conf')
[-] Using config file: /etc/opencanaryd/opencanary.conf

Also it will show you which services are starting up. Please ensure you see CanarySamba starting up. If it isn't, we know we need to navigate to the config file that our Opencanary process is using and enable Samba ("smb.enabled": true).

  • Samba is enabled. Let's check the file path that it is looking at. So run this command (sub in the location of your Opencanary config):
$ cat /etc/opencanaryd/opencanary.conf | grep "smb.auditfile"
    "smb.auditfile": "/var/log/samba-audit.log",

Please confirm that that path is the same path as we checked in 1) for the Samba logging.
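To make the samba-audit.log lines in step 1) easier to read by eye, here is an added example (not Opencanary's own code) that parses them the way the full_audit:prefix in our smb.conf lays them out: the ten prefix fields %U|%I|%i|%m|%S|%L|%R|%a|%T|%D, followed by the operation, its result and the path. The sample lines, hostnames and IPs are constructed placeholders in the same shape as the excerpt above.

```python
import re
from dataclasses import dataclass

# Field order follows the full_audit:prefix line from our smb.conf:
# %U|%I|%i|%m|%S|%L|%R|%a|%T|%D  -> user, client IP, server IP, client
# NetBIOS name, share, server name, protocol, client arch, time, domain.
PREFIX_FIELDS = ("user", "client_ip", "server_ip", "client_name", "share",
                 "server_name", "protocol", "client_arch", "time", "domain")

# rsyslog line: "<Mon DD hh:mm:ss> <host> smbd_audit: <pipe-delimited body>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit: (?P<body>.*)$")


@dataclass
class AuditEvent:
    fields: dict      # the ten prefix fields above
    operation: str    # e.g. pread_send
    result: str       # "ok" or "fail"
    path: str         # argument list; for file ops this is the path


def parse_audit_line(line):
    """Return an AuditEvent, or None for lines that are not smbd_audit records."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("body").split("|")
    n = len(PREFIX_FIELDS)
    if len(parts) < n + 2:          # truncated line: not enough fields
        return None
    prefix = dict(zip(PREFIX_FIELDS, parts[:n]))
    # a path may itself contain '|', so rejoin everything after the result
    return AuditEvent(prefix, parts[n], parts[n + 1], "|".join(parts[n + 2:]))


def file_access_events(lines):
    """Yield only successful operations; skip unrelated or malformed lines."""
    for line in lines:
        ev = parse_audit_line(line)
        if ev is not None and ev.result == "ok":
            yield ev


# Constructed sample log (placeholder IPs from documentation ranges).
SAMPLE_LOG = """\
Sep 14 08:13:13 OpenSourceDevMachine smbd_audit: guest|203.0.113.5|192.0.2.10|WKSTN01|myshare|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_send|ok|/home/ubuntu/samba/README.md
Sep 14 08:13:13 OpenSourceDevMachine smbd_audit: guest|203.0.113.5|192.0.2.10|WKSTN01|myshare|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_recv|ok|/home/ubuntu/samba/README.md
Sep 14 08:13:14 OpenSourceDevMachine systemd[1]: Started Session 3 of user ubuntu.
Sep 14 08:13:15 OpenSourceDevMachine smbd_audit: guest|203.0.113.5|192.0.2.10
"""
```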