Closed jeffshead closed 1 year ago
Hi @jeffshead,
Firstly, thanks for the information. It's very useful. I have a suspicion that the docker opencanary process doesn't have access to the host machine's /var/log/samba-audit.log. This would mean that even though Samba is writing out to that file on the host machine, the docker opencanary cannot monitor it.
Would you mind trying to alter your docker-compose.yml and add in the volumes section:
volumes:
  - ./data/.opencanary.conf:/root/.opencanary.conf
  - /var/log/samba-audit.log:/var/log/samba-audit.log
Would you mind trying to alter your docker-compose.yml and ...
I added that volume and rebuilt the image but, unfortunately, it didn't change anything. SELinux is also disabled.
Hi @jeffshead,
Thanks for giving that a try. I think the next debug test would be to:
docker exec -ti opencanary_latest
/var/log/samba-audit.log file?
Regarding the config file error you're seeing, which opencanary.conf are you changing?
Hi @jeffshead,
Looking at your startup logging, it looks like you don't have smb enabled. You can see the ftp and http modules starting up, but I don't see smb starting up.
I do see in the config that you shared that smb is enabled. I would make sure that config is being used inside the docker. The docker uses the config inside the data folder of the Opencanary repo.
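A small preflight check, added here and not part of OpenCanary or this thread, for the two things the maintainer points at: that the compose file bind-mounts both the audit log and the config into the container, and that the config actually handed to the container has smb.enabled set. The compose text and config below are constructed samples; the `smb.auditfile` key is assumed to be the OpenCanary setting that names the Samba audit log.

```python
import json

# Constructed sample inputs standing in for the files discussed in the thread.
SAMPLE_COMPOSE = """\
services:
  opencanary:
    image: opencanary_latest
    volumes:
      - ./data/.opencanary.conf:/root/.opencanary.conf
      - /var/log/samba-audit.log:/var/log/samba-audit.log
"""
# Key names assumed from OpenCanary's config layout (smb.enabled is on the page).
SAMPLE_CONF = json.dumps({"smb.enabled": True,
                          "smb.auditfile": "/var/log/samba-audit.log"})


def compose_bind_mounts(compose_text):
    """Return {container_path: host_path} for '- host:container[:mode]' entries.

    Line-based scan (the stdlib has no YAML parser); sufficient for the flat
    volumes list a docker-compose.yml like the one in the thread uses.
    """
    mounts, in_volumes = {}, False
    for raw in compose_text.splitlines():
        line = raw.strip()
        if line == "volumes:":
            in_volumes = True
            continue
        if in_volumes and line.startswith("- ") and ":" in line:
            host, _, container = line[2:].partition(":")
            mounts[container.split(":")[0]] = host  # drop an optional :ro/:rw
        elif in_volumes:
            in_volumes = False  # any other line ends the volumes list
    return mounts


def check_smb_wiring(compose_text, conf_text):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    conf = json.loads(conf_text)
    if not conf.get("smb.enabled"):
        problems.append("smb module is disabled in .opencanary.conf")
    audit = conf.get("smb.auditfile", "/var/log/samba-audit.log")
    mounts = compose_bind_mounts(compose_text)
    if audit not in mounts:
        problems.append(f"{audit} is not bind-mounted into the container")
    if "/root/.opencanary.conf" not in mounts:
        problems.append("no .opencanary.conf mounted; container uses the repo's data/ copy")
    return problems
```

Run it against the real docker-compose.yml and the .opencanary.conf that is mounted (not the edited copy on the host) to see which of the two preconditions is missing.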
Hi @jeffshead,
I'm closing this issue due to inactivity. Please feel free to comment or reopen when you want to continue the discussion.
My host is AlmaLinux 9. I installed Samba using the dnf install samba command. I installed Opencanary via Docker Compose. Everything works except I'm not getting email alerts when accessing a Samba share. I get alerts when accessing the fake Synology login page. The /var/log/samba-audit.log file is being updated when I open a Samba share file. I'm just not getting an email alert for it. Am I supposed to do something "extra" since I'm running Opencanary in Docker?
I read that "... pread_recv pread_send aren't being triggered in the newer versions of Samba". However, they ARE being logged in my samba-audit.log. I even tried replacing pread_recv pread_send with fstat, and I tried all, but all that did was add many more entries to samba-audit.log; still no email alerts. So it appears Opencanary is not monitoring and/or parsing my /var/log/samba-audit.log.
I'm also confused as to why I get the following error because the config file is being read. I know this because any edit made to it does take effect.
Below is my docker-compose.yml:
Below is my .opencanary.conf:
Below is my smb.conf:
Below is my rsyslog.conf:
This is what I get from the docker-compose up --build latest command: