thinkst / opencanary

Modular and decentralised honeypot
http://opencanary.org
BSD 3-Clause "New" or "Revised" License

Opencanary not monitoring samba-audit.log #211

Closed jeffshead closed 1 year ago

jeffshead commented 1 year ago

My host is AlmaLinux 9. I installed Samba using the dnf install samba command. I installed Opencanary via Docker Compose. Everything works except I'm not getting email alerts when accessing a Samba share. I get alerts when accessing the fake Synology login page. The /var/log/samba-audit.log file is being updated when I open a Samba share file. I'm just not getting an email alert for it. Am I supposed to do something "extra" since I'm running Opencanary in Docker?

I read that "...pread_recv pread_send aren't being triggered in the newer versions of Samba". However, they ARE being logged in my samba-audit.log. I even tried replacing pread_recv pread_send with fstat, but all that did was add many more entries to samba-audit.log; still no email alerts.

So it appears Opencanary is not monitoring and/or parsing my /var/log/samba-audit.log.

I'm also confused as to why I get the following error because the config file is being read. I know this because any edit made to it does take effect.

opencanary_latest  | [-] Failed to open opencanary.conf for reading ([Errno 2] No such file or directory: 'opencanary.conf')

Below is my docker-compose.yml:

version: "3.4"

x-common: &common
  restart: unless-stopped
  volumes:
    - ./data/.opencanary.conf:/root/.opencanary.conf
  image: "opencanary"
  ports:
    # Comment/un-comment the port lines below to disable/enable the services you are using
    # FTP
    - "21:21"
    # SSH
    # - "22:22"
    # Telnet
    # - "23:23"
    # TFTP
    # - "69:69"
    # HTTP
    - "80:80"
    # NTP
    # - "123:123"
    # SNMP
    # - "161:161"
    # MSSQL
    # - "1433:1433"
    # MYSQL
    # - "3306:3306"
    # RDP
    # - "3389:3389"
    # VNC
    # - "5000:5000"
    # SIP
    # - "5060:5060"
    # REDIS
    # - "6379:6379"
    # TCP Banner
    # - "8001:8001"
    # HTTP Proxy
    # - "8080:8080"
    # Git
    # - "9418:9418"

services:
  latest: # docker-compose up --build -d latest
    <<: *common
    container_name: opencanary_latest
    build:
      context: .
      dockerfile: Dockerfile.latest

  stable: # docker-compose up --build -d stable
    <<: *common
    container_name: opencanary_stable
    build:
      context: .
      dockerfile: Dockerfile.stable

Below is my .opencanary.conf:

{
    "device.node_id": "Synology",
    "ip.ignorelist": [  ],
    "git.enabled": false,
    "git.port" : 9418,
    "ftp.enabled": true,
    "ftp.port": 21,
    "ftp.banner": "FTP server ready",
    "http.banner": "Apache/2.2.22 (Ubuntu)",
    "http.enabled": true,
    "http.port": 80,
    "http.skin": "nasLogin",
    "http.skin.list": [
        {
            "desc": "Plain HTML Login",
            "name": "basicLogin"
        },
        {
            "desc": "Synology NAS Login",
            "name": "nasLogin"
        }
    ],
    "httpproxy.enabled" : false,
    "httpproxy.port": 8080,
    "httpproxy.skin": "squid",
    "httproxy.skin.list": [
        {
            "desc": "Squid",
            "name": "squid"
        },
        {
            "desc": "Microsoft ISA Server Web Proxy",
            "name": "ms-isa"
        }
    ],
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "formatters": {
                "plain": {
                    "format": "%(message)s"
                },
                "syslog_rfc": {
                    "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s"
                }
            },
            "handlers": {
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/tmp/opencanary.log"
                },
                "SMTP": {
                    "class": "logging.handlers.SMTPHandler",
                    "mailhost": ["mail.example.com", 587],
                    "fromaddr": "noreply@example.com",
                    "toaddrs" : ["me@example.com"],
                    "subject" : "OpenCanary Alert",
                    "credentials" : ["noreply@example.com", "password"],
                    "secure" : []
                }
            }
        }
    },
    "portscan.enabled": false,
    "portscan.ignore_localhost": false,
    "portscan.logfile":"/var/log/kern.log",
    "portscan.synrate": 5,
    "portscan.nmaposrate": 5,
    "portscan.lorate": 3,
    "smb.auditfile": "/var/log/samba-audit.log",
    "smb.enabled": true,
    "mysql.enabled": false,
    "mysql.port": 3306,
    "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
    "ssh.enabled": false,
    "ssh.port": 22,
    "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4",
    "redis.enabled": false,
    "redis.port": 6379,
    "rdp.enabled": false,
    "rdp.port": 3389,
    "sip.enabled": false,
    "sip.port": 5060,
    "snmp.enabled": false,
    "snmp.port": 161,
    "ntp.enabled": false,
    "ntp.port": 123,
    "tftp.enabled": false,
    "tftp.port": 69,
    "tcpbanner.maxnum":10,
    "tcpbanner.enabled": false,
    "tcpbanner_1.enabled": false,
    "tcpbanner_1.port": 8001,
    "tcpbanner_1.datareceivedbanner": "",
    "tcpbanner_1.initbanner": "",
    "tcpbanner_1.alertstring.enabled": false,
    "tcpbanner_1.alertstring": "",
    "tcpbanner_1.keep_alive.enabled": false,
    "tcpbanner_1.keep_alive_secret": "",
    "tcpbanner_1.keep_alive_probes": 11,
    "tcpbanner_1.keep_alive_interval":300,
    "tcpbanner_1.keep_alive_idle": 300,
    "telnet.enabled": false,
    "telnet.port": 23,
    "telnet.banner": "",
    "telnet.honeycreds": [
        {
            "username": "admin",
            "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
        },
        {
            "username": "admin",
            "password": "admin1"
        }
    ],
    "mssql.enabled": false,
    "mssql.version": "2012",
    "mssql.port":1433,
    "vnc.enabled": false,
    "vnc.port":5000
}

Below is my smb.conf:

[global]
   # Next two lines are needed if IPv6 is disabled
   bind interfaces only = yes
   interfaces = lo eth0 wlan
   workgroup = WORKGROUP
   server string = Samba
   netbios name = NAS
   dns proxy = no
   log file = /var/log/samba/log.all
   log level = 0
   max log size = 100
   panic action = /usr/share/samba/panic-action %d
   #samba 4
   server role = standalone server
   #samba 3
   #security = user
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = no
   map to guest = bad user
   usershare allow guests = yes
   load printers = no
   vfs object = full_audit
   full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
   #full_audit:success = pread_recv pread_send
   full_audit:success = fstat
   full_audit:failure = none
   full_audit:facility = local7
   full_audit:priority = notice
[public]
   comment = Stuff
   path = /home/user
   guest ok = yes
   read only = yes
   browseable = yes

Below is my rsyslog.conf:

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html 
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket; 
              # local messages are retrieved through imjournal now.
module(load="imjournal"         # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
# local7.*                                              /var/log/boot.log
# For OpenCanary: commented out the above line and added the line below:
local7.*                                                /var/log/samba-audit.log

# ### sample forwarding rule ###
#action(type="omfwd"  
# # An on-disk queue is created for this action. If the remote host is
# # down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1"       # unique name prefix for spool files
#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on"       # save messages to disk on shutdown
#queue.type="LinkedList"         # run asynchronously
#action.resumeRetryCount="-1"    # infinite retries if host is down
# # Remote Logging (we use TCP for reliable delivery)
# # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")

This is what I get from the docker-compose up --build latest command:

Attaching to opencanary_latest
opencanary_latest  | ** We hope you enjoy using OpenCanary. For more open source Canary goodness, head over to canarytokens.org. **
opencanary_latest  | [-] Failed to open opencanary.conf for reading ([Errno 2] No such file or directory: 'opencanary.conf')
opencanary_latest  | [-] Using config file: /root/.opencanary.conf
opencanary_latest  | {"dst_host": "", "dst_port": -1, "local_time": "2022-09-15 22:57:00.456579", "local_time_adjusted": "2022-09-15 22:57:00.456622", "logdata": {"msg": {"logdata": "Added service from class CanaryHTTP in opencanary.modules.http to fake"}}, "logtype": 1001, "node_id": "Synology", "src_host": "", "src_port": -1, "utc_time": "2022-09-15 22:57:00.456613"}
opencanary_latest  | {"dst_host": "", "dst_port": -1, "local_time": "2022-09-15 22:57:00.755002", "local_time_adjusted": "2022-09-15 22:57:00.755034", "logdata": {"msg": {"logdata": "Added service from class CanaryFTP in opencanary.modules.ftp to fake"}}, "logtype": 1001, "node_id": "Synology", "src_host": "", "src_port": -1, "utc_time": "2022-09-15 22:57:00.755027"}
opencanary_latest  | {"dst_host": "", "dst_port": -1, "local_time": "2022-09-15 22:57:01.008670", "local_time_adjusted": "2022-09-15 22:57:01.008739", "logdata": {"msg": {"logdata": "Ran startYourEngines on class CanarySamba in opencanary.modules.samba"}}, "logtype": 1001, "node_id": "Synology", "src_host": "", "src_port": -1, "utc_time": "2022-09-15 22:57:01.008719"}
opencanary_latest  | {"dst_host": "", "dst_port": -1, "local_time": "2022-09-15 22:57:01.239780", "local_time_adjusted": "2022-09-15 22:57:01.239879", "logdata": {"msg": {"logdata": "Canary running!!!"}}, "logtype": 1001, "node_id": "Synology", "src_host": "", "src_port": -1, "utc_time": "2022-09-15 22:57:01.239857"}
opencanary_latest  | 2022-09-15T22:56:59+0000 [-] Loading /usr/local/bin/opencanary.tac...
opencanary_latest  | 2022-09-15T22:57:01+0000 [-] Loaded.
opencanary_latest  | 2022-09-15T22:57:01+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 19.10.0 (/usr/local/bin/python 3.7.14) starting up.
opencanary_latest  | 2022-09-15T22:57:01+0000 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
opencanary_latest  | 2022-09-15T22:57:01+0000 [-] Site starting on 80
opencanary_latest  | 2022-09-15T22:57:01+0000 [twisted.web.server.Site#info] Starting factory <twisted.web.server.Site object at 0x7fb0d8606850>
opencanary_latest  | 2022-09-15T22:57:01+0000 [-] FTPFactory starting on 21
opencanary_latest  | 2022-09-15T22:57:01+0000 [twisted.protocols.ftp.FTPFactory#info] Starting factory <twisted.protocols.ftp.FTPFactory object at 0x7fb0da423b50>

jayjb commented 1 year ago

Hi @jeffshead,

Firstly, thanks for the information. It's very useful. I have a suspicion that the docker opencanary process doesn't have access to the host machine's /var/log/samba-audit.log. This would mean that even though Samba is writing out to that file on the host machine, the docker opencanary cannot monitor it.

Would you mind trying to alter your docker-compose.yml and add in the volumes section:

volumes:
    - ./data/.opencanary.conf:/root/.opencanary.conf
    - /var/log/samba-audit.log:/var/log/samba-audit.log

jeffshead commented 1 year ago

Would you mind trying to alter your docker-compose.yml and ...

I added that volume and rebuilt the image but, unfortunately, it didn't change anything. SELinux is also disabled.
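As an added example (not OpenCanary's own code, and not the module that actually tails the file), here is what a reader of /var/log/samba-audit.log has to do given the full_audit prefix from the smb.conf and the local7 rsyslog rule posted above: match the syslog line, split the `|`-separated prefix, and keep only successful operations from the audited set. The sample lines are constructed, and the line layout assumes rsyslog's traditional file format with `smbd_audit` as the syslog tag.

```python
import os
import re

# Field order follows the smb.conf line from the issue:
#   full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
PREFIX_FIELDS = ("user", "client_ip", "server_ip", "client_name", "share",
                 "server_name", "protocol", "client_os", "time", "share_root")
# Operations to alert on: fstat is what the posted smb.conf audits.
WATCHED_OPS = {"fstat", "pread_recv", "pread_send"}
# Assumed rsyslog traditional file format as produced by the local7 rule:
#   "Sep 15 22:57:02 nas smbd_audit: <prefix>|<operation>|<status>|<args>"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ smbd_audit(?:\[\d+\])?: (?P<msg>.*)$")

def parse_audit_line(line):
    """Return an event dict for a successful watched operation, else None."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None                       # not a full_audit line at all
    parts = m.group("msg").split("|")
    n = len(PREFIX_FIELDS)
    if len(parts) < n + 2:                # need prefix + operation + status
        return None
    event = dict(zip(PREFIX_FIELDS, parts[:n]))
    event["operation"], event["status"] = parts[n], parts[n + 1]
    event["args"] = "|".join(parts[n + 2:])   # file name, which may contain '|'
    if event["operation"] not in WATCHED_OPS or event["status"] != "ok":
        return None
    return event

def events_from_lines(lines):
    return [e for e in map(parse_audit_line, lines) if e is not None]

def audit_file_visible(path="/var/log/samba-audit.log"):
    """Inside the container this is only True if the host file is bind-mounted."""
    return os.path.isfile(path)

# Constructed sample lines, not taken from the issue.
SAMPLE_LINES = [
    "Sep 15 22:57:01 nas smbd_audit: nobody|192.168.1.50|192.168.1.10|laptop|"
    "public|nas|SMB3_11|Unix|Thu Sep 15 22:57:01 2022 UTC|/home/user|connect|ok|public",
    "Sep 15 22:57:02 nas smbd_audit: nobody|192.168.1.50|192.168.1.10|laptop|"
    "public|nas|SMB3_11|Unix|Thu Sep 15 22:57:02 2022 UTC|/home/user|fstat|ok|notes.txt",
    "Sep 15 22:57:03 nas kernel: unrelated line that must be ignored",
]

if __name__ == "__main__":
    print("audit file visible:", audit_file_visible())
    for e in events_from_lines(SAMPLE_LINES):
        print(f"{e['client_ip']} ({e['user']}) {e['operation']} {e['share']}:{e['args']}")
```

Running this inside the container is a quick way to tell the two failure modes apart: `audit file visible` being False means the bind mount is missing, while True with no events means the lines in the file do not carry the expected prefix or operations.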

jayjb commented 1 year ago

Hi @jeffshead,

Thanks for giving that a try. I think the next debug test would be to:

Regarding the config file error you are seeing, which opencanary.conf are you changing?

jayjb commented 1 year ago

Hi @jeffshead,

Looking at your startup logging, it looks like you don't have smb enabled. You can see ftp and http modules starting up but I don't see smb starting up.

I do see in the config that you shared that smb is enabled. I would make sure that that config is being used inside the docker. The docker uses the config inside the data folder of the Opencanary repo.

jayjb commented 1 year ago

Hi @jeffshead,

I'm closing this issue due to inactivity. Please feel free to comment or reopen when you want to continue the discussion.