
OpenCanary and Samba

thinkst-marco edited this page Jul 23, 2025 · 1 revision

Setting up OpenCanary with Samba (File Share)

OpenCanary supports a Windows File Share service by integrating with Samba. When both are set up and working together, your honeypot can expose an open Windows File Share with interesting-looking files, and if any of those files is opened you'll get an alert.

This page will guide you through setting up OpenCanary's Windows File Share with Samba. Samba is a venerable package with many versions, and runs on many OSes; this guide was written for Samba Version 4.15.13 on Ubuntu 22.04. It also uses Rsyslog as the syslog implementation.

We include debugging steps that are generally applicable to other platforms and Samba versions.

Architecture Overview

Samba and OpenCanary work together by:

  1. Adding audit events to Samba file share accesses (on file open only) through a Samba configuration change
  2. Logging these audit events to Syslog, which writes them to their own file
  3. OpenCanary monitoring that file and parsing the information

Each of these three points needs to be working when setting up Samba for OpenCanary, and each is a place to look when debugging it.

Samba configuration

The initial step is to configure Samba. There are many guides, and we include a basic configuration that allows guest access to a single directory (/samba), using the NetBIOS name SRV01 and share name documents. The values can be changed as you wish.

File-system setup

  1. Create the share's directory and set the correct permissions:
$ mkdir /samba
$ chown $USER:$USER /samba
$ chmod 755 /samba
  2. Create a file inside the share directory:
$ touch /samba/testing.txt

Samba setup

  1. Edit /etc/samba/smb.conf to look like:
[global]
   workgroup = WORKGROUP
   server string = NBDocs
   netbios name = SRV01
   dns proxy = no
   log file = /var/log/samba/log.all
   log level = 0
   max log size = 100
   panic action = /usr/share/samba/panic-action %d
   server role = standalone
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = no
   map to guest = bad user
   usershare allow guests = yes
   load printers = no
   vfs object = full_audit
   full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
   full_audit:success = flistxattr
   full_audit:failure = none
   full_audit:facility = local7
   full_audit:priority = notice
[documents]
   comment = Office documents
   path = /samba
   guest ok = yes
   read only = yes
   browseable = yes
  2. Restart Samba:
$ sudo smbcontrol all reload-config
$ sudo systemctl restart smbd
$ sudo systemctl restart nmbd
  3. Ensure you can browse to your Samba share, and see the testing.txt file.

The key part of the configuration is the audit block, which can be added to other Samba configurations:

   vfs object = full_audit
   full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
   full_audit:success = flistxattr
   full_audit:failure = none
   full_audit:facility = local7
   full_audit:priority = notice

Configuring Rsyslog

With the above Samba configuration in place, Samba VFS audit logs are being written to syslog on the local7 facility with notice priority. You'll now configure Rsyslog to write these to /var/log/samba-audit.log:

  1. Edit rsyslogd configuration (/etc/rsyslog.conf) and add the line:
local7.*        /var/log/samba-audit.log
  2. Create that audit log and set its permissions:
$ sudo touch /var/log/samba-audit.log
$ sudo chown syslog:adm /var/log/samba-audit.log
  3. Restart rsyslog:
$ sudo systemctl restart rsyslog

Tying it all together with OpenCanary

  1. Enable Samba monitoring by editing your /etc/opencanaryd/opencanary.conf (or whichever conf file you are using) and setting "smb.enabled": true.
  2. Ensure that your smb service is pointing at the correct log file: "smb.auditfile": "/var/log/samba-audit.log",
  3. Start your OpenCanary: opencanaryd --start

Testing

  1. Make sure you have set up logging or alerting for your OpenCanary, so that you can confirm the event information is coming through.
  2. Navigate to your Samba File Share and open a file inside it.
  3. Check that the file-open event from the share comes through.

Debugging Samba and OpenCanary

If the above steps didn't get you set up, here's a quick guide to debugging:

  1. Check that the Samba share is visible and browseable.
  2. Check that the Samba audit events are being logged.
  3. Check that OpenCanary can read the right audit file.

Samba share is not visible/browseable

This is a Samba issue before anything else: OpenCanary only reports on files accessed on your Samba share, so we first need to make sure the share itself is accessible.

Double check these:

  • Samba is running: $ ps aux | grep smbd or $ systemctl status smbd. In both cases you should see that smbd is running/active.
  • Ensure network connectivity from the workstation you are trying to access the file share from: $ ping <ip of opencanary server>. If you are running this in the cloud, please ensure you have allowed traffic to ports 139 and 445 (for Samba File Share).

Check that Syslog is writing the audit events

The smb.conf configuration writes VFS audit events to Syslog, which should be storing them at /var/log/samba-audit.log.

Inside the Samba VFS audit file you should see lines like:

Sep 14 08:13:13 OpenSourceDevMachine smbd_audit: guest|<ATTACKER IP>|<OPENCANARY IP>|<ATTACK MACHINE NAME>|myshare|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_send|ok|/samba/texting.txt
Sep 14 08:13:13 OpenSourceDevMachine smbd_audit: guest|<ATTACK IP>|<OPENCANARY IP>|<ATTACK MACHINE NAME>|myshare|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_recv|ok|/samba/texting.txt

If there are no logs at /var/log/samba-audit.log, then either Samba isn't sending them, or your syslog isn't writing them.
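To make the monitoring step of the architecture overview concrete, here is an added example (not OpenCanary's own code) that parses audit lines of the shape shown above. The field order follows the full_audit:prefix from the smb.conf on this page (%U|%I|%i|%m|%S|%L|%R|%a|%T|%D), followed by the operation, result and path that full_audit itself appends. The sample log lines, host names and addresses (203.0.113.7, 192.0.2.10) are constructed, and the collapsing of pread_send/pread_recv pairs into one event is this example's own policy, not necessarily OpenCanary's.

```python
# Added example: parse Samba full_audit lines produced by the prefix
# "%U|%I|%i|%m|%S|%L|%R|%a|%T|%D" and turn successful records into
# one file-access event per client/share/path.
# Sample lines below are constructed; 203.0.113.7 / 192.0.2.10 are
# documentation addresses, not real hosts.
import re
from typing import Dict, List, Optional, Tuple

# Field names in the order the prefix emits them, then the three fields
# full_audit appends: operation, result ("ok" on success) and argument.
PREFIX_FIELDS = ["user", "client_ip", "local_ip", "client_name", "share",
                 "server", "protocol", "client_arch", "time", "domain"]
FIELDS = PREFIX_FIELDS + ["op", "result", "path"]

# rsyslog header, the smbd_audit tag, then the '|'-separated payload
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit: (?P<payload>.*)$"
)

SAMPLE_LOG = """\
Sep 14 08:13:13 honeypot smbd_audit: guest|203.0.113.7|192.0.2.10|WORKSTATION1|documents|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_send|ok|/samba/testing.txt
Sep 14 08:13:13 honeypot smbd_audit: guest|203.0.113.7|192.0.2.10|WORKSTATION1|documents|srv01|SMB3_11|OSX|2021/09/14 08:13:13|SRV01|pread_recv|ok|/samba/testing.txt
Sep 14 08:13:14 honeypot smbd_audit: guest|203.0.113.7|192.0.2.10|WORKSTATION1|documents|srv01|SMB3_11|OSX|2021/09/14 08:13:14|SRV01|pread_send|fail|/samba/other.txt
Sep 14 08:13:15 honeypot CRON[123]: (root) CMD (an unrelated syslog line)
"""


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the audit fields of one syslog line, or None if it is not a
    well-formed smbd_audit line (wrong tag, or not 13 '|'-separated fields)."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # maxsplit keeps a '|' inside the final path argument from shifting fields
    parts = m.group("payload").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    record = dict(zip(FIELDS, parts))
    record["syslog_time"] = m.group("ts")
    record["syslog_host"] = m.group("host")
    return record


def file_access_events(log_text: str) -> List[Tuple[str, str, str]]:
    """Collapse successful audit records into (client_ip, share, path) events,
    one per distinct client/share/path, so a single open that produces both a
    pread_send and a pread_recv record becomes one alert-worthy event.
    (Deduplication policy is an assumption of this example.)"""
    seen = set()
    events: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["result"] != "ok":
            continue
        key = (rec["client_ip"], rec["share"], rec["path"])
        if key not in seen:
            seen.add(key)
            events.append(key)
    return events


if __name__ == "__main__":
    for client_ip, share, path in file_access_events(SAMPLE_LOG):
        print("file opened on share %s: %s by %s" % (share, path, client_ip))
```

Running the block against a real /var/log/samba-audit.log is a quick way to tell whether lines that fail to parse (wrong prefix, extra or missing fields) are the reason nothing is being reported.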

Checking for full_audit support

Samba requires the full_audit VFS module to work with OpenCanary. Check that the module is loaded with:

$ smbd -b | grep full_audit
    vfs_full_audit_init

If nothing is returned, you need to install the VFS modules for your Samba. In Ubuntu, they are present in the samba-vfs-modules package.

Checking the syslog setup

Please double-check that you have created the file /var/log/samba-audit.log and changed its permissions so that your syslog can write to it. You can confirm that Samba is writing the events to syslog by modifying the main syslog configuration to write all messages at all priority levels to an already present syslog file:

# Something like:
*.* /var/log/syslog

If the entries show up in /var/log/syslog but not /var/log/samba-audit.log, check the permissions of /var/log/samba-audit.log.

OpenCanary isn't reading the events

You've confirmed the share is visible, and audit events are being written to /var/log/samba-audit.log, but OpenCanary isn't reporting them.

You should run opencanaryd --dev. This runs your opencanary in the foreground and will show you which opencanary.conf is being used:

$ opencanaryd --dev
Removing stale pidfile /home/ubuntu/twistd.pid
** We hope you enjoy using OpenCanary. For more open source Canary goodness, head over to canarytokens.org. **
[-] Failed to open opencanary.conf for reading ([Errno 2] No such file or directory: 'opencanary.conf')
[-] Failed to open /root/.opencanary.conf for reading ([Errno 2] No such file or directory: '/root/.opencanary.conf')
[-] Using config file: /etc/opencanaryd/opencanary.conf

As OpenCanary starts, it will show you which services are starting up. Ensure you see CanarySamba starting up. If it isn't, navigate to the config file that your OpenCanary process is using and enable Samba ("smb.enabled": true).

If Samba is enabled, then check the file path that it is monitoring. Run this command (with the location of your OpenCanary config):

$ cat /etc/opencanaryd/opencanary.conf | grep "smb.auditfile"
    "smb.auditfile": "/var/log/samba-audit.log",

Confirm that this path is the same one that rsyslog writes the Samba audit events to.
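The three settings that must agree (the facility and priority in smb.conf, the rsyslog rule routing that facility to a file, and smb.enabled / smb.auditfile in opencanary.conf, as set in "Tying it all together" and re-checked here) can be compared mechanically. The following is an added example, not OpenCanary's own tooling: it parses the [global] section of an smb.conf text, the classic "selector  target" rules of an rsyslog.conf text, and the JSON opencanary.conf, and reports any mismatch. The three configuration texts embedded below are constructed samples modelled on this page; the parser understands only classic rsyslog selectors (facility.level), not rsyslog's newer RainerScript syntax.

```python
# Added example (not OpenCanary's code): check that smb.conf, rsyslog.conf and
# opencanary.conf agree on where Samba full_audit events end up.
# The three configuration texts are constructed samples based on this page.
import json
import re
from typing import Dict, List, Tuple

SMB_CONF = """\
[global]
   netbios name = SRV01
   vfs object = full_audit
   full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
   full_audit:success = flistxattr
   full_audit:failure = none
   full_audit:facility = local7
   full_audit:priority = notice
[documents]
   path = /samba
"""
RSYSLOG_CONF = """\
# default rules, shortened
*.*;auth,authpriv.none     -/var/log/syslog
local7.*        /var/log/samba-audit.log
"""
OPENCANARY_CONF = '{"smb.enabled": true, "smb.auditfile": "/var/log/samba-audit.log"}'

# syslog severities, least to most severe; a selector "fac.level" passes
# messages at that level or more severe ("fac.*" passes everything)
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def global_section(smb_conf: str) -> Dict[str, str]:
    """Key/value pairs (lower-cased keys) of the [global] section of smb.conf."""
    settings: Dict[str, str] = {}
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)   # values may themselves contain '='
            settings[key.strip().lower()] = value.strip()
    return settings


def rsyslog_rules(rsyslog_conf: str) -> List[Tuple[str, str]]:
    """(selector, target) pairs for classic 'selector  /path' rules."""
    rules = []
    for raw in rsyslog_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$":
            continue
        m = re.match(r"^(\S+)\s+-?(/\S+)$", line)   # leading '-' = async write
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def check_pipeline(smb_conf: str, rsyslog_conf: str, opencanary_conf: str) -> List[str]:
    """Return human-readable problems; an empty list means the configs agree."""
    problems: List[str] = []
    g = global_section(smb_conf)
    modules = g.get("vfs objects", g.get("vfs object", "")).split()
    if "full_audit" not in modules:
        problems.append("smb.conf: full_audit is not in vfs objects")
    facility = g.get("full_audit:facility", "").lower()
    priority = g.get("full_audit:priority", "notice").lower()
    if not facility:
        problems.append("smb.conf: full_audit:facility is not set")

    # files that rsyslog writes messages of facility.priority to
    targets: List[str] = []
    for selector, target in rsyslog_rules(rsyslog_conf):
        for part in selector.split(";"):
            if "." not in part:
                continue
            facs, level = part.rsplit(".", 1)
            if facs != "*" and facility not in [f.strip() for f in facs.split(",")]:
                continue
            if level == "*" or (level in LEVELS and priority in LEVELS
                                and LEVELS.index(level) <= LEVELS.index(priority)):
                targets.append(target)
    if facility and not targets:
        problems.append("rsyslog: no rule routes %s.%s to a file" % (facility, priority))

    try:
        oc = json.loads(opencanary_conf)
    except ValueError as exc:
        return problems + ["opencanary.conf: not valid JSON (%s)" % exc]
    if oc.get("smb.enabled") is not True:
        problems.append("opencanary.conf: smb.enabled is not true")
    auditfile = oc.get("smb.auditfile")
    if not auditfile:
        problems.append("opencanary.conf: smb.auditfile is not set")
    elif targets and auditfile not in targets:
        problems.append("opencanary.conf: smb.auditfile %s is not written by rsyslog (rsyslog writes %s)"
                        % (auditfile, ", ".join(targets)))
    return problems


if __name__ == "__main__":
    for p in check_pipeline(SMB_CONF, RSYSLOG_CONF, OPENCANARY_CONF) or ["pipeline configuration is consistent"]:
        print(p)
```

To check a live host, read the three files from their real locations (/etc/samba/smb.conf, /etc/rsyslog.conf plus anything in /etc/rsyslog.d/, and the opencanary.conf that opencanaryd --dev reports it is using) and pass their contents to check_pipeline. A level-only mismatch (for example local7.warning in rsyslog while Samba logs at notice) is reported as a missing rsyslog route, which matches the symptom of an empty /var/log/samba-audit.log.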