Add some samba regex improvements (#300)

thinkst · Aug 21, 2023 · e60d80b · e60d80b
1 parent e8392ef
commit e60d80b
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 32 deletions.
diff --git a/docs/services/windows.rst b/docs/services/windows.rst
@@ -17,36 +17,34 @@ Below is an example of an `smb.conf` for a Samba installation,
 
 .. code-block:: dosini
 
-    [global]
-       workgroup = WORKGROUP
-       server string = blah
-       netbios name = SRV01
-       dns proxy = no
-       log file = /var/log/samba/log.all
-       log level = 0
-       vfs object = full_audit
-       full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
-       full_audit:success = pread
-       full_audit:failure = none
-       full_audit:facility = local7
-       full_audit:priority = notice
-       max log size = 100
-       panic action = /usr/share/samba/panic-action %d
-       #samba 4
-       server role = standalone server
-       #samba 3
-       #security = user
-       passdb backend = tdbsam
-       obey pam restrictions = yes
-       unix password sync = no
-       map to guest = bad user
-       usershare allow guests = yes
-    [myshare]
-       comment = All the stuff!
-       path = /home/demo/share
-       guest ok = yes
-       read only = yes
-       browseable = yes
+        [global]
+            workgroup = WORKGROUP
+            server string = NBDocs
+            netbios name = SRV01
+            dns proxy = no
+            log file = /var/log/samba/log.all
+            log level = 0
+            max log size = 100
+            panic action = /usr/share/samba/panic-action %d
+            server role = standalone
+            passdb backend = tdbsam
+            obey pam restrictions = yes
+            unix password sync = no
+            map to guest = bad user
+            usershare allow guests = yes
+            load printers = no
+            vfs object = full_audit
+            full_audit:prefix = %U|%I|%i|%m|%S|%L|%R|%a|%T|%D
+            full_audit:success = flistxattr
+            full_audit:failure = none
+            full_audit:facility = local7
+            full_audit:priority = notice
+        [myshare]
+            comment = All the stuff!
+            path = /samba
+            guest ok = yes
+            read only = yes
+            browseable = yes
 
 Please note that there are some details in the above config that you would want to change,
 

diff --git a/opencanary/modules/samba.py b/opencanary/modules/samba.py
@@ -10,7 +10,7 @@ def __init__(self, logFile=None, logger=None):
             FileSystemWatcher.__init__(self, fileName=logFile)
 
         def handleLines(self, lines=None):
-            audit_re = re.compile(r"^.*smbd_audit:.*$")
+            audit_re = re.compile(r"^.*smbd_audit.*: (.*$)")
 
             for line in lines:
                 matches = audit_re.match(line)
@@ -19,7 +19,7 @@ def handleLines(self, lines=None):
                 if matches is None:
                     continue
 
-                data = line.split("smbd_audit:", 1)[-1].strip().split("|")
+                data = matches.groups()[0].split("|")
 
                 user = data[0]
                 srcHost = data[1]