From mboxrd@z Thu Jan 1 00:00:00 1970
From: varun gulati
Subject: How to Audit ssh Commands --> wget, scp
Date: Mon, 9 May 2016 16:13:19 +0000 (UTC)
Message-ID: <1090410784.877995.1462810399474.JavaMail.yahoo@mail.yahoo.com>
Reply-To: varun gulati
To: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

Hi Team,

We have a requirement where we have to monitor and log any read operations performed on a file.

e.g. /a/b/c/xyz.log

This file is usually copied and downloaded by many users using various operations, like wget, ssh, jsp Download link provided. These commands are fired from different hosts.

With auditd we want to create a rule which auditctl can leverage to log the User ID that is reading (and copying) it, maybe from a different host. I have gone through many of the rules but didn't find anything fruitful as such (which logs wget, scp commands from remote hosts). Maybe I am missing something. Since it is a very crucial requirement, appreciate your guidance and directions with this.

Let me know in case you require any further information from my end. Many thanks in advance.

Thanks and Regards,
Varun Gulati
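An added example, not part of the original post: assuming a read watch on the file with a made-up key `xyz-read`, this parser groups audit.log records by event and reports which login UID and executable opened the file. The log records are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed watch rule (the key name "xyz-read" is made up for this example):
#   auditctl -w /a/b/c/xyz.log -p r -k xyz-read

# Constructed sample records in audit.log layout, not captured from a real host.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1462810399.474:101): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2210 pid=2214 auid=1001 uid=1001 gid=1001 euid=1001 tty=(none) ses=12 comm="scp" exe="/usr/bin/scp" key="xyz-read"
type=PATH msg=audit(1462810399.474:101): item=0 name="/a/b/c/xyz.log" inode=393222 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1462810455.120:102): arch=c000003e syscall=2 success=yes exit=11 items=1 ppid=1 pid=1650 auid=4294967295 uid=48 gid=48 euid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="xyz-read"
type=PATH msg=audit(1462810455.120:102): item=0 name="/a/b/c/xyz.log" inode=393222 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1462810500.001:103): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=900 pid=901 auid=1002 uid=0 gid=0 euid=0 tty=pts0 ses=15 comm="vi" exe="/usr/bin/vi" key="passwd-edit"
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (uint32)-1: no login session, e.g. a daemon

def read_events(log_text, key):
    """Group records by event serial; return one dict per event tagged with `key`."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[serial]
        ev["time"] = float(ts)
        if rtype == "SYSCALL":   # who did it: login uid, current uid, program
            ev.update({f: fields.get(f) for f in ("auid", "uid", "exe", "key", "success")})
        elif rtype == "PATH":    # what was touched
            ev["path"] = fields.get("name")
    return [
        {**ev, "login_user_known": ev["auid"] != UNSET_AUID}
        for ev in events.values()
        if ev.get("key") == key
    ]

if __name__ == "__main__":
    for ev in read_events(SAMPLE_LOG, "xyz-read"):
        print(ev["time"], ev["path"], ev["exe"], "auid=" + ev["auid"], "uid=" + ev["uid"])
```

The audit record identifies the local process that opened the file: for an scp session that is the logged-in user's `auid`, while for an HTTP download it is the web server account with `auid` unset. Attributing a remote wget request to a person therefore needs the web server's own access log in addition to the audit trail.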