Re: How to Audit ssh Commands --> wget, scp

From: Steve Grubb <sgrubb@redhat.com>
To: varun gulati <gitmevg@yahoo.co.in>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: How to Audit ssh Commands --> wget, scp
Date: Tue, 10 May 2016 09:55:28 -0400	[thread overview]
Message-ID: <1516870.Lzm0Vsvr0T@x2> (raw)
In-Reply-To: <2052092882.1384284.1462888019553.JavaMail.yahoo@mail.yahoo.com>

On Tuesday, May 10, 2016 01:46:59 PM varun gulati wrote:
> Thanks for the response. We are not using web services to provide/serve this
> file.

You have to be. :-) If someone on another system uses wget to access a file on 
the system you care about, something is serving the file on port 80. Maybe you 
need to do a netstat -tanp to see what is serving the file.

> Its simply kept at a particular folder which people download using
> wget. Here is the wget command users are using to download the file from
> the different hosts: wget --no-cache
> http://servername/app/name/dist/xyz.zip
> Still no logging is happening :(Need your expert help with this.
> 
> > Thanks for your suggestions. We incorporated the below rule for
> > auditctl which you suggested, but unfortunately it didn't helped. We
> > are able to log the wget from the same server but unfortunately it is
> > still not logging from a different host:
> > 
> > -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
> > 
> > This is how the file looks like:
> > 
> > -w /a/b/c/xyz.log -p rwxa -k Audit

This should get you all access of that file if you are on a distribution that 
enables the audit system unless you are on a special file system like NFS which 
is not supported by the audit system.

> > -w /usr/bin/wget -p rwxa -k Audit

This will show execution of wget on the server, not the client.

> > -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access

This is roughly the same as the first above just expressed in the longer form.

> > But nothing is logging the Audit when wget is called from any other
> > host. Can you please assist on this further.
> 
> If you are using a web service (httpd, etc) to service your files, then
> make it authenticated and have it log.

I agree on this point. Auditd will tell you that the web server accessed the 
file but not who is getting it. Only the web server can know that.

-Steve

> > On Tuesday, 10 May 2016 1:32 AM, Steve Grubb <sgrubb@redhat.com>
> > wrote:
> > 
> > On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
> > > Hi Team,
> > > We have requirement where we have to monitor and log any read
> > 
> > operations
> > 
> > > performed on a file. e.g. /a/b/c/xyz.log
> > 
> > -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
> > 
> > > This file is usually copied and downloaded by many users using
> > 
> > various
> > 
> > > operations, like, wget, ssh, jsp Download link provided. These
> > 
> > commands are
> > 
> > > fired from different hosts. With the auditd we want to create a rule
> > 
> > which
> > 
> > > auditctl can leverage to log the User ID that is reading (and
> > 
> > copying) it
> > 
> > > from a different host may be.
> > 
> > You will get the local auid/uid that the kernel sees when the request
> > triggers
> > the rule. There is nothing more that can be done from the audit
> > system.
> > 
> > -Steve
> > 
> > > I have gone through many of the rules but didn't find anything
> > 
> > fruitful as
> > 
> > > such (which logs wget, scp commands from remote hosts). May be I am
> > 
> > missing
> > 
> > > on something. Since it is a very crucial requirement, appreciate
> > 
> > your
> > 
> > > guidance and directions with this. Let me know in case you require
> > 
> > any
> > 
> > > further information from my end. Many thanks in advance.
> > > 
> > > 
> > > 
> > > Thanks and Regards,Varun Gulati
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit