From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: How to Audit ssh Commands --> wget, scp Date: Tue, 10 May 2016 09:55:28 -0400 Message-ID: <1516870.Lzm0Vsvr0T@x2> References: <1462885014.3439.18.camel@swtf.swtf.dyndns.org> <2052092882.1384284.1462888019553.JavaMail.yahoo@mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <2052092882.1384284.1462888019553.JavaMail.yahoo@mail.yahoo.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: varun gulati Cc: "linux-audit@redhat.com" List-Id: linux-audit@redhat.com On Tuesday, May 10, 2016 01:46:59 PM varun gulati wrote: > Thanks for the response. We are not using web services to provide/serve this > file. You have to be. :-) If someone on another system uses wget to access a file on the system you care about, something is serving the file on port 80. Maybe you need to do a netstat -tanp to see what is serving the file. > Its simply kept at a particular folder which people download using > wget. Here is the wget command users are using to download the file from > the different hosts: wget --no-cache > http://servername/app/name/dist/xyz.zip > Still no logging is happening :(Need your expert help with this. > > > Thanks for your suggestions. We incorporated the below rule for > > auditctl which you suggested, but unfortunately it didn't helped. We > > are able to log the wget from the same server but unfortunately it is > > still not logging from a different host: > > > > -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access > > > > This is how the file looks like: > > > > -w /a/b/c/xyz.log -p rwxa -k Audit This should get you all access of that file if you are on a distribution that enables the audit system unless you are on a special file system like NFS which is not supported by the audit system. > > -w /usr/bin/wget -p rwxa -k Audit This will show execution of wget on the server, not the client. > > -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access This is roughly the same as the first above just expressed in the longer form. > > But nothing is logging the Audit when wget is called from any other > > host. Can you please assist on this further. > > If you are using a web service (httpd, etc) to service your files, then > make it authenticated and have it log. I agree on this point. Auditd will tell you that the web server accessed the file but not who is getting it. Only the web server can know that. -Steve > > On Tuesday, 10 May 2016 1:32 AM, Steve Grubb > > wrote: > > > > On Monday, May 09, 2016 04:13:19 PM varun gulati wrote: > > > Hi Team, > > > We have requirement where we have to monitor and log any read > > > > operations > > > > > performed on a file. e.g. /a/b/c/xyz.log > > > > -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access > > > > > This file is usually copied and downloaded by many users using > > > > various > > > > > operations, like, wget, ssh, jsp Download link provided. These > > > > commands are > > > > > fired from different hosts. With the auditd we want to create a rule > > > > which > > > > > auditctl can leverage to log the User ID that is reading (and > > > > copying) it > > > > > from a different host may be. > > > > You will get the local auid/uid that the kernel sees when the request > > triggers > > the rule. There is nothing more that can be done from the audit > > system. > > > > -Steve > > > > > I have gone through many of the rules but didn't find anything > > > > fruitful as > > > > > such (which logs wget, scp commands from remote hosts). May be I am > > > > missing > > > > > on something. Since it is a very crucial requirement, appreciate > > > > your > > > > > guidance and directions with this. Let me know in case you require > > > > any > > > > > further information from my end. Many thanks in advance. > > > > > > > > > > > > Thanks and Regards,Varun Gulati > > > > -- > > Linux-audit mailing list > > Linux-audit@redhat.com > > https://www.redhat.com/mailman/listinfo/linux-audit