From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: How to Audit ssh Commands --> wget, scp Date: Mon, 09 May 2016 16:02:09 -0400 Message-ID: <1735441.Z8U2sxjTp5@x2> References: <1090410784.877995.1462810399474.JavaMail.yahoo.ref@mail.yahoo.com> <1090410784.877995.1462810399474.JavaMail.yahoo@mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1090410784.877995.1462810399474.JavaMail.yahoo@mail.yahoo.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com, varun gulati List-Id: linux-audit@redhat.com On Monday, May 09, 2016 04:13:19 PM varun gulati wrote: > Hi Team, > We have requirement where we have to monitor and log any read operations > performed on a file. e.g. /a/b/c/xyz.log -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access > This file is usually copied and downloaded by many users using various > operations, like, wget, ssh, jsp Download link provided. These commands are > fired from different hosts. With the auditd we want to create a rule which > auditctl can leverage to log the User ID that is reading (and copying) it > from a different host may be. You will get the local auid/uid that the kernel sees when the request triggers the rule. There is nothing more that can be done from the audit system. -Steve > I have gone through many of the rules but didn't find anything fruitful as > such (which logs wget, scp commands from remote hosts). May be I am missing > on something. Since it is a very crucial requirement, appreciate your > guidance and directions with this. Let me know in case you require any > further information from my end. Many thanks in advance. > > > > Thanks and Regards,Varun Gulati