From: varun gulati
Subject: Re: How to Audit ssh Commands --> wget, scp
Date: Tue, 10 May 2016 13:46:59 +0000 (UTC)
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com

Hi Team,

Thanks for the response. We are not using web services to provide/serve this file. It's simply kept at a particular folder which people download using wget.

Here is the wget command users are using to download the file from the different hosts:

wget --no-cache http://servername/app/name/dist/xyz.zip

Still no logging is happening :( Need your expert help with this.

Thanks and Regards,
Varun Gulati

On Tuesday, 10 May 2016 6:26 PM, Burn Alting wrote:

On Tue, 2016-05-10 at 10:39 +0000, varun gulati wrote:
>
> Hi Steve,
>
> Thanks for your suggestions. We incorporated the below rule for
> auditctl which you suggested, but unfortunately it didn't help. We
> are able to log the wget from the same server but unfortunately it is
> still not logging from a different host:
>
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
>
> This is how the file looks:
>
> -w /a/b/c/xyz.log -p rwxa -k Audit
> -w /usr/bin/wget -p rwxa -k Audit
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
>
> But nothing is logging the Audit when wget is called from any other
> host. Can you please assist on this further.

If you are using a web service (httpd, etc) to service your files, then
make it authenticated and have it log.

>
> Thanks and Regards,
> Varun Gulati
>
> On Tuesday, 10 May 2016 1:32 AM, Steve Grubb wrote:
>
> On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
> > Hi Team,
> > We have a requirement where we have to monitor and log any read
> > operations performed on a file. e.g. /a/b/c/xyz.log
>
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
>
> > This file is usually copied and downloaded by many users using
> > various operations, like, wget, ssh, jsp Download link provided. These
> > commands are fired from different hosts. With the auditd we want to
> > create a rule which auditctl can leverage to log the User ID that is
> > reading (and copying) it from a different host may be.
>
> You will get the local auid/uid that the kernel sees when the request
> triggers the rule. There is nothing more that can be done from the
> audit system.
>
> -Steve
>
> > I have gone through many of the rules but didn't find anything
> > fruitful as such (which logs wget, scp commands from remote hosts).
> > Maybe I am missing on something. Since it is a very crucial
> > requirement, appreciate your guidance and directions with this. Let
> > me know in case you require any further information from my end.
> > Many thanks in advance.
> >
> > Thanks and Regards,
> > Varun Gulati
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
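Steve's point above is the crux of the thread: the file-watch rule records whichever local process the kernel sees opening the file, so a remote wget served by httpd is attributed to the httpd worker (uid apache, auid unset), never to the remote user. The following is an added example, not code from the thread or from audit-userspace: it parses constructed audit.log SYSCALL records keyed log-access and, for opens with an unset auid, recovers the remote client from a constructed httpd access log entry (with authentication enabled, as Burn suggests) by timestamp proximity. The sample records, the host 203.0.113.7, the user alice and the 2-second window are all assumptions.

```python
import re
from datetime import datetime
# Constructed records (not real data) in raw audit.log format: a local wget read,
# an httpd worker serving a remote download, and an event with a different key.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1462885000.100:501): arch=c000003e syscall=2 success=yes exit=3 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=4 comm="wget" exe="/usr/bin/wget" key="log-access"
type=SYSCALL msg=audit(1462885030.250:502): arch=c000003e syscall=2 success=yes exit=9 ppid=900 pid=901 auid=4294967295 uid=48 gid=48 euid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="log-access"
type=SYSCALL msg=audit(1462885031.000:503): arch=c000003e syscall=2 success=yes exit=4 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="other"
"""
# Constructed httpd combined-format entry for that download; with auth on, the user is logged.
ACCESS_LOG = '203.0.113.7 - alice [10/May/2016:12:57:10 +0000] "GET /app/name/dist/xyz.zip HTTP/1.1" 200 1048576 "-" "Wget/1.14 (linux-gnu)"\n'
UNSET_AUID = 4294967295  # printed by the kernel when no login uid was ever set
_MSG_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<when>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_audit(text, key):
    """Return SYSCALL records carrying the given -k key, with numeric ts/serial/auid."""
    events = []
    for line in text.splitlines():
        m = _MSG_RE.search(line)
        if not m or not line.startswith('type=SYSCALL'):
            continue
        fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
        if fields.get('key') == key:
            fields.update(ts=float(m.group('ts')), serial=int(m.group('serial')),
                          auid=int(fields['auid']))
            events.append(fields)
    return events

def parse_access(text):
    """Return httpd combined-format entries with a float UTC timestamp."""
    hits = []
    for line in text.splitlines():
        m = _ACCESS_RE.match(line)
        if m:
            when = datetime.strptime(m.group('when'), '%d/%b/%Y:%H:%M:%S %z')
            hits.append({'ip': m.group('ip'), 'user': m.group('user'), 'ts': when.timestamp()})
    return hits

def attribute(events, hits, window=2.0):
    """Local login uid when auditd has one, else the access-log client within `window` s."""
    out = []
    for ev in events:
        if ev['auid'] != UNSET_AUID:
            out.append((ev['serial'], f"local auid={ev['auid']} via {ev['comm']}"))
            continue
        hit = next((h for h in hits if abs(h['ts'] - ev['ts']) <= window), None)
        who = f"{hit['user']}@{hit['ip']}" if hit else 'unknown remote client'
        out.append((ev['serial'], f"served by {ev['comm']} to {who}"))
    return out
```

Without the access log (the situation in the thread, where the file is served with no web service logging) the httpd read can only be attributed to the daemon itself, which is exactly the limit Steve describes.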