From: varun gulati
Subject: Re: How to Audit ssh Commands --> wget, scp
Date: Tue, 10 May 2016 10:39:31 +0000 (UTC)
To: Steve Grubb
Cc: linux-audit@redhat.com
Message-ID: <364586275.1275853.1462876771158.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <1735441.Z8U2sxjTp5@x2>

Hi Steve,

Thanks for your suggestions. We incorporated the below rule for auditctl which you suggested, but unfortunately it didn't help. We are able to log the wget from the same server, but unfortunately it is still not logging from a different host:

-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access

This is how the file looks:

-w /a/b/c/xyz.log -p rwxa -k Audit
-w /usr/bin/wget -p rwxa -k Audit
-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access

But nothing is logging the Audit when wget is called from any other host. Can you please assist on this further?

Thanks and Regards,
Varun Gulati


On Tuesday, 10 May 2016 1:32 AM, Steve Grubb <sgrubb@redhat.com> wrote:

On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
> Hi Team,
> We have a requirement where we have to monitor and log any read operations
> performed on a file. e.g. /a/b/c/xyz.log

-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access

> This file is usually copied and downloaded by many users using various
> operations, like, wget, ssh, jsp Download link provided. These commands are
> fired from different hosts. With the auditd we want to create a rule which
> auditctl can leverage to log the User ID that is reading (and copying) it
> from a different host may be.

You will get the local auid/uid that the kernel sees when the request triggers
the rule. There is nothing more that can be done from the audit system.

-Steve

> I have gone through many of the rules but didn't find anything fruitful as
> such (which logs wget, scp commands from remote hosts). Maybe I am missing
> on something. Since it is a very crucial requirement, appreciate your
> guidance and directions with this. Let me know in case you require any
> further information from my end. Many thanks in advance.
>
> Thanks and Regards,
> Varun Gulati
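The following is an added example, not part of the thread or of the audit userspace tools. It illustrates Steve's point about what the key=log-access rule can and cannot tell you: it parses the records auditd writes for a matching read of /a/b/c/xyz.log and reports the auid/uid/comm/exe the kernel saw. The log lines are constructed for the example (a local cat, an scp served by sshd, and a download served by httpd), and the record format is assumed to follow the standard audit.log layout of SYSCALL/CWD/PATH records sharing one serial. The httpd case shows why a wget from another host never yields the remote user: the reading process is the web server, its auid is unset (4294967295), and nothing in the record names the client.

```python
import re
from collections import defaultdict

AUID_UNSET = 4294967295  # (unsigned)-1: process has no login session (e.g. a daemon)

# Constructed sample records (assumption: standard audit.log field layout).
# 1001: local user (auid=1000) reads the file with cat
# 1002: scp invoked by sshd on behalf of the ssh login (still the local login uid)
# 1003: httpd serving the file to a remote wget: uid=48 (apache), auid unset
# 1004: exec of /usr/bin/wget hitting the "-w /usr/bin/wget -k Audit" rule (other key)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1462876771.158:1001): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0 a1=0 a2=1b6 a3=0 items=1 ppid=4101 pid=4102 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="cat" exe="/usr/bin/cat" key="log-access"
type=CWD msg=audit(1462876771.158:1001): cwd="/home/varun"
type=PATH msg=audit(1462876771.158:1001): item=0 name="/a/b/c/xyz.log" inode=131073 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1462876802.311:1002): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd0 a1=0 a2=0 a3=0 items=1 ppid=4200 pid=4201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=8 comm="scp" exe="/usr/bin/scp" key="log-access"
type=CWD msg=audit(1462876802.311:1002): cwd="/home/varun"
type=PATH msg=audit(1462876802.311:1002): item=0 name="/a/b/c/xyz.log" inode=131073 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1462876840.005:1003): arch=c000003e syscall=2 success=yes exit=12 a0=7f3a0 a1=80000 a2=0 a3=0 items=1 ppid=1 pid=1337 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="log-access"
type=CWD msg=audit(1462876840.005:1003): cwd="/"
type=PATH msg=audit(1462876840.005:1003): item=0 name="/a/b/c/xyz.log" inode=131073 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1462876899.420:1004): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=4101 pid=4300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="wget" exe="/usr/bin/wget" key="Audit"
type=PATH msg=audit(1462876899.420:1004): item=0 name="/usr/bin/wget" inode=655 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

_EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted


def parse_record(line):
    """Return (serial, {field: value}) for one audit record, or None if no event id."""
    m = _EVENT_ID.search(line)
    if not m:
        return None
    fields = {key: value.strip('"') for key, value in _KV.findall(line)}
    fields["_time"] = float(m.group(1))
    return int(m.group(2)), fields


def group_events(log_text):
    """Group the SYSCALL/CWD/PATH records that share a serial into one event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            serial, fields = parsed
            events[serial].append(fields)
    return events


def summarize(log_text, key="log-access"):
    """For each event carrying `key`, report the local identity the kernel recorded."""
    summary = []
    for serial, records in sorted(group_events(log_text).items()):
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue  # not our file-read rule (e.g. the "-k Audit" exec rule)
        paths = [r["name"] for r in records if r["type"] == "PATH" and "name" in r]
        auid = int(syscall["auid"])
        summary.append({
            "serial": serial,
            "time": syscall["_time"],
            "path": paths[-1] if paths else None,
            "comm": syscall["comm"],
            "exe": syscall["exe"],
            "uid": int(syscall["uid"]),
            # auid is the *local* login uid; a daemon such as httpd has none,
            # so the remote requester is simply not present in the record.
            "auid": None if auid == AUID_UNSET else auid,
        })
    return summary


if __name__ == "__main__":
    for event in summarize(SAMPLE_LOG):
        who = f"auid={event['auid']}" if event["auid"] is not None else "auid=unset (daemon)"
        print(f"{event['serial']} {event['path']} read by {event['comm']} uid={event['uid']} {who}")
```

Run against a real audit.log, this reads the same fields ausearch -k log-access would show; the value of doing it by hand is seeing that the only identity available for a remote download is the serving daemon's uid, so correlating to a remote user has to come from the web server or sshd logs, not from audit.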