How to Audit ssh Commands --> wget, scp

Steve Grubb sgrubb at redhat.com
Mon May 9 20:02:09 UTC 2016


On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
> Hi Team,
> We have a requirement where we have to monitor and log any read operations
> performed on a file, e.g. /a/b/c/xyz.log

-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access


> This file is usually copied and downloaded by many users using various
> operations, like wget, ssh, or a JSP download link provided. These commands are
> fired from different hosts. With auditd we want to create a rule which
> auditctl can leverage to log the user ID that is reading (and copying) it,
> maybe from a different host.

You will get the local auid/uid that the kernel sees when the request triggers 
the rule. There is nothing more that can be done from the audit system.

-Steve


> I have gone through many of the rules but didn't find anything fruitful as
> such (which logs wget, scp commands from remote hosts). Maybe I am missing
> something. Since it is a very crucial requirement, I would appreciate your
> guidance and directions with this. Let me know in case you require any
> further information from my end. Many thanks in advance.
> 
> 
> 
> Thanks and Regards,
> Varun Gulati
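An added example, not part of this thread: a small Python parser over constructed audit.log records of the kind the rule above (-F key=log-access) would emit, grouped by event serial and reduced to what the reply says the kernel can tell you, the local auid/uid, session and process. The sample records, uids, pids and the httpd service account are made up for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample records (not captured from a real host): an scp by a
# logged-in user, a read by the web server behind a download link (auid is
# unset because no login session owns the daemon), and an unrelated event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1462824129.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=0 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="scp" exe="/usr/bin/scp" key="log-access"
type=CWD msg=audit(1462824129.123:456): cwd="/home/varun"
type=PATH msg=audit(1462824129.123:456): item=0 name="/a/b/c/xyz.log" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1462824200.500:457): arch=c000003e syscall=2 success=yes exit=9 a0=1 a1=0 a2=0 a3=0 items=1 ppid=900 pid=950 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="log-access"
type=PATH msg=audit(1462824200.500:457): item=0 name="/a/b/c/xyz.log" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1462824300.000:458): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=0 a2=0 a3=0 items=1 ppid=1 pid=77 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1462824300.000:458): item=0 name="/etc/hostname" inode=99 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

UNSET = "4294967295"  # audit's "unset" value for auid/ses (no login session)
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(body):
    """Turn 'k=v k="quoted v"' into a dict, stripping the quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(body)}


def file_access_events(log_text, key="log-access"):
    """Group records by event serial; return summaries of events tagged with `key`.

    Only local facts are available: auid/uid, session, exe/comm and the PATH names.
    A remote user behind scp, wget or a web server is not visible here."""
    events = OrderedDict()
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"serial": serial, "time": ts, "files": []})
        f = parse_fields(body)
        if rtype == "SYSCALL":
            ev.update(key=f.get("key"), exe=f.get("exe"), comm=f.get("comm"), uid=f.get("uid"),
                      auid="unset" if f.get("auid") == UNSET else f.get("auid"),
                      ses="unset" if f.get("ses") == UNSET else f.get("ses"))
        elif rtype == "PATH":
            ev["files"].append(f.get("name"))
    return [ev for ev in events.values() if ev.get("key") == key]
```

The function accepts raw records as written to /var/log/audit/audit.log (or as printed by ausearch --raw), so the same code can be pointed at a real log once the rule is loaded.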



