How to Audit ssh Commands --> wget, scp

Burn Alting burn at swtf.dyndns.org
Tue May 10 12:56:54 UTC 2016 

On Tue, 2016-05-10 at 10:39 +0000, varun gulati wrote:
> 
> 
> Hi Steve,
> 
> 
> Thanks for your suggestions. We incorporated the below rule for
> auditctl which you suggested, but unfortunately it didn't helped. We
> are able to log the wget from the same server but unfortunately it is
> still not logging from a different host:
> 
> 
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
> 
> 
> This is how the file looks like:
> 
> 
> -w /a/b/c/xyz.log -p rwxa -k Audit
> 
> 
> -w /usr/bin/wget -p rwxa -k Audit
> 
> 
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
> 
> 
> But nothing is logging the Audit when wget is called from any other
> host. Can you please assist on this further.

If you are using a web service (httpd, etc) to service your files, then
make it authenticated and have it log.

> 
> 
> Thanks and Regards,
> Varun Gulati
> 
> 
> 
> 
> 
> On Tuesday, 10 May 2016 1:32 AM, Steve Grubb <sgrubb at redhat.com>
> wrote:
> 
> 
> 
> On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
> > Hi Team,
> > We have requirement where we have to monitor and log any read
> operations
> > performed on a file. e.g. /a/b/c/xyz.log
> 
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
> 
> 
> > This file is usually copied and downloaded by many users using
> various
> > operations, like, wget, ssh, jsp Download link provided. These
> commands are
> > fired from different hosts. With the auditd we want to create a rule
> which
> > auditctl can leverage to log the User ID that is reading (and
> copying) it
> > from a different host may be.
> 
> You will get the local auid/uid that the kernel sees when the request
> triggers 
> the rule. There is nothing more that can be done from the audit
> system.
> 
> -Steve
> 
> 
> 
> > I have gone through many of the rules but didn't find anything
> fruitful as
> > such (which logs wget, scp commands from remote hosts). May be I am
> missing
> > on something. Since it is a very crucial requirement, appreciate
> your
> > guidance and directions with this. Let me know in case you require
> any
> > further information from my end. Many thanks in advance.
> > 
> > 
> > 
> > Thanks and Regards,Varun Gulati
> 
> 
> 
> 
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

More information about the Linux-audit mailing list