<html><head></head><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:16px"><div><span></span></div><div></div><div id="yui_3_16_0_ym19_1_1462887764748_2584"> Hi Team,</div><div id="yui_3_16_0_ym19_1_1462887764748_2597"><br></div><div id="yui_3_16_0_ym19_1_1462887764748_2611">Thanks for the response. We are not using web services to provide/serve this file. It's simply kept 
at a particular folder which people download using wget.</div><div id="yui_3_16_0_ym19_1_1462887764748_2648"><br></div><div id="yui_3_16_0_ym19_1_1462887764748_2649">Here is the wget command users are using to download the file from the different hosts:</div><div id="yui_3_16_0_ym19_1_1462887764748_2669"><br></div><div id="yui_3_16_0_ym19_1_1462887764748_2625" dir="ltr"><span id="yui_3_16_0_ym19_1_1462887764748_2631" style="color: rgb(26, 26, 26); font-family: segoe ui; font-size: 10pt; font-style: normal; font-weight: normal; text-decoration: none;">wget 
--no-cache <span id="yui_3_16_0_ym19_1_1462887764748_2632" style="color: blue; text-decoration: underline; cursor: pointer;"><a id="ms__id12169" href="http://cdetsacq.cisco.com/cdets/cli/dist/cdets-unix.zip"><a id="ms__id12300" href="http://servername/app/name/dist/xyz.zip">http://servername/app/name/dist/xyz.zip</a></a></span></span></div><div id="yui_3_16_0_ym19_1_1462887764748_2654" dir="ltr"><span style="color: rgb(26, 26, 26); font-family: segoe ui; font-size: 10pt; font-style: normal; font-weight: normal; text-decoration: none;"><span style="color: blue; cursor: pointer;"></span></span><br></div><div id="yui_3_16_0_ym19_1_1462887764748_2670" dir="ltr"><span style="color: rgb(26, 26, 26); font-family: segoe ui; font-size: 10pt; font-style: normal; font-weight: normal; text-decoration: none;"><span style="color: blue; cursor: pointer;"><font id="yui_3_16_0_ym19_1_1462887764748_2672" color="#000000" face="Times New Roman" size="3">Still no logging is happening :(</font></span></span></div><div dir="ltr"><span style="color: rgb(26, 26, 26); font-family: segoe ui; font-size: 10pt; font-style: normal; font-weight: normal; text-decoration: none;"><span style="color: blue; cursor: pointer;"><font color="#000000" face="Times New Roman" size="3">Need your expert help with this.</font></span></span></div><div dir="ltr"><span style="color: rgb(26, 26, 26); font-family: segoe ui; font-size: 10pt; font-style: normal; font-weight: normal; text-decoration: none;"><span style="color: blue; text-decoration: underline; cursor: pointer;"></span></span><br></div><div dir="ltr"><span style="color: rgb(26, 26, 26); font-family: segoe ui; font-size: 10pt; font-style: normal; font-weight: normal; text-decoration: none;"><span style="color: blue; text-decoration: underline; cursor: pointer;"></span></span><br></div><div class="signature" id="yui_3_16_0_ym19_1_1462887764748_2583"><b id="yui_3_16_0_ym19_1_1462887764748_2582">Thanks and Regards,</b><div><b>Varun Gulati</b></div></div> 
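<div dir="ltr"><br></div><div dir="ltr">Added example, not part of the original thread and not code from the audit project: it shows why the watch rule quoted below records only the local httpd process, and how an authenticated access log supplies the remote host and user. The audit record, the access-log line (combined format), the uid value and all function names are constructed assumptions; matching by timestamp is a heuristic.</div>

```python
import re
from datetime import datetime

UNSET_AUID = "4294967295"  # auid the kernel reports when no login session exists

# Constructed sample: SYSCALL record for the key=log-access rule when httpd
# (the local process serving the download) opens the watched file.
AUDIT_SAMPLE = ('type=SYSCALL msg=audit(1462887764.748:2584): arch=c000003e '
                'syscall=2 success=yes exit=5 ppid=1201 pid=1377 auid=4294967295 '
                'uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" key="log-access"')

# Constructed sample: combined-format access log line for an authenticated request.
ACCESS_SAMPLE = ('192.0.2.10 - alice [10/May/2016:13:42:44 +0000] '
                 '"GET /app/name/dist/xyz.zip HTTP/1.1" 200 52341 "-" "Wget/1.14"')


def parse_audit(record):
    """Return the identity fields the kernel recorded for one SYSCALL event."""
    stamp = re.search(r"audit\((\d+)\.\d+:(\d+)\)", record)
    fields = dict(re.findall(r'(\w+)="?([^"\s]+)"?', record))
    return {"epoch": int(stamp.group(1)), "serial": int(stamp.group(2)),
            "auid": fields["auid"], "uid": fields["uid"], "comm": fields["comm"],
            "has_login_uid": fields["auid"] != UNSET_AUID}


def parse_access(line):
    """Return remote host, authenticated user, time and path of one request."""
    m = re.match(r'(\S+) \S+ (\S+) \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})', line)
    host, user, when, path, status = m.groups()
    ts = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z")
    return {"host": host, "user": None if user == "-" else user,
            "epoch": int(ts.timestamp()), "path": path, "status": int(status)}


def attribute(audit_record, access_lines, path, window=2):
    """Pair one audit event with requests for `path` at most `window` seconds away."""
    ev = parse_audit(audit_record)
    hits = [a for a in map(parse_access, access_lines)
            if a["path"] == path and window >= abs(a["epoch"] - ev["epoch"])]
    return {"kernel_saw": (ev["comm"], ev["uid"], ev["has_login_uid"]),
            "remote": [(a["host"], a["user"]) for a in hits]}


if __name__ == "__main__":
    print(attribute(AUDIT_SAMPLE, [ACCESS_SAMPLE], "/app/name/dist/xyz.zip"))
```
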
<div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: times new roman, new york, times, serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;"> <div dir="ltr"><font face="Arial" size="2"> On Tuesday, 10 May 2016 6:26 PM, Burn Alting &lt;burn@swtf.dyndns.org&gt; wrote:<br></font></div>  <br><br> <div class="y_msg_container">On Tue, 2016-05-10 at 10:39 +0000, varun gulati wrote:<br clear="none">> <br clear="none">> <br clear="none">> Hi Steve,<br clear="none">> <br clear="none">> <br clear="none">> Thanks for your suggestions. We incorporated the below rule for<br clear="none">> auditctl which you suggested, but unfortunately it didn't help. We<br clear="none">> are able to log the wget from the same server but unfortunately it is<br clear="none">> still not logging from a different host:<br clear="none">> <br clear="none">> <br clear="none">> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access<br clear="none">> <br clear="none">> <br clear="none">> This is what the file looks like:<br clear="none">> <br clear="none">> <br clear="none">> -w /a/b/c/xyz.log -p rwxa -k Audit<br clear="none">> <br clear="none">> <br clear="none">> -w /usr/bin/wget -p rwxa -k Audit<br clear="none">> <br clear="none">> <br clear="none">> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access<br clear="none">> <br clear="none">> <br clear="none">> But nothing is logging the Audit when wget is called from any other<br clear="none">> host. 
Can you please assist on this further.<br clear="none"><br clear="none">If you are using a web service (httpd, etc.) to service your files, then<br clear="none">make it authenticated and have it log.<div class="yqt5413744849" id="yqtfd24544"><br clear="none"><br clear="none">> <br clear="none">> <br clear="none">> Thanks and Regards,<br clear="none">> Varun Gulati<br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> On Tuesday, 10 May 2016 1:32 AM, Steve Grubb &lt;<a href="mailto:sgrubb@redhat.com" shape="rect" ymailto="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a>&gt;<br clear="none">> wrote:<br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:<br clear="none">> > Hi Team,<br clear="none">> > We have a requirement where we have to monitor and log any read<br clear="none">> operations<br clear="none">> > performed on a file. e.g. /a/b/c/xyz.log<br clear="none">> <br clear="none">> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access<br clear="none">> <br clear="none">> <br clear="none">> > This file is usually copied and downloaded by many users using<br clear="none">> various<br clear="none">> > operations, like, wget, ssh, jsp Download link provided. These<br clear="none">> commands are<br clear="none">> > fired from different hosts. With the auditd we want to create a rule<br clear="none">> which<br clear="none">> > auditctl can leverage to log the User ID that is reading (and<br clear="none">> copying) it<br clear="none">> > from a different host maybe.<br clear="none">> <br clear="none">> You will get the local auid/uid that the kernel sees when the request<br clear="none">> triggers <br clear="none">> the rule. 
There is nothing more that can be done from the audit<br clear="none">> system.<br clear="none">> <br clear="none">> -Steve<br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> > I have gone through many of the rules but didn't find anything<br clear="none">> fruitful as<br clear="none">> > such (which logs wget, scp commands from remote hosts). Maybe I am<br clear="none">> missing<br clear="none">> > on something. Since it is a very crucial requirement, appreciate<br clear="none">> your<br clear="none">> > guidance and directions with this. Let me know in case you require<br clear="none">> any<br clear="none">> > further information from my end. Many thanks in advance.<br clear="none">> > <br clear="none">> > <br clear="none">> > <br clear="none">> > Thanks and Regards, Varun Gulati</div><br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> --<br clear="none">> Linux-audit mailing list<br clear="none">> <a href="mailto:Linux-audit@redhat.com" shape="rect" ymailto="mailto:Linux-audit@redhat.com">Linux-audit@redhat.com</a><br clear="none">> <a href="https://www.redhat.com/mailman/listinfo/linux-audit" target="_blank" shape="rect">https://www.redhat.com/mailman/listinfo/linux-audit</a><div class="yqt5413744849" id="yqtfd43730"><br clear="none"><br clear="none"><br clear="none"></div><br><br></div>  </div> </div>  </div></div></body></html>