How to Audit ssh Commands --> wget, scp

varun gulati gitmevg at yahoo.co.in
Tue May 10 10:39:31 UTC 2016 

Hi Steve,
Thanks for your suggestions. We incorporated the below rule for auditctl which you suggested, but unfortunately it didn't helped. We are able to log the wget from the same server but unfortunately it is still not logging from a different host:
-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
This is how the file looks like:
-w /a/b/c/xyz.log -p rwxa -k Audit
-w /usr/bin/wget -p rwxa -k Audit
-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
But nothing is logging the Audit when wget is called from any other host. Can you please assist on this further.
Thanks and Regards,Varun Gulati
 

    On Tuesday, 10 May 2016 1:32 AM, Steve Grubb <sgrubb at redhat.com> wrote:
 

 On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
> Hi Team,
> We have requirement where we have to monitor and log any read operations
> performed on a file. e.g. /a/b/c/xyz.log

-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access


> This file is usually copied and downloaded by many users using various
> operations, like, wget, ssh, jsp Download link provided. These commands are
> fired from different hosts. With the auditd we want to create a rule which
> auditctl can leverage to log the User ID that is reading (and copying) it
> from a different host may be.

You will get the local auid/uid that the kernel sees when the request triggers 
the rule. There is nothing more that can be done from the audit system.

-Steve


> I have gone through many of the rules but didn't find anything fruitful as
> such (which logs wget, scp commands from remote hosts). May be I am missing
> on something. Since it is a very crucial requirement, appreciate your
> guidance and directions with this. Let me know in case you require any
> further information from my end. Many thanks in advance.
> 
> 
> 
> Thanks and Regards,Varun Gulati



  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20160510/8d90e883/attachment.htm>

More information about the Linux-audit mailing list