On Tue, 2016-05-10 at 10:39 +0000, varun gulati wrote: > > > Hi Steve, > > > Thanks for your suggestions. We incorporated the below rule for > auditctl which you suggested, but unfortunately it didn't helped. We > are able to log the wget from the same server but unfortunately it is > still not logging from a different host: > > > -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access > > > This is how the file looks like: > > > -w /a/b/c/xyz.log -p rwxa -k Audit > > > -w /usr/bin/wget -p rwxa -k Audit > > > -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access > > > But nothing is logging the Audit when wget is called from any other > host. Can you please assist on this further.
If you are using a web service (httpd, etc) to service your files, then make it authenticated and have it log. > > > Thanks and Regards, > Varun Gulati > > > > > > On Tuesday, 10 May 2016 1:32 AM, Steve Grubb <[email protected]> > wrote: > > > > On Monday, May 09, 2016 04:13:19 PM varun gulati wrote: > > Hi Team, > > We have requirement where we have to monitor and log any read > operations > > performed on a file. e.g. /a/b/c/xyz.log > > -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access > > > > This file is usually copied and downloaded by many users using > various > > operations, like, wget, ssh, jsp Download link provided. These > commands are > > fired from different hosts. With the auditd we want to create a rule > which > > auditctl can leverage to log the User ID that is reading (and > copying) it > > from a different host may be. > > You will get the local auid/uid that the kernel sees when the request > triggers > the rule. There is nothing more that can be done from the audit > system. > > -Steve > > > > > I have gone through many of the rules but didn't find anything > fruitful as > > such (which logs wget, scp commands from remote hosts). May be I am > missing > > on something. Since it is a very crucial requirement, appreciate > your > > guidance and directions with this. Let me know in case you require > any > > further information from my end. Many thanks in advance. > > > > > > > > Thanks and Regards,Varun Gulati > > > > > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
