On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
 Hi Team,
 We have a requirement where we have to monitor and log any read operations
 performed on a file, e.g. /a/b/c/xyz.log

-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access

 This file is usually copied and downloaded by many users using various
 operations, like wget, ssh, jsp Download link provided. These commands are
 fired from different hosts. With the auditd we want to create a rule which
 auditctl can leverage to log the User ID that is reading (and copying) it
 from a different host, maybe.

You will get the local auid/uid that the kernel sees when the request triggers 
the rule. There is nothing more that can be done from the audit system.
-Steve

 I have gone through many of the rules but didn't find anything fruitful as
 such (which logs wget, scp commands from remote hosts). Maybe I am missing
 something. Since it is a very crucial requirement, appreciate your
 guidance and directions with this. Let me know in case you require any
 further information from my end. Many thanks in advance.
 
 
 
 Thanks and Regards,
 Varun Gulati
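
An added example, not part of the original thread: a small parser that pulls the local auid/uid and executable out of SYSCALL records tagged with the `log-access` key from the rule above. The sample records, IDs and paths are constructed and abbreviated; they show that a download served by a daemon is recorded under the daemon's uid with an unset auid, which is the limit the reply describes.

```python
import re

UNSET_AUID = 4294967295  # (u32)-1: the process has no login session

# Constructed, abbreviated SYSCALL records in raw audit.log style (not from the thread).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1462800000.101:501): syscall=2 success=yes pid=2215 auid=1001 uid=1001 ses=12 comm="scp" exe="/usr/bin/scp" key="log-access"
type=SYSCALL msg=audit(1462800050.220:502): syscall=2 success=yes pid=1840 auid=4294967295 uid=48 ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="log-access"
type=SYSCALL msg=audit(1462800090.330:503): syscall=2 success=yes pid=2301 auid=1002 uid=0 ses=15 comm="cat" exe="/usr/bin/cat" key="log-access"
type=SYSCALL msg=audit(1462800120.440:504): syscall=2 success=yes pid=2400 auid=1001 uid=1001 ses=12 comm="vi" exe="/usr/bin/vi" key="other-rule"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # name=value or name="value"
STAMP = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')    # epoch seconds and event serial


def read_events(log_text, key="log-access"):
    """Return who the kernel saw reading the watched file, one dict per event."""
    events = []
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        stamp = STAMP.search(line)
        if fields.get("type") != "SYSCALL" or fields.get("key") != key or not stamp:
            continue
        auid = int(fields["auid"])
        events.append({
            "time": int(stamp.group(1)),
            "serial": int(stamp.group(2)),
            # Login uid: set once at login and kept across su/sudo.
            "auid": None if auid == UNSET_AUID else auid,
            "uid": int(fields["uid"]),
            "exe": fields["exe"],
        })
    return events


def daemon_reads(events):
    """Reads by processes with no login uid, e.g. a web server serving a download."""
    return [e for e in events if e["auid"] is None]


if __name__ == "__main__":
    for event in read_events(SAMPLE_LOG):
        print(event)
```

For reads that come back with no auid, the remote user has to be correlated from the serving application's own logs by timestamp, since the audit record holds only the local identity.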