Hi Steve,

Thanks for your suggestions. We incorporated the below rule for auditctl which you suggested, but unfortunately it didn't helped. We are able to log the wget from the same server but unfortunately it is still not logging from a different host:

-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access

This is how the file looks like:

-w /a/b/c/xyz.log -p rwxa -k Audit

-w /usr/bin/wget -p rwxa -k Audit

-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access

But nothing is logging the Audit when wget is called from any other host. Can you please assist on this further.

Thanks and Regards,
Varun Gulati



On Tuesday, 10 May 2016 1:32 AM, Steve Grubb <sgrubb@redhat.com> wrote:


On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
> Hi Team,
> We have requirement where we have to monitor and log any read operations
> performed on a file. e.g. /a/b/c/xyz.log

-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access


> This file is usually copied and downloaded by many users using various
> operations, like, wget, ssh, jsp Download link provided. These commands are
> fired from different hosts. With the auditd we want to create a rule which
> auditctl can leverage to log the User ID that is reading (and copying) it
> from a different host may be.

You will get the local auid/uid that the kernel sees when the request triggers
the rule. There is nothing more that can be done from the audit system.

-Steve



> I have gone through many of the rules but didn't find anything fruitful as
> such (which logs wget, scp commands from remote hosts). May be I am missing
> on something. Since it is a very crucial requirement, appreciate your
> guidance and directions with this. Let me know in case you require any
> further information from my end. Many thanks in advance.
>
>
>
> Thanks and Regards,Varun Gulati