Hi Team,

Thanks for the response. We are not using web services to provide/serve this file. Its simply kept at a particular folder which people download using wget.

Here is the wget command users are using to download the file from the different hosts:

wget --no-cache http://servername/app/name/dist/xyz.zip

Still no logging is happening :(
Need your expert help with this.


Thanks and Regards,
Varun Gulati


On Tuesday, 10 May 2016 6:26 PM, Burn Alting <burn@swtf.dyndns.org> wrote:


On Tue, 2016-05-10 at 10:39 +0000, varun gulati wrote:
>
>
> Hi Steve,
>
>
> Thanks for your suggestions. We incorporated the below rule for
> auditctl which you suggested, but unfortunately it didn't helped. We
> are able to log the wget from the same server but unfortunately it is
> still not logging from a different host:
>
>
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
>
>
> This is how the file looks like:
>
>
> -w /a/b/c/xyz.log -p rwxa -k Audit
>
>
> -w /usr/bin/wget -p rwxa -k Audit
>
>
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
>
>
> But nothing is logging the Audit when wget is called from any other
> host. Can you please assist on this further.

If you are using a web service (httpd, etc) to service your files, then
make it authenticated and have it log.


>
>
> Thanks and Regards,
> Varun Gulati
>
>
>
>
>
> On Tuesday, 10 May 2016 1:32 AM, Steve Grubb <sgrubb@redhat.com>
> wrote:
>
>
>
> On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
> > Hi Team,
> > We have requirement where we have to monitor and log any read
> operations
> > performed on a file. e.g. /a/b/c/xyz.log
>
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
>
>
> > This file is usually copied and downloaded by many users using
> various
> > operations, like, wget, ssh, jsp Download link provided. These
> commands are
> > fired from different hosts. With the auditd we want to create a rule
> which
> > auditctl can leverage to log the User ID that is reading (and
> copying) it
> > from a different host may be.
>
> You will get the local auid/uid that the kernel sees when the request
> triggers
> the rule. There is nothing more that can be done from the audit
> system.
>
> -Steve
>
>
>
> > I have gone through many of the rules but didn't find anything
> fruitful as
> > such (which logs wget, scp commands from remote hosts). May be I am
> missing
> > on something. Since it is a very crucial requirement, appreciate
> your
> > guidance and directions with this. Let me know in case you require
> any
> > further information from my end. Many thanks in advance.
> >
> >
> >
> > Thanks and Regards,Varun Gulati

>
>
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit