On Tuesday, May 10, 2016 01:46:59 PM varun gulati wrote:
Thanks for the response. We are not using web services to
provide/serve this
file.
You have to be. :-) If someone on another system uses wget to access a file on
the system you care about, something is serving the file on port 80. Maybe you
need to do a netstat -tanp to see what is serving the file.
Its simply kept at a particular folder which people download using
wget. Here is the wget command users are using to download the file from
the different hosts: wget --no-cache
http://servername/app/name/dist/xyz.zip
Still no logging is happening :(Need your expert help with this.
> Thanks for your suggestions. We incorporated the below rule for
> auditctl which you suggested, but unfortunately it didn't helped. We
> are able to log the wget from the same server but unfortunately it is
> still not logging from a different host:
>
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
>
> This is how the file looks like:
>
> -w /a/b/c/xyz.log -p rwxa -k Audit
This should get you all access of that file if you are on a distribution that
enables the audit system unless you are on a special file system like NFS which
is not supported by the audit system.
> -w /usr/bin/wget -p rwxa -k Audit
This will show execution of wget on the server, not the client.
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F
key=log-access
This is roughly the same as the first above just expressed in the longer form.
> But nothing is logging the Audit when wget is called from any
other
> host. Can you please assist on this further.
If you are using a web service (httpd, etc) to service your files, then
make it authenticated and have it log.
I agree on this point. Auditd will tell you that the web server accessed the
file but not who is getting it. Only the web server can know that.
-Steve
> > On Tuesday, 10 May 2016 1:32 AM, Steve Grubb <sgrubb(a)redhat.com>
> > wrote:
> >
> > On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
> > > Hi Team,
> > > We have requirement where we have to monitor and log any read
> >
> > operations
> >
> > > performed on a file. e.g. /a/b/c/xyz.log
> >
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F
key=log-access
> >
> > > This file is usually copied and downloaded by many users using
> >
> > various
> >
> > > operations, like, wget, ssh, jsp Download link provided. These
> >
> > commands are
> >
> > > fired from different hosts. With the auditd we want to create a rule
> >
> > which
> >
> > > auditctl can leverage to log the User ID that is reading (and
> >
> > copying) it
> >
> > > from a different host may be.
> >
> > You will get the local auid/uid that the kernel sees when the request
> > triggers
> > the rule. There is nothing more that can be done from the audit
> > system.
> >
> > -Steve
> >
> > > I have gone through many of the rules but didn't find anything
> >
> > fruitful as
> >
> > > such (which logs wget, scp commands from remote hosts). May be I am
> >
> > missing
> >
> > > on something. Since it is a very crucial requirement, appreciate
> >
> > your
> >
> > > guidance and directions with this. Let me know in case you require
> >
> > any
> >
> > > further information from my end. Many thanks in advance.
> > >
> > >
> > >
> > > Thanks and Regards,Varun Gulati
> >
> > --
> > Linux-audit mailing list
> > Linux-audit(a)redhat.com
> >
https://www.redhat.com/mailman/listinfo/linux-audit