* How to Audit ssh Commands --> wget, scp
       [not found] <1090410784.877995.1462810399474.JavaMail.yahoo.ref@mail.yahoo.com>
@ 2016-05-09 16:13 ` varun gulati
  2016-05-09 20:02   ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: varun gulati @ 2016-05-09 16:13 UTC (permalink / raw)
  To: linux-audit



Hi Team,
We have a requirement where we have to monitor and log any read operations performed on a file. 
e.g. /a/b/c/xyz.log
This file is usually copied and downloaded by many users using various operations, like wget, ssh, or a JSP download link provided. These commands are fired from different hosts.
With the auditd we want to create a rule which auditctl can leverage to log the User ID that is reading (and copying) it from a different host, maybe. I have gone through many of the rules but didn't find anything fruitful as such (which logs wget, scp commands from remote hosts). Maybe I am missing something. Since it is a very crucial requirement, appreciate your guidance and directions with this.
Let me know in case you require any further information from my end. Many thanks in advance.



Thanks and Regards,
Varun Gulati





* Re: How to Audit ssh Commands --> wget, scp
  2016-05-09 16:13 ` How to Audit ssh Commands --> wget, scp varun gulati
@ 2016-05-09 20:02   ` Steve Grubb
  2016-05-10 10:39     ` varun gulati
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2016-05-09 20:02 UTC (permalink / raw)
  To: linux-audit, varun gulati

On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
> Hi Team,
> We have a requirement where we have to monitor and log any read operations
> performed on a file. e.g. /a/b/c/xyz.log

-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access


> This file is usually copied and downloaded by many users using various
> operations, like wget, ssh, or a JSP download link provided. These commands are
> fired from different hosts. With the auditd we want to create a rule which
> auditctl can leverage to log the User ID that is reading (and copying) it
> from a different host, maybe.

You will get the local auid/uid that the kernel sees when the request triggers 
the rule. There is nothing more that can be done from the audit system.

-Steve


> I have gone through many of the rules but didn't find anything fruitful as
> such (which logs wget, scp commands from remote hosts). Maybe I am missing
> something. Since it is a very crucial requirement, appreciate your
> guidance and directions with this. Let me know in case you require any
> further information from my end. Many thanks in advance.
> 
> Thanks and Regards,
> Varun Gulati


* Re: How to Audit ssh Commands --> wget, scp
  2016-05-09 20:02   ` Steve Grubb
@ 2016-05-10 10:39     ` varun gulati
  2016-05-10 12:56       ` Burn Alting
  0 siblings, 1 reply; 6+ messages in thread
From: varun gulati @ 2016-05-10 10:39 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Hi Steve,
Thanks for your suggestions. We incorporated the below rule for auditctl which you suggested, but unfortunately it didn't help. We are able to log the wget from the same server but unfortunately it is still not logging from a different host:
-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
This is how the file looks:
-w /a/b/c/xyz.log -p rwxa -k Audit
-w /usr/bin/wget -p rwxa -k Audit
-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
But nothing is logging the Audit when wget is called from any other host. Can you please assist with this further?
Thanks and Regards,
Varun Gulati




* Re: How to Audit ssh Commands --> wget, scp
  2016-05-10 10:39     ` varun gulati
@ 2016-05-10 12:56       ` Burn Alting
  2016-05-10 13:46         ` varun gulati
  0 siblings, 1 reply; 6+ messages in thread
From: Burn Alting @ 2016-05-10 12:56 UTC (permalink / raw)
  To: varun gulati; +Cc: linux-audit

On Tue, 2016-05-10 at 10:39 +0000, varun gulati wrote:
> 
> 
> Hi Steve,
> 
> 
> Thanks for your suggestions. We incorporated the below rule for
> auditctl which you suggested, but unfortunately it didn't help. We
> are able to log the wget from the same server but unfortunately it is
> still not logging from a different host:
> 
> 
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
> 
> 
> This is how the file looks:
> 
> 
> -w /a/b/c/xyz.log -p rwxa -k Audit
> 
> 
> -w /usr/bin/wget -p rwxa -k Audit
> 
> 
> -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
> 
> 
> But nothing is logging the Audit when wget is called from any other
> host. Can you please assist with this further?

If you are using a web service (httpd, etc) to service your files, then
make it authenticated and have it log.



* Re: How to Audit ssh Commands --> wget, scp
  2016-05-10 12:56       ` Burn Alting
@ 2016-05-10 13:46         ` varun gulati
  2016-05-10 13:55           ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: varun gulati @ 2016-05-10 13:46 UTC (permalink / raw)
  To: burn; +Cc: linux-audit



Hi Team,
Thanks for the response. We are not using web services to provide/serve this file. It's simply kept at a particular folder which people download using wget.
Here is the wget command users are using to download the file from the different hosts:
wget --no-cache http://servername/app/name/dist/xyz.zip
Still no logging is happening :( Need your expert help with this.

Thanks and Regards,
Varun Gulati




* Re: How to Audit ssh Commands --> wget, scp
  2016-05-10 13:46         ` varun gulati
@ 2016-05-10 13:55           ` Steve Grubb
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2016-05-10 13:55 UTC (permalink / raw)
  To: varun gulati; +Cc: linux-audit

On Tuesday, May 10, 2016 01:46:59 PM varun gulati wrote:
> Thanks for the response. We are not using web services to provide/serve this
> file.

You have to be. :-) If someone on another system uses wget to access a file on 
the system you care about, something is serving the file on port 80. Maybe you 
need to do a netstat -tanp to see what is serving the file.


> It's simply kept at a particular folder which people download using
> wget. Here is the wget command users are using to download the file from
> the different hosts: wget --no-cache
> http://servername/app/name/dist/xyz.zip
> Still no logging is happening :( Need your expert help with this.
> 
> > Thanks for your suggestions. We incorporated the below rule for
> > auditctl which you suggested, but unfortunately it didn't help. We
> > are able to log the wget from the same server but unfortunately it is
> > still not logging from a different host:
> > 
> > -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
> > 
> > This is how the file looks:
> > 
> > -w /a/b/c/xyz.log -p rwxa -k Audit

This should get you all access of that file if you are on a distribution that 
enables the audit system unless you are on a special file system like NFS which 
is not supported by the audit system.


> > -w /usr/bin/wget -p rwxa -k Audit

This will show execution of wget on the server, not the client.
 
> > -a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access

This is roughly the same as the first above just expressed in the longer form.


> > But nothing is logging the Audit when wget is called from any other
> > host. Can you please assist with this further?
> 
> If you are using a web service (httpd, etc) to service your files, then
> make it authenticated and have it log.

I agree on this point. Auditd will tell you that the web server accessed the 
file but not who is getting it. Only the web server can know that.

-Steve


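Steve's point, that the audit event for the `log-access` key records the local uid/auid of whatever process opened the file (the web server, when the download comes from another host) and that only an authenticating web server can name the remote user, can be made concrete with a small correlation script. The following is an added example, not code from this thread or from the audit project; it works on constructed audit records and a constructed httpd access log embedded below, assumes a hypothetical mapping from URL path to the watched file (`URL_TO_FILE`), and assumes the web server has been made to authenticate and log, as Burn suggested.

```python
"""Attribute auditd 'log-access' events to a local login or, when the reader
is the web server, to the authenticated remote user in its access log."""
import re
from datetime import datetime

# Constructed sample auditd records (not real logs), trimmed to the fields
# this script uses. Event 4567 is httpd serving the file to a remote client;
# event 4568 is a logged-in local user reading it with cat.
AUDIT_LOG = """
type=SYSCALL msg=audit(1462884500.123:4567): arch=c000003e syscall=2 success=yes exit=5 items=1 ppid=1200 pid=1234 auid=4294967295 uid=48 gid=48 euid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="log-access"
type=PATH msg=audit(1462884500.123:4567): item=0 name="/a/b/c/xyz.log" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1462884600.500:4568): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2200 pid=2234 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=7 comm="cat" exe="/usr/bin/cat" key="log-access"
type=PATH msg=audit(1462884600.500:4568): item=0 name="/a/b/c/xyz.log" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
""".strip().splitlines()

# Constructed httpd access log with HTTP authentication enabled: the third
# field is the authenticated user ('-' when the request was not authenticated).
ACCESS_LOG = """
10.0.0.7 - alice [10/May/2016:12:48:20 +0000] "GET /app/name/dist/xyz.log HTTP/1.1" 200 8192
10.0.0.9 - - [10/May/2016:12:49:01 +0000] "GET /app/name/dist/xyz.log HTTP/1.1" 401 381
""".strip().splitlines()

# Hypothetical URL-to-file mapping; in practice derived from DocumentRoot/Alias.
URL_TO_FILE = {"/app/name/dist/xyz.log": "/a/b/c/xyz.log"}
WEB_SERVER_EXES = {"/usr/sbin/httpd", "/usr/sbin/apache2", "/usr/sbin/nginx"}
AUID_UNSET = 4294967295   # auid=-1 as unsigned: process not tied to any login
MATCH_WINDOW = 2.0        # max seconds between the file read and the HTTP request

REC_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ACCESS_RE = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_audit(lines, key="log-access"):
    """Group SYSCALL/PATH records by event serial; keep events carrying `key`."""
    events = {}
    for line in lines:
        m = REC_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: (q if q else u) for k, q, u in KV_RE.findall(rest)}
        ev = events.setdefault(serial, {"serial": serial, "time": float(ts), "paths": []})
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return [ev for ev in events.values() if ev.get("key") == key]


def parse_access(lines):
    """Parse common-log-format lines into dicts with an epoch timestamp."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, user, ts, method, url, status = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        out.append({"client": client, "user": user, "time": t,
                    "method": method, "url": url, "status": int(status)})
    return out


def attribute(events, requests):
    """Return (serial, who) pairs. A read by the web server is attributed to the
    authenticated user whose successful request for that file landed within
    MATCH_WINDOW seconds; anything else is attributed to the local auid/uid."""
    results = []
    for ev in events:
        if ev.get("exe") in WEB_SERVER_EXES:
            hits = [r for r in requests
                    if r["status"] == 200
                    and URL_TO_FILE.get(r["url"]) in ev["paths"]
                    and abs(r["time"] - ev["time"]) <= MATCH_WINDOW]
            if hits:
                r = hits[0]
                who = f"remote user {r['user']} from {r['client']} via {ev['exe']}"
            else:
                who = f"web server {ev['exe']} (uid {ev['uid']}); no matching authenticated request"
        elif int(ev.get("auid", AUID_UNSET)) != AUID_UNSET:
            who = f"local login auid={ev['auid']} running {ev['exe']}"
        else:
            who = f"local daemon {ev['exe']} (uid {ev['uid']}, no login session)"
        results.append((ev["serial"], who))
    return results


if __name__ == "__main__":
    for serial, who in attribute(parse_audit(AUDIT_LOG), parse_access(ACCESS_LOG)):
        print(f"audit event {serial}: {who}")
```

Without the access-log join, event 4567 can only be attributed to uid 48 (httpd), which is exactly the limitation Steve describes; the 401 line shows why the join must be restricted to successful requests, since a rejected request never causes the file to be read.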
