Thursday, September 28, 2023

Re: sftp activity logging?

On 2023-09-28, Nick Holland <nick@holland-consulting.net> wrote:
> On 8/31/23 17:29, mymlact@gmx.com wrote:
>> Hi All,
>>
>> I am setting up an OpenBSD 7.3 stable system to serve files via ssh's sftp
>> subsystem.
>>
>> Does OpenSSH have a native way to audit what files were
>> downloaded/uploaded with user/timestamp information?
>>
>> If not, are there any recommendations?
>>
>> Thanks in advance.
>>
>
> Try this, perhaps?
>
> man sftp-server,
> options of interest may include -f, -l.
>
> You will probably have to have a /dev/log inside the chroot, which
> also means the "nodev" option is not your friend.

Files accessed: yes. Files opened are logged with flags, so you can
distinguish between read/write. Files closed, renamed, removed are logged.

User: yes, but you'll need to match lines together based on PID;
look for the 'session opened/closed' lines, which have username/IP.
In a long-running connection, authlog may have rotated between the
connection and transfer.

You don't need a /dev/log socket to do this on OpenBSD; we have the
mechanism described in sendsyslog(2). For sftp chroot with the internal-sftp
implementation you can do "ForceCommand internal-sftp -l INFO".
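
The PID matching described in the reply above, as an added example that is not part of the original post: it attributes each closed file to the user and address from the matching 'session opened' line, and leaves the user empty when that line is missing (for instance because authlog rotated). The log line layout is an assumption modelled on sftp-server's INFO-level output, the sample lines are constructed, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample lines; layout assumed from sftp-server INFO-level logging.
SAMPLE_LOG = """\
Sep 28 10:00:01 fs1 internal-sftp[4101]: session opened for local user alice from [192.0.2.10]
Sep 28 10:00:03 fs1 internal-sftp[4101]: open "/pub/report.pdf" flags READ mode 0666
Sep 28 10:00:04 fs1 internal-sftp[4101]: close "/pub/report.pdf" bytes read 52341 written 0
Sep 28 10:00:09 fs1 internal-sftp[3977]: open "/incoming/data.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Sep 28 10:00:12 fs1 internal-sftp[3977]: close "/incoming/data.csv" bytes read 0 written 9000
Sep 28 10:00:15 fs1 internal-sftp[4101]: session closed for local user alice from [192.0.2.10]
"""

LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ [\w.-]+\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SESSION = re.compile(r'^session (opened|closed) for local user (\S+) from \[([^\]]+)\]$')
OPEN = re.compile(r'^open "(.*)" flags (\S+) mode \d+$')
CLOSE = re.compile(r'^close "(.*)" bytes read (\d+) written (\d+)$')

def audit(log_text):
    """Return one record per closed file, attributed to a user via the PID."""
    sessions = {}   # pid -> (user, ip), learned from 'session opened' lines
    flags = {}      # (pid, path) -> flags from the matching 'open' line
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if s := SESSION.match(msg):
            if s[1] == "opened":
                sessions[pid] = (s[2], s[3])
            else:
                sessions.pop(pid, None)  # PIDs are reused; forget closed sessions
        elif o := OPEN.match(msg):
            flags[(pid, o[1])] = o[2]
        elif c := CLOSE.match(msg):
            # No 'session opened' line seen (e.g. it sits in a rotated log): user stays None.
            user, ip = sessions.get(pid, (None, None))
            records.append({"time": m["ts"], "user": user, "ip": ip, "path": c[1],
                            "flags": flags.pop((pid, c[1]), None),
                            "read": int(c[2]), "written": int(c[3])})
    return records

if __name__ == "__main__":
    for record in audit(SAMPLE_LOG):
        print(record)
```

Records with an empty user are the ones to resolve by searching the rotated log for the same PID's 'session opened' line.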
