12 April,16 at 11:37 AM
Applies to: All versions of DirectControl-Enabled OpenSSH
Question:
Is it possible to log all file transfers made to a UNIX machine via SFTP?
Answer:
Yes, it is possible to track file transfers made over SFTP. Follow the steps below to set it up:
The sftp-server(8) man page says of the log level: "INFO and VERBOSE log transactions that sftp-server performs on behalf of the client". Set the log facility and log level on the sftp Subsystem line in sshd_config:
Subsystem sftp /usr/share/centrifydc/libexec/sftp-server -f <log_facility> -l INFO
On Red Hat, <log_facility> is authpriv, which syslog writes to /var/log/secure.
[root@rhel3 log]# grep -i sftp /etc/centrifydc/ssh/sshd_config
Subsystem sftp /usr/share/centrifydc/libexec/sftp-server -f authpriv -l INFO
[root@rhel3 log]# grep authpriv /etc/syslog.conf
# The authpriv file has restricted access.
authpriv.* /var/log/secure
With the above change to sshd_config in place, restart sshd: /etc/init.d/centrify-sshd restart
sftp-server will now log each file operation (session open, directory listing, file open and close with byte counts) to /var/log/secure, as follows:
[root@rhel3 log]# tail secure
Nov 12 16:48:28 rhel3 sftp-server[23389]: session opened for local user root from [172.27.21.84]
Nov 12 16:51:49 rhel3 sftp-server[23638]: session opened for local user kayla from [172.27.21.84]
Nov 12 16:51:49 rhel3 sftp-server[23638]: opendir "/"
Nov 12 16:51:49 rhel3 sftp-server[23638]: closedir "/"
Nov 12 16:51:54 rhel3 sftp-server[23638]: open "/password" flags READ mode 0666
Nov 12 16:51:54 rhel3 sftp-server[23638]: close "/password" bytes read 45397 written 0
Nov 12 16:52:23 rhel3 sftp-server[23638]: opendir "/tmp"
Nov 12 16:52:23 rhel3 sftp-server[23638]: closedir "/tmp"
Nov 12 16:52:25 rhel3 sftp-server[23638]: open "/tmp/kset.zone" flags READ mode 0666
Nov 12 16:52:25 rhel3 sftp-server[23638]: close "/tmp/kset.zone" bytes read 36 written 0
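Once these lines are in /var/log/secure, the useful audit record is the close line (path plus bytes read/written), but it carries no user name: the user and client address appear only on the session opened line, and the two are linked by the sftp-server PID. The following Python script is an added example, not part of the original article, that joins them and totals transfer volume per user; the sample log text is constructed to match the output shown above, with one sshd line added to show non-sftp lines being skipped.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the /var/log/secure output shown above (plus one sshd line).
SAMPLE_LOG = """\
Nov 12 16:48:28 rhel3 sftp-server[23389]: session opened for local user root from [172.27.21.84]
Nov 12 16:51:49 rhel3 sftp-server[23638]: session opened for local user kayla from [172.27.21.84]
Nov 12 16:51:49 rhel3 sftp-server[23638]: opendir "/"
Nov 12 16:51:54 rhel3 sftp-server[23638]: open "/password" flags READ mode 0666
Nov 12 16:51:54 rhel3 sftp-server[23638]: close "/password" bytes read 45397 written 0
Nov 12 16:52:25 rhel3 sftp-server[23638]: open "/tmp/kset.zone" flags READ mode 0666
Nov 12 16:52:25 rhel3 sftp-server[23638]: close "/tmp/kset.zone" bytes read 36 written 0
Nov 12 16:53:01 rhel3 sshd[23640]: Accepted publickey for kayla from 172.27.21.84 port 51022 ssh2
"""

# The sftp-server PID is the only field that ties open/close lines back to their session line.
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SESSION_RE = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]$')
CLOSE_RE = re.compile(r'^close "(?P<path>.*)" bytes read (?P<read>\d+) written (?P<written>\d+)$')

def parse_transfers(log_text):
    """One record per closed file, with user and client IP joined in from the session line."""
    sessions, transfers = {}, []  # sessions: pid -> (user, client ip)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # sshd, sudo, etc. also write to /var/log/secure; skip them
        pid, msg = m.group('pid'), m.group('msg')
        s = SESSION_RE.match(msg)
        if s:
            sessions[pid] = (s.group('user'), s.group('ip'))
            continue
        c = CLOSE_RE.match(msg)
        if not c:
            continue  # open/opendir/closedir carry no byte counts; the close line is the record
        read, written = int(c.group('read')), int(c.group('written'))
        user, ip = sessions.get(pid, ('unknown', 'unknown'))  # session line may be in a rotated file
        transfers.append({'ts': m.group('ts'), 'pid': pid, 'user': user, 'client': ip,
                          'path': c.group('path'), 'read': read, 'written': written,
                          # bytes read = sent to the client (download), written = received (upload)
                          'direction': 'download' if read else ('upload' if written else 'none')})
    return transfers

def bytes_by_user(transfers):
    """Total download/upload volume per user, e.g. to flag bulk pulls of sensitive paths."""
    totals = defaultdict(lambda: {'read': 0, 'written': 0})
    for t in transfers:
        totals[t['user']]['read'] += t['read']
        totals[t['user']]['written'] += t['written']
    return dict(totals)
```

Because the join depends on the PID, run it over the whole log, including rotated files, so that a session line is not separated from its close lines; a record attributed to "unknown" is the sign that this has happened.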