Old 08-14-2012, 04:53 PM   #1
a.drigo
LQ Newbie
 
Registered: Dec 2011
Posts: 4

Rep: Reputation: Disabled
SFTP audit user


I am new to this forum. I have a server with CentOS

Linux Server01 2.6.32-279.1.1.el6.x86_64 #1 SMP Tue Jul 10 13:47:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

with SFTP implemented. It is working fine, but I need to audit all users that will use the SFTP.
My sshd_config is like this:

# override default of no subsystems
#Subsystem sftp internal-sftp
Subsystem sftp internal-sftp -l VERBOSE

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server


Match group sftponly
ChrootDirectory /sftp/sftp
X11Forwarding no
AllowTcpForwarding no
#ForceCommand internal-sftp
ForceCommand internal-sftp -l VERBOSE


I searched the internet and found some people that use the option -l VERBOSE and it starts to register in the logs, but it does not work; it just logs when a user logs in, logs off, or mistypes the password. I need it to show when a user goes inside a dir, changes a file, or deletes files, for example.
Has anyone had this problem before?
The log I have in /var/log/secure:


Aug 14 17:41:33 server01 sshd[2664]: Accepted password for mickey from xxx.xxx.xxx.xxx port 57250 ssh2
Aug 14 17:41:33 server01 sshd[2664]: pam_unix(sshd:session): session opened for user mickey by (uid=0)
Aug 14 17:41:34 server01 sshd[2666]: subsystem request for sftp
Aug 14 17:47:41 server01 sshd[2664]: pam_unix(sshd:session): session closed for user mickey

I went into many dirs, copied files and deleted them, but it doesn't show in the logs.

Any ideas?
Thanks for all.
 
Old 08-14-2012, 05:29 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,675
Blog Entries: 54

Rep: Reputation: 2953
Quote:
Originally Posted by a.drigo View Post
I searched the internet and found some people that use the option -l VERBOSE and it starts to register in the logs, but it does not work; it just logs when a user logs in, logs off, or mistypes the password. I need it to show when a user goes inside a dir, changes a file, or deletes files, for example.
Try replacing "internal-sftp" with "sftp-server" and see 'man 8 sftp-server' for logging options?
 
Old 08-16-2012, 09:53 AM   #3
a.drigo
LQ Newbie
 
Registered: Dec 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
I tried replacing "internal-sftp" with "sftp-server", but when I did I got the following error when trying to connect:

Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).

I am searching but have not found the solution.

Thanks a lot.
 
Old 08-16-2012, 07:19 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,675
Blog Entries: 54

Rep: Reputation: 2953
Quote:
Originally Posted by a.drigo View Post
Your shell is probably incompatible with the application (BASH is recommended).
So what shell does your user use?
 
Old 08-17-2012, 09:54 AM   #5
a.drigo
LQ Newbie
 
Registered: Dec 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
I found a way to make the logs work.

I put this in /etc/rsyslog.conf:

# Create an additional socket for some of the sshd chrooted users.
$AddUnixListenSocket /sftpdata/sftpdata/dev/log

# Log internal-sftp in a separate file
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~



and I created a dir in /sftpdata/sftpdata/ named dev

# mkdir dev

I left /etc/ssh/sshd_config the way I had posted it
and restarted rsyslog

# service rsyslog restart

And it started to work.

# tail -f /var/log/secure

Aug 17 10:24:51 server01 sshd[9482]: received client version 5
Aug 17 10:24:51 server01 sshd[9482]: realpath "."
Aug 17 10:24:51 server01 sshd[9482]: opendir "/"
Aug 17 10:24:51 server01 sshd[9482]: closedir "/"
Aug 17 10:24:59 server01 sshd[9482]: realpath "/files1"
Aug 17 10:24:59 server01 sshd[9482]: lstat name "/files1"
Aug 17 10:24:59 server01 sshd[9482]: opendir "/files1"
Aug 17 10:24:59 server01 sshd[9482]: closedir "/files1"
Aug 17 10:28:33 server01 sshd[9482]: realpath "/files1/Company1"
Aug 17 10:28:33 server01 sshd[9482]: lstat name "/files1/Company1"
Aug 17 10:28:33 server01 sshd[9482]: opendir "/files1/Company1"
Aug 17 10:28:33 server01 sshd[9482]: closedir "/files1/Company1"

Thanks very much !!
Thanks unSpawn

Last edited by a.drigo; 08-17-2012 at 12:45 PM.
 
1 members found this post helpful.
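
Added example (not part of the original posts): a check for the dependency the fix in post #5 relies on, namely that each ChrootDirectory in sshd_config has an rsyslog listen socket at <chroot>/dev/log, since a chrooted internal-sftp cannot reach the host's /dev/log. The function names and the sample paths /srv/sftp-a and /srv/sftp-b are constructed for illustration.

```shell
#!/bin/sh
# Report each sshd ChrootDirectory that has no rsyslog socket at <chroot>/dev/log.

# Print every uncommented ChrootDirectory value (keyword is case-insensitive).
chroot_dirs() {
    awk 'tolower($1) == "chrootdirectory" { print $2 }' "$1" | sort -u
}

# Print every socket path declared with $AddUnixListenSocket, as in the post.
listen_sockets() {
    awk '$1 == "$AddUnixListenSocket" { print $2 }' "$1"
}

# Usage: check_chroot_log_sockets SSHD_CONFIG RSYSLOG_CONF
# Prints one line per chroot; returns 1 if any chroot lacks a socket.
check_chroot_log_sockets() {
    rc=0
    for dir in $(chroot_dirs "$1"); do
        case "$dir" in
            # %u / %h expand per user, so each expansion needs its own socket.
            *%*) echo "TOKEN $dir"; continue ;;
        esac
        if listen_sockets "$2" | grep -qxF "${dir%/}/dev/log"; then
            echo "OK $dir"
        else
            echo "MISSING ${dir%/}/dev/log"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: two chroots, only the first has a log socket.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'Subsystem sftp internal-sftp -l VERBOSE' \
        'Match Group sftponly' '    ChrootDirectory /srv/sftp-a' \
        'Match Group partners' '    ChrootDirectory /srv/sftp-b' \
        '#ChrootDirectory /srv/unused' > "$tmp/sshd_config"
    printf '%s\n' '$AddUnixListenSocket /srv/sftp-a/dev/log' > "$tmp/rsyslog.conf"
    check_chroot_log_sockets "$tmp/sshd_config" "$tmp/rsyslog.conf"
    status=$?
    rm -rf "$tmp"
    return $status
}
demo || echo "at least one chroot has no log socket"
```

On a real host, pass /etc/ssh/sshd_config and /etc/rsyslog.conf to check_chroot_log_sockets; a MISSING line means sessions in that chroot will log logins but not file operations.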
Old 08-17-2012, 11:11 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,675
Blog Entries: 54

Rep: Reputation: 2953
Well done and thanks for posting your solution.
 
Old 11-07-2012, 05:49 PM   #7
cheflo
LQ Newbie
 
Registered: Nov 2012
Posts: 2

Rep: Reputation: Disabled
Since this thread showed up when I was googling the same problem, but for Debian/Ubuntu, I just wanted to share the solution that I eventually came to. I posted it over at the Ubuntu forums http://ubuntuforums.org/showthread.php?t=2081637.
Thank you for pointing me in the right direction.
 
1 members found this post helpful.
  

