LinuxQuestions.org


upnort 12-16-2018 01:57 PM

Monitoring SSHFS connections
 
How does one monitor SSHFS connections?

I hope I am overlooking something obvious. I am not looking for information about malicious hacking. Just normal monitoring.

When connecting directly through SSH, the shell history reveals the user's commands. Not so with SSHFS. Files can be changed through SSHFS and the shell history is never touched.

The /var/log/secure (audit.log) shows who connected but not any activity.

Thanks. :)

scasey 12-16-2018 02:04 PM

Since sshfs provides a local mount of a remote file system, wouldn't any activity be reflected in the local history/logs?
I wouldn't expect the remote system to know anything about activity, although of course a change (add/remove/edit) of a file on the local system would be visible (but not logged) on the remote system.

upnort 12-16-2018 03:36 PM

Quote:

wouldn't any activity be reflected in the local history/logs
Possibly, but access to that history or logs is unlikely if personal systems are used for the access. That in itself is a different security topic for another day. :)

At the moment, looks like I might have to learn about the built-in kernel auditing.

berndbausch 12-16-2018 03:48 PM

Quote:

Originally Posted by upnort (Post 5937863)

When connecting directly through SSH, the shell history reveals the user's commands. Not so with SSHFS. Files can be changed through SSHFS and the shell history is never touched.

Let me point out that the user has full control of the Bash history and can switch it off. Or use a shell that doesn’t have a history mechanism.

I think you want an intrusion detection system. Alternatively, you could audit exec and open system calls.

upnort 12-16-2018 03:55 PM

Quote:

Let me point out that the user has full control of the Bash history and can switch it off. Or use a shell that doesn’t have a history mechanism.
Yes, I know. Thankfully that is not an issue though. :)

Quote:

I think you want an intrusion detection system.
Possibly, but probably not. I already know who is logged in, when, and from what IP address. I just can't tell what was changed when SSHFS is used rather than direct SSH login. And yes, sometimes "who" logged in through SSHFS is me. :)

Quote:

Alternatively, you could audit exec and open system calls.
Yes, I mentioned that in my previous post. :)

michaelk 12-16-2018 05:36 PM

sshfs is the fuse file system for sftp which is a subsystem of ssh. You need to enable sftp log level in your server's sshd_config file. I believe the logs will be in the system log file which depends on the distribution.

Assuming you're not using a chroot user, try this:

Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE

I don't know if anything is logged on the client.
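As an added example (not from the thread, and not OpenSSH's own code), here is a small POSIX shell/awk script that turns the lines sftp-server emits under -l VERBOSE into a per-session change list, which is the "what was changed" view the original post asks for. The sample log lines are constructed to match the message formats sftp-server uses (session opened/closed, open ... flags ..., remove name, mkdir/rmdir name, rename/posix-rename old ... new ...); the host name, PIDs, user names, addresses and paths are made up.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what an SFTP/SSHFS session changed,
# using the lines sftp-server writes when started with "-l VERBOSE" (or "-l INFO").
# Real use:  sftp_changes < /var/log/secure   (or whichever file the facility lands in)

# Constructed sample of sftp-server VERBOSE output in syslog format (not real log data).
sample_log() {
  cat <<'EOF'
Dec 16 15:36:01 srv sftp-server[4312]: session opened for local user alice from [192.0.2.10]
Dec 16 15:36:05 srv sftp-server[4312]: open "/home/alice/notes.txt" flags WRITE,CREATE,TRUNCATE mode 0644
Dec 16 15:36:05 srv sftp-server[4312]: close "/home/alice/notes.txt" bytes read 0 written 1234
Dec 16 15:36:07 srv sftp-server[4312]: open "/home/alice/report.pdf" flags READ mode 00
Dec 16 15:36:07 srv sftp-server[4312]: close "/home/alice/report.pdf" bytes read 8192 written 0
Dec 16 15:36:09 srv sftp-server[4312]: remove name "/home/alice/old.txt"
Dec 16 15:36:12 srv sftp-server[4312]: session closed for local user alice from [192.0.2.10]
Dec 16 15:40:00 srv sftp-server[4390]: session opened for local user bob from [198.51.100.7]
Dec 16 15:40:03 srv sftp-server[4390]: posix-rename old "/srv/www/index.html" new "/srv/www/index.html.bak"
Dec 16 15:40:05 srv sftp-server[4390]: open "/srv/www/index.html" flags WRITE,CREATE,TRUNCATE mode 0644
Dec 16 15:40:06 srv sftp-server[4390]: session closed for local user bob from [198.51.100.7]
EOF
}

# Print one line per modifying operation: USER PID ACTION PATH.
# Read-only opens, closes and directory listings are ignored; writes, removes,
# renames and directory creation/removal are reported.
sftp_changes() {
  awk '
    # The sftp-server PID ties each operation back to its "session opened" line.
    function pid(line) {
      match(line, /sftp-server\[[0-9]+\]/)
      return substr(line, RSTART + 12, RLENGTH - 13)
    }
    # n-th double-quoted string on the line (paths are always quoted in these messages).
    function quoted(line, n,   parts) {
      split(line, parts, "\"")
      return parts[2 * n]
    }
    function report(line, action, target,   p, u) {
      p = pid(line)
      u = (p in user) ? user[p] : "unknown"
      printf "%s %s %s %s\n", u, p, action, target
    }
    /sftp-server\[[0-9]+\]: session opened for local user / { user[pid($0)] = $(NF - 2); next }
    /sftp-server\[[0-9]+\]: session closed for local user / { delete user[pid($0)]; next }
    # An open counts as a change only when the client asked for write or append access.
    /sftp-server\[[0-9]+\]: open ".*" flags [A-Z,]*(WRITE|APPEND)/ { report($0, "write", quoted($0, 1)); next }
    /sftp-server\[[0-9]+\]: remove name "/          { report($0, "remove", quoted($0, 1)); next }
    /sftp-server\[[0-9]+\]: mkdir name "/           { report($0, "mkdir",  quoted($0, 1)); next }
    /sftp-server\[[0-9]+\]: rmdir name "/           { report($0, "rmdir",  quoted($0, 1)); next }
    /sftp-server\[[0-9]+\]: (posix-)?rename old "/  { report($0, "rename", quoted($0, 1) "->" quoted($0, 2)); next }
  '
}

# Per-user tally of each action type, e.g. "alice write 1".
sftp_change_counts() {
  sftp_changes | awk '{ n[$1 " " $3]++ } END { for (k in n) print k, n[k] }' | sort
}

sample_log | sftp_changes
sample_log | sftp_change_counts
```

The filter keys on the PID, so each operation is attributed to the user from the matching "session opened" line; a read-only open (flags READ) is not reported, and closes are skipped because the open already records write intent. If the facility is moved to a separate file as suggested further down, point the script at that file instead.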

Habitual 12-17-2018 12:45 PM

check syslog

ondoho 12-18-2018 01:42 AM

Quote:

Originally Posted by michaelk (Post 5937932)
sshfs is the fuse file system for sftp which is a subsystem of ssh. You need to enable sftp log level in your server's sshd_config file. I believe the logs will be in the system log file which depends on the distribution.

this.
also fuse can probably be tweaked somehow to output informational messages.
lastly sshfs has some options of its own too.

another of these questions that wouldn't have been asked if OP had done their research, or at the very least RTFM (read the fruitful manual).

Turbocapitalist 12-18-2018 02:51 AM

Quote:

Originally Posted by michaelk (Post 5937932)
Assuming you're not using a chroot user, try this:

Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE

If you do a lot of logging, you can make a separate log file by giving the SFTP activity a different log facility, e.g. LOCAL2, instead of the default of AUTH.

Code:

Subsystem  sftp    /usr/libexec/openssh/sftp-server -f LOCAL4 -l VERBOSE

Then adjust your log server and log rotation to deal with the SFTP logs separately.

upnort 01-22-2019 01:16 PM

Funny how priority lists get changed. I finally was able to get back to this task.

Thanks much for the friendly nudging about SSHFS being a FUSE subsystem and being related to SFTP. For the moment I am using INFO logging details on a test system. I decided to dump the output to the SSH authentication log. Working fine, although I had to tweak rsyslog.conf. Oddly, authpriv.* was defined but not auth.*, which I added.

In summary,

* Edit /etc/ssh/sshd_config:

Code:

Subsystem        sftp        /usr/libexec/openssh/sftp-server -l info -f auth

* Edit /etc/rsyslog.conf:

Code:

authpriv.*                                    /var/log/secure
auth.*                                        /var/log/secure

I'll tag this topic as solved.

Quote:

another of these questions that wouldn't have been asked if OP had done their research, or at the very least RTFM (read the fruitful manual).
Pompous and not constructive. Sometimes people need some friendly nudging.
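As an added example covering both Turbocapitalist's separate-facility suggestion and the rsyslog gap upnort describes (not code from the thread, nor from OpenSSH or rsyslog), the script below reads an sshd_config to find which syslog facility sftp-server will use, then reads a classic rsyslog.conf to list which targets actually receive that facility. The config fragments are constructed: the "before" rsyslog layout is a typical default with an authpriv rule but no auth rule, not the poster's real file. Only traditional "selector  target" lines are parsed; RainerScript rules are not understood, and a "!" priority is approximated as an exclusion.

```shell
#!/bin/sh
# Added example, not from the thread: which facility does sftp-server log to, and
# which rsyslog targets will receive it? Traditional selector lines only.
# Real use:  sftp_log_facility < /etc/ssh/sshd_config
#            sftp_syslog_routes auth < /etc/rsyslog.conf

# Facility sftp-server will use: the -f argument on the Subsystem line, else "auth"
# (the default built into sftp-server). Case-insensitive, like sftp-server itself.
sftp_log_facility() {
  awk 'tolower($1) == "subsystem" && tolower($2) == "sftp" {
         fac = "auth"
         for (i = 3; i <= NF; i++) if ($i == "-f" && i < NF) fac = tolower($(i + 1))
         print fac; exit
       }'
}

# Print every target whose selector accepts FACILITY at PRIORITY (default info,
# the syslog priority sftp-server uses for its INFO and VERBOSE messages).
# Usage: sftp_syslog_routes FACILITY [PRIORITY] < rsyslog.conf
sftp_syslog_routes() {
  awk -v fac="$1" -v msgpri="${2:-info}" '
    BEGIN {
      split("emerg alert crit err warning notice info debug", names, " ")
      for (i = 1; i <= 8; i++) lvl[names[i]] = i - 1
      lvl["panic"] = 0; lvl["error"] = 3; lvl["warn"] = 4
      if (!(msgpri in lvl)) { print "unknown priority: " msgpri > "/dev/stderr"; exit 1 }
    }
    /^[ \t]*(#|$)/ || NF < 2 { next }        # comments, blank lines, one-word directives
    {
      matched = 0
      n = split($1, rules, ";")               # "fac.pri;fac.pri" evaluated left to right
      for (i = 1; i <= n; i++) {
        k = split(rules[i], part, ".")
        if (k < 2) continue                   # not a selector at all (e.g. $ModLoad)
        pri = part[k]; exact = 0; neg = 0
        if (pri ~ /^=/) { exact = 1; pri = substr(pri, 2) }
        if (pri ~ /^!/) { neg = 1; pri = substr(pri, 2) }   # approximated as an exclusion
        m = split(part[1], facs, ",")
        hit = 0
        for (j = 1; j <= m; j++) if (facs[j] == "*" || facs[j] == fac) hit = 1
        if (!hit) continue
        if (pri == "none" || neg) { matched = 0; continue }
        if (pri == "*") matched = 1
        else if (exact ? (lvl[msgpri] == lvl[pri]) : (lvl[msgpri] <= lvl[pri])) matched = 1
      }
      if (matched) print $2
    }'
}

# Constructed config fragments (not real files) for the two approaches in the thread.
sample_sshd_config() {
  cat <<'EOF'
Port 22
Subsystem        sftp        /usr/libexec/openssh/sftp-server -l info -f auth
EOF
}
sample_sshd_config_local4() {
  cat <<'EOF'
Subsystem  sftp    /usr/libexec/openssh/sftp-server -f LOCAL4 -l VERBOSE
EOF
}
# Before: authpriv goes to secure, auth only reaches messages via the catch-all rule.
sample_rsyslog_before() {
  cat <<'EOF'
# Log anything (except mail, authpriv, cron) of level info or higher.
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
EOF
}
# After: the auth.* line upnort added.
sample_rsyslog_after() {
  sample_rsyslog_before
  printf 'auth.*                                        /var/log/secure\n'
}
# Separate file for LOCAL4, kept out of messages with a local4.none exclusion.
sample_rsyslog_local4() {
  cat <<'EOF'
*.info;mail.none;authpriv.none;cron.none;local4.none   /var/log/messages
local4.*                                                /var/log/sftp.log
EOF
}

for name in sample_sshd_config sample_sshd_config_local4; do
  printf '%s -> facility %s\n' "$name" "$($name | sftp_log_facility)"
done
for name in sample_rsyslog_before sample_rsyslog_after; do
  printf '%s: auth.info goes to: %s\n' "$name" "$($name | sftp_syslog_routes auth | tr '\n' ' ')"
done
printf 'sample_rsyslog_local4: local4.info goes to: %s\n' "$(sample_rsyslog_local4 | sftp_syslog_routes local4)"
```

Running it shows the point of the thread's two configurations: with the "before" layout, auth-facility SFTP lines land in /var/log/messages rather than /var/log/secure, the added auth.* rule sends them to both, and the LOCAL4 variant puts them only in the dedicated file, which is what makes separate rotation possible.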

