[scponly] Logging User Actions

Ralf Durkee rd at rd1.net
Tue Nov 14 14:11:09 EST 2006


Nilocsia at web.de wrote:
> . . . cut . . .
> Nov 14 13:34:18 localhost scponly[21528]: processing request: "/usr/local/libexec/sftp-server" 
> Nov 14 13:34:18 localhost scponly[21528]: Found "LOG_SFTP" and setting it to "1"
> Nov 14 13:34:18 localhost scponly[21528]: Found "USER" and setting it to "scponly"
> Nov 14 13:34:18 localhost scponly[21528]: Found "SFTP_UMASK" and setting it to ""
> Nov 14 13:34:18 localhost scponly[21528]: Found "SFTP_PERMIT_CHMOD" and setting it to "1"
> Nov 14 13:34:18 localhost scponly[21528]: Found "SFTP_PERMIT_CHOWN" and setting it to "1"
> Nov 14 13:34:18 localhost scponly[21528]: Found "SFTP_LOG_LEVEL" and setting it to "4"
> Nov 14 13:34:18 localhost scponly[21528]: Found "SFTP_LOG_FACILITY" and setting it to "3"
> Nov 14 13:34:18 localhost scponly[21528]: Environment contains "LOG_SFTP=1"
> Nov 14 13:34:18 localhost scponly[21528]: Environment contains "USER=scponly"
> Nov 14 13:34:18 localhost scponly[21528]: Environment contains "SFTP_UMASK="
> Nov 14 13:34:18 localhost scponly[21528]: Environment contains "SFTP_PERMIT_CHMOD=1"
> Nov 14 13:34:18 localhost scponly[21528]: Environment contains "SFTP_PERMIT_CHOWN=1"
> Nov 14 13:34:18 localhost scponly[21528]: Environment contains "SFTP_LOG_LEVEL=4"
> Nov 14 13:34:18 localhost scponly[21528]: Environment contains "SFTP_LOG_FACILITY=3"
> Nov 14 13:34:18 localhost scponly[21528]: running: /usr/local/libexec/sftp-server (username: scponly(501), IP/port: 192.168.75.1 3305 22)
>
>
> Concerning Ralf's notes - Does anyone know
>
> - how to create <chroot>/dev/log (mknod?)
>   
Take a look in your /dev/ directory for the proper name and type.
Since we don't know what platform you're using, I'm guessing that it might
be /dev/log.
Do a long listing (ls -l) on the appropriate name. If the device type
begins with an 's' or a 'p', then it's a socket/pipe and you can add
options to syslogd to create an extra socket in the chroot area. If it
begins with a 'b' or 'c', then it's a normal device, and you can use
mknod to create one in the chroot with the same major and minor
numbers shown in the 'ls -l'.
> - which libraries are needed in chrooted area
>   
Depends on lots of things. If you have an ldd on your platform, it's
likely to be able to tell you exactly. Try 'man ldd'.
> - where do the log-messages go? (/var/log or <chroot>/var/log)
>   
They go to the syslog daemon, according to your logs above,
specifically with

SFTP_LOG_LEVEL=4
SFTP_LOG_FACILITY=3

Look at your syslog configuration (typically found in /etc/syslog.conf)
to see in what file, if any, it places this level and facility, and check
the syslogd man page for more information.

-- Ralf Durkee, CISSP, GSEC, GCIH, GSNA
Principal Security Consultant
http://rd1.net
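
The check described in the reply above, as an added example that is not part of the original post: it reads the type character from a long listing and prints, as a dry run, the step that applies. The function name devlog_plan and the chroot path passed to it are hypothetical; the exact syslogd option for an extra socket is platform-specific and left to the man page.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a log device node
# and print how to replicate it inside a chroot. Nothing is created; the
# mknod line is only printed so it can be reviewed and run as root.

# devlog_plan SRC CHROOT   (hypothetical helper; CHROOT is the jail root)
devlog_plan() {
    src=$1
    jail=$2
    if [ ! -e "$src" ]; then
        echo "missing: $src not found; look in /dev for the platform's log device"
        return 1
    fi
    # -d: do not descend into directories, -n: numeric owner/group so the
    # field positions stay fixed, -L: follow a symlinked /dev/log.
    listing=$(ls -ldnL "$src") || return 1
    kind=$(printf '%s' "$listing" | cut -c1)
    case $kind in
        s|p)
            # Socket or pipe: syslogd itself must listen inside the chroot.
            echo "extra-socket: have syslogd create $jail$src (see man syslogd)"
            ;;
        b|c)
            # For device nodes ls prints "major, minor" in place of the size.
            major=$(printf '%s\n' "$listing" | awk '{ sub(/,/, "", $5); print $5 }')
            minor=$(printf '%s\n' "$listing" | awk '{ print $6 }')
            echo "device: mknod $jail$src $kind $major $minor"
            ;;
        *)
            echo "other: $src has type '$kind' and is not a log device"
            return 1
            ;;
    esac
}
```

Typical use is devlog_plan /dev/log followed by the chroot directory of the scponlyc account.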

> Thank You.
>
> Tobias
>
> -----------------------------------------------------------------
> From: Ralf Durkee 
> Sent: 10.11.06 17:14:24
> To: scponly at lists.ccs.neu.edu
> Subject: Re: [scponly] Logging User Actions
>
>
> Keep in mind that the logging patch modifies the sftp-server executable, 
> so you need to make sure you have the patched version of sftp-server in 
> the chrooted area. Also you will need the appropriate logging device 
> such as /dev/log created in the chrooted area. There may be additional 
> dynamic libraries needed as well.
>
> -- Ralf Durkee, CISSP, GSEC, GCIH, GSNA
> Principal Security Consultant
> http://rd1.net
>
>
>
> Nilocsia at web.de wrote:
>   
>> The sftp logging patch works fine but only with non-scponly-users:
>>
>> Nov 9 12:37:00 localhost sftp-server[14073]: Starting sftp-server logging for user tobias.
>> ...
>> Nov 9 12:37:53 localhost sftp-server[14073]: opendir /usr/local/etc
>> Nov 9 12:37:56 localhost sftp-server[14073]: open /usr/local/etc/ssh_config
>> Nov 9 12:37:56 localhost sftp-server[14073]: reading 1354 bytes from file
>> Nov 9 12:37:56 localhost sftp-server[14073]: reading 0 bytes from file
>>
>> Logging in with a chroot account that uses "scponlyc" creates just a
>> message like this:
>>
>> Nov 9 12:48:09 localhost scponly[16683]: running: /usr/local/libexec/sftp-server (username: scponly(501), IP/port: 192.168.75.1 1704 22)
>>
>> Is there a way to activate sftp logging for scponlyc users also?
>>
>> Thanks in advance.
>>
>> Tobias
>>
>> ------------------------------------------------------------------------
>> *From:* Kaleb Pederson
>> *Sent:* 19.10.06 17:22:57
>> *To:* scponly at lists.ccs.neu.edu
>> *Subject:* Re: [scponly] Logging User Actions
>>
>>
>> If you turn on logging you will get some of that behavior if the user in
>> question is using scp. Also, copy of multiple files will not really show up
>> correctly because of the way files are transferred.
>>
>> If the user is using sftp, nothing useful will show up in the logs.
>>
>> If this is what you would like, the best thing to do would be to use the sftp
>> logging patch available at http://sftplogging.sourceforge.net/
>>
>> I hope that helps.
>>
>> --Kaleb
>>
>>
>> On Thursday 19 October 2006 5:00 am, Nilocsia at web.de wrote:
>>     
>>> Is there an option in scponly (or maybe in OpenSSH) which allows logging of
>>> user actions, like deleting or copying of files?
>>>
>>> Tobias.
>>>
>>>       