System Administration Guide: Security Services

Procedure: How to Audit FTP and SFTP File Transfers

The FTP service creates logs of its file transfers. The SFTP service, which runs under the SSH protocol, can be audited by Solaris auditing. Logins to both services can be audited by Solaris auditing.

  1. To log commands and file transfers of the FTP service, see the ftpaccess(4) man page.

    For the available logging options, read the “Logging Capabilities” section. In particular, the log commands and log transfers options might provide useful logs.

  2. To log sftp file transfers, perform one or both of the following:

    • Audit file-reads.

      File transfers over an SSH connection use the sftp command. Successful transfers can be recorded by using the +fr audit flag (successful file reads). To audit failed sftp file transfers, use the -fr audit flag (failed file reads).

      The following output is from a successful sftp session:

      header,138,2,open(2) - read,,ma2,2009-08-25 14:48:58.770 -07:00
      path,/home/jdoe/vpn_connect
      attribute,100644,jdoe,staff,391,437,0
      subject,jdoe,jdoe,staff,jdoe,staff,4444,120289379,8457 65558 ma1
      return,success,6
    • Use the verbose option of the sftp command.

      The -v option can be repeated up to three times; each repetition raises the logging level.

      # sftp -vvv [ other options ] hostname

  3. To record access to the FTP and SFTP services, audit the lo class.

    As the following output indicates, logging in to and out of the in.ftpd daemon generates audit records.

    % bsmrecord -c lo | more
    ...
    in.ftpd
      program     /usr/sbin/in.ftpd    See ftp access
      event ID    6165                 AUE_ftpd
      class       lo                   (0x00001000)
          header
          subject
          [text]                       error message
          return
    in.ftpd
      program     /usr/sbin/in.ftpd    See ftp logout
      event ID    6171                 AUE_ftpd_logout
      class       lo                   (0x00001000)
          header
          subject
          return
    ...

    Because sftp runs over SSH, the SSH login record (AUE_ssh) covers every access to the sftp command.

    ...
    /usr/lib/ssh/sshd
      program     /usr/lib/ssh/sshd    See login - ssh
      event ID    6172                 AUE_ssh
      class       lo                   (0x00001000)
          header
          subject
          [text]                       error message
          return
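The audit records shown in step 2 (file reads, fr class) and step 3 (logins, lo class) are easier to review per user when reduced to one line each. The following script is an added example, not part of the Solaris guide; it assumes praudit(1M) default text output (one comma-separated token per line, each record starting with a header token, as in the guide's sample output). The sample records embedded in the script are constructed; the failed-read record mirrors what the -fr flag would produce when a read is denied.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): summarize praudit(1M) default
# text output so that sftp file reads (fr class, +fr/-fr flags) and SSH logins
# (lo class, "login - ssh") can be reviewed per user.
#
# Assumptions: records are in praudit's default comma-separated token format,
# one token per line, each record starting with a "header" token, as in the
# guide's sample output. The sample below is constructed, not real audit data;
# the failure record mirrors what the -fr flag would produce.

SAMPLE_AUDIT='header,75,2,login - ssh,,ma2,2009-08-25 14:48:50.000 -07:00
subject,jdoe,jdoe,staff,jdoe,staff,4444,120289379,8457 65558 ma1
return,success,0
header,138,2,open(2) - read,,ma2,2009-08-25 14:48:58.770 -07:00
path,/home/jdoe/vpn_connect
attribute,100644,jdoe,staff,391,437,0
subject,jdoe,jdoe,staff,jdoe,staff,4444,120289379,8457 65558 ma1
return,success,6
header,139,2,open(2) - read,,ma2,2009-08-25 14:49:12.101 -07:00
path,/etc/shadow
subject,jdoe,jdoe,staff,jdoe,staff,4444,120289379,8457 65558 ma1
return,failure: Permission denied,-1'

# summarize_audit: read praudit text on stdin and emit one line per record:
#   read  <audit-user> <path> <success|failure> <timestamp>
#   login <audit-user> -      <success|failure> <timestamp>
# Records of any other event type are dropped.
summarize_audit() {
  awk -F, '
    function status() { return ((ret ~ /^success/) ? "success" : "failure") }
    function flush() {
      if (ev ~ /open\(2\) - read/ && path != "")
        printf "read %s %s %s %s\n", user, path, status(), ts
      else if (ev ~ /login - ssh/)
        printf "login %s - %s %s\n", user, status(), ts
      ev = ""; path = ""; user = "?"; ret = ""; ts = ""
    }
    $1 == "header"  { flush(); ev = $4; ts = $7 }   # $4 event name, $7 timestamp
    $1 == "path"    { path = $2 }
    $1 == "subject" { user = $2 }                   # $2 is the audit ID
    $1 == "return"  { ret = $2 }                    # "success" or "failure: ..."
    END { flush() }
  '
}

# failed_reads: only the denied reads (what the -fr flag records), as "<user> <path>"
failed_reads() {
  summarize_audit | awk '$1 == "read" && $4 == "failure" { print $2, $3 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_audit
```

On a live system the input would come from the audit trail instead of the embedded sample, for example `praudit /var/audit/AUDIT-FILE | summarize_audit` (AUDIT-FILE is a placeholder for an actual trail file name). The read lines carry the path from the path token and the user from the audit ID in the subject token, so a denied read of a file outside the user's home directory stands out immediately in the failed_reads output.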