Managing Auditing in Oracle® Solaris 11.2

Exit Print View

Updated: July 2014
 
 

How to Audit FTP and SFTP File Transfers

The FTP service creates logs of its file transfers. The SFTP service, which runs under the ssh protocol, can be audited by preselecting the ft audit class. Logins to both services can be audited.


Note -  For information about how to log commands and file transfers of the FTP service, see the proftpd (8) man page.

For the available logging options, read ProFTPD Logging.


  • Perform one of the following depending on whether you want to audit SFTP or FTP.
    • To log sftp access and file transfers, edit the ft class.

      The ft class includes the following SFTP transactions:

      % auditrecord -c ft
      file transfer: chmod ...
      file transfer: chown ...
      file transfer: get ...
      file transfer: mkdir ...
      file transfer: put ...
      file transfer: remove ...
      file transfer: rename ...
      file transfer: rmdir ...
      file transfer: session start ...
      file transfer: session end ...
      file transfer: symlink ...
      file transfer: utimes
    • To record access to the FTP server, audit the lo class.

      As the following sample output indicates, logging in to and out of the proftpd daemon generates audit records.

      % auditrecord -c lo | more
      ...
      FTP server login
      program     proftpd              See in.ftpd(1M)
      event ID    6165                 AUE_ftpd
      class       lo                   (0x0000000000001000)
      header
      subject
      [text]                       error message
      return
      
      FTP server logout
      program     proftpd              See in.ftpd(1M)
      event ID    6171                 AUE_ftpd_logout
      class       lo                   (0x0000000000001000)
      header
      subject
      return
      ...