Go to main content

Managing Auditing in Oracle® Solaris 11.4

Exit Print View

Updated: February 2019
 
 

How to Audit FTP and SFTP File Transfers

The FTP service creates logs of its file transfers. The SFTP service, which runs under the ssh protocol, can be audited by preselecting the ft audit class. Logins to both services can be audited.

  • Perform one of the following depending on whether you want to audit SFTP or FTP.
    • To log sftp access and file transfers, edit the ft class.

      The ft class includes the following SFTP transactions:

      $ auditrecord -c ft
      file transfer: chmod ...
      file transfer: chown ...
      file transfer: get ...
      file transfer: mkdir ...
      file transfer: put ...
      file transfer: remove ...
      file transfer: rename ...
      file transfer: rmdir ...
      file transfer: session start ...
      file transfer: session end ...
      file transfer: symlink ...
      file transfer: utimes
    • To record access to the Professional File Transfer Protocol (FTP) server, ensure that you are auditing the lo class.

      As the following sample output indicates, logging in to and out of the proftpd daemon generates audit records.

      $ auditrecord -c lo | more
      ...
      FTP server login
      program     proftpd              See in.ftpd(1M)
      event ID    6165                 AUE_ftpd
      class       lo                   (0x0000000000001000)
      header
      subject
      [text]                       error message
      return
      
      FTP server logout
      program     proftpd              See in.ftpd(1M)
      event ID    6171                 AUE_ftpd_logout
      class       lo                   (0x0000000000001000)
      header
      subject
      return
      ...

See Also

For information about how to log FTP commands and file transfers, use the man command to view the proftpd (8) man page.

For the available logging options, read ProFTPD Logging (http://www.proftpd.org/docs/howto/Logging.html).