Managing Auditing in Oracle® Solaris 11.3

Updated: April 2019

How to Audit FTP and SFTP File Transfers

The FTP service creates logs of its file transfers. The SFTP service, which runs under the ssh protocol, can be audited by preselecting the ft audit class. Logins to both services can be audited.

Note - The audit service supports SFTP over SunSSH, not over OpenSSH. For information about Secure Shell implementations in Oracle Solaris, see What’s New in Secure Shell in Oracle Solaris 11.3 in Managing Secure Shell Access in Oracle Solaris 11.3.

  • Perform one of the following depending on whether you want to audit SFTP or FTP.
    • To log sftp access and file transfers, edit the ft class.

      The ft class includes the following SFTP transactions:

      $ auditrecord -c ft
      file transfer: chmod ...
      file transfer: chown ...
      file transfer: get ...
      file transfer: mkdir ...
      file transfer: put ...
      file transfer: remove ...
      file transfer: rename ...
      file transfer: rmdir ...
      file transfer: session start ...
      file transfer: session end ...
      file transfer: symlink ...
      file transfer: utimes
    • To record access to the Professional File Transfer Protocol (FTP) server, audit the lo class.

      As the following sample output indicates, logging in to and out of the proftpd daemon generates audit records.

      $ auditrecord -c lo | more
      FTP server login
      program     proftpd              See in.ftpd(1M)
      event ID    6165                 AUE_ftpd
      class       lo                   (0x0000000000001000)
      [text]                       error message
      FTP server logout
      program     proftpd              See in.ftpd(1M)
      event ID    6171                 AUE_ftpd_logout
      class       lo                   (0x0000000000001000)
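
The procedure above names the classes to audit but does not show the preselection step. The following added example, which is not part of the Oracle documentation, adds a class to the system-wide flags with auditconfig -getflags and -setflags while keeping the classes that are already set; the function names and the -getflags output format it parses (flag list followed by masks in parentheses) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Oracle page: preselect an audit class
# system-wide while keeping the classes that are already preselected.
# Assumption: auditconfig -getflags prints a line of the form
#   configured user default audit flags = lo(0x1000,0x1000)

# Print the configured flag list (for example "lo") without the masks.
configured_flags() {
    auditconfig -getflags |
        sed -n 's/^configured user default audit flags = \([^(]*\)(.*$/\1/p'
}

# Succeed if class $1 appears in the comma-separated list $2.
# Prefixed entries such as +ft or -ft are treated as different from ft.
has_class() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Add class $1 to the configured flags; do nothing if it is already there.
preselect_class() {
    class=$1
    current=$(configured_flags)
    if [ -z "$current" ]; then
        # Refuse to guess: writing only $class would drop existing classes.
        echo "could not read the current audit flags" >&2
        return 1
    fi
    if has_class "$class" "$current"; then
        return 0
    fi
    auditconfig -setflags "$current,$class"
}

# Typical use, from an account with rights to configure auditing:
#   preselect_class ft    # SFTP transfers
#   preselect_class lo    # proftpd login and logout
#   auditconfig -getflags # confirm the result
```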

See Also

For information about how to log FTP commands and file transfers, use the man command to view the proftpd(8) man page.

For the available logging options, read ProFTPD Logging (http://www.proftpd.org/docs/howto/Logging.html).