I have configured a CentOS 7.7 installation to use the internal-sftp subsystem and to chroot a specific user into a particular folder. I want to enable logging, so I configured sshd like this:

    Subsystem sftp internal-sftp
    Match User username
        AuthorizedKeysFile /etc/ssh/authorized_keys/username
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory %h
        ForceCommand internal-sftp -d /folder -l VERBOSE

This allows me to see read and write operations out of the box, without creating any supporting files in the chroot. The entries are stored in /var/log/secure:

    Dec 16 11:23:33 machine sshd[30798]: opendir "/folder/Test" [postauth]
    Dec 16 11:23:33 machine sshd[30798]: closedir "/folder/Test" [postauth]
    Dec 16 11:23:33 machine sshd[30798]: open "/folder/Test/TEST.csv" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
    Dec 16 11:23:33 machine sshd[30798]: close "/folder/Test/TEST.csv" bytes read 0 written 606 [postauth]
    Dec 16 11:23:34 machine sshd[30798]: opendir "/folder/Test" [postauth]
    Dec 16 11:23:34 machine sshd[30798]: closedir "/folder/Test" [postauth]
    Dec 16 11:23:37 machine sshd[30804]: opendir "/folder/Test" [postauth]
    Dec 16 11:23:37 machine sshd[30804]: closedir "/folder/Test" [postauth]

How can this be expanded to include logging for renaming, moving and deleting files, and creating new directories?

Note that I have also tried DEBUG3 log level.

    $ sudo yum list installed | grep openssh
    openssh.x86_64 7.4p1-21.el7 @base
    openssh-clients.x86_64 7.4p1-21.el7 @base
    openssh-server.x86_64 7.4p1-21.el7 @base

/var/log/messages only contains

    Dec 17 16:09:06 machine systemd-logind: New session 6481 of user username.
    Dec 17 16:09:17 machine systemd-logind: Removed session 6481.
  • is there anything in /var/log/messages ? Anyway - this may be relevant Commented Dec 16, 2019 at 14:01
  • What version of OpenSSH are you using? -- Though even old versions of OpenSSH log all those operations the same way. Commented Dec 16, 2019 at 15:06
  • @MartinPrikryl I've edited my question to include the OpenSSH version details. The version is that supplied with CentOS 7.7. Commented Dec 17, 2019 at 16:06
  • @Smock I have read that, but as far as I can tell I'm doing what is required to make this work. Question updated with info from /var/log/messages. Commented Dec 17, 2019 at 16:08

1 Answer

It turns out that I also needed to specify the logging switch and level on the Subsystem sftp internal-sftp line to get logging for the other operations:

Subsystem sftp internal-sftp -l VERBOSE 

Without that, I only get open and close directory information as per my first post. If I add -l VERBOSE to the Subsystem ... line only, I don't get any logging of operations. I'm sure there's a perfectly logical explanation to why that is, but I don't know it.
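To check a config for the condition this answer describes, the following added example (not code from the post) lists every internal-sftp invocation, both the Subsystem line and any ForceCommand, together with the -l level it carries. The function names and the embedded sample config are constructed for illustration.

```python
import shlex

# Constructed sample: the sshd_config lines from the question, before the fix.
BEFORE = """\
Subsystem sftp internal-sftp
Match User username
    ChrootDirectory %h
    ForceCommand internal-sftp -d /folder -l VERBOSE
"""
# The same file with the answer's change applied to the Subsystem line.
AFTER = BEFORE.replace("internal-sftp\n", "internal-sftp -l VERBOSE\n", 1)


def log_level(args):
    """Return the level given via -l ('-l LEVEL' or '-lLEVEL'), else None."""
    for i, arg in enumerate(args):
        if arg == "-l" and i + 1 < len(args):
            return args[i + 1].upper()
        if arg.startswith("-l") and len(arg) > 2:
            return arg[2:].upper()
    return None


def sftp_invocations(config_text):
    """List (line number, keyword, scope, level) per internal-sftp invocation."""
    found, scope = [], "global"
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        key = words[0].lower()  # sshd_config keywords are case-insensitive
        if key == "match":
            scope = " ".join(words[1:])  # later lines belong to this Match block
            continue
        if key == "subsystem" and words[1:2] == ["sftp"]:
            cmd = words[2:]
        elif key == "forcecommand":
            cmd = words[1:]
        else:
            continue
        if cmd[:1] == ["internal-sftp"]:
            found.append((lineno, key, scope, log_level(cmd[1:])))
    return found


def missing_log_level(config_text):
    """Invocations that carry no -l option at all."""
    return [e[:3] for e in sftp_invocations(config_text) if e[3] is None]
```

Run it against a copy of /etc/ssh/sshd_config; any entry returned by `missing_log_level` is a line where the answer's change has not been applied.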
