I have configured a CentOS 7.7 installation to use the internal-sftp subsystem and to chroot a specific user into a particular folder. I want to enable logging, so I configured sshd like this:

```
Subsystem sftp internal-sftp

Match User username
    AuthorizedKeysFile /etc/ssh/authorized_keys/username
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp -d /folder -l VERBOSE
```

This allows me to see read and write operations out of the box, without creating any supporting files in the chroot. The entries are stored in `/var/log/secure`:

```
Dec 16 11:23:33 machine sshd[30798]: opendir "/folder/Test" [postauth]
Dec 16 11:23:33 machine sshd[30798]: closedir "/folder/Test" [postauth]
Dec 16 11:23:33 machine sshd[30798]: open "/folder/Test/TEST.csv" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
Dec 16 11:23:33 machine sshd[30798]: close "/folder/Test/TEST.csv" bytes read 0 written 606 [postauth]
Dec 16 11:23:34 machine sshd[30798]: opendir "/folder/Test" [postauth]
Dec 16 11:23:34 machine sshd[30798]: closedir "/folder/Test" [postauth]

Dec 16 11:23:37 machine sshd[30804]: opendir "/folder/Test" [postauth]
Dec 16 11:23:37 machine sshd[30804]: closedir "/folder/Test" [postauth]
```

How can this be expanded to include logging for renaming, moving and deleting files, and creating new directories?

Note that I have also tried the `DEBUG3` log level.

```
$ sudo yum list installed | grep openssh

openssh.x86_64                             7.4p1-21.el7               @base
openssh-clients.x86_64                     7.4p1-21.el7               @base
openssh-server.x86_64                      7.4p1-21.el7               @base
```

`/var/log/messages` only contains:

```
Dec 17 16:09:06 machine systemd-logind: New session 6481 of user username.
Dec 17 16:09:17 machine systemd-logind: Removed session 6481.
```

  • Is there anything in `/var/log/messages`? Anyway - [this may be relevant](https://serverfault.com/questions/73319/sftp-logging-is-there-a-way) – Smock Dec 16 '19 at 14:01
  • What version of OpenSSH are you using? -- Though even old versions of OpenSSH log all those operations the same way. – Martin Prikryl Dec 16 '19 at 15:06
  • @MartinPrikryl I've edited my question to include the OpenSSH version details. The version is that supplied with CentOS 7.7. – jamieburchell Dec 17 '19 at 16:06
  • @Smock I have read that, but as far as I can tell I'm doing what is required to make this work. Question updated with info from /var/log/messages. – jamieburchell Dec 17 '19 at 16:08

1 Answer

It turns out that I also needed to specify the logging switch and level on the `Subsystem sftp internal-sftp` line to get logging for the other operations:

```
Subsystem sftp internal-sftp -l VERBOSE
```

Without that, I only get open and close directory information as per my first post. If I add `-l VERBOSE` to the `Subsystem ...` line only, I don't get any logging of operations. I'm sure there's a perfectly logical explanation as to why that is, but I don't know it.
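
A check for the condition described in this answer, added here as an example and not part of the original post or of OpenSSH: it scans sshd_config text and reports every `internal-sftp` invocation (the `Subsystem sftp` line and any `ForceCommand`) together with its `-l` level, so a line missing the switch stands out. The function names and both sample configurations are constructed for illustration.

```python
def audit_sftp_logging(config_text):
    """Return (line_no, directive, level) for each internal-sftp invocation
    found in sshd_config text; level is None when no -l option is present."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not tokens:
            continue
        keyword = tokens[0].lower()             # sshd_config keywords are case-insensitive
        if keyword == "subsystem" and tokens[1:2] == ["sftp"]:
            command = tokens[2:]
        elif keyword == "forcecommand":
            command = tokens[1:]
        else:
            continue
        if command[:1] != ["internal-sftp"]:
            continue
        level, args = None, command[1:]
        for i, arg in enumerate(args):
            if arg == "-l" and i + 1 < len(args):
                level = args[i + 1].upper()
            elif arg.startswith("-l") and len(arg) > 2:
                level = arg[2:].upper()         # attached form, e.g. -lVERBOSE
        findings.append((line_no, tokens[0], level))
    return findings


def missing_levels(config_text):
    """Directives that run internal-sftp without any -l level."""
    return [(n, d) for n, d, level in audit_sftp_logging(config_text) if level is None]


# Constructed sample: the question's configuration, trimmed to the relevant lines.
QUESTION_CONFIG = """\
Subsystem sftp internal-sftp

Match User username
    ChrootDirectory %h
    ForceCommand internal-sftp -d /folder -l VERBOSE
"""
# Constructed sample: the same file with the answer's change applied.
ANSWER_CONFIG = QUESTION_CONFIG.replace(
    "Subsystem sftp internal-sftp\n", "Subsystem sftp internal-sftp -l VERBOSE\n")

if __name__ == "__main__":
    for name, text in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(name, missing_levels(text))
```
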