On 2023-09-28, Nick Holland <n...@holland-consulting.net> wrote:
> On 8/31/23 17:29, myml...@gmx.com wrote:
>> Hi All,
>>
>> I am setting an openbsd 7.3 stable system to serve files via ssh's sftp
>> subsystem.
>>
>> Does openssh have a native way to audit what files were
>> downloaded/uploaded with user/timestamp information?
>>
>> If not, are there any recommendations?
>>
>> Thanks in advance.
>>
>
> Try this, perhaps?
>
> man sftp-server,
> options of interest may include -f, -l.
>
> You will probably have to have a /dev/log inside the chroot, which
> also means the "nodev" option is not your friend.

Files accessed: yes. Files opened are logged with flags, so you can distinguish between read/write. Files closed, renamed, removed are logged.

User: yes, but you'll need to match lines together based on PID; look for the 'session opened/closed' lines which have username/IP. In a long running connection authlog may have rotated between the connection and transfer.

You don't need a /dev/log socket to do this on OpenBSD; we have the mechanism described in sendsyslog(2).

For sftp chroot with the internal-sftp implementation you can do "ForceCommand internal-sftp -l INFO".
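
The PID matching described above, as an added example that is not part of the original post: it joins each `open` line to the `session opened` line with the same PID and reports the user as unknown when that line is missing, as happens after a log rotation. The sample lines are constructed, and their wording and the `audit` function name are assumptions to check against your own logs.

```python
import re

# Constructed sample lines modelled on sftp-server logging at "-l INFO".
# The exact message wording is an assumption; adjust the patterns to your logs.
SAMPLE_LOG = '''\
Sep 28 10:00:01 fs1 internal-sftp[4211]: session opened for local user alice from [192.0.2.10]
Sep 28 10:00:05 fs1 internal-sftp[4211]: open "/upload/report.pdf" flags WRITE,CREATE,TRUNCATE mode 0644
Sep 28 10:00:06 fs1 internal-sftp[4211]: close "/upload/report.pdf" bytes read 0 written 52311
Sep 28 10:01:12 fs1 internal-sftp[3977]: open "/pub/data.csv" flags READ mode 0666
Sep 28 10:01:13 fs1 internal-sftp[3977]: close "/pub/data.csv" bytes read 1024 written 0
Sep 28 10:02:30 fs1 internal-sftp[4211]: session closed for local user alice from [192.0.2.10]
'''

LINE = re.compile(
    r'^(\w{3}\s+\d+ [\d:]+) \S+ (?:internal-sftp|sftp-server)\[(\d+)\]: (.*)$')
OPENED = re.compile(r'^session opened for local user (\S+) from \[([^\]]+)\]')
CLOSED = re.compile(r'^session closed for local user ')
FILE_OPEN = re.compile(r'^open "(.*)" flags (\S+) mode')


def audit(lines):
    """Return one record per file open, joined to its session by PID."""
    sessions = {}  # pid -> (user, ip) for sessions currently open
    records = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        if (s := OPENED.match(msg)):
            sessions[pid] = s.groups()
        elif CLOSED.match(msg):
            sessions.pop(pid, None)  # PIDs are reused, so forget the mapping
        elif (f := FILE_OPEN.match(msg)):
            # No 'session opened' line seen for this PID (for example the
            # log rotated mid-connection): keep the record, user unknown.
            user, ip = sessions.get(pid, (None, None))
            path, flags = f.groups()
            direction = 'upload' if 'WRITE' in flags.split(',') else 'download'
            records.append({'time': stamp, 'pid': pid, 'user': user,
                            'ip': ip, 'path': path, 'direction': direction})
    return records


if __name__ == '__main__':
    for record in audit(SAMPLE_LOG.splitlines()):
        print(record)
```

Feeding the previous rotated log file ahead of the current one lets long-running sessions resolve to a user instead of being left unknown.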