sftp user action logs - EXPLAINED and SOLVED

I already wrote how to setup and why to use SFTP.Time has passed and someone ask you to see did someone using sftp add/rename/download/upload/delete some file or folder. You go to /var/log and search for logs about sftp actions. And all that you can find is ...

ubuntu sshd[3510]: subsystem request for sftp by user boris
ubuntu sshd[3510]: pam_unix(sshd:session): session closed for user boris



So as you can see there is no log about what user connected by using sftp is doing. At some point in time someone will tell you that this is a security/where are these files/who delete files issue. So how to do this? It is quite simple if you understand how logs are created, chroot and off course if you are reading this!

Check ssh version first!

 First and most important thing to know. On older version of openssh there is very good chance that this will not work. Why, sftp-server dont have these options for older versions.
I tested this on
root@ubuntu:/var/log# cat /etc/issue
Ubuntu 12.04.4 LTS \n \l
root@ubuntu:/var/log# uname -a
Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:15:33 UTC 2013 i686 i686 i386 GNU/Linux
root@ubuntu:/var/log# dpkg -l openssh*
ii  openssh-client 1:5.9p1-5ubunt secure shell (SSH) client, for secure access
ii  openssh-server 1:5.9p1-5ubunt secure shell (SSH) server, for secure access

But on CentOs 5.8 this do not work
# cat /etc/issue
CentOS release 5.8 (Final)
# rpm -qa |grep ssh
openssh-4.3p2-82.el5
openssh-server-4.3p2-82.el5

Few thing to know about logs and chroot

As you know sftp users(in my case user boris) are all chrooted to directory configured in /etc/ssh/sshd_config with ChrootDirectory directive. In case that you do not know what this means, it means that once user is connected he cannot live this location. This user can't do anything outside this this folder. Read/write operations are only limited to his sftp folder. If you are wondering why I wrote 3 sentences about that use cannot leave chroot dir folder, wait just a bit more. Rsyslog or syslog capture events things by using socket /dev/log. This is important because sftp of features of ssh and ssh use rsyslog for logs storing then in /var/log. Permissions on /dev/log is  

# ls -la /dev/log
srw-rw-rw- 1 root root 0 Oct 31 12:54 /dev/log
So anybody that can approach to /dev/log can make logs by using rsyslog. But can sftp user approach to /dev/log? NO! Why? Because he is captured inside of his chrooted directory!!! So, idea is to still have chrooted user but that he can write in /dev/log.

Configuration in sshd_config

To enable logs for sftp-server we must fist enable it in sshd_config.  Change line

ForceCommand internal-sftp 
to
ForceCommand internal-sftp -l INFO -f AUTH

Option -l(small letter L) is for log level and option -f is for location of log. Do not for -f add location of file, this is done in rsyslog.conf.
After you make neccesery changes, restart ssh service.

#/etc/init.d/sshd restart

Accessing /dev/log from chrooted folder 

How to do this? My sftp folder is defined in sshd_config in ChrootDirectory /opt/sftp_test/%u directive and my sftp user is boris. Follow these steps!

#cd /opt/sftp_test/boris
#mkdir dev
#touch dev/log

#chmod 511 dev
#chattr +i dev
# mount --bind /dev/log dev/log

And this is it!!!

How to test if this is working?
Go to your AUTH log. Depending of Linux distro this can be in /var/log/secure or /var/log/auth.log.
In this test server I am using Ubuntu 12.04.
#tail -f /var/log/auth.log
Oct 31 15:28:30 ubuntu internal-sftp[2460]: session opened for local user boris from [x.x.x.x]
Oct 31 15:28:31 ubuntu internal-sftp[2460]: opendir "/"
Oct 31 15:28:31 ubuntu internal-sftp[2460]: closedir "/"
Oct 31 15:28:47 ubuntu internal-sftp[2460]: opendir "/boris"
Oct 31 15:28:47 ubuntu internal-sftp[2460]: closedir "/boris"
Oct 31 15:28:53 ubuntu internal-sftp[2460]: mkdir name "/boris/12/123" mode 0777
Oct 31 15:28:58 ubuntu internal-sftp[2460]: opendir "/boris/12/123"
Oct 31 15:28:58 ubuntu internal-sftp[2460]: closedir "/boris/12/123"
Oct 31 15:29:05 ubuntu internal-sftp[2460]: open "/boris/12/123/analy.jpg" flags WRITE,CREATE,TRUNCATE mode 0700
Oct 31 15:29:05 ubuntu internal-sftp[2460]: close "/boris/12/123/analy.jpg" bytes read 0 written 28925
Oct 31 15:29:19 ubuntu internal-sftp[2460]: session closed for local user boris from [x.x.x.x]
Oct 31 15:29:19 ubuntu sshd[2459]: Received disconnect from x.x.x.x: 11: disconnected by user
Oct 31 15:29:19 ubuntu sshd[2287]: pam_unix(sshd:session): session closed for user boris

As you can see  this is much better log!
If you have more then one user that is using sftp, you have to do this for every one of them!

In case that you want this to work after reboot. read this post fstab mount bind!