On Fri, Sep 04, 2009 at 12:12:33PM -0400, Greg Wooledge wrote: > On Thu, Sep 03, 2009 at 11:26:57AM -0500, Derek Martin wrote: > > The logging of individual file transfers arguably buys you very little > > though, because the users are legitimate users who are authenticated. > > This is generally quite a different situation from FTP installations, > > where often the users are anonymous > > If I understand correctly, many people run an sftp service which is > essentially an encrypted, NAT-capable version of anonymous FTP. They > offer files (or file hosting space) to a large group of barely-trusted > people, and want to limit or track abuse of the service. Absolutely; of course I was generalizing, and acknowledged that there exist cases where the logging is more useful than in others. When the OP posted, he did not describe his intended purpose; all we knew was that he wanted to log the file names. I was simply trying to point out that, depending on his use case, this may be unnecessary, unwarranted, and un-useful. I would also point out that even in the case you describe, the situation is different from an actual anonymous FTP server, and I think that it's worth pointing out what is available without tracking individual file transfers. In general with OpenSSH, for determining abuse, without logging file names, one already knows the identity of the user, where they logged in from, and how long they were connected. If the user uses up the available space on the storage device, you know who they are, and you can find the files. If you enable system accounting (if the server has those facilities -- devices based on any of the free unix kernels generally at least have the possibility) then you can identify when the user downloads more data then they should be allowed to. All without logging individual file names. Though admittedly, logging file names may more efficient in terms of space consumed, and it's easier to count log lines than process the system accounting file. But you could certainly build a tool that processes the accounting for you, and if this is a product, include that as part of your management tools. On Fri, Sep 04, 2009 at 06:10:37PM -0400, Dennis Taylor wrote: > When one of our technicians or engineers accesses one of our > embedded systems in the field, we have no reasonable expectation of > privacy. Clearly this is for support purposes, and in that case such a policy makes sense; you don't own the data, and are not an agent of the person who owns the data -- you have no right to it. But in general I'm philosophically opposed to the idea of "no reasonable expectation of privacy." As you might have guessed. ;-) It's become the modus operandi of the day, but I think that's wrong, from both a moral and practical standpoint. People tend to feel somewhat stifled if they know they are being watched. And we have a variety of laws against watching people without their knowledge not without reason, though of late they have been lessened and weakened, sadly. Honestly, what I personally would like to see is more software with logic that automatically starts logging but only when a behavior surpasses some configured notion of what's acceptable. This has multiple benefits (including reducing disk usage of logs). I like my privacy, and I think we should all generally have more of it than we typically do today, at the hands of technology. > We need to be trusted, but also accountable. Above, I'm trying to point out that not logging individual file transfers does not necessarily prevent accountability. In many cases, all it does is provide additional detail that's not strictly necessary or even especially useful. In your case, it may be particularly useful, or even required. > We have gone to great lengths to make it impractical for even an > authorized user to steal others' information. Having logs that we > cannot tamper with is one more layer of security, mostly to help > track who compromised the system if they do find away around the > other layers. Sure. Of course, if they find a way around the other layers, most likely they've managed to escalate their privileges, in which case your logging is suspect (unless it's to some sort of write-only media). > It is also an industry requirement, and our products are audited by > independent firms to verify that we do in fact log accesses. You can log *access* without necessarily logging individual file transfers. Though again, in your case it may be appropriate or required. To be clear, I'm not trying to suggest that one should never log file transfers, or that it is never useful. I'm simply saying that it is not always clear that it is necessary, and it is clear that it is not always necessary. :) Just because you can do something, doesn't mean you should. I think all of us as technologists should take the time to consider if what we are doing is ethical and necessary. From a purely philosophical point of view, I think it is better not to log individual file transfers unless you can determine that you have a justifiable need for the data so obtained that you can not obtain another way. A legal requirement would certainly qualify as a justifiable need... And (obviously), I think we should apply this philosophy everywhere, not just to file transfers. Of course, if you have a bonifide need for a high level of security, then you do what you have to do. But you ought to at least make sure that the parties involved have appropriate notice. If you're going to log transfers of legitimate users, you should notify the users that you do so. Just my $.00002 -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D
Attachment:
pgpVzi7F9JsO1.pgp
Description: PGP signature