Re: logging file names with sftp

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Sep 04, 2009 at 12:12:33PM -0400, Greg Wooledge wrote:
> On Thu, Sep 03, 2009 at 11:26:57AM -0500, Derek Martin wrote:
> > The logging of individual file transfers arguably buys you very little
> > though, because the users are legitimate users who are authenticated.
> > This is generally quite a different situation from FTP installations,
> > where often the users are anonymous
> 
> If I understand correctly, many people run an sftp service which is
> essentially an encrypted, NAT-capable version of anonymous FTP.  They
> offer files (or file hosting space) to a large group of barely-trusted
> people, and want to limit or track abuse of the service.

Absolutely; of course I was generalizing, and acknowledged that there
exist cases where the logging is more useful than in others.  When the
OP posted, he did not describe his intended purpose; all we knew was
that he wanted to log the file names.  I was simply trying to point
out that, depending on his use case, this may be unnecessary,
unwarranted, and un-useful.

I would also point out that even in the case you describe, the
situation is different from an actual anonymous FTP server, and I
think that it's worth pointing out what is available without tracking
individual file transfers.  

In general with OpenSSH, for determining abuse, without logging file
names, one already knows the identity of the user, where they logged
in from, and how long they were connected.  If the user uses up the
available space on the storage device, you know who they are, and you
can find the files.  If you enable system accounting (if the server
has those facilities -- devices based on any of the free unix kernels
generally at least have the possibility) then you can identify when
the user downloads more data then they should be allowed to.  All
without logging individual file names.  Though admittedly, logging
file names may more efficient in terms of space consumed, and it's
easier to count log lines than process the system accounting file.
But you could certainly build a tool that processes the accounting for
you, and if this is a product, include that as part of your management
tools.

On Fri, Sep 04, 2009 at 06:10:37PM -0400, Dennis Taylor wrote:
> When one of our technicians or engineers accesses one of our
> embedded systems in the field, we have no reasonable expectation of
> privacy.  

Clearly this is for support purposes, and in that case such a policy
makes sense; you don't own the data, and are not an agent of the
person who owns the data -- you have no right to it.  But in general
I'm philosophically opposed to the idea of "no reasonable expectation
of privacy."  As you might have guessed.  ;-)  It's become the modus
operandi of the day, but I think that's wrong, from both a moral and
practical standpoint.  People tend to feel somewhat stifled if they
know they are being watched.  And we have a variety of laws against
watching people without their knowledge not without reason, though of
late they have been lessened and weakened, sadly.

Honestly, what I personally would like to see is more software with
logic that automatically starts logging but only when a behavior
surpasses some configured notion of what's acceptable.  This has
multiple benefits (including reducing disk usage of logs). I like my
privacy, and I think we should all generally have more of it than we
typically do today, at the hands of technology.

> We need to be trusted, but also accountable.  

Above, I'm trying to point out that not logging individual file
transfers does not necessarily prevent accountability.  In many cases,
all it does is provide additional detail that's not strictly
necessary or even especially useful.  In your case, it may be
particularly useful, or even required. 

> We have gone to great lengths to make it impractical for even an
> authorized user to steal others' information.  Having logs that we
> cannot tamper with is one more layer of security, mostly to help
> track who compromised the system if they do find away around the
> other layers.  

Sure.  Of course, if they find a way around the other layers,  most
likely they've managed to escalate their privileges, in which case
your logging is suspect (unless it's to some sort of write-only
media).

> It is also an industry requirement, and our products are audited by
> independent firms to verify that we do in fact log accesses.

You can log *access* without necessarily logging individual file
transfers.  Though again, in your case it may be appropriate or
required.

To be clear, I'm not trying to suggest that one should never log file
transfers, or that it is never useful.  I'm simply saying that it is
not always clear that it is necessary, and it is clear that it is not
always necessary. :)  Just because you can do something, doesn't mean
you should.  I think all of us as technologists should take the time
to consider if what we are doing is ethical and necessary.  From a
purely philosophical point of view, I think it is better not to log
individual file transfers unless you can determine that you have a
justifiable need for the data so obtained that you can not obtain
another way.  A legal requirement would certainly qualify as a
justifiable need...  And (obviously), I think we should apply this
philosophy everywhere, not just to file transfers.

Of course, if you have a bonifide need for a high level of security,
then you do what you have to do.  But you ought to at least make sure
that the parties involved have appropriate notice.  If you're going to
log transfers of legitimate users, you should notify the users that
you do so.

Just my $.00002

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

Attachment: pgpVzi7F9JsO1.pgp
Description: PGP signature


[Index of Archives]     [Open SSH Unix Development]     [Fedora Users]     [Fedora Desktop]     [Yosemite Backpacking]     [KDE Users]     [Gnome Users]

  Powered by Linux