RE: logging file names with sftp

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 

> -----Original Message-----
> From: listbounce@xxxxxxxxxxxxxxxxx 
> [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Derek Martin
> Sent: Friday, September 04, 2009 9:25 PM
> To: secureshell@xxxxxxxxxxxxxxxxx
> Subject: Re: logging file names with sftp
> 
> On Fri, Sep 04, 2009 at 12:12:33PM -0400, Greg Wooledge wrote:
> > On Thu, Sep 03, 2009 at 11:26:57AM -0500, Derek Martin wrote:
> > > The logging of individual file transfers arguably buys 
> you very little
> > > though, because the users are legitimate users who are 
> authenticated.
> > > This is generally quite a different situation from FTP 
> installations,
> > > where often the users are anonymous
> > 
> > If I understand correctly, many people run an sftp service which is
> > essentially an encrypted, NAT-capable version of anonymous 
> FTP.  They
> > offer files (or file hosting space) to a large group of 
> barely-trusted
> > people, and want to limit or track abuse of the service.
> 
> Absolutely; of course I was generalizing, and acknowledged that there
> exist cases where the logging is more useful than in others.  When the
> OP posted, he did not describe his intended purpose; all we knew was
> that he wanted to log the file names.  I was simply trying to point
> out that, depending on his use case, this may be unnecessary,
> unwarranted, and un-useful.

Agreed.

> 
> I would also point out that even in the case you describe, the
> situation is different from an actual anonymous FTP server, and I
> think that it's worth pointing out what is available without tracking
> individual file transfers.  
> 
> In general with OpenSSH, for determining abuse, without logging file
> names, one already knows the identity of the user, where they logged
> in from, and how long they were connected.  If the user uses up the
> available space on the storage device, you know who they are, and you
> can find the files.  If you enable system accounting (if the server
> has those facilities -- devices based on any of the free unix kernels
> generally at least have the possibility) then you can identify when
> the user downloads more data then they should be allowed to.  All
> without logging individual file names.  Though admittedly, logging
> file names may more efficient in terms of space consumed, and it's
> easier to count log lines than process the system accounting file.
> But you could certainly build a tool that processes the accounting for
> you, and if this is a product, include that as part of your management
> tools.
> 
> On Fri, Sep 04, 2009 at 06:10:37PM -0400, Dennis Taylor wrote:
> > When one of our technicians or engineers accesses one of our
> > embedded systems in the field, we have no reasonable expectation of
> > privacy.  
> 
> Clearly this is for support purposes, and in that case such a policy
> makes sense; you don't own the data, and are not an agent of the
> person who owns the data -- you have no right to it.  But in general
> I'm philosophically opposed to the idea of "no reasonable expectation
> of privacy."  As you might have guessed.  ;-)  It's become the modus
> operandi of the day, but I think that's wrong, from both a moral and
> practical standpoint.  People tend to feel somewhat stifled if they

The people being monitored usually are downloading files requested
by the developers.  It's really not an issue here.  Obviously, I cannot
speak for the original poster.

> know they are being watched.  And we have a variety of laws against
> watching people without their knowledge not without reason, though of
> late they have been lessened and weakened, sadly.
> 

I agree in principle, but in this specific case it may be your credit
card number (albeit encrypted) that I am accessing.  That certainly is
none of our business.  The auditors want to be able to forensically
determine if those files were accessed by any means, with records
kept at least a year.  In a perfect world, we would not ever need
to look at the files.  To be clear, we do NOT decrypt the sensitive
data, and the keys are not accessible to even authenticated users.

> Honestly, what I personally would like to see is more software with
> logic that automatically starts logging but only when a behavior
> surpasses some configured notion of what's acceptable.  This has
> multiple benefits (including reducing disk usage of logs). I like my
> privacy, and I think we should all generally have more of it than we
> typically do today, at the hands of technology.

I like the idea of selective logging.  It is just difficult to do
and be sure we do not miss something we should have included. Eventually,
I may have a way to realiably implement that.

> 
> > We need to be trusted, but also accountable.  
> 
> Above, I'm trying to point out that not logging individual file
> transfers does not necessarily prevent accountability.  In many cases,
> all it does is provide additional detail that's not strictly
> necessary or even especially useful.  In your case, it may be
> particularly useful, or even required. 
> 

Yes, required.

> > We have gone to great lengths to make it impractical for even an
> > authorized user to steal others' information.  Having logs that we
> > cannot tamper with is one more layer of security, mostly to help
> > track who compromised the system if they do find away around the
> > other layers.  
> 
> Sure.  Of course, if they find a way around the other layers,  most
> likely they've managed to escalate their privileges, in which case
> your logging is suspect (unless it's to some sort of write-only
> media).
> 

We enable sending log files to a host that we do not have access to
tamper with.  The folks with access to that host do not have
access to our equipment.  When they log in using a shell, commands
are logged as well.  They have the privileges necessary to stop
the logging if they know how, but the last thing logged will be
them stopping the logging.

> > It is also an industry requirement, and our products are audited by
> > independent firms to verify that we do in fact log accesses.
> 
> You can log *access* without necessarily logging individual file
> transfers.  Though again, in your case it may be appropriate or
> required.
> 

Definitely required by outside forces.  (Card Information Security
Program, Payment Card Industry Data Storage Standards, and so on.)
Under the best of circumstances, all we need to download is the
debug logs for the developers to study over to see what is wrong.
Sometimes we need more.

> To be clear, I'm not trying to suggest that one should never log file
> transfers, or that it is never useful.  I'm simply saying that it is
> not always clear that it is necessary, and it is clear that it is not
> always necessary. :)  Just because you can do something, doesn't mean
> you should.  I think all of us as technologists should take the time
> to consider if what we are doing is ethical and necessary.  From a
> purely philosophical point of view, I think it is better not to log
> individual file transfers unless you can determine that you have a
> justifiable need for the data so obtained that you can not obtain
> another way.  A legal requirement would certainly qualify as a
> justifiable need...  And (obviously), I think we should apply this
> philosophy everywhere, not just to file transfers.
> 
> Of course, if you have a bonifide need for a high level of security,
> then you do what you have to do.  But you ought to at least make sure
> that the parties involved have appropriate notice.  If you're going to
> log transfers of legitimate users, you should notify the users that
> you do so.
> 

All dozen or so are aware of why we recently made significant changes
to their access methods.

> Just my $.00002
> 
> -- 
> Derek D. Martin
> http://www.pizzashack.org/
> GPG Key ID: 0x81CFE75D
> 
> 

[Index of Archives]     [Open SSH Unix Development]     [Fedora Users]     [Fedora Desktop]     [Yosemite Backpacking]     [KDE Users]     [Gnome Users]

  Powered by Linux