2013-03-12 16:01:56 | Category:
How to log events and user actions when chroot jail has been configured for incoming sftp users?
Three actions need to occur to enable logging for chroot jail.
--First entries need to be created for sftp jail in /etc/ssh/sshd_config .
Subsystem sftp internal-sftp
Match Group sftponly
    # chroot each matched user into /chroots/<username>, as described below
    ChrootDirectory /chroots/%u
    ForceCommand internal-sftp -l VERBOSE -f AUTHPRIV
The above entries allow any user in the sftponly group to log in as an SFTP user, held in a chroot jail. The root directory for these users will be /chroots/username, and these directories must exist before the first login.
If the sftponly group does not exist in the authentication database it should be created, and it should be dedicated to this purpose in order to retain the most control. The group name can be any string; sftponly is used here only as an example.
The amount of logging can be controlled by the -l switch. The man page for sshd_config will provide more details.
It should be noted that a single user can be matched instead (Match User), and more detail on this can be found in the man page for sshd_config.
--Next a /dev directory must be created under each user's chroot root. The system writes log entries for each user through a socket device in this directory: when the rsyslog facility is restarted it creates a socket called log in each user's dev directory (e.g. /chroots/username/dev/log).
The root, user and dev directories for each user must be owned by root, as the internal-sftp facility (sshd) must have root access to write these logs.
--Finally the following entries should be made in the /etc/rsyslog.conf file:
The rsyslog facility will need to create a socket to write the logs for each user. That is defined using the AddUnixListenSocket entry.
Once each of the configuration files has been edited, both sshd and rsyslog facilities should be restarted. Events will be logged to the /var/log/secure log.
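The procedure above, as an added shell example that is not from the original post: it checks that each jail directory meets sshd's ownership and mode requirements for ChrootDirectory, generates the rsyslog listener lines the post refers to (legacy $AddUnixListenSocket syntax), and verifies that the dev/log socket appeared after the rsyslog restart. The base path /chroots, the usernames and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post.  Helper checks for the
# chroot SFTP logging layout the post describes: one jail per user under
# /chroots/<username>, each containing a root-owned dev/ directory in which
# rsyslog creates the "log" socket via $AddUnixListenSocket.
# The base path /chroots and the function names are this example's own.

# sshd rejects a ChrootDirectory that is not owned by root or that is
# writable by group or other ("bad ownership or modes for chroot
# directory") and the login fails.  Returns 0 if the directory qualifies.
check_chroot_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$dir")   # GNU stat (Linux)
    mode=$(stat -c '%a' "$dir")    # e.g. 755 or 1755
    if [ "$owner" != root ]; then
        echo "$dir: owned by $owner, must be root" >&2
        return 1
    fi
    # The write bit (2) is set in an octal digit 2, 3, 6 or 7.  The first
    # pattern tests the group digit, the second the "other" digit.
    case "$mode" in
        *[2367][0-7]|*[2367])
            echo "$dir: mode $mode is group- or world-writable" >&2
            return 1 ;;
    esac
    return 0
}

# Print the rsyslog.conf lines that make rsyslog listen on a socket inside
# each jail (legacy directive syntax, as in the post).
gen_rsyslog_sockets() {
    base="$1"; shift
    printf '%s\n' '$ModLoad imuxsock'
    for user in "$@"; do
        printf '%s\n' "\$AddUnixListenSocket $base/$user/dev/log"
    done
}

# After rsyslog is restarted each jail must contain a socket at dev/log,
# which internal-sftp logs into.  Returns 0 if the socket exists.
check_log_socket() {
    sock="$1/$2/dev/log"
    if [ -S "$sock" ]; then
        return 0
    fi
    echo "$sock: socket missing (rsyslog not restarted, or SELinux denial?)" >&2
    return 1
}

# Usage: sh sftp_chroot_log_check.sh alice bob
#   checks /chroots/alice and /chroots/bob, then prints the rsyslog lines.
if [ $# -gt 0 ]; then
    for u in "$@"; do
        check_chroot_dir "/chroots/$u" && check_log_socket /chroots "$u"
    done
    gen_rsyslog_sockets /chroots "$@"
fi
```

Run it after creating the jails and restarting rsyslog; a failing check_log_socket together with the "Permission denied" message mentioned at the end of the post points at an SELinux denial rather than a typo in the path.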
If you wish to have a separate log file, the following lines can be added to the rsyslog.conf file. In this case the file sftp.log will be used to write the events as well as the secure log file:
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~
:programname, isequal, "sshd" -/var/log/sftp.log
:programname, isequal, "sshd" ~
Only one of these two pairs should be needed. Each pair redirects the logging output, selected by program name (in this case either sshd or internal-sftp), to the sftp.log file, which must exist; the second line of each pair (the ~ action) discards the message so that later rules do not process it again.
--Log rotation for the new log file: drop the following file in /etc/logrotate.d :
invoke-rc.d rsyslog reload > /dev/null
BTW, if the message below appears in your log file, SELinux is preventing rsyslogd from creating the socket inside the jail; one workaround is to disable the SELinux service on your OS:
rsyslogd: cannot create '/chroots/test1/dev/log': Permission denied
---HOWTO: chroot SFTP (only) - OpenSSH 4.9+ Built-in Version