[audit-discuss] Re: DRAFT: ftp/sftp auditing
Jan Pechanec
Jan.Pechanec at Sun.COM
Thu Jan 18 03:59:10 PST 2007
On Wed, 17 Jan 2007, Nicolas Williams wrote:
>> what I mean is when I download the same file more than once I need
>> to tell what start record is paired to what end record (I can be downloading
>> the same file more than once, in parallel). Audit session ID won't help me
>> here. J.
>
>So something like XID.

is it an exchange identifier? Do you mean anything special by that?

>Do we really need to know when the operation is done? Note that this
>implies being careful to record close/done events on server process
>exit, or at least being careful to understand in praudit/whatever that
>server process exit implicitly closes the current downloads/uploads.

if we log only the start record it would be much simpler for us. If
we log the finish record as well, we can get bytes transferred (which might be
different from the file size) and elapsed time.

I think that both pieces of information can be interesting for
admins. However, if we don't do it now, we can easily do it later in
a backward compatible way - adding XIDs and adding the 2nd record for every
put/get.

having only start records which would be named just AUE_get/put and
leaving AUE_get/put_finish for later (if at all) could be a good start.

Jan.
--
Jan Pechanec
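
The pairing problem discussed in this message, as an added example that is not part of the original post or of any Solaris audit code: start and finish records for parallel transfers of the same file are matched by XID, and a server process exit implicitly closes whatever is still open. The record layout, the "exit" event name and the assumption that an XID is unique within one server process are hypothetical; only the AUE_get/put and AUE_get/put_finish names come from the thread.

```python
from collections import namedtuple

# Hypothetical record layout; the thread does not define one.
Rec = namedtuple("Rec", "time pid event path xid nbytes")

STARTS = {"AUE_get", "AUE_put"}
FINISHES = {"AUE_get_finish", "AUE_put_finish"}

def pair_transfers(records):
    """Pair start and finish records by (pid, xid).

    A process "exit" record implicitly closes that process's open
    transfers; the byte count is unknown for those.
    """
    open_xfers = {}                      # (pid, xid) -> start record
    out = []

    def close(start, end_time, nbytes, status):
        elapsed = None if end_time is None else end_time - start.time
        out.append({"pid": start.pid, "xid": start.xid, "op": start.event,
                    "path": start.path, "bytes": nbytes,
                    "elapsed": elapsed, "status": status})

    for r in sorted(records, key=lambda rec: rec.time):
        if r.event in STARTS:
            open_xfers[(r.pid, r.xid)] = r
        elif r.event in FINISHES:
            start = open_xfers.pop((r.pid, r.xid), None)
            if start is not None:        # a finish with no start is ignored
                close(start, r.time, r.nbytes, "finished")
        elif r.event == "exit":
            for key in [k for k in open_xfers if k[0] == r.pid]:
                close(open_xfers.pop(key), r.time, None, "closed-by-exit")
    for start in open_xfers.values():    # trail ended with transfers in flight
        close(start, None, None, "open")
    return out

# Constructed sample: pid 100 downloads the same file twice in parallel,
# pid 200 starts an upload and exits without a finish record.
SAMPLE = [
    Rec(1, 100, "AUE_get", "/pub/a.iso", 1, None),
    Rec(2, 100, "AUE_get", "/pub/a.iso", 2, None),
    Rec(3, 200, "AUE_put", "/incoming/b", 1, None),
    Rec(5, 100, "AUE_get_finish", "/pub/a.iso", 2, 4096),
    Rec(6, 200, "exit", None, None, None),
    Rec(9, 100, "AUE_get_finish", "/pub/a.iso", 1, 1024),
]
```

Without the xid field the two AUE_get records for /pub/a.iso are indistinguishable, so the 4096-byte and 1024-byte finishes could not be attributed to the right start.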